The cybersecurity arms race continues to accelerate. Machine learning and artificial intelligence (AI) make bad actors smarter. Exploits become more sophisticated. Mobile devices multiply the doorways into an organization. As a CISO, how do you keep up? Even though you run faster and faster on the hamster wheel of threat detection, it feels like you are still falling behind. What do you do when your most critical data is spread across a broad information fabric which no longer exists within your corporate network?
Can you really trust anyone?
Yes, but you can’t trust anyone everywhere. And yesterday’s security technologies are of limited use in establishing trust in anyone, even somewhere.
The Zero Trust Problem
“Zero Trust,” as a term, reflects an unmanaged, post-perimeter computing environment. With no control over OS, device, network, application, or context, you can only assume the worst – that the entire system is compromised.
Some would also argue that this was the case even in a traditional corporate network – that our faith in the security of a captive network was itself misplaced, as breach after breach reminds us every month.
But how, then, can you get your work done? User trust is clearly not enough. Let’s use a physical example: I may trust you as a person, but if I visibly hand you $10,000 in bills in a bad part of town, you are almost certainly going to get robbed and I’m going to lose my money. Similarly, if I trust you completely in a business setting and give you access to confidential information in a compromised computing environment, that information will almost certainly be lost.
Smart CISOs know that they must find a way to establish trust in this zero trust world. All the traditional analytics around user behavior to (hopefully) identify insider threats must now be combined with a sophisticated trust model and dynamic policy framework that incorporates multiple security signals to continuously assess whether to provide access to corporate data.
Why Zero Trust Now?
Enterprise computing is following the model of consumer computing. Mobile is the front-end. Cloud infrastructure is the back-end. The traditional perimeter is irrelevant to the consumer and increasingly irrelevant to the business user as well.
The traditional policy enforcement point (PEP) was a firewall, wireless access point, or VPN concentrator that controlled access to resources on the corporate network. The PEP collected user attributes like credentials, work role, and location. That information was then forwarded to a policy decision point (PDP), which was usually an authentication and authorization service through an identity and access manager (IAM). That’s a lot of acronyms, but it worked well if the user wasn’t malicious.
However, modern work happens on mobile devices connected to cloud services, not locked-down laptops accessing a secure datacenter over a corporate network. The network PEP model is inadequate for securing these post-perimeter, zero trust environments, because the old controls and traditional arbiters of trust can no longer do their jobs.
Three Steps to Building Trust in a Zero Trust World
Security vendors love to pitch “sky is falling,” “data apocalypse,” and “hackers in hoodies” scenarios. Is it really that bad, and is the problem really that difficult to solve? It is true that zero trust environments require a new mindset and technical approach to security. But, like almost everything else in security, starting with basic hygiene and establishing a foundational process and architecture are the most important steps, and something that every organization can do today. Build the foundation of the house and establish good practices first before you focus on the bells and whistles.
Remember that risk and trust balance each other. The more risk that exists in an environment, the harder you must work to establish enough trust to justify access to corporate data.
Here are three steps to build trust in a zero trust world:
Step 1: Start human
Don’t start with technology. Understand the environment in which your business USERS want to do their work, not the environment in which YOU want them to do their work. Otherwise you will end up establishing trust in an environment that no one is using. For example, if you are an agent-based insurance company, you will have to establish trust in an environment where the agents are using their personal devices over potentially compromised networks to access business data. If you are a manufacturing company looking to automate your factory operations, you will have to establish trust in a highly controlled environment of company tablets and controlled networks. The appropriate approach for Step 1 is good old-fashioned research – engage with your employees and do side-by-sides to understand and support their daily workflows.
Step 2: Respect the device
Mobile devices will be one of the primary ways your employees consume data and access business services … and most of that will happen through mobile apps, not browsers. That means data will be resident on the device. You must establish a perimeter on the device that prevents business data from leaking to other apps while also protecting the privacy of personal data. You must enforce encryption and set appropriate authentication and security policies. You must be able to install and delete apps over-the-air. And you must ensure that untrusted devices and apps cannot access business services – let the trusted in and keep the untrusted out. The appropriate approach for Step 2 is to enroll the device in a unified endpoint management (UEM) solution so that IT has the authority to protect device-side business data and enforce context-driven access policies.
Step 3: Assume change
It’s not really a “zero trust” world … it’s a “dynamic trust” world. The reason we say “zero” is because without any visibility, IT has no idea what level of trust really exists, and so it is better to assume “zero.” But the reality is that the context of modern computing changes constantly – that’s the nature of both mobile and cloud. Devices move across networks and locations. New apps are downloaded, and configurations are changed. Devices are borrowed by friends or family members. The key is to establish an automated tiered compliance model that monitors for contextual changes and then automatically takes appropriate actions, such as notifying the user, expanding or blocking access, and provisioning or retiring apps. The appropriate solution for Step 3 is to first define your trust model and the signals that should drive action, and then configure automated tiered compliance in your UEM solution.
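As an added illustration of the tiered compliance model described in Step 3 (and of the signal-driven policy decision mentioned earlier, where a PDP weighs multiple security signals), here is a small Python evaluator. It is not the article's or any UEM vendor's code; the signal names, tiers and actions are assumptions chosen for the example.

```python
"""Added example: a minimal tiered-compliance evaluator. Signals, tiers and
actions are assumed names, not a real UEM product's API."""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import List, Tuple


class Tier(IntEnum):
    TRUSTED = 0       # full access to business services
    DEGRADED = 1      # access narrowed until the signal clears
    QUARANTINED = 2   # business access blocked, apps retired


@dataclass
class DeviceContext:
    """Contextual signals a UEM agent would report (assumed for the example)."""
    enrolled: bool
    os_compromised: bool          # e.g. jailbreak/root detected
    encryption_enabled: bool
    on_untrusted_network: bool
    unapproved_apps: List[str] = field(default_factory=list)


def evaluate(ctx: DeviceContext) -> Tuple[Tier, List[str]]:
    """Map the current signals to a tier plus the automated actions to take.
    Severe signals short-circuit to QUARANTINED; moderate ones only degrade."""
    actions: List[str] = []
    if not ctx.enrolled or ctx.os_compromised or not ctx.encryption_enabled:
        actions += ["block_access", "retire_business_apps", "notify_user"]
        return Tier.QUARANTINED, actions
    tier = Tier.TRUSTED
    if ctx.on_untrusted_network:
        tier = Tier.DEGRADED
        actions += ["require_reauth", "restrict_to_low_sensitivity"]
    if ctx.unapproved_apps:
        tier = Tier.DEGRADED
        actions += ["notify_user", "remove_apps:" + ",".join(ctx.unapproved_apps)]
    if tier == Tier.TRUSTED:
        actions.append("allow_full_access")
    return tier, actions


def on_context_change(previous: Tier, ctx: DeviceContext) -> Tuple[Tier, List[str]]:
    """Re-evaluate after a signal changes. Regaining trust is an explicit
    'expand_access' action, so access is never silently restored."""
    tier, actions = evaluate(ctx)
    if tier < previous:
        actions.append("expand_access")
    return tier, actions
```

Each call to `evaluate` is stateless, so the same function can run on every reported change rather than once at enrollment.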
Who Should You Trust?
There is no one-size-fits-all answer. It will differ by company, function, and use case … and it will change over time as the needs of your business evolve. But by following the steps above, you can establish an approach to trust that is “Adaptable by Design” and therefore suitable for your organization today and tomorrow.
- Why Smart CISOs Focus First on Trust - January 11, 2019
Excellent article, Ojas. Would like your thoughts on a framework to tackle this issue.