Is your company getting to grips with the zero-trust security conundrum? A recent data threat report revealed, totally unsurprisingly, that the pandemic-driven shift to large scale remote working had left 44% of security teams not confident that their secure access systems were up to the job. The same proportion, 44%, were looking to zero-trust network access (ZTNA) or a software-defined perimeter (SDP) to help address this, according to the same research. But what is a zero-trust security model and why should your business care?
What is a zero-trust security model?
The idea of protecting your network perimeter at all costs has become largely obsolete over the last decade or so, because the network edge now extends, well, almost everywhere. The cloud, IoT, mobile users and, more recently, the work-from-home explosion collectively mean that a ‘trusted perimeter’ is now a fiction. The digitally transformed business reality of today dictates that every request is treated as if it came from an untrusted network, and every user and device is considered a potential threat until it can be verified otherwise. This ‘never trust, always verify’ approach sits at the heart of what a zero-trust strategy is.
What it isn’t, is a product you can buy off the shelf. I mentioned strategy for a reason: zero-trust is a strategic security model, a policy-led thing that is supported by technology rather than the other way around.
Neither is zero-trust some security panacea that will prevent all threats or defeat all attackers. Instead, it’s about reducing the risk profile and limiting the damage an attacker can do once they are in. Lateral movement, which depends on finding gaps in the application of the principle of least privilege, is at the heart of most breaches. You need look no further than human-operated ransomware, where attackers will often start with targeted phishing to get a foothold on a single endpoint, then work from there to escalate privileges, exfiltrate data and finally encrypt whatever they can reach. Where an attack starts, in other words, is rarely where it finishes.
The zero-trust concept of never trust, always verify means that by validating users and devices, enforcing granular permissions, and continually adding context regarding the who, what and how of access, you can minimize exposure not only at the starting point of an attack but also right along those lateral movement routes.
Zero-trust doesn’t actually mean trust nothing
Here’s the thing though, and I hope you are sitting down: implementing a zero-trust strategy isn’t actually about trusting nothing. There, I’ve said it. So, what is it about when we come to the practicalities of implementation?
That ‘never trust’ mantra remains the backbone of your strategic assumption, but the reality is that zero-trust can only work if you have the technical ability to authorize, validate and verify every device and every user with confidence. What zero-trust does is remove any notion of trust being the default and replace it with an assertion that trust must be earned, per request. Each new device and each user needs to pass that ‘test’ of trustworthiness before access is given, and needs to keep passing it as the context changes.
This means you first need visibility into your business assets and an understanding of where your data is, who uses it and for what purpose and the value to both your organization and an attacker.
This end-to-end visibility requirement enables a proper risk assessment to be made as well as providing the context required to allow for the granular access controls that prevent lateral movement.
Of course, keeping a policy like that dynamic and meaningful as operational requirements change demands a degree of automation; a rule set that is hand-edited once a quarter will not reflect who actually needs what today. A zero-trust model also works best when the access controls sit as close as possible to the resources being protected. It’s that context thing again, and it is what brings the right level of granularity into the trust equation.
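The ‘trust is earned per request’ idea above is easiest to see as a policy decision function. The following is an added example written for this article, not code from any product: it evaluates one access request against least-privilege entitlements, MFA freshness and device posture, and deliberately ignores which network the request came from. The request shape, group names, resource catalogue and posture thresholds are all invented for illustration.

```python
"""Per-request access decision in the 'trust is earned' spirit of zero trust.

Added example; the data model, group names and thresholds are hypothetical.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool          # enrolled in device management and attested
    disk_encrypted: bool
    patch_age_days: int    # days since the last OS patch was applied


@dataclass(frozen=True)
class Session:
    user: str
    groups: frozenset
    mfa_age_s: Optional[int]   # seconds since the last MFA proof, None = never
    device: Device
    source_network: str        # "corp", "vpn" or "internet": deliberately unused


@dataclass(frozen=True)
class Resource:
    name: str
    sensitivity: str           # "low", "medium" or "high"
    allowed_groups: frozenset  # least-privilege entitlement mapping
    mfa_max_age_s: int         # how fresh the MFA proof must be for this resource


# Posture a device must meet before it earns trust for a given sensitivity.
# Hypothetical thresholds chosen for the example.
POSTURE = {
    "low":    {"managed": False, "encrypted": False, "max_patch_age": 90},
    "medium": {"managed": True,  "encrypted": True,  "max_patch_age": 30},
    "high":   {"managed": True,  "encrypted": True,  "max_patch_age": 14},
}


def decide(session: Session, resource: Resource) -> Tuple[bool, List[str]]:
    """Evaluate one access request. Returns (allowed, reasons_for_denial).

    Every check must pass. Nothing is inferred from session.source_network:
    a request from the office LAN earns no more credit than one from a cafe.
    """
    reasons: List[str] = []

    # 1. Least privilege: the user must be explicitly entitled to this resource.
    #    This is the check that stops a foothold in one system becoming
    #    lateral movement into another.
    if session.groups.isdisjoint(resource.allowed_groups):
        reasons.append(f"user {session.user} is not entitled to {resource.name}")

    # 2. Identity verification must be recent enough for this resource.
    if session.mfa_age_s is None:
        reasons.append("no MFA proof on this session")
    elif session.mfa_age_s > resource.mfa_max_age_s:
        reasons.append(f"MFA proof is {session.mfa_age_s}s old; "
                       f"limit for {resource.name} is {resource.mfa_max_age_s}s")

    # 3. Device posture: the device has to earn trust as well as the user.
    want = POSTURE[resource.sensitivity]
    dev = session.device
    if want["managed"] and not dev.managed:
        reasons.append(f"device {dev.device_id} is unmanaged")
    if want["encrypted"] and not dev.disk_encrypted:
        reasons.append(f"device {dev.device_id} has no disk encryption")
    if dev.patch_age_days > want["max_patch_age"]:
        reasons.append(f"device {dev.device_id} was last patched "
                       f"{dev.patch_age_days} days ago")

    return (not reasons, reasons)


# Constructed sample data for the example.
LAPTOP = Device("LT-0421", managed=True, disk_encrypted=True, patch_age_days=7)
BYOD = Device("PHONE-77", managed=False, disk_encrypted=False, patch_age_days=40)
ALICE = Session("alice", frozenset({"sales"}), mfa_age_s=600,
                device=LAPTOP, source_network="corp")
CRM = Resource("crm-db", "medium", frozenset({"sales"}), mfa_max_age_s=8 * 3600)
PAYROLL = Resource("payroll", "high", frozenset({"finance"}), mfa_max_age_s=900)

if __name__ == "__main__":
    # Alice may reach the CRM she is entitled to, but the same valid session
    # does not carry her sideways into payroll.
    for res in (CRM, PAYROLL):
        allowed, why = decide(ALICE, res)
        print(res.name, "ALLOW" if allowed else "DENY", why)
```

The point of the reasons list is operational: a denial that says which control failed (entitlement, MFA age, posture) is what lets the automation mentioned above tune policy rather than simply generate tickets.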
The end of passwords?
One zero-trust conundrum is that while it addresses the perimeter vanishing-point problem, it seems to clash head-on with the idea that security should never come with a usability cost attached. A security measure that makes life unnecessarily complicated, cumbersome or time-consuming for the end-user is doomed to failure. That’s a simple truth, but fortunately, a ‘never trust and always verify approach’ doesn’t have to fall foul of this critical canon.
Thanks to what are commonly referred to as passwordless authentication methods, a coherent policy can be enforced while actually removing one barrier to usability. Instead of requiring users to type passwords at every turn, the user is verified by multi-factor authentication (MFA) built on something you possess (a smartphone or hardware security key holding a private key that never leaves the device) and something you are (a fingerprint or facial scan that unlocks that key locally). Standards such as FIDO2/WebAuthn work exactly this way: the biometric is checked on the device and the service only ever sees a signed, origin-bound challenge, so there is no shared secret for a phishing page to capture and replay.
Verification can be achieved without a user friction overdose.
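To make the possession-factor exchange concrete, here is an added example written for this article, not code from any authenticator or identity product. It uses an HMAC over a server-issued challenge as a stand-in for the public-key signature a FIDO2/WebAuthn authenticator would produce, so that it runs with the standard library alone; the protocol shape is the same (one-time challenge with an expiry, the origin bound into what is signed, a monotonic counter to spot cloned authenticators). The user name, origin strings and time values are invented.

```python
"""Passwordless possession-factor login as a challenge-response exchange.

Added example. HMAC stands in for the asymmetric signature a real
FIDO2/WebAuthn authenticator would produce; all names are hypothetical.
"""
import hashlib
import hmac
import os


def _proof(secret: bytes, origin: str, challenge: bytes, counter: int) -> bytes:
    """What the authenticator 'signs': origin || challenge || counter."""
    msg = origin.encode() + challenge + counter.to_bytes(4, "big")
    return hmac.new(secret, msg, hashlib.sha256).digest()


class Server:
    """Relying party: issues challenges and verifies proofs."""

    def __init__(self, origin: str):
        self.origin = origin
        self.enrolled = {}   # user -> {"secret": bytes, "counter": int}
        self.pending = {}    # challenge -> (user, expires_at)

    def enroll(self, user: str, device_secret: bytes) -> None:
        self.enrolled[user] = {"secret": device_secret, "counter": 0}

    def begin_login(self, user: str, now: float, ttl_s: int = 60) -> bytes:
        challenge = os.urandom(32)             # fresh, unguessable, single use
        self.pending[challenge] = (user, now + ttl_s)
        return challenge

    def finish_login(self, user, challenge, counter, proof, now):
        # Pop, so a replay of an already-consumed challenge cannot succeed.
        entry = self.pending.pop(challenge, None)
        if entry is None or entry[0] != user:
            return False, "unknown or already used challenge"
        if now > entry[1]:
            return False, "challenge expired"
        rec = self.enrolled.get(user)
        if rec is None:
            return False, "user not enrolled"
        # The server binds its own origin in; a proof made for a look-alike
        # phishing origin will not verify here.
        expected = _proof(rec["secret"], self.origin, challenge, counter)
        if not hmac.compare_digest(expected, proof):
            return False, "bad proof"
        # Counter must strictly increase; a cloned authenticator falls behind.
        if counter <= rec["counter"]:
            return False, "counter regression (cloned authenticator?)"
        rec["counter"] = counter
        return True, "ok"


class Authenticator:
    """Hardware key or phone: holds the secret and releases a proof only after
    a local user-presence or biometric check, modelled by the `unlocked` flag."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self.counter = 0

    def respond(self, origin: str, challenge: bytes, unlocked: bool):
        if not unlocked:
            raise PermissionError("local user verification failed")
        self.counter += 1
        return self.counter, _proof(self._secret, origin, challenge, self.counter)


def demo(now: float = 1_000_000.0) -> dict:
    """Happy-path login plus the failure modes a practitioner cares about."""
    secret = os.urandom(32)
    server = Server("https://login.example.test")      # hypothetical origin
    key = Authenticator(secret)
    server.enroll("alice", secret)
    results = {}

    # 1. Normal login: challenge out, proof back, counter advances to 1.
    ch = server.begin_login("alice", now)
    ctr, proof = key.respond(server.origin, ch, unlocked=True)
    results["login"] = server.finish_login("alice", ch, ctr, proof, now + 5)

    # 2. Replay of the exact challenge/proof pair that was already accepted.
    results["replay"] = server.finish_login("alice", ch, ctr, proof, now + 6)

    # 3. Phishing: the key answered a look-alike origin, so the proof is wrong.
    ch2 = server.begin_login("alice", now + 10)
    ctr2, proof2 = key.respond("https://login.example-test.test", ch2, True)
    results["phish"] = server.finish_login("alice", ch2, ctr2, proof2, now + 12)

    # 4. Stale challenge presented long after its 60 s TTL.
    ch3 = server.begin_login("alice", now + 20)
    ctr3, proof3 = key.respond(server.origin, ch3, unlocked=True)
    results["stale"] = server.finish_login("alice", ch3, ctr3, proof3, now + 200)

    # 5. Cloned authenticator whose counter is behind the one the server saw.
    clone = Authenticator(secret)
    ch4 = server.begin_login("alice", now + 30)
    ctr4, proof4 = clone.respond(server.origin, ch4, unlocked=True)  # counter 1
    results["clone"] = server.finish_login("alice", ch4, ctr4, proof4, now + 31)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:7} -> {outcome}")
```

Nothing in this exchange is typed by the user, and nothing reusable crosses the wire: each proof is tied to one challenge, one origin and one counter value, which is why the usability gain and the security gain arrive together.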
Once again, this reinforces the golden rule that a zero-trust approach to security should never be thought of in isolation. I repeat, it’s a strategy and not a product. Think of it as being just one step towards a more secure business that must encompass everything from risk assessment to application access and policy enforcement.
It’s a mantra that should ring in the ears of every security practitioner and serve to drive another: trust no one, verify everywhere. The idea that your assets and data should only be accessible to fully authorized and authenticated parties is hardly a eureka moment, so if you haven’t yet considered the zero-trust security model, or a passwordless future, maybe now’s the time to start.