A year after President Biden’s 2021 Executive Order on Improving the Nation’s Cybersecurity, the term Zero Trust has gone from something only cybersecurity professionals talked about to an item on everyone’s wish list. Zero Trust is now a label slapped on cybersecurity devices and software packages regardless of whether they are actually built on a Zero Trust Architecture. However, many executives outside of the cybersecurity arena are still unaware of what Zero Trust is. While the executive order is geared towards federal agencies and their compliance with improved cybersecurity requirements, these compliance measures are often adapted and adopted by both the public and private sectors. Examples of this can still be seen in the widespread implementation of standards and protocols advised by the National Institute of Standards and Technology (NIST). In fact, NIST has a document that lays out the basics, tenets, and use cases for Zero Trust Architecture: NIST Special Publication 800-207. I want to cut to the core of what a Zero Trust model is, whether organizations beyond the federal government need it, and how it can be implemented if so. This article is not meant to be a definitive guide; it is intended for executives and managers who need a better grasp of the concept to make informed decisions on their cybersecurity needs.
Let me first start with what a Zero Trust model is not. A Zero Trust model does not mean no one is trusted. It is not a single security appliance or software package that can be implemented across your business’ information technology ecosystem. It is not easy or fast, and it is not any one single thing you can do or buy to create a Zero Trust model in your organization. Instead, at the most basic level, a Zero Trust model is a set of principles that can be acted on to secure your organization by ensuring no one person, device, or application is trusted implicitly. A common analogy used to describe traditional cybersecurity is the concept of a castle and a moat.
The problem with the concept of securing the perimeter like a castle and moat is that time and again we have come to realize that this does not work. Whether it is someone who has breached the perimeter security and is running amok on your network or a malicious insider who is inside your “castle walls” already, all the castle and moat model manages to do is ensure that we feel safe in an unsafe situation. Just because someone is inside the castle does not mean they are supposed to be. Furthermore, just because they are in the castle does not mean they get to go wherever they like. This is precisely what happens when the cybersecurity perimeter is breached and attackers move laterally through the network to get to your kingdom’s treasure.
Let’s carry this castle analogy forward into a Zero Trust model. In a Zero Trust model the assumption is that the castle has been invaded already. The term Zero Trust does not mean no one person, device, or application is trusted. Instead, it applies to implied trust: no one person, device, or application is implicitly trusted just because they are inside your network. You have supplied credentials and made it into the castle; now you must prove who you are, why you are there, and what you are doing. These proofs must be repeated for as long as you are accessing any part of the castle. A security guard will be attached to your hip and will check repeatedly whether you belong there.
Every time that proof is submitted it will be checked against several variables. Are you supposed to be here? Is this the normal time that you are usually here? Are you allowed to move things from one part of the castle to another? If at any point it is suspected that you are in violation of any of these variables, you will be launched from the castle or, at a minimum, put in the castle dungeon until someone vouches for you. OK, I think I have exhausted the analogy.
Let’s dive into the reality of implementing a Zero Trust model and what that means. NIST SP 800-207 defines Zero Trust as “a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as compromised.”
Implementing a Zero Trust model requires adherence to 7 basic tenets. The NIST Zero Trust basic tenets are listed below, each followed by a brief breakdown of what it means in plain terms.
1. All data sources and computing services are considered resources.
This means that we need to not only safekeep the data that we are using and creating but also the means of creating the data. This tenet accommodates the use of outside cloud services and personal devices that may access your organization. With this single tenet, an organization can expand the scope of its cybersecurity beyond its physical information technology assets and embrace cloud and bring your own device (BYOD) benefits while setting acceptable standards. Securing the cloud and outside devices has often been seen as an additional factor to deal with in cybersecurity instead of being baked in from the beginning.
2. All communication is secured regardless of network location.
In other words, just because a desktop is plugged into a network jack inside your organization does not mean it is automatically trusted. The device must prove that it belongs there just as if it were outside the network. Furthermore, all communications from all devices “should be done in the most secure manner available, protect confidentiality and integrity, and provide source authentication.”
3. Access to individual enterprise resources is granted on a per-session basis.
Being allowed access to the sales accounting files when you logged in yesterday does not mean you automatically have access to the sales accounting files today. You will need to prove who you are and that you have access to the sales accounting files again today. One day is an arbitrary time frame; in practice the window would need to be much shorter than that to qualify. NIST also brings up the concept of least privilege. Using the above example, just because you have access to the sales accounting files does not mean you need access to sales personnel files.
4. Access to resources is determined by dynamic policy—including the observable state of client identity, application/service, and the requesting asset—and may include other behavioral and environmental attributes.
At the base level of this tenet is the concept of setting policy. There needs to be policy created and strictly enforced surrounding roles, rules, attributes, and least privilege. But of course, it is not that simple, and this is where we start getting into the weeds. This tenet of Zero Trust is where we see our friend the security guard again. Who are you (identity), what are you doing here (application/service), what are you trying to access (requesting asset), do you usually do this now (behavioral), where are you (environmental)? The security guard will come in the form of an automation tool (think software) that will constantly monitor access to resources (remember data and computing services) and analyze that access in context of policy.
5. The enterprise monitors and measures the integrity and security posture of all owned and associated assets.
Just as no person is implicitly trusted, neither are any of the information technology assets in your organization. All your organization’s information technology assets (think computers, software packages, BYOD devices) will be monitored and patched in a timely fashion to ensure that they are secure. Automation tools to the rescue once again! Software tools can ensure that all assets are constantly monitored and problems mitigated as they arise. If an asset cannot be secured sufficiently but is still necessary for business, then it will be siloed to minimize security exposure.
6. All resource authentication and authorization are dynamic and strictly enforced before access is allowed.
Our friendly security guard makes a return here. Before any access is granted the security guard will verify who you are and ensure you are accessing what you are supposed to, CONSTANTLY. NIST does make a concession here and allows for such constant monitoring to strive to “achieve a balance of security, availability, usability, and cost-efficiency.” Though constant authentication and authorization are required for Zero Trust models, there is a point of absurdity if you spend more time proving who you are than performing your job.
7. The enterprise collects as much information as possible about the current state of assets, network infrastructure and communications and uses it to improve its security posture.
Again, automation will be necessary here to collect as much information as possible about your information technology assets. This information can be used to understand your cybersecurity health as well as drive the dynamic information that the automated “security guard” will use when confirming who is allowed to do what.
The 7 basic Zero Trust tenets in brief
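To show how tenets 3 through 6 combine in the automated “security guard”, here is a small policy decision function written as an added example for this article (it is not code from NIST SP 800-207 or from any product). The role-to-resource table, the 15-minute session window, and the user baseline are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Set

# Constructed least-privilege policy (tenet 3): a role is granted only the
# resources it needs. Sales gets accounting files, not personnel files.
ROLE_ACCESS: Dict[str, Set[str]] = {
    "sales": {"sales-accounting"},
    "hr": {"sales-personnel"},
}
# Per-session access (tenet 3): re-prove identity after this many seconds.
# Assumed value for the example; NIST gives no fixed number.
SESSION_TTL_SECONDS = 15 * 60


@dataclass
class AccessRequest:
    user: str
    role: str              # identity (tenet 4)
    resource: str          # requesting asset (tenet 4)
    session_age: int       # seconds since the last authentication
    device_managed: bool   # tenet 5: is the asset known and monitored?
    device_patched: bool   # tenet 5: is its security posture acceptable?
    hour: int              # behavioral attribute: local hour of the request
    location: str          # environmental attribute: where the request originates


@dataclass
class UserBaseline:
    usual_hours: range          # hours this user normally works
    usual_locations: Set[str]   # locations this user normally works from


def decide(req: AccessRequest, baseline: UserBaseline) -> str:
    """Return 'allow', 'step-up' (re-authenticate; the 'dungeon') or 'deny'."""
    # Tenet 5: an unmanaged or unpatched asset is not trusted, whatever the user's rights.
    if not (req.device_managed and req.device_patched):
        return "deny"
    # Tenet 3 / least privilege: the role must explicitly grant this resource.
    if req.resource not in ROLE_ACCESS.get(req.role, set()):
        return "deny"
    # Tenet 3 / 6: access is per session; a stale session must prove identity again.
    if req.session_age > SESSION_TTL_SECONDS:
        return "step-up"
    # Tenet 4: unusual time or place is suspicious context, so require extra proof
    # rather than silently allowing or flatly denying.
    if req.hour not in baseline.usual_hours or req.location not in baseline.usual_locations:
        return "step-up"
    return "allow"
```

Every request, not just the first login, goes through `decide`, which is the per-request evaluation the tenets describe.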
Now to the question of whether your organization needs to adopt a Zero Trust model for your cybersecurity needs. The short answer is, probably. However, a full adoption of a Zero Trust model may not be possible or necessary due to budget and technology constraints.
There are a couple of spots of good news. If you have a robust cybersecurity program in place in your organization, it is likely that some of these tenets are already in action within your organization, such as network segmentation, least privilege, log aggregation and analysis, and robust authentication and authorization policies. The challenge comes when trying to incorporate legacy systems (traditional cybersecurity appliances and software) into a Zero Trust model. If you do not have a cybersecurity program in place, adopting a Zero Trust model will be a steep learning curve, but a traditional cybersecurity program was also going to be a steep learning curve. On the upside, organizations with no set cybersecurity program in place will not have the challenge of incorporating legacy cybersecurity products to make them work with a Zero Trust model.
The Zero Trust model can be adapted by organizations large and small. The trick comes in taking the parts of the Zero Trust model that can be implemented with maximum impact on cybersecurity effectiveness while simultaneously ensuring minimal impact on how you conduct business. A cybersecurity program that secures business at the cost of doing business isn’t one that makes sense. As the Zero Trust model becomes more widely utilized, we will see applications that allow for easier, more cost-effective adoption of the tenets. The sooner your organization adapts and adopts the tenets of a Zero Trust model, the easier it will be to incorporate those automation tools when they become available.
If you need help updating your organization’s cybersecurity governance and policies or starting with no cybersecurity program at all, we here at Quantum Vigilance are happy to discuss options that best fit your needs.