When the pandemic hit and it became essential to shift to a remote workforce, companies around the world tried their best to keep the lights on. They had to reimagine their business processes, redefine responsibilities for their workforce, and realign the necessary tools to support the remote 'working environment'. Threat actors saw this opportunity, and there was a massive surge in cyberattacks. In an August 2020 report, Interpol assessed that cybercrime had shifted significantly away from individuals and small enterprises and toward large organizations, governments, and essential infrastructure. Between February and March 2020, the agency observed a 569 percent increase in malicious registrations, including malware and phishing, and a 788 percent increase in high-risk registrations.
This meant that you had to ensure business continuity while keeping security measures intact. For many organizations, that proved to be a very difficult task. Now that the dust has settled and work is returning to normal, firms around the world are looking for new security measures and models, ones that are foolproof and future-ready. In this blog, we will look at one such security model, known as Zero Trust security. We will assess its attributes and the challenges it addresses, and understand its applicability to present and future threats.
Traditionally, computer networks used a "trust but verify" security architecture: any person or device was considered trustworthy once it had been authenticated. That worked well for early computer networks because companies could effectively regulate the devices and connections, as they all operated from a single central place (on-premises).
The proliferation of telecommuting and mobile devices shifted the threat environment. Today, IT teams must strike a balance between network security and the requirements of a mobile workforce. Hackers discovered that once they had "access," nothing stopped them from looking at and stealing whatever they wanted, so a new paradigm was needed to assure end-to-end device and network security. This need led to the Zero Trust concept.
Zero trust was coined in 2010 by Jon Kindervag, then-vice president and lead analyst at Forrester Research. It is based on the principle of "never trust, always verify." The network does not differentiate between users, packets, interfaces, or devices based on their origin. Each individual begins with the same amount of trust and must establish what or who they are in order to acquire access to vital assets. Users get access to only the information necessary to fulfill the request.
Zero Trust is guided by the following principles:
1. Never Trust, Always Verify - Consider each user, device, workload, and piece of information to be untrustworthy. Using dynamic security rules, authenticate and explicitly authorize each user with the least amount of authority necessary.
2. Assume Breach - Consciously operate and protect resources as though an adversary already has a presence in the environment. By default, deny all users, devices, data flows, and requests for access. Log, inspect, and continually monitor all changes, resource requests, and network traffic for suspicious activity.
3. Verify Explicitly - Access to all resources must be consistent and safe, using multiple authentication characteristics (dynamic and static) to calculate confidence levels for the relevant resources.
1) Do Away With The Notion of Trust in a Network: There are no trustworthy sources when there is no trust. Each packet transmitted over a network must be permitted, authenticated, and encrypted. When all communication is treated equally (whether it originates inside or outside the network) and the user is constantly authenticated, hackers have a far more difficult time breaching network security.
2) Implement Vital Preventive Security Measures: Zero trust is a strategy; in order to establish a network around this architecture, IT departments must design their networks with a few crucial preventive security measures in mind.
This raises critical issues with identity and device verification: Is the person or device connected indeed who they claim to be? Is the device sufficiently protected? Is there any odd behavior taking place? These are the types of questions that a system of zero trust will address. When developers want to increase the security of their apps, they generally turn to multi-factor authentication (MFA), which requires two (or more) forms of authentication in addition to the standard username and password login.
Additionally, zero trust networks ensure that users and devices are always granted the least amount of access feasible. Authorization is restricted to the minimum necessary to execute an activity. In the event of an attack, this restricts the attacker's mobility beyond the break-in point.
By approaching information security in this manner, it becomes significantly simpler to contain security events. There is a reduced chance of being hacked even with Bring Your Own Device (BYOD) devices or insider attacks. Micro-segmentation is a technique that allows engineers to leave behind the traditional "castle and moat" attitude of conventional network architecture, which places most of the protection on the network perimeter. Instead, smaller zones are built within the typical perimeter to further isolate network segments by device, purpose, or identity. For example, by compartmentalizing security beyond the login page, an attacker does not gain complete control over the contents of the system in the event of a break-in.
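The three principles and the verification, least-privilege and micro-segmentation points above can be put together in a small policy decision point. The following is an added example written for this post, not the author's or any vendor's code; the identities, resources, confidence weights and thresholds are constructed, and the audit log is an in-memory list standing in for a real logging pipeline.

```python
"""Zero-trust policy decision point: deny by default, verify explicitly,
grant least privilege, log everything (constructed example, not the blog's code)."""
from dataclasses import dataclass, asdict
import json

# Least-privilege allow-list: (identity, resource) -> permitted actions.
# Anything not listed is denied by default.
ALLOW = {
    ("alice", "hr-payroll"): {"read"},
    ("bob", "hr-payroll"): {"read", "write"},
    ("alice", "wiki"): {"read", "write"},
}
# Minimum confidence a request must reach per resource (its micro-segment sensitivity).
REQUIRED_CONFIDENCE = {"hr-payroll": 80, "wiki": 40}
AUDIT_LOG = []  # every decision is recorded, allowed or denied ("assume breach")

@dataclass
class Request:
    user: str
    mfa_verified: bool    # dynamic signal: second factor presented for this session
    device_managed: bool  # static signal: device is enrolled and inventoried
    device_patched: bool  # dynamic signal: OS at the required patch level right now
    resource: str
    action: str
    network: str          # "corp" or "internet"; deliberately never consulted

def confidence(req: Request) -> int:
    """Combine static and dynamic attributes into a 0-100 confidence score."""
    score = 10 if any(u == req.user for u, _ in ALLOW) else 0  # identity is known
    score += 40 if req.mfa_verified else 0
    score += 30 if req.device_managed else 0
    score += 20 if req.device_patched else 0
    return score

def authorize(req: Request) -> tuple[bool, str]:
    """Return (allowed, reason). Network location plays no part in the decision."""
    granted = ALLOW.get((req.user, req.resource), set())
    score, needed = confidence(req), REQUIRED_CONFIDENCE.get(req.resource, 100)
    if req.action not in granted:
        decision = (False, "no explicit grant for this action")
    elif score < needed:
        decision = (False, f"confidence {score} below required {needed}")
    else:
        decision = (True, f"granted with confidence {score}")
    AUDIT_LOG.append(json.dumps({**asdict(req), "allowed": decision[0], "reason": decision[1]}))
    return decision
```

Note that a request from the corporate network with no MFA fails for the payroll segment while the same user on the public internet with MFA and a healthy device succeeds; the network the request arrives from confers nothing.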
3) Enable Real-time Breach Response Tactics:
While the measures described above significantly increase network security, break-ins do occur. To contain them, network administrators should adopt real-time monitoring tools that increase the speed with which they respond to incoming threats.
Along with monitoring, automatic remediation is critical. A computer can operate at a quicker rate than a human, therefore many zero trust systems include some form of an automated system for detecting, investigating, remediating, and preventing more attack attempts.
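What such an automated detect-and-remediate loop looks like in practice, as an added example that is not part of the original post: it reads constructed decision records (the JSON line format, the device names and the thresholds are assumptions), flags a device that is repeatedly denied or that hops across several micro-segments within a minute, and maps each finding to a hypothetical containment action.

```python
"""Real-time detection and automatic containment over a zero-trust access log
(constructed example; the log format and actions are assumptions, not the blog's)."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

DENY_THRESHOLD = 3        # denied requests from one device inside the window
SEGMENT_THRESHOLD = 3     # distinct micro-segments one device reaches inside the window
WINDOW = timedelta(seconds=60)

# Constructed sample log: one JSON decision record per line, as a policy engine
# that logs every request might emit them.
SAMPLE_LOG = """\
{"ts": "2024-01-10T09:00:01Z", "device": "lap-17", "user": "alice", "segment": "wiki", "allowed": true}
{"ts": "2024-01-10T09:00:05Z", "device": "lap-17", "user": "alice", "segment": "hr-payroll", "allowed": true}
{"ts": "2024-01-10T09:00:09Z", "device": "lap-17", "user": "alice", "segment": "finance-db", "allowed": true}
{"ts": "2024-01-10T09:00:12Z", "device": "lap-42", "user": "bob", "segment": "hr-payroll", "allowed": false}
{"ts": "2024-01-10T09:00:14Z", "device": "lap-42", "user": "bob", "segment": "hr-payroll", "allowed": false}
{"ts": "2024-01-10T09:00:16Z", "device": "lap-42", "user": "bob", "segment": "finance-db", "allowed": false}
{"ts": "2024-01-10T09:05:00Z", "device": "lap-99", "user": "carol", "segment": "wiki", "allowed": true}"""

def analyze(log_text: str) -> dict:
    """Return {device: [finding, ...]} for devices showing suspicious patterns."""
    by_device = defaultdict(list)
    for line in log_text.splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        by_device[rec["device"]].append(rec)
    findings = defaultdict(set)
    for device, recs in by_device.items():
        recs.sort(key=lambda r: r["ts"])
        for i, first in enumerate(recs):  # slide a window starting at each event
            window = [r for r in recs[i:] if r["ts"] - first["ts"] <= WINDOW]
            if sum(not r["allowed"] for r in window) >= DENY_THRESHOLD:
                findings[device].add("repeated-denials")   # probing or credential misuse
            if len({r["segment"] for r in window if r["allowed"]}) >= SEGMENT_THRESHOLD:
                findings[device].add("lateral-movement")   # hopping across segments
    return {d: sorted(f) for d, f in findings.items()}

def remediate(findings: dict) -> list:
    """Map findings to containment actions a SOAR playbook would run (hypothetical names)."""
    actions = []
    for device, kinds in sorted(findings.items()):
        actions.append(f"revoke-sessions:{device}")          # force re-verification
        if "lateral-movement" in kinds:
            actions.append(f"quarantine-device:{device}")    # isolate from every segment
    return actions
```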
While we have discussed the attributes of Zero Trust, including its principles, the main focus of this blog is to analyze its applicability in the present age. While we praise its benefits, it is also worthwhile to analyze its limitations and separate hype from reality.
While many of the Zero Trust procedures are sound and rational, many become difficult to attain due to the following challenges that practically every business faces:
1. Outdated Apps
Technology is always evolving, and the apps of yesterday might be outdated tomorrow. Internal application redesign, recoding, and redeployment may be costly and disruptive. To pursue these sorts of activities, there must be a compelling business case. It is not always viable to add security settings to existing apps to make them zero-trust aware, and it is unlikely that your existing applications already support zero trust.
As a result, depending on your reliance on bespoke apps, this will influence whether or not you can embrace zero trust in those processes, as well as the associated work and expense. This is especially true when programs are not micro perimeter compliant or lack the appropriate application programming interfaces.
2. Legacy Systems
Most likely, legacy programs, infrastructure, and operating systems are not zero-trust aware. They have no concept of least privilege or of restricting lateral movement, and they lack dynamic authentication models that adapt to changing contexts.
To allow zero trust implementations, a layered—or wrapper—approach is required. However, a layered approach encapsulates external access to the resource and allows it to interact with the system only occasionally. This undermines the zero-trust idea. You cannot always monitor the behavior of a program that is incompatible. While you may scrape screens, capture keystrokes, and monitor logs and network traffic for potentially malicious activities, your response time is restricted. You can restrict the legacy application's external interaction to the user or other resources—but not the runtime itself. This restricts zero trust's scope, and depending on the features of the old application, companies may discover that monitoring network traffic is impossible owing to stringent encryption standards.
3. Technologies Based on Peer-To-Peer Collaboration
Beginning in 2015, Windows 10 included a peer-to-peer mechanism that enables peer computers to exchange Windows Updates to conserve Internet bandwidth. While some companies disable this feature, others are unaware of its existence. It enables lateral movement between unregulated systems. While there are no known vulnerabilities or exploits for this functionality, it does expose communications that violate the zero-trust concept. There should be no lateral movement that is not authorized, even within a given micro perimeter.
Additionally, you will discover that protocols such as ZigBee or other mesh network technology run in direct opposition to zero trust. They function via peer-to-peer communication, and the trust model is exclusively dependent on keys or passwords, with no dynamic models for authentication modification.
Therefore, if you want to adopt zero trust, carefully explore if your company utilizes peer-to-peer or mesh network technologies, including those used in wireless networks. These are significant impediments to implementing the access and micro perimeter restrictions necessary for zero trust.
Even for enterprises capable of building a new data centre, implementing a role-based access model, and fully embracing zero trust, digital transformation concerns might make the idea difficult to adopt.
The digital revolution facilitated by Cloud, DevOps, and IoT does not support the zero-trust paradigm, as segmentation and enforcement of the notion require extra technologies. This can be too expensive for big deployments and may even impair the solutions' ability to interact effectively with multiple user access. If you have any doubts, examine the storage needs and license fees associated with logging every event for dynamic access to all resources used in the project.
While some may argue that the Cloud embraces segmentation and zero trust models, the truth is that it all depends on how the Cloud is used. Simply lifting your existing data centre (your raised floor) into the cloud does not imply zero trust. If you build a new application as a service in the cloud, it can certainly embrace zero trust.
However, just migrating to the Cloud as part of your digital transformation does not imply that you will automatically receive the benefits of the mandated zero trust paradigm. And, if you want to accept zero trust and include it into your strategy, you can be assured that it will not function effectively as a layered approach.
To resolve the Zero Trust concerns that have plagued cybersecurity for over a decade, you must flip your mindset. This means, prioritize strategy first, and technology second. Recognizing that identity, device integrity, access control, and continuous inspection are all necessary to accomplish Zero Trust is far different from buying and deploying technologies that address a single cybersecurity issue without regard for the larger picture of a strategic approach. Cybersecurity should always be aligned with business objectives, and practitioners should understand that their purpose is not to identify bad actors or prevent the next zero-day assault, but to always keep the business functioning, even when confronted daily with a barrage of cyber-attacks.
In the current cyber landscape, the success of a firm is contingent upon its capacity to safeguard its devices and network. Zero trust is the logical conclusion. However, that discussion is meaningless until we understand how to implement it, and therein lies the rub: there are various misconceptions about what zero trust truly entails.
At its heart, zero trust is a security framework that employs layered security measures and protections to ensure that no one user, program, or device possesses the network's "trust." Everything is validated and only the most restricted access is granted.
The following are some of the most fundamental considerations that every attacker will consider while intending to hack an IT system:
Where does a trustworthy network come to an end?
How many systems can this trusted device access?
What can I do with this trustworthy username and password combination?
What are the similarities between these questions? They are all predicated on the idea that an implicitly trusted component can confer a demonstrable offensive advantage on an attacker. Attackers do get an advantage when they can take control of an implicitly trusted machine and gain access to other systems without performing further security checks. On the other hand, Zero Trust negates this benefit by eliminating the idea of trust from decision-making related to information access and interaction with digital assets.
Senior Director | ISSQUARED Information Security
Surya Jatavallabhula is a Cyber Security and Risk professional with an extensive history in the Banking, Biotech, Medical, and Education sectors. Surya has played various roles across security domains, including CISO, Security Partner/SME for Information and Cyber Security, DevSecOps, Risk Management, Data Privacy, Enterprise Security Architecture, Data Architecture, Technology Risk, and Portfolio Management, after graduating with an MS in Risk Management from the Stern School of Business, New York University, U.S., and an M.B.A. from Leeds University Business School, U.K.