Moving onto a pathway that leads to the Zero Trust model of security is the latest trend in cyber security.

Year after year, thousands of businesses are hacked and billions of data records are stolen by cyber thieves. In extreme cases this leads to business closures, as well as to a loss of confidence in the security of governments, banks and corporations, up to and including countries’ national elections.

Zero Trust

Post-mortem investigations often show that these breaches aren’t sophisticated. Instead, they exploit stolen, weak or compromised credentials: our trust in identities is being used against us. To address these issues, the Zero Trust model has recently been gaining industry momentum. According to IDG’s 2019 Security Priorities Survey, 38% of security and IT decision-makers anticipate that their spending on security awareness and evaluations will increase over the next year, 71% of security-focused IT decision-makers are familiar with the Zero Trust model, and 47% of organizations are actively researching Zero Trust technologies.

What is the Zero Trust model?

The Zero Trust model, introduced in 2010 by Forrester Research working together with the National Institute of Standards and Technology (NIST), isn’t a new concept. Forrester analyst John Kindervag found through research that inherent trust assumptions in security measures can leave businesses vulnerable to internal and external cyber-attacks. Zero Trust is a security concept based on the principle that businesses shouldn’t inherently trust anyone outside their perimeter or inside their systems. With this thinking, security managers must verify every request to connect to their systems before granting access.

Originally, the concept of Zero Trust was a data-centric network design that used micro-segmentation to enforce more granular rules to limit lateral movement by cyber attackers. Since its beginning, the Zero Trust concept and its benefits have significantly evolved. Currently, Zero Trust is being implemented by companies to drive strategic security initiatives as well as to enable business decision-makers including IT managers to apply pragmatic detection, prevention and response measures.

What is the Zero Trust eXtended Ecosystem?

The Zero Trust model’s biggest evolution was reported by Dr. Chase Cunningham, a Forrester Research analyst, in the Zero Trust eXtended (ZTX) Ecosystem report, which extends the original model beyond its network focus to cover the ever-growing attack surface and the following associated processes and elements:

  • Networks — Segment, isolate and control the network.
  • Data — Secure and manage data, encrypt data both at rest and in transit and categorize and develop data classification schemas.
  • Workloads — Apply Zero Trust controls to the entire application stack, covering the app layer via the hypervisor or self-contained processing components (e.g., containers, virtual machines).
  • Devices — Isolate, secure and always control every device on the network.
  • People (a.k.a. Identity) — Limit and strictly enforce the access of users, and secure those users.
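The five pillars above only become Zero Trust when every request is checked against all of them before access is granted. The following added example (not code from the original article or from Forrester) is a minimal policy decision point that does exactly that: it denies a request if the identity's authentication strength, the user's data clearance, the device's posture, the workload's registration or the source network segment fails its check, and it reports every failing pillar rather than just the first. All classification levels, assurance levels, segment names, workloads and requests are constructed sample values.

```python
# Added example (not from the original article): a minimal policy decision
# point that checks every access request against the five ZTX pillars.
# All policy values, segment names, workloads and requests are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Data classification ranks, lowest to highest sensitivity (constructed).
CLASSIFICATION_RANK = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

# Authentication assurance each data class demands (constructed policy):
# 1 = password only, 2 = MFA, 3 = phishing-resistant MFA.
REQUIRED_AUTH_LEVEL = {"public": 1, "internal": 2, "confidential": 2, "restricted": 3}


@dataclass
class Request:
    user: str
    auth_level: int        # how the user authenticated (see REQUIRED_AUTH_LEVEL)
    clearance: str         # highest data class the user may access
    device_managed: bool   # device is enrolled in management
    device_patched: bool   # device meets the patch baseline
    source_segment: str    # network segment the request arrives from
    workload: str          # application / service being requested
    resource_class: str    # classification of the data behind the workload


@dataclass
class Policy:
    # Micro-segmentation: which network segments may reach which workload.
    allowed_segments: Dict[str, Set[str]] = field(default_factory=dict)


def evaluate(req: Request, policy: Policy) -> Tuple[bool, List[str]]:
    """Check every pillar; deny if any check fails and report all reasons."""
    reasons: List[str] = []
    # People / identity: authentication strength must match data sensitivity.
    if req.auth_level < REQUIRED_AUTH_LEVEL[req.resource_class]:
        reasons.append("identity: authentication level below requirement")
    # Data: the user's clearance must cover the resource's classification.
    if CLASSIFICATION_RANK[req.clearance] < CLASSIFICATION_RANK[req.resource_class]:
        reasons.append("data: clearance below resource classification")
    # Devices: only managed devices at the patch baseline may connect.
    if not (req.device_managed and req.device_patched):
        reasons.append("device: unmanaged or unpatched")
    # Workloads: the target must be registered, otherwise it has no policy.
    if req.workload not in policy.allowed_segments:
        reasons.append("workload: not registered in policy")
    # Networks: the source segment must be permitted for that workload.
    elif req.source_segment not in policy.allowed_segments[req.workload]:
        reasons.append("network: source segment not allowed for workload")
    return (not reasons, reasons)


# Constructed sample policy and requests.
SAMPLE_POLICY = Policy(allowed_segments={
    "payroll-api": {"corp-admin", "hr-vlan"},
    "public-web": {"dmz", "internet"},
})

SAMPLE_REQUESTS = [
    Request("alice", 3, "restricted", True, True, "hr-vlan", "payroll-api", "restricted"),
    Request("bob", 2, "restricted", True, True, "hr-vlan", "payroll-api", "restricted"),
    Request("mallory", 3, "internal", True, False, "guest-wifi", "payroll-api", "restricted"),
    Request("carol", 1, "public", True, True, "internet", "public-web", "public"),
    Request("dave", 3, "restricted", True, True, "corp-admin", "legacy-app", "confidential"),
]


def run_samples() -> Dict[str, Tuple[bool, List[str]]]:
    """Evaluate each sample request and return the decision per user."""
    return {r.user: evaluate(r, SAMPLE_POLICY) for r in SAMPLE_REQUESTS}


if __name__ == "__main__":
    for user, (allowed, reasons) in run_samples().items():
        print(f"{user:8s} {'ALLOW' if allowed else 'DENY '} {reasons}")
```

Note that the checks are independent and all of them run: a request from an allowed segment with valid clearance is still denied when it comes from an unpatched device, which is the point of not trusting the network location on its own.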

Once you apply security controls to all the above-mentioned elements, you are on a pathway to Zero Trust. However, the driving principle must be the realization that the easiest way for any cyber attacker to reach sensitive data is by compromising one or more users’ identities. The problem grows if the stolen identity belongs to a privileged user with broad access to your network. Believe it or not, 80% of security breaches are through privileged credentials.

Where does the path to Zero Trust start?

Limiting a business’s cyber risk exposure to the top cause of current data breaches, privileged access abuse, begins with these actions:

  1. Discover and Vault — Identify all privileged user accounts along with their resources, and vault away the credentials so they can be properly managed.
  2. Consolidate Identities with Least Access and Privilege — Vaulting isn’t enough by itself. The second step is to reduce the attack surface by consolidating identities and then eliminating local accounts as far as you can. Next, implement both privilege elevation controls and a workflow for just-in-time privileged access. Take care of the lowest-hanging fruit by implementing basic multi-factor authentication (MFA) for all privileged users.
  3. Use High Assurance to Harden the Environment — The last step is to harden the environment by air-gapping administrative accounts as recommended in the Microsoft Enhanced Security Administrative Environment (ESAE) guidelines. Additionally, lock down any dangerous workarounds by implementing host-based monitoring and advanced behavioral analytics, and add Assurance Level MFA for the environments holding the most sensitive materials.
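The three steps can be turned into a repeatable audit: given an inventory of accounts, report every privileged account that is not yet vaulted (step 1), every local or standing-privilege or non-MFA privileged account (step 2), and every administrative account used outside the hardened admin environment (step 3). The following added example (not code from the original article, Microsoft or any vendor) does that over a constructed inventory; the account names, hosts and attribute values are sample data, and the attribute names are assumptions about what a discovery tool would export.

```python
# Added example (not from the original article): audit a constructed
# account inventory against the three steps above. Account names, hosts and
# attribute values are constructed sample data.
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Account:
    name: str
    host: str
    privileged: bool
    local: bool               # host-local account rather than a directory identity
    vaulted: bool             # credential is held in the password vault
    mfa: bool                 # multi-factor authentication enforced
    standing_privilege: bool  # always-on admin rights instead of just-in-time elevation
    admin_from_paw: bool      # admin sessions only from a hardened admin workstation


Finding = Tuple[str, int, str]  # (account name, step number, description)


def audit(accounts: List[Account]) -> List[Finding]:
    """Return one finding per control that a privileged account fails."""
    findings: List[Finding] = []
    for a in accounts:
        if not a.privileged:
            continue  # the three steps apply to privileged accounts only
        # Step 1: discover and vault.
        if not a.vaulted:
            findings.append((a.name, 1, "privileged credential not vaulted"))
        # Step 2: consolidate identities, least privilege, MFA.
        if a.local:
            findings.append((a.name, 2, "local privileged account; consolidate into a directory identity"))
        if a.standing_privilege:
            findings.append((a.name, 2, "standing privilege; replace with just-in-time elevation"))
        if not a.mfa:
            findings.append((a.name, 2, "privileged user without MFA"))
        # Step 3: high-assurance administrative environment.
        if not a.admin_from_paw:
            findings.append((a.name, 3, "admin use outside the hardened admin environment"))
    return findings


def duplicate_local_identities(accounts: List[Account]) -> List[str]:
    """Local privileged account names present on several hosts: prime consolidation targets."""
    hosts_by_name: Dict[str, set] = defaultdict(set)
    for a in accounts:
        if a.privileged and a.local:
            hosts_by_name[a.name].add(a.host)
    return sorted(name for name, hosts in hosts_by_name.items() if len(hosts) > 1)


def summarize(findings: List[Finding]) -> Dict[int, int]:
    """Count findings per step so progress along the pathway can be tracked."""
    by_step = {1: 0, 2: 0, 3: 0}
    for _, step, _ in findings:
        by_step[step] += 1
    return by_step


# Constructed sample inventory, as a discovery tool might export it.
SAMPLE_ACCOUNTS = [
    Account("svc-backup", "db01", True, True, False, False, True, False),
    Account("alice.admin", "ad01", True, False, True, True, False, True),
    Account("root", "web01", True, True, True, False, True, False),
    Account("root", "web02", True, True, True, False, True, False),
    Account("bob", "web01", False, False, False, False, False, False),
]


if __name__ == "__main__":
    found = audit(SAMPLE_ACCOUNTS)
    for name, step, text in found:
        print(f"step {step}: {name}: {text}")
    print("per step:", summarize(found))
    print("duplicate local identities:", duplicate_local_identities(SAMPLE_ACCOUNTS))
```

Running the audit repeatedly and watching the per-step counts fall toward zero gives a concrete measure of progress along the pathway; the duplicate-identity list is the input to the consolidation work in step 2.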

By moving from traditional perimeter-based security strategies to a Zero Trust approach, you gain more robust detection, prevention and incident response capabilities to continuously protect expanding attack surfaces, which include big data lakes, cloud, DevOps, microservices and containers. Following this pathway allows businesses to defend themselves against advanced cybersecurity threats while limiting the impact of any breaches. It also supports new operational and business models and enables necessary compliance (HIPAA, PCI).