Zero Trust is a significant change factor in how cybersecurity is approached. We used to think that our organization was a castle - with walls (firewalls), a moat (DMZ), and a drawbridge (Access Control).
However, with the escalation of militancy in Ukraine, increased activity by cybercriminal groups, and increased attack surfaces caused by businesses migrating to the cloud and employees working remotely, Zero Trust has become cybersecurity's most valuable change agent.
Zero Trust is the New Focus Among Executives
According to a recent survey, "Zero Trust Strategies for 2022 Report," conducted by iSMG, every respondent said that Zero Trust is critical to reducing their cybersecurity risk (100% of respondents rated it somewhere between somewhat and extremely critical).
Also, nearly half of them (46%) said Zero Trust is the most crucial security practice in 2022. Another survey of over 300 large organizations by Forrester indicated that 78% of security executives plan to raise their use of Zero Trust in 2022.
There is no doubt that Zero Trust is a new priority among executives responsible for cybersecurity strategy. But if we take a closer look at the survey, there is an execution problem.
Forrester's survey places full deployment of Zero Trust at only 6%. Another 30% said Zero Trust is in partial deployment or production, and 63% said their Zero Trust projects are still in the assessment, strategy, or pilot phases. So although C-level executives are planning for Zero Trust, most of them are still only planning.
If you are looking for an introduction to Zero Trust Architecture:
With A Little Help From My Friends (NIST, CISA, OMB)
In response to the Executive Order (EO), the Office of Management and Budget (OMB) released the official federal strategy for moving to a zero trust architecture, which includes a detailed road map that not only government agencies and contractors but any organization can use as a model. Moreover, CISA released its Zero Trust Maturity Model last fall, a roadmap for agencies transitioning to a zero-trust architecture.
For example, when it comes to Zero Trust, the NIST National Cybersecurity Center of Excellence (NCCoE) has published guidance that maps the relevant Zero Trust components to CSF functions, categories, and subcategories (i.e., NIST SP800–27). These are the core Zero Trust components, such as policy engines, policy administrators, and policy enforcement points.
Another helpful resource is the whitepaper from NIST — Planning for a Zero Trust Architecture, which describes how to leverage CSF and the NIST Risk Management Framework (RMF) (SP800–37) to migrate to a Zero Trust Architecture.
Below are some best practices to start.
1. Understanding the Protection Surface (Yes, Not the Attack Surface)
It is the norm to begin a risk assessment with an attack surface analysis. For example, security professionals usually start by looking at the potential attack surface:
With Zero Trust, things are a little different. NIST's Planning for a Zero Trust Architecture recommends starting from the data and applications, that is, the highest-value and highest-risk users and assets. The protection surface is also much smaller than the attack surface or the perimeter, and thus easier to defend.
In ZTA, there is no perimeter to safeguard; instead, you put a "micro-perimeter" around each asset. Those assets are the best place to start adopting Zero Trust principles. As a result, you have complete control over who accesses the critical assets, how they access them, and when they access them. Secure each protection surface in the way appropriate to that surface.
Prioritize what to protect based on its criticality to your business goals. You may not know all of the applications in your data center when you start, but you do know your most critical applications. After you implement Zero Trust on one or more non-critical protection surfaces, move on to the next set of protection surfaces on the priority list, and continue until you reach your cybersecurity goals.
2. Maximizing Visibility - You Can't Protect What You Can't See
According to CISA's Zero Trust Maturity Model, before organizations can implement Zero Trust around the enforcement points it lists (identities, devices, networks, applications, and data), they need complete visibility: an understanding of how everything connects to everything else.
Users, devices, and services are all connected to data centers. It is a complex environment, and the cloud only makes it more complicated. If organizations try to implement enforcement without understanding how this environment behaves, the result is security gaps or broken workflows.
Once they have complete visibility, they can begin to work out what trust and enforcement policies they need. Many of the essential technologies may already be in use and only need modernizing with orchestration and policy engines.
3. Building The New Boundary: Micro-segmentation
Data centers are traditionally good at managing networks and their surrounding environments. According to NIST SP800-207: Zero Trust Architecture, a differentiated segment is how you create a "micro-boundary" in the data center: only pre-approved traffic flows can pass. This is similar to the allowlist of a legacy system.
When building a Zero Trust Architecture (ZTA), the principle is the same, but the network segments and boundaries are much smaller. Therefore, the micro-segmentation policy should be decoupled from the existing network architecture and be able to scale with ease.
Besides that, the allowlist is based on policy, not IP addresses. Maintaining networks, firewalls, and rules is already enough work without trying to preserve them across micro-segments, so manual work can no longer solve this problem. For example, modern Zero Trust Network Access (ZTNA) solutions use machine learning (ML) or artificial intelligence (AI) to understand traffic patterns and access logic, helping organizations create automated access policies.
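The points above (pre-approved flows only, policy expressed in terms of workload identity rather than IP addresses, and default deny for everything else) can be shown with a small label-based policy check. This is an added example, not code from the article or from any ZTNA product; the workload inventory, labels, rules, and flow-log lines are all constructed for illustration.

```python
"""Label-based micro-segmentation policy check (added example, not from the article).

Constructed model: each workload carries labels (app/tier/env); a flow is allowed only
when a rule matches the labels of both ends plus the port and protocol. Anything that
matches no rule is denied, and the policy never consults an IP address."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Workload:
    name: str
    ip: str                 # informational only; the policy never reads it
    labels: frozenset       # e.g. {"app=shop", "tier=web", "env=prod"}


@dataclass(frozen=True)
class Rule:
    src: frozenset          # labels the source workload must carry
    dst: frozenset          # labels the destination workload must carry
    port: int
    proto: str = "tcp"


def labels(*kv: str) -> frozenset:
    return frozenset(kv)


# Constructed inventory. web-01 and web-02 have different IPs but identical labels;
# db-01 and db-dev share an IP (different VPCs) but differ in the env label.
INVENTORY = {
    "web-01": Workload("web-01", "10.0.1.10", labels("app=shop", "tier=web", "env=prod")),
    "web-02": Workload("web-02", "10.0.1.11", labels("app=shop", "tier=web", "env=prod")),
    "api-01": Workload("api-01", "10.0.2.10", labels("app=shop", "tier=api", "env=prod")),
    "db-01":  Workload("db-01",  "10.0.3.10", labels("app=shop", "tier=db",  "env=prod")),
    "db-dev": Workload("db-dev", "10.0.3.10", labels("app=shop", "tier=db",  "env=dev")),
    "jump":   Workload("jump",   "10.0.9.5",  labels("role=bastion", "env=prod")),
}

# Constructed allowlist: the only pre-approved flows. Everything else is denied.
POLICY = [
    Rule(labels("tier=web", "env=prod"), labels("tier=api", "env=prod"), 8443),
    Rule(labels("tier=api", "env=prod"), labels("tier=db", "env=prod"), 5432),
]


def is_allowed(src: Workload, dst: Workload, port: int, proto: str = "tcp") -> bool:
    """Default deny: True only if some rule's label sets are subsets of both ends' labels."""
    return any(r.src <= src.labels and r.dst <= dst.labels
               and r.port == port and r.proto == proto for r in POLICY)


# Constructed flow records in a simple key=value format.
FLOW_LOG = """\
src=web-01 dst=api-01 port=8443 proto=tcp
src=web-02 dst=api-01 port=8443 proto=tcp
src=api-01 dst=db-01 port=5432 proto=tcp
src=web-01 dst=db-01 port=5432 proto=tcp
src=api-01 dst=db-dev port=5432 proto=tcp
src=jump dst=db-01 port=22 proto=tcp
""".splitlines()


def evaluate_flows(lines):
    """Return [(line, 'ALLOW'|'DENY'), ...] for each flow record."""
    results = []
    for line in lines:
        f = dict(kv.split("=", 1) for kv in line.split())
        src, dst = INVENTORY[f["src"]], INVENTORY[f["dst"]]
        verdict = "ALLOW" if is_allowed(src, dst, int(f["port"]), f["proto"]) else "DENY"
        results.append((line, verdict))
    return results


def decision_survives_ip_change(name: str, peer: str, port: int) -> bool:
    """Re-addressing a workload does not change the decision: policy follows labels."""
    moved = replace(INVENTORY[name], ip="10.0.7.77")   # constructed new address
    return is_allowed(moved, INVENTORY[peer], port) == is_allowed(INVENTORY[name], INVENTORY[peer], port)


if __name__ == "__main__":
    for line, verdict in evaluate_flows(FLOW_LOG):
        print(f"{verdict:5s} {line}")
```

The web-to-database flow is denied even though both workloads are in the same app, because no rule pre-approves it; the api-to-db-dev flow is denied because the env label differs, even though db-dev sits at the same IP as db-01. That is the decoupling from network architecture the text describes: rules reference labels, so workloads can be re-addressed or re-homed without rewriting the allowlist.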
4. Aligning Identities
No matter which framework or model you choose to follow, identity is the foundation of Zero Trust security. It requires pivotal components, such as identity origination and role-based access controls. Identity origination means knowing where all the identities come from. Not only user identities, but also:
- service accounts
- application sessions
- ephemeral identities
- cloud assets
Zero Trust mandates authenticating the identity before providing secure access, which is impossible with legacy solutions like VPNs. A Software-Defined Perimeter (SDP) or ZTNA goes beyond validating the IP address, continually evaluating security risk based on device posture, location, time, roles, and permissions before granting access.
Moreover, as the size and shape of our digital footprint change, we no longer have just a "digital network" or "digital services"; we now have a whole "digital ecosystem" that keeps expanding. If we want to remain secure while realizing these new channels, efficiencies, and agility, we need to adopt Zero Trust Architecture — using the lens of identity to see potential risks and to inform where we draw the "perimeter."
Identity-based Zero Trust continually monitors every access request made by all users to any resource in the system. The Zero Trust model ensures a thorough audit trail for compliance and policy enforcement, whether on-premise or cloud. Every time an identity – human or machine – attempts to access an asset, a risk analysis is performed based on its behavior during the session and other contextual parameters.
To efficiently and effectively manage the entire security posture, it makes more sense to have a single, holistic view of organizational identities to determine policy, view posture, enact compliance, and respond to risk.
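The continuous, context-based evaluation described above (device posture, location, time, roles, and permissions checked at session start and re-checked during the session, with an audit record for every decision) can be shown in a small policy decision routine. This is an added example, not code from the article or from any ZTNA or SDP product; the identities, posture fields, risk weights, thresholds, and timestamps are all constructed for illustration.

```python
"""Context-aware access decisions with an audit trail (added example; not from the
article or any product it mentions). Weights, thresholds, identities and the country
allowlist are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timezone

ALLOWED_COUNTRIES = {"US", "DE", "JP"}        # constructed allowlist of expected locations
ALLOW_MAX = {1: 30, 2: 20, 3: 10}             # highest risk score still allowed, by sensitivity
DENY_MIN = 50                                 # at or above this score, deny outright


@dataclass(frozen=True)
class Identity:
    principal: str                            # human ("alice") or machine ("svc-backup")
    roles: frozenset


@dataclass(frozen=True)
class DevicePosture:
    managed: bool
    disk_encrypted: bool
    os_patched: bool
    edr_healthy: bool


@dataclass(frozen=True)
class Context:
    country: str
    known_network: bool
    when: datetime                            # timezone-aware


@dataclass(frozen=True)
class Resource:
    name: str
    required_role: str
    sensitivity: int                          # 1 (low) .. 3 (high)


def risk_factors(device: DevicePosture, ctx: Context):
    """Return (score, reasons). Each failed check adds its constructed weight."""
    hour = ctx.when.astimezone(timezone.utc).hour
    factors = [
        (not device.managed,                     40, "unmanaged device"),
        (not device.disk_encrypted,              15, "disk not encrypted"),
        (not device.os_patched,                  10, "os not patched"),
        (not device.edr_healthy,                 20, "edr unhealthy"),
        (not ctx.known_network,                  10, "unknown network"),
        (ctx.country not in ALLOWED_COUNTRIES,   30, "unexpected country"),
        (not 6 <= hour <= 22,                    10, "outside business hours"),
    ]
    hits = [(w, reason) for cond, w, reason in factors if cond]
    return sum(w for w, _ in hits), [reason for _, reason in hits]


def evaluate(identity, device, ctx, resource, audit, phase="initial"):
    """Decide allow / step-up / deny and append one audit record.
    Called at session start and again on every in-session re-check."""
    if resource.required_role not in identity.roles:
        decision, score, reasons = "deny", None, [f"missing role {resource.required_role}"]
    else:
        score, reasons = risk_factors(device, ctx)
        if score >= DENY_MIN:
            decision = "deny"
        elif score <= ALLOW_MAX[resource.sensitivity]:
            decision = "allow"
        else:
            decision = "step-up"              # grant only after additional authentication
    audit.append({"ts": ctx.when.isoformat(), "principal": identity.principal,
                  "resource": resource.name, "phase": phase,
                  "decision": decision, "score": score, "reasons": reasons})
    return decision


# Constructed scenario data
ALICE = Identity("alice", frozenset({"finance"}))
BOB = Identity("bob", frozenset({"engineering"}))
SVC_BACKUP = Identity("svc-backup", frozenset({"backup"}))
COMPLIANT = DevicePosture(True, True, True, True)
DEGRADED = DevicePosture(True, True, True, False)          # EDR agent stopped mid-session
LEDGER = Resource("ledger", "finance", 3)
SNAPSHOTS = Resource("db-snapshots", "backup", 2)
T = lambda h: datetime(2024, 3, 4, h, 0, tzinfo=timezone.utc)


def run_scenario():
    """Walk one session through start, re-check and revocation; return the audit log."""
    audit = []
    evaluate(ALICE, COMPLIANT, Context("US", True, T(10)), LEDGER, audit)            # allow
    evaluate(ALICE, COMPLIANT, Context("US", False, T(23)), LEDGER, audit)           # step-up
    evaluate(BOB, COMPLIANT, Context("US", True, T(10)), LEDGER, audit)              # deny: role
    evaluate(ALICE, DEGRADED, Context("XX", False, T(11)), LEDGER, audit, "recheck") # deny: revoke
    evaluate(SVC_BACKUP, COMPLIANT, Context("DE", True, T(3)), SNAPSHOTS, audit)     # allow
    return audit


if __name__ == "__main__":
    for record in run_scenario():
        print(record)
```

The fourth call is the in-session re-check: the same identity that was allowed at 10:00 is denied an hour later because its device posture and location changed, which is what "continually evaluating security risk" means in practice. The audit list is the compliance trail the text refers to, and machine identities (svc-backup) flow through exactly the same logic as humans.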
5. Reducing Attack Surface
Remote workers accessing your network increase the attack surface on a new scale. Before any security incident happens, the security team should find ways to reduce the attack surface and minimize exposure. This is also the core of non-threat-based security operations (think about what a firefighter does when there is no fire).
Internally, a micro-segmentation approach gives a secure 1:1 connection to authorized resources. Anything the identity in question is not authorized for is invisible and inaccessible. This reduces lateral movement and helps prevent insider threats.
We can also apply Zero Trust security outside the organization to protect against external cyber threats and attacks. For example, your mobile and connected workforce are flooded with phishing attempts, the root cause of most cyberattacks during COVID. We can further reduce the attack surface by:
- proactively mapping your digital footprint (mentioned above),
- monitoring communication channels for attack indicators (optimal with threat intelligence), and
- rapidly mitigating identified threats (including patching).
Final Words: Cybersecurity vs. Cyber-Resilience
All of the Zero Trust models - Google's BeyondCorp, Gartner's CARTA, NIST SP800–207, and Forrester's ZTX - assume that being compromised is inevitable. This brings in the idea of cyber-resilience, and I would like to finish this article with that concept.
The main difference between Cybersecurity vs. Cyber-Resilience is the focus of response. In cybersecurity, we have DR/ BCP to ensure organizations can resume operations as fast as possible. However, the main focus of cybersecurity is still on preventive controls. In response to this concept, NIST released a special publication SP800–160 volume 2, "Developing Cyber Resilient Systems — A Systems Security Engineering Approach." It is the first in a series of specialty publications developed to support NIST SP 800–160 Volume 1 — the flagship Systems Security Engineering guideline.
Achieving cyber-resilience is not an endgame but an endless journey. Organizations must push their limits, prepare for the worst, and, although it is nearly impossible, try to identify vulnerabilities before adversaries do. Like a fighter who will face multiple opponents with different styles, they should spar with partners who emulate the upcoming opponent.
A resilient security architecture is one where defenders maintain maximum visibility across their enterprise:
- attacks are detected early, contained, and expelled before attackers achieve their objectives;
- and response to, and recovery from, any incidental damage is rapid.
It is an approach better adapted to the dynamic business factors of today's enterprise, where digital and cloud transformation, for example, are generally more cost-effective.
Doing all the above does not immediately turn your organization into the most secure one but helps you embrace most executives' security goal in 2023 - Zero Trust Architecture. Today, we have to admit that the question is no longer how to keep bad actors out although this stays important. Instead, the priority should be how to recover as quickly as possible to "business as usual" once an attack occurs.
Thank you for reading. May InfoSec be with you🖖.