If you ask any of security leader today about what the most challenging factors are, that keep them concerned about the security posture of their organization, and impact the level of confidence they have in their implemented security controls, the most common feedback you would hear revolves around the below four main points:
- The complex dynamics in the cybersecurity landscape and the increasing sophistication of adversaries, their techniques and strategies
- Digital transformation is accelerating the adoption of cloud computing and bring-your-own-anything
- The lack of effective breach detection and lateral movement prevention at the very early stages of a compromise
- The shortage in the cybersecurity talent, the alert fatigue and the complexity of managing and operating multiple tools and solutions
All the above-mentioned have contributed to the fact that we hear headlines in the news about high profile breaches taking place daily without any indication of slowing down any time in the foreseeable future. Although many organizations invest heavily in many cybersecurity solutions across the board, there is still a fundamental flaw in the way security leaders and practitioners design and architect their environments.
Traditional Perimeter Based Architecture is Not Enough
The legacy perimeter centric architecture is facing serious challenges and is slowly heading towards an end; the reason being, it won’t be able to cope with the new evolutions taking place in the digital transformation and cloud generation era. There is a fundamental and strategic flaw in the approach of the perimeter centric design, and this resides in the trust that is inherently assumed and granted to whatever asset (device, network, application, service,..etc) lives behind the corporate perimeter (Firewalls, Proxies, and so on) while considering everything outside the perimeter as hostile and malicious. Therefore, this model is believed to fail and here are some of the reasons that support this narrative:
- All networks have evolved to hybrid architectures of on-prem, cloud, mobile and remote systems. So essentially what used to be known as a corporate perimeter is now vanishing
- Through the adoption of SaaS, PaaS, IaaS services, a lot of the data and information is being processed and accessed outside the boundaries of the corporate perimeter using any device from anywhere in the globe
- Networks are mainly flat in nature, meaning anyone in the enterprise has access, to a certain extent, to other users’ information, data, and applications
- Limited mechanisms exist to prevent network lateral movement, once a breach is inside a network. This is due to the absence of segmentation on data, device, identity, application and network levels.
What is Zero Trust Security?
The Zero Trust Security approach was initially created in 2010 by John Kindervag, who used to work at Forrester at the time. The concept has been promoted by Forrester ever since, where they focused their efforts to create awareness and increase adoption within the industry. Due to the increasing interest in this concept, Google in 2014 and NIST in 2019 followed suit and raised their different versions of Zero Trust Security frameworks (BeyondCorp & NIST SP 800-207-Draft 2).
The Zero Trust Security model is not a set of technologies or solutions that can be thrown together and achieved in a one-time engagement. Zero Trust security should be looked at as a journey and should be driven based on the set goals for each organization. Therefore, it is very crucial to have a strategy first, that outlines the objectives and outcomes of implementing a Zero Trust model (i.e. Need to implement Zero Trust using crypto-segmentation, or to enable Zero Trust Security for the mobile workforce, and so on). Based on the strategy, the required capabilities can be identified and defined, which will eventually lead to selecting the right technology set with the necessary features.
Why Zero Trust Security?
Considering the limitations and flaws of the legacy perimeter centric security approach (highlighted earlier in this article), customers are advised to consider the Zero Trust security model – a data-centric and identity-driven model – to secure their environments. The Zero Trust security model:
- Assumes that threats are existing, internal and external to the environment and that the network is always hostile and can’t be trusted. Therefore, any user, device, or application on the network must be authenticated, and verified, before it is authorized and granted access to any data or information
- Leverages micro-perimeters/micro-segmentation concepts to build secure communities within the environment. The segmentation can be implemented on a device, user, application or network levels, to enforce granular access controls based on the least privilege and need to know/have basis
- Ensures data security via obfuscation or encryption techniques
- Enhances prevention capabilities of lateral movement, once a breach has already infiltrated the environment
- Enhances threat detection by employing extensive visibility and analytics over external and internal assets in association with the surrounding internal and external threats
- Accelerates incident response capabilities using automation and orchestration
The Zero Trust eXtended Ecosystem – ZTX
In 2018 Forrester has released an updated version of the original Zero Trust security model and called it “The Zero Trust eXtended Ecosystem – ZTX”. There are seven pillars that compose the ZTX ecosystem. For customers who are interested in implementing the ZTX framework, to build their zero trust capabilities in threat detection and response, and in threat prevention, they can refer to the below exclusive list based on my suggestions:
- Data: Data Rights Management, Data Access Governance, Data Classification, Encryption, FIM
- People: IAM, Privileged Access Management, Multi-Factor Authentication, Remote Browser Isolation, Phishing Simulation & Training
- Device: Enterprise User Mobility, EDR, MTD, EPP
- Network: NGFW, NTAs, Deception Platforms, Email Anti-Spoofing & Anti-Phishing, Mail Encryption Gateway
- Workloads & Applications: CASB, Cloud and Virtual Workload Security, WAF, VRM, RASP
- Visibility and Analytics: Attack Surface Management, UBA, SIEM, Security Analytics, TIP, Threat Intelligence Feeds,
- Security Orchestration and Automation: SOAR, MDR, aiSOC, Network Security Policy Management
Benefits of Zero Trust Security
The interest and hype around the Zero Trust security approach and the reason behind its acceleration in its adoption globally by many government entities and enterprises boil down to the benefits that this approach provides to security and risk leaders.
The Zero Trust Security Approach:
- Builds on top of what customers might have in terms of security investment, and helps in putting a framework or a methodology to make the existing security controls and the one to be implemented work in an aligned, a structured, and an organized fashion to achieve zero trust security objectives
- Enables and empowers security teams to be open and supportive of any new business requirements that are needed to accelerate the digital transformation journey, without having to go into complex infrastructure upgrades, or to accept or deal with any elevated risk.
- Zero Trust helps in achieving compliance with mandates and regulations because due to its secure architectural and methodical concept, the Zero Trust approach indirectly implements many of the controls required by most of the common standards.
Customers who are looking for an efficient, secure and low-risk architecture to operate their businesses in this rapidly shifting digital world, should explore the Zero Trust Framework, and take its implementation in a strategic and phased approach to obtain the best results.