Zero trust is an approach to cybersecurity that is garnering a lot of attention, as more organisations move to implement it. Although transitioning to a zero trust model is a massive undertaking, it is likely to influence how all businesses and organisations think about security.

 

If there was any single, common theme that emerged from last week’s roundup of Caribbean ICT/tech news (for the week ending 20 June 2021), it was cybercrime and cybersecurity. There were many reports about increases in cybercrime in the region, and concern that countries are not as prepared as they should be.

To be fair, there has been a growing awareness of the importance of security in the Caribbean region; but businesses, and even governments, might be challenged to provide the resources needed to effectively maintain the security of their networks and systems. To a considerable degree, security is becoming a full-time job – both literally and figuratively. IT or security personnel are charged with continually monitoring, testing, upgrading, and maintaining the security of the networks under their care, whilst also keeping up to date on the latest trends and developments, and trying to ensure that network users are exercising the requisite care.

Although more organisations have been focussing on cybersecurity, there is no guarantee, even with the best effort, that one’s organisation will not be successfully breached. Further, there have been concerns that the typical approach to security might be too weak in light of the scale and sophistication of the threats we have been experiencing. Organisations, particularly enterprises, appear to be moving towards a ‘zero trust model’ or ‘zero trust architecture’, which, although the concept was first articulated over a decade ago, only now seems to be becoming mainstream.

In this article, we give a brief primer on zero trust security, and conclude by sharing some views on why this approach to security ought to be taken seriously.

 

Zero trust security: what is it?

Traditionally, network security was conceptualised as ‘keeping the bad guys out’, i.e. ‘perimeter security’, using firewalls, passwords and other forms of access control, and virtual private networks, to name a few. Consequently, and by default, users inside the network were trusted, and anyone who presented the required access credentials was granted access – similar to a castle with a drawbridge.

Zero trust security goes by many names, including ‘perimeterless security’, and its premise turns perimeter security on its head. Essentially, no user or device is implicitly trusted, or trusted by default – even if it is (or remains) connected to a managed corporate network. Zero trust security assumes that the network has already been compromised, and so continually requires users and devices to re-establish their identity and security posture before each access, rather than being trusted on the strength of an earlier login or their position on the network.

Although the concept of zero trust might initially have been adopted for remote and cloud-based users and assets, for example where entities needed to connect to their organisation’s corporate network via the internet, it now encompasses all elements and assets on the network, regardless of location. In other words, even if a user, device or asset is located within an organisation’s own network boundary, and even if it is connected directly to the corporate network, that resource is not automatically trusted.

In summary, the United States National Institute of Standards and Technology (NIST), in Special Publication 800-207, Zero Trust Architecture, has set out the following seven core principles (which it calls tenets) for zero trust architecture:

  1. All data sources and computing services are considered resources.
  2. All communication is secured regardless of network location.
  3. Access to individual enterprise resources is granted on a per-session basis.
  4. Access to resources is determined by dynamic policy—including the observable state of client identity, application, and the requesting asset—and may include other behavioural attributes.
  5. The enterprise ensures that all owned and associated devices are in the most secure state possible and monitors assets to ensure that they remain in the most secure state possible.
  6. All resource authentication and authorization are dynamic and strictly enforced before access is allowed.
  7. The enterprise collects as much information as possible about the current state of network infrastructure and communications and uses it to improve its security posture.
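As an added worked example (it is not from NIST SP 800-207 or from this article), the following Python sketch of a policy engine shows how tenets 2 to 6 translate into a concrete decision: the requester’s identity, MFA freshness and device posture are evaluated on every request; network location is recorded but never counted as trust; unknown resources are denied by default; and a successful request yields only the action asked for, within a short, tier-dependent session window. The resource names, roles, thresholds and sample requests are all invented for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Reference point for the constructed sample requests below.
NOW = datetime(2021, 6, 21, 9, 0, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Subject:
    user: str
    roles: frozenset[str]
    mfa_verified_at: Optional[datetime]  # None: no MFA in this session


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool            # enrolled in enterprise device management
    disk_encrypted: bool
    edr_running: bool
    os_patch_age_days: int   # days since the last OS patch was applied


@dataclass(frozen=True)
class Request:
    subject: Subject
    device: Device
    resource: str
    action: str
    source_ip: str           # logged only; never an input to the decision (tenet 2)


@dataclass(frozen=True)
class Grant:
    resource: str
    actions: frozenset[str]  # only what was asked for: just-enough access
    expires_at: datetime     # per-session and time-bounded (tenet 3)


# Hypothetical resources, sensitivity tiers and role mappings for illustration.
RESOURCE_POLICY = {
    "wiki":  {"tier": "low",  "allow": {"employee": {"read", "write"}}},
    "hr-db": {"tier": "high", "allow": {"hr": {"read"}, "hr-admin": {"read", "write"}}},
}
MFA_MAX_AGE = {"low": timedelta(hours=12), "high": timedelta(minutes=15)}
SESSION_TTL = {"low": timedelta(hours=8), "high": timedelta(minutes=30)}


def device_compliant(dev: Device, tier: str) -> bool:
    """Tenet 5: the observable state of the requesting asset gates access."""
    baseline = dev.managed and dev.edr_running
    if tier == "high":
        return baseline and dev.disk_encrypted and dev.os_patch_age_days <= 30
    return baseline


def decide(req: Request, now: datetime) -> tuple[Optional[Grant], str]:
    """Tenets 4 and 6: dynamic, per-request evaluation; deny by default."""
    policy = RESOURCE_POLICY.get(req.resource)
    if policy is None:
        return None, "deny: unknown resource"
    tier = policy["tier"]
    if not device_compliant(req.device, tier):
        return None, "deny: device posture"
    mfa_at = req.subject.mfa_verified_at
    if mfa_at is None or now - mfa_at > MFA_MAX_AGE[tier]:
        return None, "deny: MFA missing or stale"
    permitted: set[str] = set()
    for role in req.subject.roles:
        permitted |= policy["allow"].get(role, set())
    if req.action not in permitted:
        return None, "deny: role lacks action"
    # Grant only the requested action, not everything the roles would permit.
    return Grant(req.resource, frozenset({req.action}), now + SESSION_TTL[tier]), "allow"


def grant_valid(grant: Grant, now: datetime) -> bool:
    """Resource-side check: a grant is useless once its session window closes."""
    return now < grant.expires_at


def sample_requests() -> dict[str, Request]:
    """Constructed inputs: one user, two devices, several access attempts."""
    fresh = Subject("alice", frozenset({"employee", "hr"}), NOW - timedelta(minutes=5))
    stale = Subject("alice", frozenset({"employee", "hr"}), NOW - timedelta(hours=2))
    laptop = Device("lt-001", managed=True, disk_encrypted=True, edr_running=True, os_patch_age_days=10)
    byod = Device("ph-042", managed=False, disk_encrypted=True, edr_running=False, os_patch_age_days=3)
    return {
        "hr_read_fresh":   Request(fresh, laptop, "hr-db", "read", "203.0.113.7"),  # off-site
        "hr_read_stale":   Request(stale, laptop, "hr-db", "read", "10.0.0.5"),     # on the LAN
        "hr_read_byod":    Request(fresh, byod, "hr-db", "read", "10.0.0.9"),
        "hr_write":        Request(fresh, laptop, "hr-db", "write", "10.0.0.5"),
        "wiki_read_stale": Request(stale, laptop, "wiki", "read", "10.0.0.5"),
    }


if __name__ == "__main__":
    for name, req in sample_requests().items():
        grant, reason = decide(req, NOW)
        print(f"{name:16s} {req.source_ip:13s} -> {reason}")
```

Note that the request arriving from the internal address 10.0.0.5 with a two-hour-old MFA is refused on exactly the same terms as one from the internet; a perimeter model would have waved it through. In a real deployment the thresholds and role mappings would be supplied by the policy administrator’s configuration rather than hard-coded, which is why that configuration itself has to be protected and reviewed.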

 

Zero trust security: pros

Although adoption of a zero trust security approach would effectively result in a paradigm shift from the standard perimeter security approach, it offers a number of benefits, including the following:

First, it offers a more unified and cohesive approach to security, since for all intents and purposes, all resources are treated the same, regardless of their location. It can thus offer a more streamlined model or architecture, which in turn can facilitate an optimised approach to IT/security management.

Second, it strengthens the overall security of a network: every user and device must be verified before access is granted, and the access granted is neither indefinite nor unbounded. On a per-session basis, just-enough access should be given just-in-time.

Third, because of the heightened vigilance and the frequent verification that zero trust networks must perform, they are better placed to detect a broad range of events that could lead to intrusions, for example the use of stolen passwords or access credentials, or an unexpected attempt to reach a privileged workstation.

 

Zero trust security: cons

As previously stated, implementation of a zero trust security approach could require an organisation to overhaul its approach to security, which depending on the size and complexity of the organisation, could be a mammoth undertaking. However, there are also other challenges with zero trust security that ought to be considered, such as the following:

First, a key premise of zero trust security is to limit user access to just-in-time and just-enough access. However, not all applications and tools can be configured with tiers of privilege, so as to give each user the lowest privilege he or she needs. This can result in configuration challenges, which in turn limit the extent to which zero trust can be successfully implemented.

Second, although zero trust offers enhanced security and can reduce the threat posed by stolen credentials and by malicious insiders, it cannot eliminate them completely. Hence if an insider misuses his or her legitimate access privileges, or an attacker obtains a legitimate user’s credentials (and can satisfy whatever device checks are in place), the security of an organisation’s network could still be compromised.

Third, in the zero trust model, a policy engine and policy administrator approve every connection between network resources. They must therefore be properly configured and maintained, and are themselves potential points of vulnerability for zero trust networks. Possible threat scenarios include unauthorised access to the policy engine, or mistakes by an administrator in configuring the policy engine’s rules.

 

Zero trust security: why it should be taken seriously

As is evident in much of the discourse on zero trust security, it has been developed with enterprises in mind. Transitioning to the zero trust approach is not a trivial matter. It requires manpower, expertise, lots of money, and may take years to fully complete; and so is likely to be beyond the reach of micro, small and medium enterprises in particular.

However, the importance of the zero trust concept to all businesses and organisations – regardless of size – lies in the fact that it has challenged the traditional approach to security. It requires a fundamental re-think of how security can and should be implemented, especially when the complexity of today’s networks, the broad range of demands being placed on network resources, and the flexibility with which users still need to be able to access networks, are all considered. Further, and perhaps more importantly, cyberattacks have increased in volume and sophistication, which in turn demands that our approach to security also evolve.

 

 

Image credit: rsch60 (Pixabay)