
So many things have been said and written about Zero Trust, but what does it really mean in practical terms?

Zero trust is an approach to doing business in a hostile environment.

It requires a change of mindset: acknowledging that we cannot create a 100% secure environment.

PROBLEM

In the old days, security meant deploying solutions such as firewalls, VPN, content filtering, IPS and sandboxes, then sending all the logs to a SIEM. These are the security products we all know and tolerate. In most cases, we are still taking the same old approach today.

In the meantime, organizations have adopted cloud offerings such as IaaS, PaaS and SaaS. Applications have migrated from on-premises data centers to the cloud, beyond the reach of traditional perimeter security controls, while the users have moved from the corporate network to remote corners of the world.

VPN is no longer a viable solution. A VPN concentrator is an internet-exposed appliance that, once a user authenticates, typically places that user on the network itself; vulnerable VPN appliances have been the entry point of many high-profile breaches. Backhauling traffic through the corporate VPN to reach applications hosted in the cloud also adds significant latency, resulting in a poor user experience.

The challenges to traditional security solutions:

  • Migration to the cloud.
  • Expectation to work from anywhere in the world.

To solve this challenge, organizations started to adopt Identity Centric Security: using Identity and Access Management (IAM) to control users' access to private resources hosted in the public cloud. Identity became the new firewall.

The Identity Centric Security model solves a business problem: it allows remote users to access private data and applications directly over the public internet. However, it creates a new problem. Applications and data that are supposed to be private are now publicly reachable.

Historically, the bad guys needed to breach a private network before they could access private data. Now, by exploiting vulnerabilities, purchasing stolen credentials on the black market, or leveraging misconfigurations, they have a direct way to attack.

Researchers and bug bounty hunters continue to find creative ways to bypass security measures that have been implemented by respected companies. Nation-state-backed hackers are formidable adversaries with seemingly unlimited time, resources, and tools.

Organizations spend a significant amount of money and time deploying shiny security products. However, even in the best possible configuration, these security measures have limitations.

No matter how many security solutions we implement, even with an unlimited budget, it is impossible to 100% secure your environment.

Side note: instead of trying to be secure, an organization should strive to be resilient, as it is not a matter of whether an organization will be breached but when.

CHANGE OF MINDSET

This is where Zero Trust comes into the picture.

Zero Trust simply resets security back to where it should have been, acknowledging that we cannot create a 100% secure environment.

Zero Trust is a transition from implicit trust and broad access - assuming that everything inside the corporate network is safe - to the model that:

  1. Explicitly verifies the security status of the user’s identity, endpoint, and network.
  2. Limits access based on business needs.
  3. Assumes the possibility of a breach.

Zero Trust requires all users/clients, inside/outside the organization’s network, to be:

  • Authenticated
  • Authorized
  • Continuously validated for security posture before being granted or keeping access to applications/data.

A change of mindset is required. We must accept that legacy security solutions are no longer sufficient; there was never a guarantee that we could create a secure environment.

IT’S ABOUT BUSINESS NOT SECURITY

Start with the business needs: who needs to access what to do their daily job?

The beauty of Zero Trust is not only about security. It is about allowing an organization to conduct business in a hostile environment.

Zero Trust can and must be tightly integrated with the organization's business. At the end of the day, it is the growth and sustainability of the business that matters most, not IT security for its own sake.

Side note: that Zero Trust facilitates business in a hostile environment is not a marketing gimmick. It is an interesting observation that I stumbled upon while deploying ZPA. As with all new approaches, there is always resistance at the beginning. At a certain point, when the customer finally made the mental switch to Zero Trust, the light bulbs started to turn on. They started to see opportunities to solve problems that they couldn't properly solve using old security solutions such as firewalls and VPN. For example, they could give a third-party partner restricted access to specific resources, without worrying about lateral movement. They could retire their complex and expensive VDIs.

How can we implement a security framework when we acknowledge that even the internal corporate network cannot be considered secure?

WHERE TO START?

Implementing Zero Trust is a journey, and it starts with the acknowledgment that it is simply impossible to 100% secure the IT environment. The Internet is a hostile environment; no matter how many best-of-breed security products are deployed, the network can be breached. The corporate network should be considered an untrusted network.

To conduct business in this hostile and untrusted network we need to focus on three core principles of Zero Trust:

  1. VERIFY EXPLICITLY

Examine all aspects of the access request:

  • Verify the user's identity using strong MFA.
  • Verify the device's compliance using multiple posture checks.
  • Do not grant trust based on weak signals such as network location.

  2. USE LEAST PRIVILEGE ACCESS

Permissions are granted only to meet specific business goals, from the appropriate environment and on appropriate devices:

  • Limit user access with just-in-time and just-enough-access to perform job functions.

  3. ASSUME BREACH

Build processes and systems assuming that a breach has already happened or soon will:

  • Create segmentation, minimizing the attacker's opportunities for lateral movement.
  • Configure logging so that breaches are detected in a timely manner.
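As an added example (not code from the original post, and not from ZPA or any other product), here is a minimal policy decision point in Python that applies the three principles above, and with them the earlier requirement that every client be authenticated, authorized and continuously validated. Each request is checked for MFA, device posture and least-privilege entitlement; the source network is written to the audit log but never consulted for the decision; a session is re-evaluated against fresh posture and revoked when a check stops passing. The application names, roles, posture check names and sample requests are constructed for illustration.

```python
"""Added example: a minimal Zero Trust policy decision point (PDP).
Not code from the original post or any vendor product. App names, roles,
posture checks and sample requests are constructed for illustration."""
from dataclasses import dataclass, replace
import json

# Constructed per-application entitlements (least privilege): who may reach
# what, and the minimum assurance required. Anything not listed is denied.
APP_POLICY = {
    "payroll": {
        "roles": {"hr"},
        "require_mfa": True,
        "require_managed_device": True,
        "min_posture": {"disk_encrypted", "edr_running", "os_patched"},
    },
    "partner-portal": {
        "roles": {"partner", "hr"},
        "require_mfa": True,
        "require_managed_device": False,
        "min_posture": {"os_patched"},
    },
}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    roles: frozenset          # roles asserted by the identity provider
    mfa_verified: bool        # strong MFA completed for this session
    device_managed: bool      # device enrolled in MDM / known to the org
    posture: frozenset        # posture checks that currently pass
    source_network: str       # "corp-lan", "home", ...: logged, never trusted
    app: str


@dataclass
class Decision:
    allow: bool
    reasons: list             # every failed check, so denials are explainable


def evaluate(req: AccessRequest) -> Decision:
    """Verify explicitly + least privilege. Default deny."""
    policy = APP_POLICY.get(req.app)
    if policy is None:
        return Decision(False, ["no policy for app (default deny)"])
    reasons = []
    if policy["require_mfa"] and not req.mfa_verified:
        reasons.append("mfa required")
    if policy["require_managed_device"] and not req.device_managed:
        reasons.append("managed device required")
    missing = policy["min_posture"] - req.posture
    if missing:
        reasons.append("posture failed: " + ",".join(sorted(missing)))
    if not (req.roles & policy["roles"]):
        reasons.append("role not entitled to app")
    # req.source_network is intentionally not consulted: being on the
    # corporate LAN earns no trust.
    return Decision(not reasons, reasons)


def revalidate(req: AccessRequest, fresh_posture) -> Decision:
    """Continuous validation: re-run the policy with the endpoint's latest
    posture. A session already granted is revoked if a check now fails."""
    return evaluate(replace(req, posture=frozenset(fresh_posture)))


def audit_record(req: AccessRequest, decision: Decision) -> str:
    """Assume breach: every decision, allow or deny, becomes one JSON log
    line with enough context to reconstruct the access later."""
    return json.dumps({
        "user": req.user,
        "app": req.app,
        "allow": decision.allow,
        "reasons": decision.reasons,
        "mfa": req.mfa_verified,
        "managed": req.device_managed,
        "posture": sorted(req.posture),
        "source_network": req.source_network,
    }, sort_keys=True)


if __name__ == "__main__":
    full = frozenset({"disk_encrypted", "edr_running", "os_patched"})
    # On the corporate LAN but without MFA: denied, location buys nothing.
    lan = AccessRequest("alice", frozenset({"hr"}), False, True, full, "corp-lan", "payroll")
    # From home with MFA, managed device and clean posture: allowed.
    home = AccessRequest("alice", frozenset({"hr"}), True, True, full, "home", "payroll")
    # Third party on an unmanaged device: reaches only the partner portal.
    partner = AccessRequest("bob@partner", frozenset({"partner"}), True, False,
                            frozenset({"os_patched"}), "partner-office", "partner-portal")
    for r in (lan, home, partner):
        print(audit_record(r, evaluate(r)))
    # Mid-session the EDR agent stops: the next revalidation revokes access.
    print(audit_record(home, revalidate(home, full - {"edr_running"})))
```

The point worth noticing is what the decision does not use: `source_network` appears only in the log. A partner who is entitled to `partner-portal` gets nothing else, with no network path to pivot from, which is the "restricted third-party access without lateral movement" case mentioned in the side note above.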

We can and should consider the internal network as a hostile environment.

But, it is important not to become overzealous. Do not simply restrict access just because we can - take a step back and think what are our objectives?

Remember, the main objective is to enable the business, not to make it hard for employees to do their job.

Meet the customer where they are - assure them that deploying Zero Trust does not necessarily mean they have to change how their users currently work.

To successfully deploy Zero Trust, ask two questions:

  • WHAT is the customer trying to do?
  • WHY are they trying to do it?

Zero Trust needs to be deployed in a way that enables the business with as little end-user disruption as possible, ideally improving their productivity.