No exceptions: Authenticate everyone and everything
The zero-trust model is a powerful authentication framework for today’s untrustworthy digital age. In this model, every human, endpoint, mobile device, server, network component, network connection, application workload, business process, and flow of data is inherently untrusted.
As such, they each must be authenticated and authorized continuously as every transaction is performed, and all actions must be auditable in real time and after the fact. Zero trust is a living system, with all access rules under continuous review and modification, and all allowed transactions under constant re-inspection. Gartner, Inc. predicts that by 2026 10% of large enterprises will have a mature and measurable zero-trust program in place, up from less than 1% today.” So, why does it seem like it’s taking the world so long to adopt zero trust? Because it’s difficult to integrate at an enterprise-wide, scalable level.
Zero trust isn’t just a isn’t just a talking point about the state of things in five years time – it’s a necessary and fundamental change to how an organization approaches access, authentication, authorization, auditing, and continuous monitoring. A robust identity and access management (IAM) program is a starting point for each and every security organization trying to stay ahead of malicious actors.
You won't adopt zero trust overnight, but you can begin the journey today, knowing that you're on the path to helping your organization protect itself from all manner of current and future threats.
Zero trust works by helping security organizations realize the power of least privileged access (LPA) – the concept that individuals and components should only have the most minimal access necessary to perform a required action. It initially applies a second authentication factor to a user previously verified by a preliminary set of credentials.
The entire authentication attempt is risk-assessed in real time to see if, for example, an individual's connection is in an allowed geofence, that the access time is within the usual operating mode of that person, and that the individual does not already have an established session.
Even if an attacker managed to obtain multi-factor codes via – for example – a weaker SMS 2-factor authentication (2FA) that was all an organization could afford to implement – they may achieve a successful connection, but would not have general access to all intranet systems and services. In fact, the VPN connection would only grant them access to a defined set of applications or services. If the attacker makes any attempt to try a network scan or perform other behavioral network actions, monitoring systems would be alerted and that individual and connection would be quarantined for investigation.
Each transaction has a defined set of authentication, authorization, and behavior-auditing rules that continually let the overarching zero-trust system ensure the safety of the interactions.
The zero-trust security methodology can really apply to any device, application, or human connecting to the internet or connected systems. Authentication applies in all cases – especially those of a sensitive nature – in order to best protect the business. Let’s take a look at some specific use cases:
Internet of Things (IoT) devices are constantly sending and requesting data from any number of applications on a company’s network. In more traditional security models, IoT devices were imparted a certain level of trust based on a multitude of factors. As the number of these devices – and the attack surface of their users – expands, it’s critical to implement zero trust so that security is hardened and everything is authenticated.
The pandemic was a gift for attackers due to companies around the world scrambling to set up a remote workforce to mitigate productivity downturns. Attack perimeters expanded almost overnight as proper security became secondary to keeping businesses running.
Emerging from the pandemic, much of the global workforce is hybrid – a few days in the office, a few days at home – so solutions like zero trust should remain in place in order to protect businesses in this new normal. Each worker must authenticate their access to corporate network applications, every day.
Relying on third party suppliers and vendors is the baseline in today’s economy. No business or security organization can be entirely independent and thrive. Stakeholders must assume that any access to its network by a third party is a vulnerability. Therefore, those outside vendors must continuously validate and authenticate their network presence in order to mitigate cyberthreats that may emerge from that supplier’s own environment.
Root causes of ransomware are attributable to a multitude of errors: misconfiguration, human, weak authentication protocols, and general lack of cybersecurity awareness. Ok, so lots of those are human-attributable. That’s why a zero-trust architecture is a crucial weapon in the fight against ransomware – it requires authentication of access to only the area where a human or application needs to take action.
While this section could fill an entire book, let's talk about the scenario of the beginning of a zero-trust journey. To make the initial move, you'll need to pick at least one business process or service-access scenario to move to this new model.
Every component and individual responsible for enabling a business process or service must be identified and the architecture fully documented. At this point, you may find you need to reimagine the architecture to ensure you have the necessary control and audit points in place.
You'll then need authentication, authorization, auditing, risk-assessing, and enforcement solutions to support the access decisions at each connection in the process or service. Finally, you'll need staffing to support creation and maintenance of the rules that are enforced, along with traditional patching, mitigation, and configuration management enforcement activities.
Then, repeat for all other processes and services. In other words, it’s quite an effort to get scalable zero trust off the ground.
However, you should not – and, in reality, cannot – move every business process and service to zero trust all at once. Once you've assessed that initial service, begin the groundwork of acquiring the necessary tools and hiring the necessary staff to ensure a successful outcome. Then, you can transition that initial service over to zero trust when funding and time are on your side, and leave it in place for a while as you evaluate what it takes to maintain safety and resilience. Once you’ve adjusted your tooling and staffing plans accordingly, you can get to work on the remaining processes or services.
Thankfully, you may have many of these components and personnel in place within existing security and compliance solutions and processes, and you can finally employ more of your existing investments' capabilities than the 5-15% most organizations generally utilize.
One of the biggest mindset challenges to overcome when introducing zero trust into your organization is the fear that the constraints that the model imposes will reduce productivity and hamper creativity. These fears can be overcome with the right framing of zero trust: