What is a Zero Trust architecture and can you trust it?
11 Mar, 2021 9 min read
The traditional security model wrongly assumes that everything inside the corporate boundary is safe and trusted, and that anything which comes from the outside must be treated with suspicion. We call this the ‘castle and moat’ approach and it’s flawed for three reasons.
Flaw one: No one knows where the network boundary is.
Firstly, the concept of ‘inside’ the corporate boundary is very tricky these days, particularly with the rapidly growing number of remote workers. Customers, partners and the supply chain all expect to use ‘inside’ resources; and cloud services could equally be considered ‘inside’ or ‘outside’ depending on how they are used. The honeycombed nature of corporate networks has been discussed for a long time, and as organisations integrate with each other further, and continue to use more and more cloud services, this discussion is set to continue.
Flaw two: Zero Trust based networks are still susceptible to hacks.
Secondly, it is highly likely that every organisation will get hacked. We need look no further than SolarWinds, FireEye, Malwarebytes and various US Government departments to see that even the best protected networks can be breached.
By recognising this, the CISO must accept that not everything ‘inside’ the network can be trusted.
By recognising this, the CISO must accept that not everything ‘inside’ the network can be trusted.
Flaw three: Rogue insiders will always be inside Zero Trust based networks.
Thirdly, there is the rogue employee. This is an individual who, from an IT security point of view is ‘inside’ the network and is therefore trusted with access to a range of systems and data so that they can do their job. But in many businesses access controls are not up to date and this leaves data open to individuals who no longer have any job requirement for access. According to a Ponemon report, 75% of employees said they have access data which they shouldn’t.
So, if the conventional wisdom of corporate security is flawed, what are our options?
So, if the conventional wisdom of corporate security is flawed, what are our options?
What does Zero Trust really mean?
The idea of Zero Trust stems from the realisation that trust in the digital world represents a vulnerability. That means, trust in this context is a bad thing. In the traditional architecture, access to an asset is granted simply because the user is logged on to a system on the inside and they are therefore trusted.
A true Zero Trust model therefore turns this on its head by eliminating trust from the IT architecture. So, whenever an attempt is made to access an asset, for example a network segment, the user must authenticate to prove their identity and check their authority to be granted access. With this identity-aware approach to IT asset access, any successful cyber-attack has only limited scope.
In a Zero Trust architecture, it is assumed that nothing on the inside can be trusted implicitly. Each asset – like endpoints, applications and data stores – has a defined ‘protect surface’ that forms a security shield. To get through this shield, a transaction must conform to a policy that defines legal transaction flows which result in an access request, plus authentication and authorisation requirements.
A true Zero Trust model therefore turns this on its head by eliminating trust from the IT architecture. So, whenever an attempt is made to access an asset, for example a network segment, the user must authenticate to prove their identity and check their authority to be granted access. With this identity-aware approach to IT asset access, any successful cyber-attack has only limited scope.
In a Zero Trust architecture, it is assumed that nothing on the inside can be trusted implicitly. Each asset – like endpoints, applications and data stores – has a defined ‘protect surface’ that forms a security shield. To get through this shield, a transaction must conform to a policy that defines legal transaction flows which result in an access request, plus authentication and authorisation requirements.
What’s the business value of a true Zero Trust approach?
This all sounds very complicated and expensive, so here’s an analogy to make it easier. Rather than having just one security guard on the front door, a Zero Trust architecture effectively places guards at every door in the building. Not only that, each guard has their own list detailing what people are authorised to do IF they are allowed to enter. Now that protection is part of the IT asset itself, users can make use of assets from any location, using any device. The Zero Trust principle therefore enables people to work in the most efficient and convenient manner, which in turn increases business efficiency and productivity. If commentators are correct, post-pandemic businesses will continue to offer workplace flexibility to their staff, so a Zero Trust architecture provides the tools to support this in a more secure manner.
Business agility is also improved. Applications, data, and services can all be moved, modified, and merged without needing to be concerned about the security of its containing environment. The protected surface is an attribute of the asset, not where it happens to be.
Finally, risks are reduced, leading to a lower likelihood of an extensive cyberattack or data breach. This is achieved because Zero Trust limits the scope of any damage.
Business agility is also improved. Applications, data, and services can all be moved, modified, and merged without needing to be concerned about the security of its containing environment. The protected surface is an attribute of the asset, not where it happens to be.
Finally, risks are reduced, leading to a lower likelihood of an extensive cyberattack or data breach. This is achieved because Zero Trust limits the scope of any damage.
With a true Zero Trust model, risk-return is balanced
Much like our very real and current balance during the pandemic between public health and the economy, all cybersecurity measures – Zero Trust included – must balance usability and security.
As an example, most Zero Trust implementations go hand-in-hand with some kind of Single Sign-On solution. This balances convenience and efficiency against the strength of security as users are not constantly pestered for their user credentials - authentication is managed behind the scenes on their behalf.
Without a Zero Trust model, if you tip the balance one way, productivity takes a dive, while the other way increases the risk of data theft and disruption.
As an example, most Zero Trust implementations go hand-in-hand with some kind of Single Sign-On solution. This balances convenience and efficiency against the strength of security as users are not constantly pestered for their user credentials - authentication is managed behind the scenes on their behalf.
Without a Zero Trust model, if you tip the balance one way, productivity takes a dive, while the other way increases the risk of data theft and disruption.
Implementing a true Zero Trust model
Fortunately, a Zero Trust architecture is something that can be deployed in a piecemeal fashion. By gradually segmenting a network and placing controls such as multi-factor authentication, principles of least privilege and the validation of all endpoint devices, an organisation can grow the Zero Trust architecture from a small base, to eventually cover their entire network.
However, this is often as far as organisations get . What if some external party manages to evade all these controls, then accesses IT assets? What if a member of staff decides to go rogue? What if a software vulnerability is exploited, leading to data theft? SolarWinds springs to mind.
The problem with most Zero Trust implementations is that they don’t take the concept far enough. They end up with a network that has many ring-fences, each with their own controls. However, the data inside the fences is not secured, so anyone that manages to get inside will have free reign over information stored.
It’s a little like security boxes inside a vault, where the individual must identify themselves at the bank, pass through locked doors then use their key plus a bank key to open the box. Once through all these layers of security the individual can simply walk out with the contents of the box. Which is fine, but only if they are the true owner.
However, this is often as far as organisations get . What if some external party manages to evade all these controls, then accesses IT assets? What if a member of staff decides to go rogue? What if a software vulnerability is exploited, leading to data theft? SolarWinds springs to mind.
The problem with most Zero Trust implementations is that they don’t take the concept far enough. They end up with a network that has many ring-fences, each with their own controls. However, the data inside the fences is not secured, so anyone that manages to get inside will have free reign over information stored.
It’s a little like security boxes inside a vault, where the individual must identify themselves at the bank, pass through locked doors then use their key plus a bank key to open the box. Once through all these layers of security the individual can simply walk out with the contents of the box. Which is fine, but only if they are the true owner.
It must be assumed that your organisation will be hacked
In implementing true Zero Trust, it is common for an organisation to segment the network, identifying the most sensitive data and assets, separating them from the rest of the network protected behind secure fences.
Leaving aside the significant problem of accurately defining, identifying, and segregating this most sensitive data, there’s one major pitfall with this concept. That is that humans are involved. The inconvenient truth is humans do what’s most convenient rather than what’s expected from an IT security point of view.
However, playing cat and mouse with the company IT security is a risk no business can afford. A ransomware attack that is becoming more prevalent is where a specific senior executive is targeted. Once the cybercriminal has gained system access, they look for information that will cause maximum embarrassment. This could be corporate – like legal action against the company – or personal. Either way, the information tends to be held locally and not in the supposedly secure vaults established by the IT department. I wonder what information was on Nancy Pelosi’s laptop that was stolen in Washington’s Capitol riots?
Organisations must implement an additional layer of technology in their Zero Trust architecture that builds security right into data – all data in all locations. This can be achieved by enforcing data authentication, and by encrypting every data file. This way, the ‘crown jewels’ that a Zero Trust architecture is built to protect, are being protected inherently, whether stored in the ‘secure vaults’ or anywhere else.
Leaving aside the significant problem of accurately defining, identifying, and segregating this most sensitive data, there’s one major pitfall with this concept. That is that humans are involved. The inconvenient truth is humans do what’s most convenient rather than what’s expected from an IT security point of view.
However, playing cat and mouse with the company IT security is a risk no business can afford. A ransomware attack that is becoming more prevalent is where a specific senior executive is targeted. Once the cybercriminal has gained system access, they look for information that will cause maximum embarrassment. This could be corporate – like legal action against the company – or personal. Either way, the information tends to be held locally and not in the supposedly secure vaults established by the IT department. I wonder what information was on Nancy Pelosi’s laptop that was stolen in Washington’s Capitol riots?
Organisations must implement an additional layer of technology in their Zero Trust architecture that builds security right into data – all data in all locations. This can be achieved by enforcing data authentication, and by encrypting every data file. This way, the ‘crown jewels’ that a Zero Trust architecture is built to protect, are being protected inherently, whether stored in the ‘secure vaults’ or anywhere else.
File-level data encryption
At the end of the day, it’s the information itself which we’re trying to protect. If the infrastructure can be organised so that, when data gets stolen, it’s in a form that is complete garbage to the thief, then the information remains protected even though it’s in the wrong hands.
Data encryption is traditionally seen as something complex, expensive and scary, so we tend to toy with it rather than embrace it. For example, full disk encryption is easy – we leave it up to the OS vendor and just forget about it. The catch is that full disk encryption doesn’t actually stop anyone stealing data from a live system. And Transparent Data Encryption for databases is also fit-and-forget – all it does is create another security silo outside of which data becomes unprotected.
File-level encryption seems to be treated as something dangerous; something a bit edgy that needs to be applied with care only to the most sensitive information. Which is odd, since modern file-level encryption, like the SecureAge Security Suite, should be applied universally.
The problem with only encrypting the most sensitive information is that it’s difficult to work out exactly, and reliably, what ‘sensitive information’ really is. And importantly, where it is. As previously mentioned, people will run reports, write documents and manipulate potentially sensitive information in spreadsheets, often storing them in unexpected and unprotected locations.
Don’t forget test environments – they aren’t safe either? Just look at how Equifax lost control over their users’ plaintext passwords? The reality is, you may think that you’re sure you’ve identified all sensitive data. But how sure can you possibly be?
Our data encryption solution is a tried and tested technology that balances security with useability and makes universal data encryption a reality.
Should we trust Zero Trust?
Yes… and no. If all a Zero Trust implementation does is to chop up a network, then it will reduce the scope of some cyber-attacks. What about insiders? Or compromised user accounts? Or socially engineered attacks? The list goes on.
The truth is, many data breaches are due to someone using a valid user account to access information. These so-called legitimate users have access to data that can then easily be stolen because the data has no inherent, built-in protection.
While the concept of Zero Trust is valid, the implementation must be taken right down into the data – all data, everywhere. Simply building more fences around data is just beefing up the old castle and moat architecture. By extending protection inside data itself we can truly say that Zero Trust is trustworthy.
