May 30, 2019

Security gurus and analysts regularly come up with new ways to make cybersecurity more manageable. Over the years we have had all sorts of ‘approaches’ to fixing security problems: ‘Defence in Depth’, ‘layered security’, the ‘Walled Garden’, the NIST Risk Management Framework, and so on. They all have merit; each is an attempt to break security down into something an organisation can act on with practical advice.

But things change, and especially the tactics used by cybercriminals as our technology environment evolves. Zero Trust security is a reflection of those changing times. Here we look at what Zero Trust security is and what it means in practical terms.

What is a Zero Trust Security Model?

Zero Trust security is currently in its second version. The first version, formulated by Forrester analyst John Kindervag and published back in 2009, was a reaction to the changing enterprise perimeter brought about by the rise of Cloud computing. This new paradigm changed the fabric of work by moving data storage, and the applications that create, share and use that data, onto Cloud-based servers. Once the data no longer sat inside the corporate network, a wall around that network was no longer a sufficient way of keeping threats away from it.

The mainstay of the original Zero Trust model was to place data at the centre of the security universe, a ‘data-centric’ model of security. What does that mean? To secure data you have to know what it is, where it goes, and how it is used. In other words, you need a map of the data lifecycle and data flows. Only then can you place security controls where they actually protect that data.

To make security follow the data, the starting point had to be that no network traffic is trusted by default, whether it originates inside or outside the corporate network; hence ‘Zero Trust’.

Five Steps to Security

Zero Trust Security sets out a five-step plan. The plan rests on two prerequisites from which the rest of the security design follows: the creation of ‘microperimeters’ around data, and the principle of “Never Trust, Always Verify”.

The security problems that Cloud computing created came down to the breaking of the traditional enterprise perimeter. The answer was to replace the single perimeter with many decentralised ones. In a nutshell: know what data you are dealing with and place each class of it inside its own perimeter; use encryption and similar techniques to secure the data; control who can access it; then monitor how it is used.

The five steps then fall out of this baseline exercise:

  1. Know your data: Forrester suggested starting by classifying data into levels of sensitivity. Each class of data is then placed in its own microperimeter with security appropriate to that level.
  2. Map your data: Trace where each class of data is created, stored and used, and which systems and people it flows between. The plan suggests grouping these flows into ‘micronetworks’.
  3. Architect Zero Trust microperimeters: With the classification and the flows known, you can implement the most appropriate security for each microperimeter. This step applies both physical and virtual security controls.
  4. Security automation and orchestration: Turn the analysis into enforceable rules on how data is created and used, applied at the microperimeters, so that decisions are made consistently by policy rather than by hand.
  5. Continuously monitor: An important aspect of the Zero Trust model is continuous auditing and logging, looking for malicious events across the whole microperimeter ecosystem.

The thinking behind all of the above is that:

  1. You know where everything is and what it is for.
  2. You enforce access on a need-to-know basis.
  3. You verify and never automatically trust.
  4. You inspect and log all network traffic, internal as well as external.
  5. The network is designed from the ground up around explicit trust decisions, not around a single perimeter.

Zero Trust eXtended Ecosystem – Next Gen Trust

The newest flavour of Zero Trust is the Zero Trust eXtended Ecosystem (ZTX). It takes the first version and expands it to put more focus on identity and access control. Alongside data, the extended model brings people and devices explicitly into scope.

Why is this so? Again, this update to the Zero Trust model is the result of our changing technology environment. The increased use of the Internet of Things (IoT), mobile computing, and ever more Cloud-based applications meant the model had to evolve to reflect where data is now accessed from.

In a Zero Trust eXtended ecosystem, every single point in the system has security applied to it. In practice, this means a highly flexible identity management system on which Privileged Access Management (PAM) can be built. To achieve this, you have to verify who is accessing data across the entire expanded ecosystem, right out to edge devices like IoT and mobiles. That requires robust authentication, such as Multi-Factor Authentication (MFA), and risk-based authentication that can upgrade or downgrade a session's privileges as the risk signals change. It gets more complicated still when you add external users such as customers and vendors.
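The five steps above and the ZTX additions (identity, device posture, risk-based step-up and step-down) can be shown together in a small policy decision point. The following is an added example written for this page, not code from Forrester or from the original post: every request is denied unless a rule attached to the data's microperimeter explicitly allows it, the source IP address is recorded but never consulted, and each decision is logged for continuous monitoring. The resource names, role names, sensitivity levels and risk thresholds are illustrative assumptions.

```python
"""
Added example (not from the original post): a minimal Zero Trust policy
decision point. Every request is denied unless a rule explicitly allows it,
and the source network is logged but never trusted. Data classes, resource
names, roles and risk thresholds below are illustrative assumptions.
"""
from dataclasses import dataclass
from enum import IntEnum


class Sensitivity(IntEnum):
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


# Steps 1-2: know and map the data. Each resource belongs to exactly one
# microperimeter, identified here by its sensitivity level (constructed sample).
DATA_INVENTORY = {
    "public-website": Sensitivity.PUBLIC,
    "intranet-wiki": Sensitivity.INTERNAL,
    "customer-db": Sensitivity.CONFIDENTIAL,
    "payroll": Sensitivity.RESTRICTED,
}

# Steps 3-4: the rule attached to each microperimeter. "anyone" means a
# verified identity is enough; otherwise the subject needs one of the roles.
ROLE_ENTITLEMENTS = {
    "public-website": {"anyone"},
    "intranet-wiki": {"employee", "contractor"},
    "customer-db": {"support", "finance"},
    "payroll": {"finance"},
}

# ZTX additions: a risk score (0.0 clean .. 1.0 compromised) from an assumed
# risk engine, used to upgrade or downgrade what a session may do.
STEP_UP_RISK = 0.5  # at or above this, demand MFA whatever the data class
DENY_RISK = 0.8     # at or above this, deny everything except PUBLIC data

# Step 5: every decision, allow or deny, is appended here for monitoring.
AUDIT_LOG = []


@dataclass(frozen=True)
class Request:
    subject: str
    roles: frozenset
    resource: str
    mfa: bool
    device_managed: bool
    risk_score: float
    source_ip: str  # logged only; an "inside" address earns no trust


def _evaluate(req: Request):
    # Unclassified data has no microperimeter, so no rule can allow access to it.
    if req.resource not in DATA_INVENTORY:
        return "deny", "unclassified resource"
    sens = DATA_INVENTORY[req.resource]
    entitled = ROLE_ENTITLEMENTS[req.resource]
    if "anyone" not in entitled and not (req.roles & entitled):
        return "deny", "no entitlement for this microperimeter"
    if sens == Sensitivity.PUBLIC:
        return "allow", "public data"
    # Risk-based downgrade: a session that looks compromised loses all non-public access.
    if req.risk_score >= DENY_RISK:
        return "deny", "risk score %.2f at or above %.2f" % (req.risk_score, DENY_RISK)
    if sens >= Sensitivity.RESTRICTED and not req.device_managed:
        return "deny", "restricted data requires a managed device"
    # Step-up: confidential data always needs MFA, and so does any elevated-risk session.
    needs_mfa = sens >= Sensitivity.CONFIDENTIAL or req.risk_score >= STEP_UP_RISK
    if needs_mfa and not req.mfa:
        return "step_up", "multi-factor authentication required"
    return "allow", "verified identity, device and risk within policy"


def decide(req: Request):
    """Return (outcome, reason); outcome is 'allow', 'step_up' or 'deny'. Always audited."""
    outcome, reason = _evaluate(req)
    AUDIT_LOG.append({
        "subject": req.subject,
        "resource": req.resource,
        "class": DATA_INVENTORY[req.resource].name if req.resource in DATA_INVENTORY else "UNCLASSIFIED",
        "source_ip": req.source_ip,
        "outcome": outcome,
        "reason": reason,
    })
    return outcome, reason


if __name__ == "__main__":
    samples = [  # constructed requests
        Request("alice", frozenset({"finance"}), "payroll", True, True, 0.1, "10.0.0.5"),
        Request("alice", frozenset({"finance"}), "payroll", True, False, 0.1, "10.0.0.5"),
        Request("bob", frozenset({"support"}), "customer-db", False, True, 0.1, "203.0.113.9"),
        Request("carol", frozenset({"employee"}), "intranet-wiki", False, True, 0.6, "10.0.0.7"),
        Request("carol", frozenset({"employee"}), "payroll", True, True, 0.1, "10.0.0.7"),
    ]
    for r in samples:
        outcome, reason = decide(r)
        print(f"{r.subject:6} {r.resource:15} {outcome:8} {reason}")
    print(f"{len(AUDIT_LOG)} decisions audited")
```

Note that the same request from 10.0.0.9 and from 203.0.113.9 gets the same answer: location on the network is not a trust signal, only a field in the audit record. A real deployment would take the risk score from a device or behaviour analytics service and would enforce the decision at the microperimeter (gateway, proxy or workload) rather than in the application.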

Is Zero Trust the Ultimate Security Model?

As we have seen, security models come and go. Some, like Zero Trust, are built on solid foundations that reflect how systems and data actually work. Even these models end up being built on as our technology environment and cybercrime tactics change. Zero Trust has people, devices, and data at its heart.

Because of that, it has natural extensibility baked into its ethos. The way we work is likely to change again as automation and data analytics, incorporating Artificial Intelligence techniques, come into wider use, and that will almost certainly bring another change to the Zero Trust model. Since the basis of Zero Trust security is sound, however, the change is likely to be an addition or ‘upgrade’ to the areas it covers rather than a replacement.

That might mean adding more elements of privacy and consent, and expanding the model beyond a corporate-only view of security to a more global one that places external users under the same care.
