ZERO TRUST (ZT) is a concept that sounds remarkably straightforward. By trusting no one, it’s possible to protect everything, right? Not so fast. Like almost everything else in the world of cybersecurity, it’s complicated. For channel pros, sorting through zero trust and putting a zero-trust framework into motion for customers can be daunting. But with the right tools and solutions, it’s possible to turn zero trust from concept to reality for your customers.
Today the term “zero trust” is much hyped, carries a variety of definitions, and comprises a remarkable array of moving parts and pieces that intersect IT systems and departmental lines. “The complexity of zero trust makes it difficult to understand,” states Robert Boles, president of cybersecurity firm BLOKWORX.
For channel pros, a starting point for navigating zero trust is to understand what it is—and what it isn’t. Zero trust is not a product or technology; it’s a framework. It does not revolve around any single vendor or approach. Although many vendors promote their hardware and software as “zero trust”—and their products address key elements of cybersecurity—they are simply a piece of a very large and complex ecosystem.
Zero trust revolves around a key concept: An organization trusts only the people, devices, and data it must trust, and it constantly verifies everything that must be trusted. The framework discards the idea that it’s critical to protect a perimeter, and instead focuses on establishing fine-grained user and data controls. It incorporates continuous risk assessment, the ability to understand network and data in context, and the provision of legitimate access to assets from any place and at any time.
Developing a zero-trust model requires a long-term perspective. “Zero trust is not a destination. It’s a journey that involves constantly reviewing and analyzing an IT framework for appropriate protections and segmentation,” explains Bruce McCully, chief security officer at cybersecurity firm Galactic Advisors. “There are vendors with great tools and technologies for tackling zero trust, but it’s ultimately about people, processes, and continuous monitoring.”
What ZT Looks Like
The origins of zero trust date back to 2009. That’s when former Forrester analyst John Kindervag, now senior vice president at zero-trust managed security provider ON2IT, introduced the idea that all network traffic should fall into the category of “untrusted.” His original model focused on three key components: accessing all resources securely regardless of geography, providing access only as it’s needed, and inspecting and logging all traffic to verify that users are doing what they are supposed to be doing.
Not surprisingly, zero trust has evolved considerably—partly in response to the cloud, mobility, and the Internet of Things. In 2017, Gartner introduced the Continuous Adaptive Risk and Trust Assessment (CARTA) framework, which builds upon the original Forrester zero-trust model. It shifts the focus away from singular security gates to a comprehensive fabric of protection that’s adaptive and depends heavily on context. It relies on analytics to match risks and risk-tolerance to real-world protection and the everyday needs of users.
While ZT is now a mainstream concept, implementation lags. A January 2022 report from Forrester and security firm Illumio, Trusting Zero Trust, found that while more than three-quarters of business leaders recognize the value of ZT, only 6% say their firm’s plan is complete. In fact, only 36% of respondents’ organizations have started to deploy their solutions and 67% face challenges in getting stakeholders to understand and accept ZT.
Putting Zero Trust into Motion
Protecting assets and data within a zero-trust model ultimately involves four key areas: policies and procedures, identity management, network access, and data protection. Not surprisingly, weakness in any of these pillars can make a business vulnerable. Yet, the overall complexity of ZT means that it’s not a single-step process. “It’s wise to start with the biggest and most consequential risks and then expand the process,” McCully advises.
Here’s a look at these four areas and how channel pros can play a role in building a zero-trust framework:
Policies and Procedures
A ZT framework must deliver definitive rules for what people should and shouldn’t be doing—and what access they should or shouldn’t have. This isn’t a decision solely for IT and security groups who, left to their own devices, “may create unrealistic standards that make it difficult or impossible for people to get their work done,” says Jason Slagle, president of IT consulting firm CNWR. “It’s important to include business and legal groups in the process. They need to define what the policies will be and then the IT and security people can put the proper technologies in place to protect systems and data.”
At a broad scale, an organization must consider regulatory and compliance issues, such as the EU’s General Data Protection Regulation and the California Consumer Privacy Act, as well as industry standards. It must also conduct a detailed analysis of data value and data types to develop policies and procedures that make identity management, network access, and data protection possible at a zero-trust level. The policies serve as the foundation for network segmentation, microsegmentation, and more advanced forms of authentication.
It’s critical to build a secure zero-trust model that taps technology to support the way people work. Policies and procedures must consider how people use personal devices and software, including smartphones and removable storage media. “These cannot be long and complex policies that cause people’s eyes to glaze over,” Slagle cautions. “They must be achievable and enforceable.” Adds Boles: “Policies and procedures are only as good as your adherence to them. If you don’t audit, test, and enforce them, it’s a fool’s errand.”
Identity Management
Knowing who people are is at the foundation of zero trust. The problem is that existing authentication systems, such as passwords, are woefully obsolete and subject to compromise. Even more advanced multifactor authentication and biometric systems can’t guarantee a high level of protection. It depends on how they are designed and used.
For example, an organization might rely on text codes to authenticate users, but these can be intercepted, particularly if crooks have already compromised a user’s credentials and account. Sophisticated token devices such as YubiKeys are easily bypassed if a user doesn’t have the device on hand and the system reverts to a text code. Once the thief has the code—and entry into the account—an entire network may be at risk.
“You have to put some serious thought into the authentication process,” McCully says. “MFA and more advanced biometrics often appear to be easy to implement on the surface, but you can easily find yourself in the weeds sorting out practical realities. You have to balance easy access with strong protection. Otherwise, you risk people bypassing the system and defeating other security protections.”
What does best-practice identity management look like? It’s best to use rolling codes from apps such as Microsoft Authenticator or Google Authenticator for MFA and migrate to more advanced forms of biometrics, including selfies with QR codes and voiceprint technology that can match the information with a time and location stamp. Forrester senior analyst Sean Ryan recommends that organizations begin moving to passwordless through clouds and SaaS-based applications and ensuring that directory services and identity and access management (IAM) systems can support it.
Several major vendors are leading the charge to passwordless. For instance, Microsoft supports the more advanced FIDO2 authentication standard, which is built around biometrics and digital tokens. Every Windows device now supports passwordless access both locally and in the Azure public cloud. Google and Apple are also incorporating FIDO2 into various processes.
Meanwhile, though massive cloud adoption is changing IAM requirements, it doesn’t eliminate the need for IAM because many databases, file shares, and data access points intersect with conventional systems. As a result, it’s critical to focus on a unified IAM strategy that can identify needed changes, translate access management from legacy systems, and incorporate SSO and MFA within a zero-trust model.
Network Access
A core tenet of ZT is network segmentation. This typically means least-privilege access: people, devices, and data get only the access their roles and requirements call for. For instance, someone from human resources shouldn’t have access to finance data that isn’t necessary for the job, and finance teams shouldn’t have access to HR records or any other nonessential data. Network segmentation means that people working in different departments aren’t on the same network, and they don’t have direct access to the servers.
Many organizations use Active Directory for managing access, but it’s widely acknowledged that this is just a starting point. Complex IT frameworks and multicloud environments often require more advanced identity management tools. What’s more, the default settings for Active Directory—as well as those of many cloud services—can put an enterprise at grave risk. There are millions of daily attacks on Active Directory, many of which involve privileged access.
Making matters worse, virtual private networks (VPNs) and MPLS technologies introduce additional security layers that can complicate cloud deployments. As a result, it’s wise to move to faster, direct-to-cloud access whenever possible. It delivers a private connection between dedicated infrastructure and a public cloud provider, often through a cross connect within a colocation data center.
Contextual network access is a crucial element within zero trust, Slagle notes. It can determine if and when a user meets a critical threshold for security. Those that fall beneath the line—such as a person logging in from an unusual IP address or at an odd time—may have to authenticate further before gaining access to network resources. It’s also possible to temporarily deny the logon until a human can review the situation.
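The contextual check described above can be expressed as a small policy engine: score the login context, then allow, demand further authentication, or hold the logon for human review. The following is an added example, not code from the article or from any product it mentions; the signals, weights and thresholds are illustrative choices, and the user profile and login events are constructed sample data using RFC 5737 documentation addresses.

```python
# Added example (not from the article): a context-aware access decision.
import ipaddress
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass
class UserProfile:
    known_networks: List[str]               # CIDRs the user normally logs in from
    known_devices: Set[str]                 # device IDs previously enrolled
    work_hours: Tuple[int, int] = (7, 19)   # local hours [start, end) considered usual


@dataclass
class LoginEvent:
    user: str
    source_ip: str
    hour_local: int
    device_id: str
    mfa_passed: bool = False


def risk_signals(event: LoginEvent, profile: UserProfile) -> Tuple[int, List[str]]:
    """Score the login context; every signal adds to the score and is recorded as a reason."""
    score, reasons = 0, []
    ip = ipaddress.ip_address(event.source_ip)
    if not any(ip in ipaddress.ip_network(net) for net in profile.known_networks):
        score += 2  # illustrative weight: unfamiliar network is the strongest signal here
        reasons.append("unusual source IP")
    start, end = profile.work_hours
    if not start <= event.hour_local < end:
        score += 1
        reasons.append("outside usual hours")
    if event.device_id not in profile.known_devices:
        score += 1
        reasons.append("unrecognised device")
    return score, reasons


def decide(event: LoginEvent, profile: UserProfile,
           step_up_at: int = 1, hold_at: int = 3) -> Tuple[str, List[str]]:
    """Map the score to a decision: allow, require step-up auth, or hold for review.

    A score at or above `hold_at` is held regardless of MFA so a human can look;
    between the thresholds, a completed MFA challenge is enough to proceed.
    """
    score, reasons = risk_signals(event, profile)
    if score >= hold_at:
        return "hold_for_review", reasons
    if score >= step_up_at and not event.mfa_passed:
        return "step_up_auth", reasons
    return "allow", reasons


# Constructed sample profile and events (documentation address ranges, RFC 5737).
PROFILE = UserProfile(known_networks=["203.0.113.0/24"], known_devices={"lap-01"})
SAMPLE_EVENTS = [
    LoginEvent("alice", "203.0.113.10", 10, "lap-01"),            # normal
    LoginEvent("alice", "198.51.100.7", 10, "lap-01"),            # new network
    LoginEvent("alice", "198.51.100.7", 10, "lap-01", True),      # new network, MFA done
    LoginEvent("alice", "203.0.113.10", 22, "lap-01"),            # odd hour
    LoginEvent("alice", "198.51.100.7", 2, "unknown-dev"),        # everything unusual
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        decision, why = decide(ev, PROFILE)
        print(f"{ev.user} from {ev.source_ip} at {ev.hour_local:02d}:00 -> {decision} {why}")
```

Recording the reasons alongside the decision is what makes the hold-for-review path workable: the analyst sees which signals fired rather than a bare score, and the same record feeds detection tuning.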
Clouds, containers, and virtual environments make it easier to manage network access, but they don’t eliminate all risks—especially as physical networks and environments intersect with them. That’s why microsegmentation is important, McCully says. “Phones and laptops that access networks wirelessly require additional focus. Configurations can become very complicated. It’s critical to apply policies rather than using default configurations.”
Slagle says identity management and network access “are very closely linked” and should be considered together. It’s also vital to adopt the latest standards. These include the 802.1X authentication standard and the various Extensible Authentication Protocol (EAP) methods used with it, which help control and manage network access, including for wireless devices. The end goal, Slagle says, “is to stop trusting the device and instead focus on trusting the user attached to the device.”
Finally, Boles warns that organizations must update onboarding and offboarding processes and have audit technology in place to find shadow IT, unused devices, and employees who should no longer have access to the enterprise. Watching for position creep is vital too, he adds. “People start in one role and change, but the permissions and authorizations don’t change with them.”
Data Protection
At the end of the day, all security paths point to data. Unfortunately, though individual programs and tools may do a great job of blocking unwanted access to it, other applications fall short. “There are many great vendors that offer excellent tools for protecting [their own] data, but it’s important to take a broader view,” McCully says. In addition, the intersection of applications, clouds, and various other systems introduces potential gaps and problem points. While it may be possible to use application whitelisting and other methods to boost data security, these too are only part of the zero-trust picture.
Encryption at rest and in motion are baselines for safeguarding data in a ZT world. Not only does encryption improve data protection, but it can also boost trust levels among business partners and customers. Computers, especially laptops, should be configured for full disk encryption out of the gate, McCully says. VPNs are critical for home-based and other remote workers. In addition, various platforms and applications such as Microsoft 365, Dropbox, Google Drive, and Adobe Acrobat offer encryption with built-in permission controls that can determine how a document is used and shared.
It’s also wise to analyze data governance policies. Not all data is created equal—and not all of it requires the same level of protection. Data retention is important too. Keeping unneeded and outdated files and data can increase risk. Finally, backup sets should be separate, segmented, and on a network that no one can access except an authorized agent of the organization. “This is a critical protection against a ransomware attack,” McCully explains.
Putting the Pieces Together
In the end, one thing is clear: A cookie-cutter approach to zero trust is a recipe for failure. ZT is different for every business, and it’s constantly changing. Channel pros and consultants can serve as a valuable source of information and expertise as organizations sort through policies, procedures, and technologies en route to a comprehensive strategy. “Ultimately, everything must be interwoven into a framework that involves people, processes, and technology,” Slagle says.
When zero trust is used effectively, companies can finally evolve beyond monitoring security through a tangle of point solutions and relying on haphazard methods to detect threats. A zero-trust framework addresses the real-world risks associated with users, devices, applications, network access, and the context of data, making it possible to identify actual threats and respond with appropriate actions.
At that point, “it’s possible to elevate zero trust from a buzzword to a valuable resource,” Boles explains. Moreover, with a strong foundation in place, it’s possible to extend zero trust deeper into the organization as budgets, time, and resources permit. “An organization can finally evolve beyond the antiquated notion of protecting the perimeter, which no longer exists, and instead take a more granular and dynamic approach based on assets, permissions, and access that directly affect security,” Boles concludes.