Zero Trust Security – A new model to enable secure digital transformation
Why are Security Leaders concerned?
Ask any security leader today which factors keep them concerned about the security posture of their organization, and about their confidence in the security controls already in place, and the answers tend to revolve around the following points:
· The complex dynamics of the cyber security landscape, the increasing sophistication of adversaries, their techniques and strategies, and the importance of gathering the right intelligence about them
· The digital transformation momentum which is accelerating the adoption of cloud computing and bring-your-own-anything
· The lack of effective breach detection and lateral movement prevention at the very early stages of a compromise
· The shortage in the cyber security talent, the alert fatigue, and the complexity of managing and operating multiple tools and solutions
· The expanding attack surface for every organization, and the lack of visibility and control around this attack surface (shadow IT, orphaned IT, cloud assets, IoT devices, etc)
· Identity sprawl: identities are used or consumed by users, devices, and applications alike, and managing them securely and effectively is difficult
· The lack of visibility and control around data: where it is located, who accesses it, and with whom it is shared, measured against the least privilege principle
More often than not, the challenges above are the precursors of the high-profile breaches that take place on a daily basis, with no indication of slowing down in the foreseeable future. Although many organizations invest heavily in cyber security solutions across the board, there is still a fundamental flaw in the way security leaders and practitioners design and architect their environments.
Traditional Perimeter Based Architecture is not Enough
The legacy perimeter-centric architecture is facing serious challenges and is slowly heading towards its downfall, as it cannot cope with the dynamics of current and future digital businesses. It is becoming more obvious day after day that there is a fundamental and strategic flaw in the perimeter-centric approach. This flaw lies in the implicit trust that is assumed for identities, assets (devices, applications, services, etc.), and resources living behind the corporate firewall, while everything outside the firewall is considered hostile and malicious. Most, if not all, cyber security and risk leaders agree that this model was not designed for the digital transformation era and is therefore doomed to fail. Here are some of the reasons that support this narrative:
1. Networks have evolved into hybrid architectures of on-prem, cloud, mobile, remote endpoint, and edge computing systems. The corporate perimeter no longer sits within the data center only; it is now almost everywhere and anywhere, with no clear demarcation of its boundaries.
2. Through the adoption of SaaS, PaaS, and IaaS services, much of the organization's data is processed and accessed outside the boundaries of the corporate perimeter, from any device, anywhere in the globe.
3. Legacy networks are mainly flat in their design and architecture, meaning that anyone in the enterprise has access, to a certain extent, to other users' information, data, and applications, without major controls or restrictions based on the least privilege principle.
4. Few mechanisms exist to prevent lateral movement once a compromise is already inside the network. This is due to the absence of proper segmentation at every layer: data, device, identity, application, and network.
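Point 4 above is easy to quantify. The following is an added example, not code from the original article, that measures the "blast radius" an attacker gets after compromising a single web server: once with a flat network (any host can reach any host) and once with a default-deny micro-segmentation policy that only permits the flows the application actually needs. The hosts, role labels, ports, and rules are constructed for illustration.

```python
"""Lateral-movement blast radius: flat network vs micro-segmented network.

Added example with a constructed inventory and rule set; not taken from any
real environment or product.
"""
from collections import deque

# Constructed inventory: hostname -> role label used by the segmentation policy.
HOSTS = {
    "web-01": "web",
    "web-02": "web",
    "app-01": "app",
    "db-01": "db",
    "jump-01": "admin",
    "hr-fs-01": "fileshare",
}

# Flat network: any host may reach any other host on any port.
FLAT_RULES = [("*", "*", "*")]

# Micro-segmented network: default deny, then only the flows the application
# needs, expressed as (source label, destination label, TCP port).
SEGMENTED_RULES = [
    ("web", "app", 8443),    # web tier calls the application tier
    ("app", "db", 5432),     # application tier talks to the database
    ("admin", "web", 22),    # administrators reach servers from the jump host only
    ("admin", "app", 22),
    ("admin", "db", 22),
]

# Ports an attacker typically tries to pivot over (constructed list).
PIVOT_PORTS = (22, 445, 3389, 5432, 8443)


def allowed(rules, src, dst, port):
    """True if some rule permits src -> dst:port. Anything not matched is denied."""
    if src == dst:
        return False
    s_label, d_label = HOSTS[src], HOSTS[dst]
    for rule_src, rule_dst, rule_port in rules:
        if (rule_src in ("*", s_label)
                and rule_dst in ("*", d_label)
                and rule_port in ("*", port)):
            return True
    return False


def reachable(rules, start, ports=PIVOT_PORTS):
    """Set of hosts an attacker on `start` can pivot to, transitively.

    Breadth-first search over the allowed flows: every newly reached host
    becomes a new pivot point, which is exactly how lateral movement works.
    """
    seen = {start}
    queue = deque([start])
    while queue:
        current = queue.popleft()
        for dst in HOSTS:
            if dst in seen:
                continue
            if any(allowed(rules, current, dst, p) for p in ports):
                seen.add(dst)
                queue.append(dst)
    seen.discard(start)
    return seen


def blast_radius(rules, start):
    """Number of hosts exposed if `start` is compromised."""
    return len(reachable(rules, start))


if __name__ == "__main__":
    for name, rules in (("flat", FLAT_RULES), ("segmented", SEGMENTED_RULES)):
        hosts = sorted(reachable(rules, "web-01"))
        print(f"{name:9s} compromise of web-01 exposes {len(hosts)} hosts: {hosts}")
```

In the flat case the compromised web server can pivot to every other host, including the HR file share and the jump host. With the segmented policy the same foothold only reaches the application tier and, through it, the database on its service port; the remaining hosts are unreachable because no rule permits the flow, which is the lateral-movement prevention the perimeter model lacks.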
What is Zero Trust Security?
The Zero Trust Security approach was initially coined as a concept in 2010 by John Kindervag. The concept has been enthusiastically promoted by Forrester ever since, which led to increased awareness and adoption of this approach industry-wide. Due to the increasing interest in the concept, Google in 2014 and NIST in 2019 followed suit and published their own versions of a Zero Trust Security framework (BeyondCorp and NIST SP 800-207, respectively). More recently, in June 2021, CISA published a draft Zero Trust Maturity Model to assist agencies in complying with the Executive Order; a final version of the maturity model should be released after the conclusion of the public comment phase.
There is a lot of confusion around the Zero Trust Security model: is it a technical control that can be implemented, or a philosophy, or something theoretical that we read about in books? Can it be achieved with a product? Is it one solution or many? How is it achieved, how long does it take, and how much does it cost? All of these questions are valid and need to be answered adequately.
In layman's terms, the Zero Trust security model is not a set of technologies or solutions that can be thrown together and achieved in a one-off engagement. Zero Trust should be treated as a journey, driven by the business goals of each organization. It is therefore crucial to have a strategy first, one that outlines the objectives and outcomes of implementing a Zero Trust model (e.g. using micro-segmentation to ring-fence critical cloud-based services, or enabling Zero Trust access for the mobile workforce). From that strategy the required capabilities can be identified, and based on those capabilities the right technology set with the necessary features can be selected and implemented.
Why Zero Trust Security?
Considering the limitations and flaws of the legacy perimeter-centric security approach highlighted earlier in this article, customers are advised to consider the Zero Trust security model, a data-centric and identity-driven model, to secure their environments. The Zero Trust security model:
· Assumes that threats exist both inside and outside the environment and that the network is always hostile and cannot be trusted. Therefore, every user, device, or application on the network must be authenticated and verified before it is authorized and granted access to a resource (data, systems, apps, etc.), regardless of where on the network the request originates
· Leverages the micro-perimeter concept to build secure communities within the environment. Segmentation can be implemented at the device, user, application, or network level to enforce granular access controls on a least privilege and need-to-know basis
· Protects data through obfuscation or encryption techniques
· Improves the prevention of lateral movement once a breach has already infiltrated the environment
· Improves threat detection through extensive visibility and analytics over external and internal assets, correlated with the surrounding internal and external threats
· Accelerates incident response through automation and orchestration
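The first two bullets above describe a policy decision point that evaluates every request on its own merits. The following is an added example, not code from the article or from any product, of such a decision function: it checks identity (authentication and MFA), device posture, session freshness relative to the resource's sensitivity, and least-privilege entitlement, and it deliberately never consults the source network, so a request from the corporate LAN earns no implicit trust. The resource catalogue, group names, thresholds, and sample requests are constructed assumptions.

```python
"""Per-request Zero Trust access decision (added example, constructed data).

Every request is verified explicitly; the default outcome is deny, and the
network a request comes from is recorded but never used as a trust signal.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset          # group memberships asserted by the identity provider
    authenticated: bool
    mfa: bool                  # strong second factor completed for this session
    device_managed: bool       # device is enrolled and known to the organization
    device_compliant: bool     # e.g. disk encrypted, patched, EDR sensor healthy
    session_age_min: int       # minutes since last authentication
    src_network: str           # "corp-lan", "vpn", "internet": informational only
    resource: str
    action: str                # "read" or "write"


# Constructed resource catalogue: sensitivity plus which groups may perform
# which action. Entitlements are narrow on purpose (least privilege).
RESOURCES = {
    "hr-payroll": {
        "sensitivity": "high",
        "allow": {"read": {"hr"}, "write": {"hr-admins"}},
    },
    "wiki": {
        "sensitivity": "low",
        "allow": {"read": {"staff"}, "write": {"staff"}},
    },
}

# Maximum session age before re-authentication is demanded, by sensitivity
# (constructed thresholds).
MAX_SESSION_MIN = {"low": 480, "high": 60}


def decide(req: Request):
    """Return ("allow" | "deny", [reasons]). Allow only when every check passes."""
    reasons = []
    res = RESOURCES.get(req.resource)
    if res is None:
        return "deny", ["unknown resource"]

    # Identity: who is asking, and how strongly do we know it?
    if not req.authenticated:
        reasons.append("not authenticated")
    if not req.mfa:
        reasons.append("mfa required")

    # Device posture: is the endpoint one we manage and is it healthy?
    if not req.device_managed:
        reasons.append("unmanaged device")
    elif not req.device_compliant:
        reasons.append("device posture non-compliant")

    # Continuous verification: high-sensitivity data needs a fresh session.
    if req.session_age_min > MAX_SESSION_MIN[res["sensitivity"]]:
        reasons.append("session too old for resource sensitivity, re-authenticate")

    # Least privilege: the action must be explicitly entitled to one of the groups.
    permitted = res["allow"].get(req.action, set())
    if not (req.groups & permitted):
        reasons.append(f"no entitlement for action '{req.action}'")

    # req.src_network is intentionally never consulted: being "inside" is not trust.
    return ("allow" if not reasons else "deny"), reasons


def example_requests():
    """Constructed sample requests illustrating the decision logic."""
    return {
        # Insider on the corporate LAN, no MFA, personal laptop: the perimeter
        # model would allow this; Zero Trust denies it.
        "insider_lan_no_mfa": Request("alice", frozenset({"staff", "hr"}), True, False,
                                      False, False, 5, "corp-lan", "hr-payroll", "read"),
        # Remote HR user on the internet with MFA and a compliant managed device.
        "remote_hr_mfa": Request("bob", frozenset({"staff", "hr"}), True, True,
                                 True, True, 10, "internet", "hr-payroll", "read"),
        # Same user trying to write payroll: not entitled, least privilege denies.
        "remote_hr_write": Request("bob", frozenset({"staff", "hr"}), True, True,
                                   True, True, 10, "internet", "hr-payroll", "write"),
        # Strong identity and device, but a stale session against high-sensitivity data.
        "stale_session": Request("carol", frozenset({"staff", "hr-admins"}), True, True,
                                 True, True, 90, "vpn", "hr-payroll", "write"),
    }


if __name__ == "__main__":
    for name, req in example_requests().items():
        decision, why = decide(req)
        print(f"{name:20s} -> {decision:5s} {why}")
```

The point of the sample set is the contrast: the insider on the LAN is denied for three independent reasons, while the remote user on the open internet is allowed because each explicit check passes. Swapping the source network of any request changes nothing, which is what "the network is always hostile" means in practice.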
The Zero Trust eXtended Ecosystem - ZTX
In 2018 Forrester released an updated version of the original Zero Trust security model and called it "The Zero Trust eXtended Ecosystem (ZTX)". Seven pillars compose the ZTX ecosystem. Customers who are interested in implementing the ZTX framework, to build their Zero Trust capabilities in threat prevention, detection, and response, can use the list below as a reference point for identifying which capabilities are in place and which are missing. This is an initial draft list, which I personally recommend, and it is prone to change and amendment as the market dynamics evolve:
· Data: Digital Rights Management, Data Access Governance, Data Classification, Data Discovery, Data Activity Monitoring, File Integrity Monitoring (FIM), File Analysis, Secure File Transfer, Encryption Key and Certificate Management, Hard Disk Encryption, File & Folder Encryption, Hardware Security Modules (HSM)
· People/Identity: SSO, MFA, Password Management, Access Governance, Privileged Access Management, Phishing Simulation & Training, Cloud Infrastructure Entitlement Management (CIEM), Zero Trust network Access (ZTNA), Externalized Authorization Management (EAM), Attribute-Based Access Control, AD Security, User Behavioral Analytics (UBA), Identity Detection & Response (IDR)
· Device: Enterprise User Mobility, EDR, Mobile Threat Defense, Endpoint Protection Platforms, IoT & OT Security, Asset Management, Patch Management, Cyber Asset Attack Surface Management (CAASM)
· Network: NGFW, NDR, NAC, DNS Firewall, Secure Web Gateway, Secure Email Gateway, SSL/TLS Decryption, DMARC Enforcement, Network Compliance and Configuration Management
· Workloads & Applications: CASB, Cloud Workload Security, Runtime Application Self-Protection (RASP), Cloud Security Posture Management, Runtime Container Security, Micro-segmentation, SAST, IAST, Risk-Based Vulnerability Management, Web Application Firewall
· Visibility and Analytics: Attack Surface Management, User and Entity Behavior Analytics, XDR, SIEM, Security Analytics, Threat Intelligence Platforms, Threat Intelligence Feeds, Digital Risk Protection
· Security Orchestration and Automation: SOAR, MDR, XDR, Network Security Policy Management, Breach and Attack Simulation, Deception Platforms
Milestones to Implement a successful Zero Trust Architecture
Benefits of Zero Trust Security
The interest and hype around the Zero Trust security approach, and the reason behind the acceleration of its adoption globally by government entities and enterprises, boils down to the benefits that this approach provides to security and risk leaders.
The Zero Trust Security Approach:
· Builds on top of the security investments customers already have, and provides a framework or methodology that makes existing controls and those still to be implemented work together in an aligned, structured, and organized fashion to achieve the Zero Trust objectives
· Enables security teams to be open and supportive of new business requirements that accelerate the digital transformation journey, without complex infrastructure upgrades and without accepting elevated risk
· Helps in achieving compliance with mandates and regulations: because of its secure architectural and methodical concept, Zero Trust indirectly implements many of the controls required by most common standards
Customers who are looking for an efficient, secure, and low-risk architecture to operate their businesses in this shifting digital world should explore the Zero Trust framework, and approach its implementation strategically and in phases to obtain the best results.
Senior Manager - Sales Engineering at CrowdStrike MEA (2y): Awesome article Wael Jaber
"Cybersecurity Professional: Driving Digital Defense, Linking up on LinkedIn" (2y): Good read