In a perfect world, all organizations would implement Zero Trust for its inherent security benefits. In today’s uncertain environment, every security strategy that mitigates risk is critical, and the role of Zero Trust is even more relevant in the work-from-home era. By nature, employees’ home environments are more vulnerable with a higher likelihood of compromise.
But striving for 100% Zero Trust is overwhelming and may not align with business goals. Still, companies should strive to adopt the Zero Trust framework whenever possible, especially when the average cost of a data breach is almost $4 million. Thankfully, the process doesn’t have to be intimidating.
The Foundations of Zero Trust
Zero Trust is a hot topic in the cybersecurity world and has gained momentum ever since Google adopted the architecture almost a decade ago. The foundation of a Zero Trust network is based upon granular rules to enforce access to resources. Zero Trust governs trusted access, depending on the user, location and other access details. If the security status of an endpoint cannot be verified, it won’t authenticate. If it does get authenticated, the endpoint connection is allowed, but with a restrictive policy.
Implementing a Zero Trust security strategy is not a quick-fix solution; careful planning and strategy are essential prerequisites. Independent security researcher Rod Soto has been advocating for Zero Trust starting almost from its introduction in 2010. According to Soto, Zero Trust is not exactly zero in the literal sense.
“Zero Trust is an operationalization of the least privilege principle and segregation of duties by the use of different technologies. This can go from high privileges and full access to no access rights at all,” he says. “It can be applied to applications, devices and users within and outside the perimeter.”
For Soto, the Zero Trust concept has evolved, as there are now a number of driving technologies that allow its feasibility. However, he warns that Zero Trust can be challenging to implement and may become counterproductive in some environments.
The biggest hurdle facing the enterprise is maintaining privacy, protection and security while keeping resources available so employees can be productive. The number of remote users and devices requiring access isn’t going to decrease anytime soon. To that end, the internet of things (IoT) can also be problematic for Zero Trust implementations.
“Zero Trust has always been important, but the challenge of Zero Trust is usually its planning and implementation,” Soto says. “Zero Trust may not be applicable in environments where the nature of the technologies does not allow it, like legacy applications or architectures, for example. [This is] where the strict use of it may break them and present challenges to users in environments of expansive growth, acquisitions and disparate technologies. I do not think Zero Trust is applicable in all environments.”
When you think about Zero Trust, the benefit that first comes to mind is the strengthening of security posture when defending the enterprise. However, it also produces several corollary benefits for your company, such as:
- Enhanced network performance due to reduced traffic on subnets.
- Abbreviated breach detection times.
- Improved ability to address network errors.
- Much more simplified logging and monitoring process due to granularity.
Additionally, according to Soto, the application of Zero Trust can actually help defenders have more precise and granular visibility of their threat surface.
A Quick Roadmap
As a first step, you’ll need to consider network segmentation, or partitioning your network into smaller networks. This keeps hosts and services with sensitive data isolated from the rest of the network. Microsegmentation also can add an additional preventative measure in mitigating lateral (east to west) movement across your network. With segmentation, an attacker hacking into your systems would only have the data from the network segment to which they have access. In the Zero Trust model, no threat actor would be able to authenticate to a segment containing sensitive data.
Soto strongly advises that environments, resources and assets are clearly separated, otherwise it could lead to further compromise and greater damage should they be accessed by malicious actors.
“This requires, first and foremost, asset management, network mapping and an access policy based on segregation of duties,” he says.
This means you’ll need to get a handle on defining system boundaries, as well as making sure you can account for every single point on your network. Your access policy also should clearly state which users can access resources and to what extent. This access should be based on the premise that users are limited to access relevant to their required tasks and privileges.
How Much Zero Trust Do You Need?
There is really no magic percentage of a company’s networks for which organizations should incorporate this architecture.
The state of North Dakota boast one of the most robust cybersecurity infrastructures and estimates they’ve implemented Zero Trust on about 70% of their networks. For Lexmark®, going all-in on Zero Trust was a two-year endeavor to completely overhaul its network.
Security experts like Soto don’t expect organizations to achieve 100% Zero Trust. The feasibility of that type of commitment is unattainable, and the rewards may not be as significant. Someday soon tools may emerge to simplify the process.
“Until then, Zero Trust is a desideratum, something you wish for, but in reality, it is extremely challenging to apply,” Soto says. “I hope new technologies allow enterprises to get a higher number of successful applications.”
As challenging as it may seem, the concepts here aren’t exactly difficult. We’ve been talking about them for decades. Now, we just need to apply them more diligently.