While the approach of zero trust may become a reality to some organisations over the course of 2022, for most organisations, it will mostly exist as an aspiration. Others will claim success simply by applying a few of the many principles of zero trust in practice. That said, it will almost undoubtedly be a slow journey to get there.
What is zero trust and why do we need it?
The theory behind zero trust fundamentally changes how we perceive threats. Conventionally, we perceived bad actors as being on the external side of the network (or rather, the untrusted side) and viewed everyone sitting on the inside (or trusted side) to be both known and therefore trusted.
In today’s cyber security climate, this a very dated mindset. Unfortunately, it is still the status quo for many organisations. This thinking goes back in time to the days where clear perimeters existed, and the only way into the network was through tightly controlled channels. And even those ‘tightly’ controlled channels were not always secure or even the only way in. But the model worked to a degree and defence-in-depth was born. Based on the continuous growth in the number of vulnerabilities and increased sophistication of both hackers and TTP (tactics, techniques and procedures) that we see today in our complex digital ecosystem, clearly something needs to change. Enter zero trust.
‘Trustworthy’ users can inadvertently let the bad actors in
Evidence of successful data breaches and cyber attacks has shown us that bad actors can operate from within the network on the so-called “trusted” side. This design is something that attackers can leverage to their advantage and can often go undetected until it is too late. Often, the so-called ‘trusted’ users are unaware that an attacker may have used their user identity. The actors may be silently in the background relying on the users’ privileges to infiltrate and move across the network to access sensitive data and critical systems, undetected, as it might otherwise seem normal.
Zero trust is an approach that flips this on its head. It changes the model to one that applies the “least-privilege” principle by default, categorising all users as automatically untrusted from the outset. Therefore, to access any resource, the user must be identified and authenticated before gaining access and privileges for that application, system or resource.
See how Skybox Security can help you with zero trust
Government entities increase pressure to adopt zero trust principles
Zero trust is not going away. In fact, government entities are increasing the pressure. For example, The Executive Order on Improving the Nation’s Cybersecurity, issued by the White House in May 2021, made the federal government’s position clear on the need to advance zero trust. Just a few months ago, it also announced the Federal Strategy to move the US government itself towards a zero trust architecture.
As our adversaries continue to pursue innovative ways to breach our infrastructure, we must continue to fundamentally transform our approach to federal cyber security,” said CISA Director Jen Easterly. “Zero trust is a key element of this effort to modernise and strengthen our defences. CISA will continue to provide technical support and operational expertise to agencies as we strive to achieve a shared baseline of maturity.”(1) Office of Management and Budget Releases Federal Strategy to Move the US Government Towards a Zero Trust Architecture. The White House Briefing Room, January 26, 2022.
Read our point of view on the Biden Executive order
The same goes across Europe where EU organisations are equally being encouraged to adopt zero trust principles with the latest revision of the European NIS directive, NIS2.
Concern about maintaining business operations stunts zero trust framework adoption
We can’t deny that a methodology designed to establish different levels of trust as additional access and movement is required and is entirely logical. However, implementing a complete zero trust model successfully, as it is defined, is largely impractical in the real world, thereby an unrealistic objective for many organisations.
That’s not to say zero trust is unrealistic to achieve because it’s flawed or doesn’t work, but applying the theory to practice in the real world is just difficult. In the real world, enterprises face many challenges: fragmented infrastructures, legacy systems, bespoke applications, visibility, cloud environments, existing transformation, migrations and more.
Businesses are reticent to make changes that impact important organisational operations. This impact must be considered when changing how an infrastructure behaves and how users (employees, customers, partners) interact with these services.
When considering operational impact, redefining and redesigning access and privileges is extremely complex. Thus, zero trust has often been considered “hype” instead of “reality” due to the difficulty level of implementation.
Zero trust will become the new best practice benchmark
Enterprises should look to identify areas of their networks and critical assets where zero trust is achievable. They can then apply zero trust principles to make solid improvements to increase their security posture efficacy overall. Those that make inroads – even incrementally – will be much more successful in preventing a security breach over the next few years.
Over the next few years, many enterprises will set zero trust security objectives in their strategy, with established metrics to evaluate and measure success. The organisations that fail to take this initiative will continue to leave parts of their critical infrastructure open and susceptible to sophisticated attacks, not to mention the steady increase in cost for managing and operating a suboptimal defence strategy over time.
Zero trust will become the new best practice benchmark, particularly for organisations undertaking cloud transitions and migrations to cloud services. In this case, defining trust models and data access within cloud environments becomes more practical and achievable.
Advance your zero trust network strategy with the Skybox Security Posture Management Platform
Skybox Security can help you establish and maintain a zero trust framework, by providing visibility and a continuous understanding of your hybrid networks and the attack surface across all environments. You need to model and analyse your network, cloud and security configurations together. This context helps you make informed decisions about what critical assets to protect with zero trust, how to properly design the network environments, and what specific policies need to be applied. Once the zero trust architecture is established, continuous and adaptive modelling of the hybrid networks is necessary to effectively maintain the zero trust posture.
Skybox can help you advance these five key areas of developing and executing a zero trust strategy:
1. Determine where to focus your zero trust efforts
With Skybox you can aggregate and consolidate data sets that reflect the current configurations of your hybrid infrastructure, all your security controls and endpoints. You can then identify the critical assets, applications, data repositories and infrastructure that will comprise your zero trust zone.
By understanding your network connectivity, combined with your network and security configurations, you will know what you are starting with. Then you can visualise and assess your security efficacy and develop your zero trust strategy.
3. Architect for zero trust
Develop and optimise segmentation strategies, as well as configure and optimise your network and security technologies.
4. Establish and validate zero trust policies
With Skybox, you can automatically assess policies for exposure risk and compliance. Validate policies using a network model.
5. Monitor and maintain
Leverage a network model to continually monitor your hybrid networks. Validate changes before they go live to ensure compliance. Automate change management processes and align with your zero trust architecture.
Visit www.skyboxsecurity.com for more information.
Share