The long-held misconception of keeping “the bad guys” out gave us the false sense of security that inside of our business we were safe from the nefarious entities that lurked in the deep, dark corners of the Internet. We spent ridiculous amounts of time and money building our castles, ever focused on the “before” of cybersecurity incidents and how to prevent them without a second thought of what to do during and after one if it, goodness forbid, ever came to be.
We sat like kings and queens on our swivel-chair thrones, smugly believing bad things only happened to other businesses and people; never to us. Our castles were invulnerable to the evil masses that gathered outside. We think that all those shiny boxes and blinking lights protect us and we’ve built a veritable fortress out of our security budget. Well, under your crown of smugness, you’re no longer a king or queen; you’re a joker.
What Is It?
Developed a decade ago, the Zero Trust framework has recently gained more attention due to the collective castle walls of many organisations crumbling and the owners of information systems and data becoming usurped by malicious entities. There is plenty of proof and anecdotal evidence to assure us that cybersecurity incidents are a matter of “when” and not “if”. When you look at it, threat actors tend to come in three varieties: Malicious Outsiders, Malicious Insiders, and Well-Intended Insiders.
It is worth noting that these three are not absolutes. For example, if a Malicious Outsider gains access through a compromised perimeter or stolen credentials, they effectively become a Malicious Insider. Even the Well-Intended Insiders can become Malicious Insiders or Malicious Outsiders under the right circumstances.
The commonality of the three is that they’re all threats but worryingly, two of them are “insiders”. The traditional security model of “inside is good, outside is bad” falls on its face. Depending on what you read and who you talk to, the majority of threats are internal, so why we continue to focus so much on the “before” and keeping the bad guys out is beyond me. Enter the Zero Trust framework.
A false assumption I hear from people when discussing the Zero Trust approach is they liken it to conspiracy theories and basement-dwellers with tinfoil hats. While at the outset, it sounds like Dr. No (just to throw in a James Bond 007 reference), it should be thought of more like “Yes, but.” Instead of universally saying no to everything, it becomes yes ONLY WHEN conditions have been met. Everything gets verified, inside and out. Never trust, always verify is another way to look at it.
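The “yes, but” idea can be written down as a default-deny decision, shown here as an added example that is not part of the original post. The specific conditions (MFA, a device in the inventory with a valid certificate, a least-privilege role mapping) and all names and sample data are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Constructed sample data: which roles may reach which resources (least privilege).
ROLE_ACCESS = {"finance": {"payroll-db"}, "helpdesk": {"ticketing"}}
# Constructed device inventory: device id -> is its certificate currently valid?
DEVICE_INVENTORY = {"LT-0042": True, "LT-0077": False}


@dataclass
class Request:
    user: str
    role: str
    mfa_passed: bool
    device_id: str
    network: str   # "internal" or "external"; recorded for logging, never trusted
    resource: str


def decide(req: Request) -> tuple[bool, str]:
    """Default deny: the answer is yes ONLY WHEN every condition is met."""
    if not req.mfa_passed:
        return False, "user not verified with MFA"
    if req.device_id not in DEVICE_INVENTORY:
        return False, "device not in inventory"
    if not DEVICE_INVENTORY[req.device_id]:
        return False, "device certificate invalid"
    if req.resource not in ROLE_ACCESS.get(req.role, set()):
        return False, "role not entitled to resource"
    # req.network is deliberately absent from every check above:
    # being "inside" earns nothing, being "outside" costs nothing.
    return True, "all conditions met"


if __name__ == "__main__":
    samples = [
        Request("alice", "finance", True, "LT-0042", "external", "payroll-db"),
        Request("bob", "helpdesk", True, "LT-0042", "internal", "payroll-db"),
        Request("carol", "finance", True, "LT-0077", "internal", "payroll-db"),
    ]
    for r in samples:
        print(r.user, r.network, decide(r))
```

The verified external request is allowed while two internal ones are refused, which is the reverse of what “inside is good, outside is bad” would decide.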
Where Do I Start?
I would suggest starting with a consultative approach from an agnostic perspective to fully understand why you need Zero Trust and how it can work for you. There is no shortage of products masquerading as “solutions” that can have effects ranging from a negligible impact to “bricking” your entire network. Get the right people involved from the start and ask the right questions. You need to figure out why Zero Trust before you can approach the “how”.
You will probably discover that not every aspect of your environment needs a Zero Trust approach, but some surely do. You might have a public Wi-Fi network for internet access only that is segregated from the rest of your systems. On the other hand, the corporate Wi-Fi network should be secured with connected devices and users verified with certificates and multi-factor authentication logons, for example. A good starting point is understanding what your critical and important systems and data are.
Your source of truth for authentication and authorisation should be squeaky clean, clearly defined, and well maintained. Perhaps a clean-up of your Active Directory (if you use Microsoft) is a good place to start by reviewing roles and responsibilities before defining what they can actually access. After this, a full inventory of devices and services is helpful to understand what will be accessing the systems and data. Being able to identify authorised devices in addition to authorised users is going to be critical, especially when trying to avoid the threat of spoofing. Oh yeah – PLEASE get rid of generic accounts and ban any type of credential sharing.
The approach actually reminds me a bit of Application Whitelisting because in that case, I also recommend getting everything in order and understanding exactly what you are trying to do and why before beginning.
I would also make sure you have complete support across the business, management and executive buy-in (having a champion of this at the C-level is gold), and that there is clear communication to all stakeholders to ensure they know not just WHAT you are doing, but clearly WHY and HOW it will benefit them.
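A first pass at cleaning up the source of truth described above can be scripted against an export of accounts and sign-ins. This is an added example, not from the original post: the CSV columns, the generic-name pattern, the 90-day staleness limit and the three-device sharing threshold are all assumptions, and the data is constructed.

```python
import csv
import io
import re
from datetime import date

# Constructed directory export (column names are assumptions, not a real AD schema).
EXPORT = """account,owner,last_logon,mfa_enabled
jsmith,Jane Smith,2024-05-28,yes
reception,,2024-05-30,no
admin2,,2023-01-15,no
bwong,Ben Wong,2023-11-02,yes
"""
# Constructed sign-in log: (account, device) pairs.
SIGNINS = [("jsmith", "LT-0042"), ("reception", "PC-01"), ("reception", "PC-02"),
           ("reception", "PC-07"), ("bwong", "LT-0077")]

GENERIC = re.compile(r"^(admin|reception|shared|test|temp|scanner)\d*$", re.I)
STALE_DAYS = 90               # assumed threshold; set to your own policy
SHARED_DEVICE_THRESHOLD = 3   # assumed: this many devices prompts a review


def audit(export=EXPORT, signins=SIGNINS, today=date(2024, 6, 1)):
    """Return {account: [issues]} for accounts that need attention."""
    devices = {}
    for account, device in signins:
        devices.setdefault(account, set()).add(device)
    findings = {}
    for row in csv.DictReader(io.StringIO(export)):
        issues = []
        # No named owner or a role-style name means nobody is accountable.
        if GENERIC.match(row["account"]) or not row["owner"].strip():
            issues.append("generic or unowned account")
        if (today - date.fromisoformat(row["last_logon"])).days > STALE_DAYS:
            issues.append("stale")
        if row["mfa_enabled"] != "yes":
            issues.append("no MFA")
        # One account on many devices is a hint of sharing, not proof.
        if len(devices.get(row["account"], ())) >= SHARED_DEVICE_THRESHOLD:
            issues.append("possible credential sharing")
        if issues:
            findings[row["account"]] = issues
    return findings


if __name__ == "__main__":
    for account, issues in audit().items():
        print(f"{account}: {', '.join(issues)}")
```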
How Do I Make It Work?
Rather than a one-size-fits-all whizbang application or appliance, Zero Trust relies on a more strategic approach using a number of technologies and controls, both technical and administrative. At the core of it, as I mentioned above, you should have your house in order and visibility and control of all objects in the infrastructure, from users to computers and all points in between. Review file shares and permissions. Review Group Policy Objects. Apply the principle of least privilege.
In terms of technology, Multi-Factor Authentication (MFA) is a big one. Applied to important systems and data, it provides a great layer of defence although there may be a little resistance from users if it involves using their personal mobile device. Not everyone wants to install an authenticator app, and SMS only isn’t the most secure, but it will depend on your accepted level of risk.
If you’re curious why I suggest getting the house in order, it will help if you decide to look at Identity and Access Management (IAM) solutions that rely heavily on your source of truth. There are plenty of other solutions you can look to, like orchestration and analytics (especially behavioural analytics of user and computer actions), and never overlook one of the longest-established controls: encryption. Encrypting data in transit, data in use, and data at rest, as well as using certificates for verification, is invaluable.
The actual execution of implementing zero trust should be done on a case-by-case basis to ensure that the solution chosen works best for the organisation it’s intended to protect. After reading all this, though, you’re probably thinking, “Oh good grief. Now I have to buy a whole lot of stuff to make this work!” Ah, but probably not!
As part of the consulting phase, I recommend understanding what you have via an inventory and you will probably find you already have a lot of the building blocks you need. Remember the big box of Lego we had as kids that had hundreds or thousands of pieces in it and you could build almost everything you wanted? That’s likely your information systems – just don’t go putting Lego wheels on Lego boats – be sure what you have IS, in fact, what you need.
If you’re heavily invested in the Microsoft space, for example, you likely have a lot of controls available. MFA, IAM, Microsoft System Centre Orchestrator, Microsoft Analytics, Sentinel, Microsoft Cloud App Security, Advanced Threat Protection, and on and on. It’s also a great way to leverage the Microsoft Ecosystem to implement Just In Time (JIT), and Just Enough Administration (JEA) to knuckle down on that “Never Trust, Always Verify” approach.
Depending on your systems, you may have other vendors and tools, but just be aware that you have options, and make sure you get the most out of your existing investments before you spend more money. Ask questions, get answers, and then decide. After all, these are YOUR systems and it is YOUR data.
I would also suggest reviewing the governance around your information systems and data to ensure that you have policies and procedures that articulate what a Zero Trust framework is, why you are using it, and how it will be used. A regular review of your documentation to this effect is always a good idea; doubly so when rolling out Zero Trust.
One of the bigger pitfalls I have encountered to date with the application of Zero Trust has been the overzealousness of those implementing it to the point where systems availability, performance, and productivity have been hindered. In some cases, almost like a self-imposed Denial Of Service. Your information systems and data may not be available to untrusted entities, but if they’re not available to trusted ones, then it’s not much good at all, is it? Be cautious about the application of controls and mindful that the systems you’re protecting are there to enable your business.
This is why we suggest a consultative approach in implementing Zero Trust to clearly define requirements and objectives and to have a clear vision of desired outcomes and measures of success. It needs to be simple and sustainable or else you’ll find shadow IT popping up as users create work-arounds to just get their work done.
Technical controls, in this manner, are not the be-all and end-all of a Zero Trust project. Administrative controls, enforced governance, clear policies and procedures, and management buy-in and support are crucial to a successful engagement.
Ghosts in The Machine?
No matter how many controls you put in place, there will always be ghosts in the machine in the form of people. Be mindful of those you trust and the level of access they have because being human, we can and do make mistakes and do stupid things, even if we have been fully verified. People can be exploited through manipulation and social engineering, coerced to take malicious action, or become disgruntled and abuse their privilege. I once consulted to an organisation where their main administrator had a domestic situation and ended up abusing his privileged access to key systems to take it to a whole new level of ugliness. Sometimes additional checks and balances are needed, and sometimes you can only sort it out after the fact.
Technology, being technology, is subject to failure and errors, so the mechanisms used to authenticate can fail, rendering the whole system unusable because Zero Trust worked too well. Ensure this is planned for to avoid those “oh no” moments. Sometimes this ghost in the machine is more like a demon. Forget the Ghostbusters; call in the Exorcist!
It’s easy to overlook something in the beginning stages of a Zero Trust implementation, but a clear understanding of the objective up front, an inventory of your systems and data, and a review of existing controls you can leverage can fill in a lot of gaps. You should also try to break it down into short-term tactical actions that lead towards long-term strategic objectives so that you gain benefit at every stage of a Zero Trust implementation rather than waiting until the end.
Stay safe out there!