Zero Trust has transitioned from a buzzword to the centre of most cyber resilience strategies far more rapidly than many CISOs ever predicted. According to Grand View Research, Inc., the global Zero Trust security market size is expected to reach USD 59.43 billion by 2028, registering a compound annual growth rate (CAGR) of 15.2% from 2021 to 2028. The rising need to protect digital enterprise environments underpins the rapid Zero Trust adoption. Controls such as network segmentation to prevent lateral movement, simplified user access control, and layer 7 threat prevention work together to protect computers, applications, and networks from unauthorized access.
In this blog, co-written with one of CLI's distinguished alumni, Ashwin Ram (Cybersecurity Evangelist, Office of the CTO at Check Point), we simplify Zero Trust, discuss its benefits and offer practical ways CISOs can cost-effectively bake Zero Trust into their strategies.
What is Zero Trust?
Zero Trust is a security framework or model, not a specific technology. While many vendors tout their products as panaceas to Zero Trust, it’s important to remember, as one expert put it, that “Zero Trust isn't a single piece of software you can install or a box you can check, but a philosophy, a set of concepts, a mantra, a mindset.”
At its core, Zero Trust eliminates implicit trust within an organization’s IT infrastructure. Every access request is evaluated explicitly against the permissions assigned to the user’s role and the context of the request (device, location, authentication strength), rather than against where on the network the request originates. But as most CISOs have learnt the hard way, no single framework, including Zero Trust, can stop every high-profile cyber incursion. A recent article states that “When prevention fails, (and it will), this approach will contain the spread of a breach, and minimize the impact and consequence for a business.”
Under Zero Trust, users, devices, and applications are granted the minimum access permissions required to carry out specific functions. Under the traditional security model, a VPN user is granted full access to the network. If this user’s credentials are compromised, as was the case in the Colonial Pipeline breach, the threat actors can easily traverse the network and compromise several unrelated assets. But the principle of least privilege and ‘default deny’ advocated by Zero Trust limits the damage to the specific systems the user is authorized to access.
Why Should CISOs Build Zero Trust into their Cyber Resilience Strategies?
For the first 20 years or so of the internet, our networks were simple; companies invested in perimeter defences (firewall, proxy servers, email security gateways, intrusion prevention systems, etc.) to limit their exposure to internet threats. Any traffic emanating from outside the network was untrusted and potentially harmful, while anything inside this perimeter was considered safe and trusted. This approach worked for a while, but times have changed.
Historically protected by firewalls, antivirus software and segmented networks — the traditional enterprise network perimeter is fast dissipating. More and more enterprises are migrating mission-critical applications into the public cloud, fuelled by the promise of greater financial flexibility, the ability to deliver infrastructure on the fly and faster time to market. COVID-19 has changed everything — employees are working remotely and logging into enterprise networks from their mobile phones, home computers and other unknown devices. Furthermore, the supply chain keeps getting more complex, with businesses looking beyond their geographies to address supply chain issues.
Simply put, the traditional perimeter security approach can no longer keep up with the demands of today’s fast-changing digital environment, let alone stealthy cyber threats that can easily evade traditional security defences. Zero Trust offers three formidable benefits:
- The primary role of any CISO is to improve the cyber risk profile. Zero Trust helps accelerate this mandate by focusing on prevention, as it’s far more cost-effective to reduce the likelihood of high-impact attacks than recover from their messes.
- Done right, Zero Trust can boost cyber resilience by shifting from the one-size-fits-all cybersecurity investment models and prioritizing the protection of crown jewels — the most critical information assets, which, if compromised, could severely undermine the enterprise’s bottom line, competitive advantage, reputation, or even threaten its survival.
- Developed in conjunction with enterprise architecture, Zero Trust can simplify security, reduce overheads and, most importantly, help safely accelerate digital transformation. Microsoft confirms this notion, stating, “A Zero Trust approach empowers people to work productively and securely when, where, and how they want.”
The Seven Essentials Of Zero Trust
1. Zero Trust Network
One of the biggest challenges for CISOs over the last decade was limiting lateral threat actor movement. Cybercriminals keep exploiting weaknesses in one system and quickly move across to compromise crown jewels. So, the first essential we recommend is that CISOs redesign their network infrastructure to isolate digital assets into different segments based on risk.
A segmented network makes it significantly harder for an attacker to compromise one system and hop on to others. This requires physically or logically separating high-value digital assets, such as industrial control systems (ICS), systems that hold payment card data or those that process high-value payments. Once this is achieved, restrict access to high-risk network zones on a strict need-to-do/need-to-know basis, opening connections only to those systems and users. Furthermore, CISOs must deploy advanced threat prevention controls at the application layer to inspect the flow of traffic between segments. Performing deep packet inspection in the core of your network offers an additional critical control to detect and deter attacks. Note that east-west traffic is increasingly TLS-encrypted, so inspection at the core requires either TLS termination at the segment boundary or, where decryption is not feasible, complementary identity- and flow-based telemetry.
2. Zero Trust People
According to the Ponemon Institute’s 2021 Cost of a Data Breach Report, compromised credentials were the most common initial attack vector successfully exploited by cybercriminals. Humans will always make mistakes, intentionally or otherwise. Therefore, it is essential that CISOs complement cyber awareness training with technical controls that minimize the impact of stolen credentials: reducing the number of passwords users must maintain through single sign-on, reinforcing access control through MFA (phishing-resistant methods where possible), protecting superuser credentials through a commercial privileged access management solution, and enforcing context-aware security policy.
Here are additional questions CISOs should ask to ascertain the effectiveness of their controls:
- Are our Active Directory and any other centralized identity stores hardened to prevent takeover?
- Do we have systems in place to detect and fix material Active Directory misconfigurations?
- Have we baked the principle of least privilege within business operations, specifically employee onboarding and lifecycle management?
- Have we enforced MFA across all high-risk access points to mitigate credential theft?
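The questions above translate directly into checks that can be run against an export of the identity store. The following is an added example (not code from the original post or from Check Point): it audits a constructed account export for excess privilege relative to the role’s entitlement, privileged accounts without MFA, stale-but-enabled accounts, and disabled accounts that still hold privileged group membership. The record layout, group names, role entitlement table and sample accounts are all assumptions.

```python
"""Identity hygiene audit over an identity-store export.

Added example, not code from the original post. The record layout, the
role-to-entitlement table, the privileged-group names and the sample accounts
below are all assumptions constructed for illustration."""
from datetime import date, timedelta

# Groups whose membership counts as privileged (assumed AD-style names).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins",
                     "Backup Operators"}
BASELINE_GROUPS = {"Domain Users"}     # every account gets these; not a finding
INACTIVE_DAYS = 90

# Hypothetical output of the joiner/mover/leaver process: the groups each role
# is entitled to. Anything beyond this is excess privilege.
ROLE_ENTITLEMENTS = {
    "helpdesk": {"Account Operators"},
    "infra-admin": {"Domain Admins", "Backup Operators"},
    "finance": set(),
}


def audit_accounts(accounts, today):
    """Return (user, finding_code, detail) tuples for every policy violation."""
    findings = []
    for acct in accounts:
        groups = set(acct["groups"])
        privileged = bool(groups & PRIVILEGED_GROUPS)
        allowed = ROLE_ENTITLEMENTS.get(acct["role"], set()) | BASELINE_GROUPS
        # Least privilege: membership the role was never entitled to.
        excess = groups - allowed
        if excess:
            findings.append((acct["user"], "EXCESS_PRIVILEGE", sorted(excess)))
        # Credential theft mitigation: privileged access without MFA.
        if privileged and not acct["mfa"]:
            findings.append((acct["user"], "PRIVILEGED_NO_MFA", None))
        # Lifecycle: enabled accounts nobody has used for a long time.
        if acct["enabled"] and (today - acct["last_login"]).days > INACTIVE_DAYS:
            findings.append((acct["user"], "STALE_ENABLED", None))
        # Offboarding: disabled but still privileged (trivial to re-enable).
        if not acct["enabled"] and privileged:
            findings.append((acct["user"], "DISABLED_STILL_PRIVILEGED", None))
    return findings


# Constructed sample export; dates are relative to a fixed "today".
TODAY = date(2022, 3, 1)
SAMPLE_ACCOUNTS = [
    {"user": "a.ram", "role": "infra-admin", "mfa": True, "enabled": True,
     "groups": ["Domain Users", "Domain Admins"],
     "last_login": TODAY - timedelta(days=2)},
    {"user": "j.smith", "role": "helpdesk", "mfa": False, "enabled": True,
     "groups": ["Domain Users", "Account Operators", "Domain Admins"],
     "last_login": TODAY - timedelta(days=5)},
    {"user": "contractor01", "role": "finance", "mfa": True, "enabled": True,
     "groups": ["Domain Users"], "last_login": TODAY - timedelta(days=200)},
    {"user": "old.admin", "role": "infra-admin", "mfa": True, "enabled": False,
     "groups": ["Domain Users", "Domain Admins"],
     "last_login": TODAY - timedelta(days=400)},
]


def run_sample():
    """Audit the constructed export; used by the demo below."""
    return audit_accounts(SAMPLE_ACCOUNTS, TODAY)


if __name__ == "__main__":
    for user, code, detail in run_sample():
        print(f"{user:14s} {code:26s} {detail or ''}")
```

The entitlement table is the important part: without a written statement of what each role is allowed to hold, "least privilege" cannot be measured, only asserted. In a real deployment the table comes from the onboarding and lifecycle process and the export comes from the directory, and the audit runs on a schedule rather than once.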
3. Zero Trust Data
Needless to say, Zero Trust is fundamentally designed to protect data, whether in use, at rest or in motion. Here are five primary controls CISOs should consider when building Zero Trust into their strategies.
- Publish an easily digestible data classification policy and associated tools to help users tag data/documents according to their level of sensitivity and automate restrictions according to sensitivity levels.
- High-value data, such as health records, passwords, and board papers, must be encrypted at rest and in transit using industry-standard encryption (for example AES-256 at rest and TLS 1.2 or later in transit). End-user device hard drives must also be encrypted to minimize the risk of unauthorized data leakage should the device fall into the wrong hands.
- Deploy data loss prevention controls to prevent the exfiltration of confidential data into unsanctioned cloud environments or removable drives.
- Encrypt any confidential data backed up to tape and ensure the encryption keys are adequately protected and stored separately from the backups themselves.
- Deploy a commercial mobile device management solution (MDM) to enforce data protection policies (authentication, encryption, remote wipe, etc.) on personal devices with access to corporate data.
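The data loss prevention control in the list above is the one most often asked about in concrete terms, so here is an added example of the detection logic it runs (not code from the original post or from any vendor). It scans outbound content for primary account numbers, using a digit-pattern match tightened by the Luhn checksum so that ticket numbers and other long digit runs do not trigger false positives, and for classification labels applied under the data classification policy. The sample message, the label list and the set of sanctioned destinations are constructed for the example.

```python
"""Outbound DLP check: detect payment card numbers and classification labels.

Added example, not code from the original post. The sample message, the label
vocabulary and the sanctioned-destination list are constructed assumptions."""
import re

# 13-19 digits, optionally separated by spaces or hyphens (PAN formats).
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Labels the classification policy is assumed to stamp on sensitive documents.
LABEL_RE = re.compile(r"\b(CONFIDENTIAL|RESTRICTED|BOARD PAPER)\b")
# Destinations sanctioned for confidential data; anything else is blocked.
SANCTIONED = {"corp-sharepoint", "corp-mail"}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: every second digit from the right is doubled."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep BIN and last four so the finding is reviewable without the PAN."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_outbound(text: str, destination: str):
    """Return ("ALLOW"|"BLOCK", findings). Findings are (kind, evidence)."""
    findings = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):            # pattern alone is not enough evidence
            findings.append(("PAN", mask(digits)))
    for m in LABEL_RE.finditer(text):
        findings.append(("LABEL", m.group()))
    if findings and destination not in SANCTIONED:
        return "BLOCK", findings
    return "ALLOW", findings


# Constructed sample: one real-format test card, one look-alike ticket number,
# one labelled attachment name.
SAMPLE_EMAIL = (
    "Hi, card for the vendor is 4111 1111 1111 1111, exp 09/25.\n"
    "Ticket ref 1234567890123456 is not a card.\n"
    "Attached: board-pack.pdf [CONFIDENTIAL]"
)

if __name__ == "__main__":
    for dest in ("personal-dropbox", "corp-sharepoint"):
        action, found = scan_outbound(SAMPLE_EMAIL, dest)
        print(dest, action, found)
```

The Luhn check is what keeps the control usable: a bare digit regex fires on order numbers, tracking numbers and log identifiers, and a DLP control that blocks those gets switched off within a week. Note that the ticket number in the sample is a 16-digit run that fails the checksum and is correctly ignored.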
4. Zero Trust Devices
At its core, the Zero Trust security model recommends treating every device connected to the network as untrusted and potentially hostile. This includes not only laptops and servers but also mobile phones, IoT (Internet of Things) and OT (operational technology) devices. It is critical that you have the ability to isolate compromised devices in your environment as quickly as possible. This requires designing a network infrastructure to isolate your digital assets into different segments based on risk and implementing a context-aware security policy that adapts to the posture of devices in your environment. For instance, you could ask the following questions:
- Do we have the ability to control the flow of traffic to and from IoT devices based on device posture, such as firmware versions that are known to have high-risk vulnerabilities?
- Can we trust the mobile phones our employees are using to access and process corporate data?
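Sections 1, 2 and 4 above describe the same enforcement point from three angles: segment-to-segment connections are default deny, identity decides which segments a role may reach, and device posture can veto the request even when identity checks pass. The following added example (not code from the original post or from any product) is a minimal policy decision point that evaluates one request through all three checks in that order. The zone names, rule tables, vulnerable-firmware list and sample requests are assumptions; in practice the tables come from the segmentation design and a vulnerability feed.

```python
"""Context-aware, default-deny policy decision point (PDP).

Added example, not code from the original post. Zone names, the rule tables,
the vulnerable-firmware list and the sample requests are assumptions."""
from dataclasses import dataclass


@dataclass
class Device:
    kind: str            # "laptop", "phone", "iot"
    managed: bool        # enrolled in MDM / EDR
    patched: bool        # posture agent reports no missing critical patches
    firmware: str = ""   # only meaningful for IoT/OT devices


@dataclass
class Subject:
    user: str
    role: str
    mfa: bool            # this session authenticated with MFA
    zone: str            # network segment the request originates in


# Segment pairs that may ever talk at the network layer. Anything else is
# dropped before identity is even consulted (network-level default deny).
SEGMENT_ALLOWLIST = {
    ("corp", "corp-apps"), ("corp", "ics"), ("corp", "payments"),
    ("iot", "iot-broker"),
}

# Which role may reach which segment, and what the request must prove.
# No entry means deny; there is no implicit "inside the network" permission.
ACCESS_RULES = {
    ("ot-engineer", "ics"):    {"mfa": True,  "managed": True,  "patched": True},
    ("finance", "payments"):   {"mfa": True,  "managed": True,  "patched": True},
    ("helpdesk", "corp-apps"): {"mfa": True,  "managed": False, "patched": False},
    ("employee", "corp-apps"): {"mfa": False, "managed": False, "patched": False},
    ("iot-device", "iot-broker"): {"mfa": False, "managed": False, "patched": False},
}

# Firmware builds with known high-risk vulnerabilities (hypothetical feed).
VULNERABLE_FIRMWARE = {"cam-fw-1.0.3", "plc-fw-2.1"}


def decide(subject: Subject, device: Device, dest_zone: str):
    """Return ("ALLOW"|"DENY", reason). Every allow is an explicit rule hit."""
    # 1. Device posture can veto regardless of who is logged in.
    if device.firmware in VULNERABLE_FIRMWARE:
        return "DENY", "device firmware on vulnerable list; quarantine"
    # 2. Segmentation: is this path permitted at all?
    if (subject.zone, dest_zone) not in SEGMENT_ALLOWLIST:
        return "DENY", f"segment {subject.zone} -> {dest_zone} not permitted"
    # 3. Identity and context: does the role have an entitlement, and does the
    #    request satisfy the conditions attached to it?
    rule = ACCESS_RULES.get((subject.role, dest_zone))
    if rule is None:
        return "DENY", f"role {subject.role} has no entitlement to {dest_zone}"
    if rule["mfa"] and not subject.mfa:
        return "DENY", "MFA required for this segment"
    if rule["managed"] and not device.managed:
        return "DENY", "unmanaged device may not reach this segment"
    if rule["patched"] and not device.patched:
        return "DENY", "device posture: missing patches"
    return "ALLOW", f"{subject.role} -> {dest_zone} with verified context"


def run_samples():
    """Constructed requests covering each branch; returns name -> decision."""
    laptop = Device("laptop", managed=True, patched=True)
    phone = Device("phone", managed=False, patched=True)
    camera = Device("iot", managed=False, patched=False, firmware="cam-fw-1.0.3")
    eng = Subject("a.ram", "ot-engineer", mfa=True, zone="corp")
    eng_nomfa = Subject("a.ram", "ot-engineer", mfa=False, zone="corp")
    helpdesk = Subject("j.smith", "helpdesk", mfa=True, zone="corp")
    cam = Subject("cam-lobby-01", "iot-device", mfa=False, zone="iot")
    return {
        "engineer_laptop_to_ics": decide(eng, laptop, "ics")[0],
        "engineer_phone_to_ics": decide(eng, phone, "ics")[0],
        "engineer_no_mfa_to_ics": decide(eng_nomfa, laptop, "ics")[0],
        "helpdesk_to_ics": decide(helpdesk, laptop, "ics")[0],
        "helpdesk_phone_to_corp_apps": decide(helpdesk, phone, "corp-apps")[0],
        "vulnerable_camera_to_broker": decide(cam, camera, "iot-broker")[0],
        "camera_to_payments": decide(cam, Device("iot", False, False), "payments")[0],
    }


if __name__ == "__main__":
    for name, outcome in run_samples().items():
        print(f"{name:32s} {outcome}")
```

The ordering matters: a device on the vulnerable-firmware list is refused before any identity check, which is what "isolate compromised devices as quickly as possible" looks like in policy form, and the segment allow-list sits in front of the role table so that a misconfigured entitlement can never open a path the network design does not permit.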
5. Zero Trust Workload
Most enterprises struggle to protect their cloud-based workloads due to cloud ecosystems’ dynamic and ephemeral nature, especially when moving from IaaS (infrastructure as a service) to serverless and containers. Cloud assets are stood up at the click of a button, which can lead to a host of misconfiguration issues. Unsurprisingly, cloud misconfiguration was cited as the third most common initial attack vector by the Ponemon Institute's 2021 Cost of a Data Breach Report.
To minimize this risk, CISOs must place a heightened focus on cloud security visibility and adaptive policy enforcement. Automated controls must continuously monitor cloud infrastructure for gaps in security policy enforcement, while adaptive security controls must enforce the principle of least privilege. Furthermore, cloud security teams must enforce segmentation and micro-segmentation using advanced threat prevention security controls. For instance, the team can implement a hub and spoke network in which traffic from each spoke traverses through a hub, which enforces advanced security controls.
Here are some important questions to consider as part of the cloud transformation journey.
- Are we leveraging ‘just-in-time’ access to control privileged access?
- Can we automatically remediate misconfigurations and security oversights in our public cloud?
- Are we validating that third-party code used within our cloud applications is safe from threats?
- Do we have a way to enforce security best practices across all our cloud environments?
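The second question above, automatic remediation, is worth seeing end to end, including the case where automation should stop and hand off to a person. The following added example (not code from the original post or from any cloud provider’s tooling) scans a constructed inventory for three common misconfigurations (administrative ports open to the world, public or unencrypted storage buckets, and wildcard IAM policies), applies the fixes that are safe to apply automatically, and leaves the IAM finding for manual review because silently narrowing a deployment role can break production. The inventory format and resource names are assumptions; a real implementation would read from the provider’s API.

```python
"""Cloud misconfiguration scan with selective auto-remediation.

Added example, not code from the original post. The inventory layout, resource
names and check list are constructed assumptions; a real scanner reads the
same facts from the cloud provider's API."""
import copy

ADMIN_PORTS = {22, 3389, 3306, 5432, 1433}          # SSH, RDP, database ports
WORLD = {"0.0.0.0/0", "::/0"}

# Constructed inventory: two security groups, two buckets, two IAM policies.
SAMPLE_INVENTORY = {
    "security_groups": {
        "sg-web": [{"port": 443, "cidr": "0.0.0.0/0"},
                   {"port": 22, "cidr": "0.0.0.0/0"}],
        "sg-db": [{"port": 5432, "cidr": "10.0.0.0/16"}],
    },
    "buckets": {
        "board-papers": {"public": True, "encrypted": False},
        "backups": {"public": False, "encrypted": True},
    },
    "iam_policies": {
        "ci-deployer": [{"Action": "*", "Resource": "*"}],
        "log-reader": [{"Action": "logs:GetLogEvents", "Resource": "arn:aws:logs:*"}],
    },
}


def scan(inv):
    """Return findings; 'auto' marks the ones safe to fix without a human."""
    findings = []
    for sg, rules in inv["security_groups"].items():
        for r in rules:
            if r["port"] in ADMIN_PORTS and r["cidr"] in WORLD:
                findings.append({"resource": sg, "check": "ADMIN_PORT_OPEN_TO_WORLD",
                                 "severity": "HIGH", "auto": True, "detail": r["port"]})
    for name, b in inv["buckets"].items():
        if b["public"]:
            findings.append({"resource": name, "check": "PUBLIC_BUCKET",
                             "severity": "HIGH", "auto": True, "detail": None})
        if not b["encrypted"]:
            findings.append({"resource": name, "check": "UNENCRYPTED_BUCKET",
                             "severity": "MEDIUM", "auto": True, "detail": None})
    for role, statements in inv["iam_policies"].items():
        for s in statements:
            if s["Action"] == "*" and s["Resource"] == "*":
                # Narrowing a live role can break deployments: human decides.
                findings.append({"resource": role, "check": "WILDCARD_ADMIN_POLICY",
                                 "severity": "HIGH", "auto": False, "detail": None})
    return findings


def remediate(inv, findings):
    """Apply auto-fixable findings to a copy; return (fixed_inventory, applied)."""
    fixed = copy.deepcopy(inv)
    applied = []
    for f in findings:
        if not f["auto"]:
            continue
        if f["check"] == "ADMIN_PORT_OPEN_TO_WORLD":
            rules = fixed["security_groups"][f["resource"]]
            # Default deny: drop the rule; JIT access re-adds it when needed.
            rules[:] = [r for r in rules
                        if not (r["port"] == f["detail"] and r["cidr"] in WORLD)]
        elif f["check"] == "PUBLIC_BUCKET":
            fixed["buckets"][f["resource"]]["public"] = False
        elif f["check"] == "UNENCRYPTED_BUCKET":
            fixed["buckets"][f["resource"]]["encrypted"] = True
        applied.append((f["resource"], f["check"]))
    return fixed, applied


if __name__ == "__main__":
    before = scan(SAMPLE_INVENTORY)
    fixed, applied = remediate(SAMPLE_INVENTORY, before)
    print("before:", [(f["resource"], f["check"]) for f in before])
    print("applied:", applied)
    print("after:", [(f["resource"], f["check"]) for f in scan(fixed)])
```

Running the scan a second time over the remediated inventory is the control check: the only finding left should be the one deliberately routed to a human. That loop (scan, fix, re-scan) is what "continuously monitor cloud infrastructure for gaps in security policy enforcement" reduces to in practice.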
6. Automation and Orchestration
The 2020 Devo SOC Performance Report: A Tale of Two SOCs found that three out of four SOC (Security Operations Center) analysts named increased workload as the number one reason for burnout. The same report also found that SOC analyst stress, burnout, and turnover are getting worse. To combat this, the study recommended introducing automation into workflows.
This aligns with Zero Trust principles, which recommend the use of automation and orchestration to reduce human error and improve security posture. Leading CISOs are implementing Security Orchestration, Automation and Response (SOAR) platforms, which combine analyst expertise with automation and machine learning to analyze telemetry from across the environment, comprehend it, and prioritize incident response actions. The advantages are threefold: automate mundane tasks and free up resources to focus on other strategic initiatives; separate alerts that could result in material harm from noise; and boost compliance by creating repeatable and auditable processes.
7. Visibility & Analytics
As the research giant Forrester put it, "You can't combat a threat you can't see or understand." It goes without saying that one of the anchors of a robust Zero Trust strategy is building situational awareness. It is essential for cybersecurity teams to have 24/7 visibility into their networks, endpoints, mobile devices, public/private clouds, IoT and OT. Alerts from these systems must be correlated into actionable intelligence and inform practical strategies to detect and prevent cyber incursions. These alerts should be promptly triaged to the relevant teams to contain any threats and minimize downstream customer and business harm. Shipping security logs to a central platform, continuously and around the clock, must be a non-negotiable prerequisite before any new system is commissioned.
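Sections 6 and 7 together describe one pipeline: centralize alerts from every source, correlate them into incidents, score the incidents so that material harm rises above noise, and let automation take the first containment step. The following added example (not code from the original post or from any SOAR product) runs that pipeline over a constructed batch of alerts from an identity provider, an EDR agent and a firewall. It groups alerts by user within a time window, scores each incident from per-source weights plus a bonus for the classic "burst of failed logins, then a success from a new location" pattern, and emits containment actions for the top priority. Source names, weights, thresholds and the sample alerts are all assumptions.

```python
"""Alert correlation and triage with automated first response.

Added example, not code from the original post. Source names, weights,
thresholds, the window and the sample alerts are constructed assumptions."""
from datetime import datetime, timedelta

# Per-source base weights (hypothetical tuning; higher = more likely harmful).
WEIGHTS = {
    "idp.login_failed": 1, "idp.login_success_new_geo": 5, "vpn.connect": 1,
    "edr.malware_blocked": 4, "edr.credential_dump": 8, "fw.smb_lateral": 6,
}
WINDOW = timedelta(minutes=30)   # alerts closer than this join the same incident
BRUTE_FORCE_BONUS = 10           # failed-burst-then-success pattern
P1_SCORE, P2_SCORE = 15, 5

# Constructed alerts from three sources for one morning.
SAMPLE_ALERTS = [
    {"ts": "2022-03-01T09:00:05", "source": "idp.login_failed", "user": "a.ram", "host": "-"},
    {"ts": "2022-03-01T09:00:20", "source": "idp.login_failed", "user": "a.ram", "host": "-"},
    {"ts": "2022-03-01T09:00:41", "source": "idp.login_failed", "user": "a.ram", "host": "-"},
    {"ts": "2022-03-01T09:01:02", "source": "idp.login_failed", "user": "a.ram", "host": "-"},
    {"ts": "2022-03-01T09:03:10", "source": "idp.login_success_new_geo", "user": "a.ram", "host": "vpn-gw"},
    {"ts": "2022-03-01T09:10:00", "source": "edr.credential_dump", "user": "a.ram", "host": "WS-1042"},
    {"ts": "2022-03-01T09:12:00", "source": "fw.smb_lateral", "user": "a.ram", "host": "WS-1042"},
    {"ts": "2022-03-01T11:00:00", "source": "idp.login_failed", "user": "j.smith", "host": "-"},
    {"ts": "2022-03-01T13:30:00", "source": "edr.malware_blocked", "user": "k.lee", "host": "WS-2001"},
]


def triage(alerts):
    """Correlate alerts into per-user incidents; return them highest score first."""
    alerts = sorted(alerts, key=lambda a: a["ts"])   # ISO-8601 sorts chronologically
    open_incidents = {}     # user -> incident currently accumulating
    incidents = []
    for a in alerts:
        ts = datetime.fromisoformat(a["ts"])
        inc = open_incidents.get(a["user"])
        if inc is None or ts - inc["last_ts"] > WINDOW:
            inc = {"user": a["user"], "first_ts": ts, "last_ts": ts, "alerts": []}
            open_incidents[a["user"]] = inc
            incidents.append(inc)
        inc["alerts"].append(a)
        inc["last_ts"] = ts

    for inc in incidents:
        sources = [a["source"] for a in inc["alerts"]]
        score = sum(WEIGHTS.get(s, 1) for s in sources)
        # Pattern: at least three failures, then a success from a new location.
        fails = sources.count("idp.login_failed")
        if fails >= 3 and "idp.login_success_new_geo" in sources:
            last_fail = max(i for i, s in enumerate(sources) if s == "idp.login_failed")
            if sources.index("idp.login_success_new_geo") > last_fail:
                score += BRUTE_FORCE_BONUS
        priority = "P1" if score >= P1_SCORE else "P2" if score >= P2_SCORE else "P3"
        actions = []
        if priority == "P1":
            # Automated first response: cut the session, isolate EDR-flagged hosts.
            actions.append(f"force_reauth:{inc['user']}")
            for host in sorted({a["host"] for a in inc["alerts"]
                                if a["source"].startswith("edr.")}):
                actions.append(f"isolate_host:{host}")
        inc.update(score=score, priority=priority, actions=actions,
                   alert_count=len(sources))
    return sorted(incidents, key=lambda i: i["score"], reverse=True)


if __name__ == "__main__":
    for inc in triage(SAMPLE_ALERTS):
        print(inc["priority"], inc["user"], inc["score"], inc["alert_count"], inc["actions"])
```

The single low-weight alerts for the other two users are exactly the noise an analyst should not be paged for; they stay in the queue as P3 and are there for the record if a later alert joins them. The P1 incident carries its automated actions as data, so the same record can be handed to a ticketing system or a playbook runner, which is what makes the process repeatable and auditable.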
Is Zero Trust enough?
A robust Zero Trust strategy builds on the foundations an organization has put in place over the years. Done right, it helps dismantle the fort mentality, accelerate digital transformation, and boost cyber resilience. As Microsoft summarized, “Today’s organizations need a new security model that more effectively adapts to the complexity of the modern environment, embraces the hybrid workplace, and protects people, devices, apps, and data wherever they’re located.”