Zero trust: Taking back control of IT security

Who do you trust?

For Walsh and Grannells, zero-trust default security means that nothing is trusted outside or inside an organisation’s network, so controls must be put in place to reduce risk to an acceptable level. In other words, defence in depth.

They say: “Zero trust changes the traditional model of ‘trust, but verify’ – where you assume that any device or asset attached to your internal network is likely to be permitted and safe to access internal-only resources, but still verify that this is the case. Instead, that becomes ‘never trust, always verify’ – where every device must pass authentication and security policy checks to access any corporate resources, and to control access only to the extent required.”

Trust involves an interplay between people and technology. According to Walsh and Grannells, the starting point for these trust factors is a well-thought-out and up-to-date set of policies, standards, procedures and work practices, supplemented by detailed, up-to-date network documentation and asset inventories covering information, software licences and hardware.

The pair believe zero trust enables IT security to regain control. “The shift to zero trust is where information security is taking back control of the many new perimeters of the corporate ecosystem,” they say. “It shifts security from the address and location layer to a data-centric model. Zero-trust network segmentation also provides visibility into traffic, and allows you to understand the ‘who, what, when, where, why and how’, which are important for managing access, security, monitoring and compliance.”

According to Forrester report authors McKay, Cunningham and Lannopollo, non-security executives think zero trust is just a network security architecture. Forrester’s research found that network security decision-makers have driven zero trust adoption in Europe so far, with little discussion above chief information security officer (CISO) level. The analysts note: “This could be a result of the high proportion – 42% – of senior-most enterprise security decision-makers reporting into the CIO in Europe.” But they warn that if CISOs do not elevate zero trust, their implementation efforts will not achieve their business and security goals.

Looking at the technical implementation of a zero-trust security stance, in January this year, the Zero trust progress report for Pulse Secure found that most investments in zero-trust access technologies are directed towards multifactor authentication (59%), identity management and governance (48%), and single sign-on (44%). This is followed by network access control and web application firewall (43%), privileged access management and micro-segmentation (41%), and virtual private networks (VPNs) (35%).

BCS volunteer Petra Wenham urges CISOs to start with traffic incoming to a network from an external source (such as the internet or a partner network). She says this typically would initially be controlled at the perimeter by a combination of firewalls architected with demilitarised zones (DMZ) supporting proxies, reverse proxies and terminating equipment that offer email, VPN and client access termination from external networks and web browsing of the internet from the internal network.

These proxy and terminating devices would typically run anti-virus, malware and spam prevention technologies and, where needed, provide access authentication and authorisation (AAA) services (proxied from an internal AAA system). Application-level firewalling (such as HTML or SQL) might also feature in the services offered on the DMZ.

According to Wenham, a new generation of security devices are now coming to market that integrate some or all of these features and so can, in turn, offer network managers a unified view of their operation. “The design of the internal network can then add further controls, such as network segregation and additional anti-virus and malware detection technologies, together with AAA controls over system and file access,” she says.

For instance, in network segregation, Wenham says the recommended practice is that key servers and services (such as network-attached storage and storage area networks), company and guest Wi-Fis, are given their own networks and larger organisations can give thought to putting some departments (such as human resources, finance and R&D) on their own networks.

“All these networks would then be connected together via firewall technology, which could be discreet firewalls, or utilise the firewall capabilities found in enterprise-level Ethernet switches, or be connected to an enterprise-level, multi-ported firewall, or a mix of all three approaches,” she says.

Forrester has found that one of the concerns about the adoption of zero trust is the cost of implementing the model. The analyst firm has developed a core zero-trust model that it says emphasises gradual evolution towards the zero-trust principles by starting with identity and other foundational security controls and reducing the attack surface using your existing control footprint.

Forrester analysts McKay, Cunningham and Lannopollo urge CISOs to follow a gradual approach to deploying zero trust across their organisations by starting with their existing security systems. “As you master those areas, you can then invest in new areas, like enhancing the range of security monitoring use cases to gain greater visibility and automate manual security tasks and increase your zero-trust maturity,” they say. “If you can demonstrate that zero trust is not yet another excuse to buy lots of shiny new security widgets, you’ll gain further trust in the boardroom.”

In fact, the Zero trust progress report found that a quarter of organisations are augmenting their current secure access infrastructure with software-defined perimeter technology, which effectively provides zero-trust network access.