
Zero trust: A 21st century security model

Traditional corporate security models date back to a time when there were fewer, lower-level threats, but a zero trust model is better suited to the 21st century, according to the originator of the idea

Almost 10 years after beginning research into a security model that eliminates the concept of “trust”, former Forrester analyst John Kindervag, who is now a field chief technology officer at Palo Alto Networks, says the demand from businesses is ramping up as interest and support for the model gains momentum.

“Traditional corporate networks typically give too many people too much access for no particular purpose, but Palo Alto is giving me the opportunity to re-educate people about why a zero trust approach is important as a strategic security initiative and general best practice,” he told Computer Weekly.

Abuse of trust is at the heart of many of the data breaches making news headlines on an almost daily basis, he said, and it is what essentially enabled whistleblowers Edward Snowden and Chelsea Manning to access thousands of confidential files that were not directly related to their jobs without there being any monitoring in place for potentially malicious actions on the internal network.

“At its core, the zero trust model is about eliminating the concept of trust and trusted systems because [in the context of digital systems] trust is a vulnerability. It provides no value to an organisation, so we need to mitigate trust, just like any other vulnerability, and control access on a need-to-know basis,” said Kindervag.

“The key thing [for organisations] to know, is that if anyone says the goal of zero trust is to make a system trusted, then they don’t understand zero trust, because the goal is to eliminate the concept of trust -- a human emotion that we have applied to digital systems for no reason.”

Kindervag said the problem with talking about systems being “trusted” is that it encourages people to do “unique and dangerous things” such as not stopping to do proper validation checks and allowing that system to access things it should not be allowed to access.

While Kindervag is pleased by the fact that his concept is gaining traction around the globe, partly driven by new data protection legislation such as the EU’s General Data Protection Regulation (GDPR), he notes that some security suppliers are trying to capitalise on the growing interest by using the term zero trust, but applying it inaccurately.

Zero trust cannot be achieved overnight

He emphasises that zero trust cannot be achieved overnight and is not about deploying specific security products, but about understanding that trust is a vulnerability.

“The way to achieve zero trust is through zero trust architectures, where you deploy controls close to the ‘protect surface’ or the specific asset you are protecting. You design the network from the inside-out instead of from the outside-in. It’s about building zero trust networks around particular sensitive data or assets.”


According to Kindervag, organisations that are aiming to implement a zero trust model need to focus on three initial areas.

“First, building a zero trust ‘centre for excellence’ – including business and IT leaders – where everybody is talking to each other about the problems they are facing, because what’s missing from a lot of cyber security is the involvement of the business.

“There is typically a chasm between the engineering and business side of the house, and zero trust is a strategy that can help bridge that gap,” he said, adding that this perspective comes from working in both worlds as a network and security engineer, architect, and a pen tester before becoming an analyst and a field chief technology officer.

Second, said Kindervag, is doing a zero trust workshop so that everybody understands the goal and has a common understanding, as well as a guide for their trajectory.

“Third, ‘start small’. The key concept of zero trust is the idea of a ‘protect surface’ -- the data, assets, applications and services you need to protect. Most people are trying to protect a massive network perimeter, which is the attack surface.

“In applying zero trust, we shrink it down to the protect surface, which could be a single device or a single data store for credit card data that needs to be protected to comply with the PCI DSS [payment card industry data security] standard. Once you have defined that, you build over time in small incremental steps and an iterative fashion -- a zero trust environment.”

This will typically take the form of putting the data into its own segment on the network; mapping the transaction flows of the system using that data, which identifies where to put security controls; architecting the network accordingly by putting a network segmentation gateway with the necessary functionality in front of the protect surface; defining a micro perimeter and policy around that using the Kipling Method; and then monitoring and maintaining that using data analytics to refine the approach.
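The micro-perimeter policy and monitoring steps above, sketched as an added example that is not from the article or from any supplier's product: a default-deny evaluator whose allow rules answer the six questions the Kipling Method is named for (who, what, when, where, why, how) for a cardholder-data protect surface. The schema, identities, profile names and flow records are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import time

@dataclass(frozen=True)
class Rule:
    """One allow rule for a protect surface (hypothetical schema)."""
    who: frozenset   # asserted user or service identities
    what: str        # application allowed to carry the traffic
    when: tuple      # (start, end) time-of-day window
    where: str       # protect surface the rule guards
    why: str         # data classification justifying the rule (audit record)
    how: str         # inspection profile the gateway must apply

@dataclass(frozen=True)
class Flow:
    """One transaction flow seen at the segmentation gateway (constructed)."""
    user: str
    app: str
    at: time
    dest: str
    inspected_with: str

RULES = [  # constructed policy: nothing outside these two rules is permitted
    Rule(frozenset({"svc-payments"}), "postgres", (time(0, 0), time(23, 59)),
         "cardholder-db", "PCI DSS cardholder data", "tls-decrypt+dlp"),
    Rule(frozenset({"dba-alice"}), "ssh", (time(8, 0), time(18, 0)),
         "cardholder-db", "PCI DSS cardholder data", "session-recording"),
]

def evaluate(flow, rules=RULES):
    """Return ('allow', rule) only on a full match; otherwise default deny."""
    for rule in rules:
        start, end = rule.when
        if (flow.user in rule.who and flow.app == rule.what
                and start <= flow.at <= end and flow.dest == rule.where
                and flow.inspected_with == rule.how):
            return "allow", rule
    return "deny", None

def audit(flows, rules=RULES):
    """Return the denied flows, the input to monitoring and policy refinement."""
    return [f for f in flows if evaluate(f, rules)[0] == "deny"]

FLOWS = [  # constructed sample flows
    Flow("svc-payments", "postgres", time(3, 15), "cardholder-db", "tls-decrypt+dlp"),
    Flow("dba-alice", "ssh", time(22, 40), "cardholder-db", "session-recording"),
    Flow("hr-bob", "postgres", time(10, 0), "cardholder-db", "tls-decrypt+dlp"),
]
```

Here the administrator's out-of-hours session and the unlisted identity are both denied even though each uses an otherwise permitted application, because every question must match before a flow is allowed.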

Quick hit wins

Approaching zero trust in this way, said Kindervag, means organisations are able to realise some “quick hit wins” and at the same time begin practising how to go about implementing the approach. “Practice is important, so organisations should look for ways of enabling their security teams to do this in low-risk environments to gain confidence and competence.”

Faced with a growing body of data protection and privacy legislation, Kindervag said business leaders can see the benefits of a zero trust approach. “It is an idea and methodology that solves a lot of fundamental problems, and yet it can be done incrementally, without disrupting the business.”

Other benefits of the model, he said, include smaller rule sets that are easier to maintain, monitor and update; improved visibility of what is going on in the IT environment; improved blocking of data exfiltration by bad actors, because the implicit outbound connections that are allowed in legacy network topologies are absent; and improved data for auditing and compliance.

“All these things taken together become a huge benefit for the organisation, and make cyber security a business enabler instead of a business inhibitor by helping to keep the business operational because it is not having to contend with disruptive cyber security events,” said Kindervag.
