Security Think Tank: How zero trust lets you take back control
In theory, the elimination of trust on the network simplifies IT security, but zero trust also brings new complications and new challenges. How should CISOs go about moving their organisations from traditional network security to a zero trust architecture?
Zero trust. It’s not just a new buzzword, or perhaps the name of a questionable action film, but instead a real set of principles, procedures and methods for tackling the changing IT security landscape, and modernising approaches to IT infrastructure security from the ground up.
In recent years, the elimination – or at least reduction – of trust on the network has been critical for businesses to defend against multiplying security threats emerging from modern computing.
Mobile computing, remote working and the prevalence of software-as-a-service (SaaS) solutions have meant that traditional perimeter-based security is easily penetrated: trust is therefore a security risk, and additional authentication strategies need to be implemented to ensure that each source of data or device has an appropriate level of security.
This is not just common sense from a technological perspective, but it is arguably necessary. The General Data Protection Regulation (GDPR) and other industry-specific laws and regulations mandate that appropriate technical and organisational security measures are implemented by organisations to ensure a level of security of data and systems that is appropriate to the risk.
While zero trust is not yet specifically mandated in many common information security standards, it is increasingly becoming reflective of the state of the art in terms of security.
Zero trust replaces the traditional model of “trust, but verify”, where any device or asset attached to your internal network is assumed to be permitted and safe to access internal-only resources, subject to checks that this is the case, with “never trust, always verify”, where every device must pass authentication and security policy checks to access any corporate resource, and is granted access only to the extent required.
Thankfully, this shift to zero trust is where infosec teams take back control of the many new perimeters of the corporate ecosystem. It shifts security from the address and location layer to a data-centric model. Zero trust network segmentation also provides visibility into traffic, and allows you to understand the “who, what, when, where, why and how” which are important for managing access, security, monitoring and compliance.
Zero trust typically combines control elements to manage the device, user and trust level for anyone wanting access to corporate resources:
- Unified endpoint management: the ability to enforce and monitor the compliance of all endpoint devices whether corporate owned, bring your own (BYOD) or contractor provided. This means you understand your device estate and specific security threats that might arise, such as operating systems falling out of date.
- Single sign-on (SSO): one sign-on point, passing fully validated credentials from system to system. A single version of the user ID truth and a single point of entry which validates a user’s credentials, and logs access in and out of corporate systems, is an important part of an easy user experience in a zero trust environment.
- Multifactor authentication (MFA): a trusted device, a hardware security key, a biometric measure, behavioural analysis, location data, time-based restrictions, and so on – all can be combined to make a “profile” of multiple factors to establish a user’s credentials. When every user must be validated, relying on a single factor is no longer an option.
The new mantra for managing IT security is still to make it as hard as possible for an attack to get through your defences, but understand that this is not a case of “if” an attacker gets through, but “when”. You need to know how best to log, track and trace access paths and data exfiltrated, and limit cross-system contamination, segmenting assets and access to restrict any attackers’ movements, even when they do manage to get inside.
While zero trust has its benefits, it also has its challenges. Many businesses still run customised or legacy software systems that may have been designed with more traditional perimeter defences in mind. They can be difficult to move to zero trust. Digital transformation to achieve zero trust can therefore be costly and time consuming. When implementing zero trust solutions, often new technologies are required for segmentation and authentication, meaning that supply chain risk also needs to be managed.
Our top tips for CISOs trying to move to zero trust are:
1. Ensure that data assets and systems are correctly identified and assessed in terms of the sensitivity of data
Organisations need to have a record of all systems and the reasons and scope of their access to corporate assets and data. Without such asset registers and identifiers, it can be difficult to understand corporate network topology, and identify risks and mitigations through understanding data flows and access points into and out of the network.
A proper up-to-date, regular assessment of sensitivity of stored data can also feed into network security prioritisation, ensuring that the most sensitive systems and data are appropriately protected. This relates strongly to data mapping, and can assist in demonstrating appropriate technical and organisational security measures and ensuring accountability for the purposes of regulatory compliance.
2. Identify problematic systems such as legacy or customised software that may be difficult to migrate to zero trust
Many organisations need to implement a hybrid approach that allows them to manage the risk of trust and verification systems in legacy and customised software until those systems are ready to be refreshed, rather than just updating them in order to change to zero trust security.
A hybrid approach may be the only option for older mission-critical systems that cannot be easily replaced. Understanding what devices and resources interface with trust-based systems will help to identify where else zero trust should be deployed to ensure gaps are minimised.
3. Consider what level of protection is appropriate to the risk of the data, map data transactions flows fully, design security measures appropriately and develop and deploy a policy designed to support this design and classification
For some data assets that are less sensitive than others, retaining a level of trust might be appropriate, provided that other, more sensitive data assets are protected using a zero trust approach.
4. Select suppliers in the zero trust ecosystem carefully, undertaking appropriate diligence and testing on the products that they offer
Data breaches and downtime have been known to occur where there are failures in third-party solutions and so having a rigorous process to assess suppliers is key. For example, a security flaw in authentication software or services could undermine the whole approach to zero trust (as we saw recently with a major MFA provider).
5. Build zero trust solutions carefully into business continuity and disaster recovery procedures and test them
Workarounds that are relied on in disaster recovery situations where data assets or authentication processes are offline often rely on trust and can therefore undermine zero trust solutions that may be implemented. For example, single sign-on solutions are typically deployed across all corporate resources acting as the gateway, validator and authenticator for all systems whether accessed or located on or off-site.
Ensuring that IT administrators have documented emergency procedures and local authentication fallbacks ensures the impacts of critical systems failures are minimised.
6. Ensure zero trust compatibility is mandated for all new software and system procurements to facilitate the journey towards zero, not just partial, trust
Zero trust is clearly a necessary development to secure data and assets in an increasingly fragmented IT ecosystem. For many, hybrid solutions will be required until legacy and customised systems can be updated.
It may be an uphill battle for some organisations to achieve, but the realities of failing to pursue it will likely involve higher risks to information security and greater risks of regulatory non-compliance and reputational damage in the future.
Research assistance for this article was provided by Robert Grannells, technology team associate at FieldFisher.