Maksim Kabakou - Fotolia
Security Think Tank: Zero trust – just another name for the basics?
In theory, the elimination of trust on the network simplifies IT security, but zero trust also brings new complications and new challenges. How should CISOs go about moving their organisations from traditional network security to a zero-trust architecture?
Zero trust is, to me, yet another name for what cyber security professionals should already be doing. I still find it ludicrous that while I carry out a penetration test, I can just plug my laptop into a company’s network and pretty much see everything on it, no questions asked. I can sniff password hashes off the wire, access vulnerable systems and generally play all sorts of well-intended havoc.
So, zero trust sums up what you should NOT be doing. That is, entrusting that all your users, bring-your-own devices and systems on the network won’t hack you. This mantra is still being played back to me today, by companies that should know better, with more than enough budget, resource and common sense to sort this all out.
The whole point of a penetration test is to gain unauthorised access to systems, so part of the test will usually involve spoofing a system and/or pretending to be somebody else. If I can be that system or that person, then I’m trusted to do what that system or person is expected to do.
Thus zero trust has to be infallible. Networks should be built on the principle that all machines are publicly exposed on the internet. Then you’ll soon get the idea of what needs doing. Intra-system communication should be encrypted, just as your connection to Office 365 or other cloud services is encrypted. That would stop me dead in my tracks as network sniffing would just spew out garbage.
I could still try to spoof people, applications and systems, but if multi-factor authentication (MFA) is enabled on internal systems, then there’s no chance of that happening without me somehow compromising MFA key fobs or public key infrastructures (PKIs).
On enterprise networks, this does present challenges; and it is likely a single-sign on (SSO) solution would start reaping rewards, even more so if tied to MFA.
However, not all systems will work with encrypted traffic, or support SSO or MFA integration. Some won’t work with PKIs as they don’t support certificates. But all key user-facing technology pretty much supports web enablement and HTTPS. A standard Windows Server environment will also quite happily support internet protocol security (IPsec) communication between all servers.
So while implementing zero-trust architectures will undoubtedly cost money and take time and valuable resource away from other projects, it does make sense; and only needs to be done once.
If systems and users are definitely 100% who they say they are, then the chances of a data breach drop significantly. Ransomware can’t easily spread. Critical systems aren’t knocked down by an attack, as attackers won’t be able to access them.
But whilst zero trust will help organisations evolve their defences, criminals will always try to stay one step ahead. Once networks are implicitly secured through zero trust, then applications and people will just be targeted instead. So expect to see an increased demand for secure applications and increased levels of phishing and social engineering attacks on your users.
Good security doesn’t stop at zero trust!
