"Never trust; always verify." Sounds like common sense, right? That's the motto behind a strategy called Zero Trust, which is gaining traction in the world of cybersecurity. It involves an IT department verifying all users before granting access privileges. Effectively managing access to accounts is more important than ever with 58 percent of small to midsize businesses (SMBs) reporting data breaches in 2017, according to the 2018 Verizon Data Breach Investigation Report.
Continue Reading Below
The Zero Trust concept was founded by John Kindervag, a former analyst at Forrester Research and now a Field CTO at Palo Alto Networks. "We need to start doing a real strategy, and that's what Zero Trust enables," Kindervag told the audience on Oct. 30 at the SecurIT Zero Trust Summit in New York City. He added that the idea of Zero Trust originated when he sat down and really considered the concept of trust, and how it's the malicious actors that generally benefit from companies trusting parties that they shouldn't.
Dr. Chase Cunningham became Kindervag's successor as a Principal Analyst at Forrester in championing a Zero Trust Access approach. "Zero Trust is what's entailed in those two words, meaning trust nothing, don't trust password management, don't trust credentials, don't trust users, and don't trust the network," Cunningham told PCMag at the Zero Trust Summit.
Kindervag used the example of the US Secret Service to illustrate about how an organization should keep track of what they need to protect and who needs access. "They continuously monitor [the protect surface] and update those controls so they can control what transits the micro perimeter at any given time," Kindervag said. "This is a Zero Trust method of executive protection. It is the best visual example of what we are trying to do in Zero Trust."
John Kindervag, Field CTO at Palo Alto Networks (Credit: Centrify)
Zero Trust Lessons Learned at OPM
A perfect example of how Zero Trust can work to benefit organizations came from the former CIO of the US federal government. At the Zero Trust Summit, Dr. Tony Scott, who held the office of US CIO from 2015 through 2017, described a major data breach that occurred at the US Office of Personnel Management (OPM) in 2014. The breach occurred due to foreign espionage in which personal information and security clearance background info was stolen for 22.1 million people along with fingerprint data on 5.6 million individuals. Scott described how not only a combination of digital and physical security would have been necessary to ward off this breach, but also an effective application of the Zero Trust policy.
When people would apply for a job at the OPM, they filled out an exhaustive Standard Form (SF) 86 questionnaire, and the data would be guarded at a cave by armed guards and tanks, he said. "If you were a foreign entity and you wanted to steal that information, you would have to breach this cave in Pennsylvania and get past the armed guards. Then you would have to leave with truckloads of paper or have a very fast Xerox machine or something," Scott said. "It would have been monumental to try to escape with 21 million records," he continued. "But slowly, as automation came into the OPM process, we started putting this stuff in computer files on magnetic media, and so on. That's made it a lot easier to steal." Scott explained that the OPM failed to find the equivalent type of effective security as the armed guards when the agency went digital. Following the attack, Congress released a report calling for a Zero Trust strategy to protect these types of breaches in the future.
"To combat the advanced persistent threats seeking to compromise or exploit federal government IT networks, agencies should move toward a 'Zero Trust' model of information security and IT architecture," the congressional report stated. Former US Rep. Jason Chaffetz (R-Utah), then the Chairman of the Oversight Committee, also wrote a post about Zero Trust at the time, originally published by Federal News Radio. "The Office of Management and Budget (OMB) should develop guidelines for executive departments and agency heads to effectively implement Zero Trust along with measures to visualize and log all network traffic," Chaffetz wrote.
Zero Trust in the Real World
In an real-world example of a Zero Trust implementation, Google deployed internally an initiative called BeyondCorp intended to move access controls from the network perimeter to individual devices and users. Administrators can use BeyondCorp as a way to create granular access control policies for Google Cloud Platform and Google G Suite based on IP address, device security status, and a user's identity. A company called Luminate provides Zero Trust security as a service based on BeyondCorp. Luminate Secure Access Cloud authenticates users, validates devices, and offers an engine that provides a risk score that authorizes application access. "Our goal is to securely provide access for any user, from any device, to any corporate resource regardless of where it's hosted, in cloud or on premises without deploying any agents in the endpoint or any appliances such as virtual private networks (VPNs), firewalls, or proxies on the destination site," Michael Dubinsky, Head of Product Management at Luminate, told PCMag at the Hybrid Identity Protection (HIP) Conference 2018 (HIP2018) in NYC.
A key IT discipline in which Zero Trust is gaining rapid traction is identity management. That's likely because 80 percent of breaches are caused by misuse of privileged credentials, according to the "Forrester Wave: Privileged Identity Management, Q3 2016" report. Systems that control authorized access to a more granular degree can help prevent these incidents.
The identity management space isn't new, and there's a long list of companies that offer such solutions, with likely the most pervasive being Microsoft and its Active Directory (AD) platform, which is embedded in the still-popular Windows Server operating system (OS). However, there's a slew of newer players that can offer not only more functionality than AD, but can also make identity management easier to implement and maintain. Such companies include players such as Centrify , Idaptive, Okta, and SailPoint Technologies.
And while those who have already invested in Windows Server might balk at paying more for technology they feel they've already invested in, a deeper and better maintained identity management architecture can make for big dividends in thwarted breaches and compliance audits. Plus, the cost isn't prohibitive, though it can be significant. For example, Centrify Infrastructure Services starts at $22 per month per system.
How Zero Trust Works
"One of the things Zero Trust does is define network segmentation," Kindervag said. Segmentation is a key concept both in network management and cybersecurity. It involves splitting a computer network into subnetworks, either logically or physically, to improve performance and security.
A Zero Trust architecture moves beyond a perimeter model, which encompasses the physical location of a network. It involves "pushing the perimeter down to the entity," said Dr. Chase Cunningham, Principal Analyst at Forrester Research. "The entity could be a server, a user, a device, or an access point," he said. "You push the controls down to the micro level rather than thinking you've built a really high wall and that you're safe." Cunningham described a firewall as part of a typical perimeter. "It's a problem of approach and strategy and perimeter," he noted. "The high walls and the one big thing: they just don't work."
To gain access to a network, an old aspect of security was using routers, according to Danny Kibel, the new CEO of Idaptive, an identity management company that is spinning off from Centrify. Before Zero Trust, companies would verify and then trust. But with Zero Trust, you "always verify, never trust," Kibel explained.
Idaptive offers a Next-Gen Access platform that includes Single Sign-On (SSO), adaptive multifactor authentication (MFA), and mobile device management (MDM). Services such as Idaptive provide a way to create the necessarily granular controls on access. You can provision or de-provision based on who needs access to various applications. "It gives that fine-grained ability for the organization to control its access," Kibel said. "And that is super important for organizations that we're seeing because there's a lot of sprawl in terms of unauthorized access."
Kibel defined Idaptive's approach to Zero Trust with three steps: verify the user, verify their device, and only then allow access to applications and services for just that user. "We have multiple vectors to assess the user's behavior: location, geo-velocity [the distance between your current location and where you last logged in], time of day, time of week, what type of application you're using, and even in some cases how you're using that application," Kibel said. Idaptive monitors successful and failed login attempts to see when it needs to rechallenge authentication or block a user altogether.
On Oct. 30, Centrify introduced a cybersecurity approach called Zero Trust Privilege in which companies grant the least privileged access necessary and verify who is requesting the access. The four steps of the Zero Trust Privilege process includes verifying the user, looking into the context of the request, securing the admin environment, and granting the least amount of privilege necessary. Centrify's Zero Trust Privilege approach involves a phased approach to reducing risk. It also brings a transition from legacy Privileged Access Management (PAM), which is software that lets companies restrict access to newer types of environments such as cloud storage platforms, big data projects, and even advanced custom application development projects running in business-grade web hosting facilities.
A Zero Trust model assumes that hackers are already accessing a network, said Tim Steinkopf, President of Centrify. A strategy to combat this threat would be to limit lateral movement and apply MFA everywhere, according to Steinkopf. "Whenever someone is trying to access a privileged environment, you need to immediately have the right credentials and the right access," Steinkopf told PCMag. "The way to enforce that is to consolidate identities, and then you need the context of the request, meaning the who, what, when, why, and where." After that, you grant just the amount of access necessary, Steinkopf said.
"You're taking the context of the user, in which case it could be a doctor, it could be a nurse, or it could be some other person attempting to access the data," Dubinsky said. "You take the context of the device from which they're working, you take the context of the file they're trying to access, and then you need to make an access decision based on that."
Michael Dubinsky, Head of Product Management at Luminate (Credit: Semperis)
MFA, Zero Trust, and Best Practices
A key aspect of a Zero Trust model is strong authentication, and allowing multiple factors of authentication is a part of that, noted Hed Kovetz, CEO and Co-Founder of Silverfort, which offers MFA solutions. With the lack of perimeters in the era of the cloud, there's a greater need for authenticating than ever. "The ability to do MFA of anything is almost a basic requirement of Zero Trust, and it's impossible to do today because Zero Trust comes from the idea where there are no perimeters anymore," Kovetz told PCMag at HIP2018. "So anything is connecting to anything, and in this reality, you don't have a gateway to which you can apply control."
Dr. Chase Cunningham, Principal Analyst at Forrester Research (Credit: Centrify)
Forrester's Cunningham has outlined a strategy called Zero Trust eXtended (XTX) to map technology purchasing decisions to a Zero Trust strategy. "We really looked at the seven pieces of control that you need to actually manage an environment securely," Cunningham said. The seven pillars are Automation and Orchestration, Visibility and Analytics, Workloads, People, Data, Networks, and Devices. To be a ZTX platform, a system or technology would have three of these pillars along with application programming interface (API) capabilities. Several vendors that offer security solutions fit in various pillars of the framework. Centrify offers products that address the security of people and devices, Palo Alto Networks and Cisco offer networking solutions, and IBM's Security Guardium solutions focus on data protection, Cunningham noted.
A Zero Trust model should also involve encrypted tunnels, a traffic cloud, and certificate-based encryption, Steinkopf said. If you're sending data from an iPad over the internet, then you want to verify that the recipient is entitled to access, he explained. Implementing emerging technology trends such as containers and DevOps can help combat privileged credentialed abuse, according to Steinkopf. He also described cloud computing as being at the forefront of a Zero Trust strategy.
Luminate's Dubinsky agrees. For SMBs, turning to a cloud company that provides identity management or MFA as a service offloads these security responsibilities to companies that specialize in that area. "You want to offload as much as you can to companies and people that are responsible for [security] as their day job," Dubinsky said.
The Potential of the Zero Trust Framework
Although experts acknowledged that companies are turning to a Zero Trust model, particularly in identity management, some don't see a need for big changes in security infrastructure to adopt Zero Trust. "I'm not sure it's a strategy that I'd want to adopt at any level today," said Sean Pike, Program Vice President for IDC's Security Products Group. "I'm not positive that the ROI [return on investment] calculus exists in a time frame that makes sense. There are a number of architectural changes and personnel issues that I think makes the cost prohibitive as a strategy."
However, Pike sees potential for Zero Trust in telecommunications and IDM. "I do think there are components that can readily be adopted today that won't require wholesale architecture changes—identity, for instance," Pike said. "While they are associated [with Zero Trust], my strong feeling is that adoption isn't necessarily a strategic move toward Zero Trust but rather a move to address new ways users connect and the need to move away from password-based systems and improve access management," Pike explained.
Although Zero Trust can be interpreted as a bit of a marketing concept that repeats some of the standard principles of cybersecurity, such as not trusting entrants to your network and needing to verify users, it does serve a purpose as a game plan, according to experts. "I'm a big proponent for Zero Trust, of moving toward that singular, strategic sort of mantra and championing that within the organization," Forrester's Cunningham said.
The Zero Trust ideas introduced by Forrester in 2010 are not new to the cybersecurity industry, noted John Pescatore, Director of Emerging Security Trends at the SANS Institute, an organization that provides security training and certification. "That is pretty much the standard definition of cybersecurity—try to make everything secure, segment your network, and manage user privileges," he said.
Pescatore noted that around 2004, a now-defunct security organization called the Jericho Forum introduced similar ideas as Forrester regarding "perimeter-less security" and recommended only allowing trusted connections. "This is kind of like saying, 'Move somewhere that has no criminals and perfect weather, and you don't need a roof or doors on your house,' " Pescatore said. "Zero Trust at least brought back in the common sense of segmenting—you always segment from the internet with a perimeter."
As an alternative to the Zero Trust model, Pescatore recommended following the Center for Internet Security's Critical Security Controls. In the end, Zero Trust can certainly bring benefits despite the hype. But, as Pescatore noted, whether it's called Zero Trust or something else, this type of strategy still requires basic controls.
"It doesn't change that fact that to protect the business, you have to develop basic security hygiene processes and controls as well as have the skilled staff to keep them running effectively and efficiently," Pescatore said. That's more than a financial investment for most organizations, and it's one companies will need to focus on to succeed.