Every year, thousands of companies are breached and billions of data records exfiltrated by cyber adversaries, leading in extreme cases to business closures, geopolitical setbacks, or citizens’ loss of confidence in the integrity of their countries’ electoral procedures.
When conducting post-mortem analysis, it becomes apparent that none of these breaches were highly sophisticated. Instead, they exploited weak, stolen, or compromised credentials. Identities, and the trust we place in them, are being used against us. They have become the Achilles’ heel of our cyber security practices. To address these shortcomings, the use of a Zero Trust model has gained a lot of industry momentum over the last year. According to IDG’s 2018 Security Priorities Survey, 71 percent of security-focused IT decision makers are aware of the Zero Trust model, with 8 percent already actively using it in their organizations and 10 percent piloting it.
The Zero Trust model, first introduced in 2010 by Forrester Research in collaboration with the National Institute of Standards and Technology (NIST), is not a new concept. Based on research findings, Forrester analyst John Kindervag concluded that inherent trust assumptions in traditional security measures leave organizations vulnerable to external and internal attacks. Zero Trust is a security concept centered on the belief that organizations should not inherently trust entities inside or outside their perimeters, and instead should verify every request to connect to their systems before granting access.
The original concept of Zero Trust was a data-centric network design that leveraged micro-segmentation to enforce more granular rules and ultimately limit lateral movement by attackers. Since its inception, the concept of Zero Trust and its benefits have evolved significantly. Nowadays, Zero Trust is being used by organizations to drive strategic security initiatives and enable business decision makers and IT leaders to implement pragmatic prevention, detection, and response measures.
The Zero Trust eXtended Ecosystem
The biggest evolution of the Zero Trust model has been captured by Forrester Research analyst Dr. Chase Cunningham, who published the Zero Trust eXtended (ZTX) Ecosystem report, which extends the original model beyond its network focus to encompass today’s ever-expanding attack surface and the following elements and associated processes:
• Networks – Segment, isolate, and control the network.
• Data – Secure and manage the data, categorize and develop data classification schemas, and encrypt data both at rest and in transit.
• Workloads – Apply Zero Trust controls to the entire application stack, covering the app layer through the hypervisor or self-contained components of processing (i.e., containers, virtual machines).
• Devices – Isolate, secure, and always control every device on the network.
• People (a.k.a. Identity) – Limit and strictly enforce the access of users and secure those users.
Applying security controls to each of the above-mentioned elements provides a roadmap to Zero Trust. However, one driving principle should be the knowledge that the easiest way for cyber-attackers to gain access to sensitive data is by compromising a user’s identity. Things get even worse if a stolen identity belongs to a privileged user who has even broader access, or “the keys to the kingdom”. In fact, 80 percent of security breaches involve privileged credentials, according to Forrester Research.
The Path to Zero Trust Starts with Identity
To limit an organization’s cyber risk exposure to the #1 cause of today’s data breaches ― privileged access abuse ― consider the following actions:
1. Discover and Vault – Identify all privileged accounts and resources and vault away those privileged credentials so that they are properly managed.
2. Identity Consolidation with Least Access and Privilege – Vaulting alone is not enough. Phase two involves reducing the attack surface by consolidating identities and eliminating local accounts as much as possible, then implementing privilege elevation controls as well as a workflow for just-in-time privileged access. One of the lowest-hanging fruits is to implement basic multi-factor authentication (MFA) for all privileged users.
3. Harden the Environment with High Assurance – The final phase involves hardening the environment by air-gapping admin accounts as recommended in the Microsoft Enhanced Security Administrative Environment (ESAE) guidelines. In addition, lock down any dangerous workarounds by implementing host-based monitoring and advanced behavioral analytics, as well as adding Assurance Level-3 MFA for the most sensitive environments.
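The following Python example is added here to make the three-step path concrete; it is not code from the article or from any vendor product. It models a small privileged-access decision point that applies the principles above: every request is verified (the core Zero Trust idea), local accounts are rejected in favour of the consolidated directory (step 2), MFA is mandatory for privileged users and the most sensitive "tier 0" resources demand a higher assurance level (steps 2 and 3), and elevated roles are reachable only through time-bound, separately approved just-in-time grants, so no standing privilege exists. All identities, resources, MFA level numbers and grant durations are constructed for illustration.

```python
"""Zero Trust privileged-access decision point (added example, not the article's code).

Models the principles in the text: verify every request, accept only consolidated
(central-directory) identities, require MFA at a level matching the resource's
sensitivity, and allow privileged roles only through time-bound just-in-time grants.
All names, resources and sample values below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

MAX_GRANT_TTL = timedelta(hours=1)  # hard cap: no grant may outlive this, whatever was requested


@dataclass(frozen=True)
class Identity:
    user: str
    directory: str          # "central" = consolidated directory; anything else is a local account
    mfa_level: int          # 0 = none, 1 = OTP, 2 = push, 3 = phishing-resistant hardware (assumed scale)
    device_compliant: bool


@dataclass(frozen=True)
class Resource:
    name: str
    tier: str               # "tier0" marks the most sensitive environments
    required_mfa_level: int


@dataclass(frozen=True)
class JitGrant:
    user: str
    resource: str
    role: str
    approved_by: str
    expires_at: datetime


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def issue_grant(user: str, resource: str, role: str, approved_by: str,
                now: datetime, requested_ttl: timedelta = MAX_GRANT_TTL) -> JitGrant:
    """Create a time-bound grant. The TTL is capped so a long request cannot become standing privilege."""
    if approved_by == user:
        raise ValueError("a just-in-time grant cannot be self-approved")
    ttl = min(requested_ttl, MAX_GRANT_TTL)
    return JitGrant(user, resource, role, approved_by, now + ttl)


def active_grant(grants: list, user: str, resource: str, role: str, now: datetime) -> Optional[JitGrant]:
    """Return the matching grant that has not yet expired, if any."""
    for g in grants:
        if (g.user, g.resource, g.role) == (user, resource, role) and now < g.expires_at:
            return g
    return None


def evaluate(identity: Identity, resource: Resource, role: str,
             grants: list, now: datetime) -> Decision:
    """Decide one access request. Every request is checked; nothing is trusted by default."""
    # Identity consolidation: only the central directory is an accepted source of identity.
    if identity.directory != "central":
        return Decision(False, "local account rejected; use the consolidated directory")
    # Device posture is part of every decision, not just the user's credentials.
    if not identity.device_compliant:
        return Decision(False, "device not compliant")
    # The resource's sensitivity dictates the MFA assurance level required.
    if identity.mfa_level < resource.required_mfa_level:
        return Decision(False, f"MFA level {identity.mfa_level} below required "
                               f"{resource.required_mfa_level} for {resource.tier}")
    # Any privileged role needs a current JIT grant; there is no standing privilege.
    if role != "reader":
        grant = active_grant(grants, identity.user, resource.name, role, now)
        if grant is None:
            return Decision(False, f"no active just-in-time grant for role '{role}'")
        return Decision(True, f"grant approved by {grant.approved_by} until {grant.expires_at.isoformat()}")
    return Decision(True, "read access; identity, MFA and device checks passed")


# Constructed sample data.
RESOURCES = {
    "app-db-prod": Resource("app-db-prod", "standard", required_mfa_level=1),
    "domain-controller": Resource("domain-controller", "tier0", required_mfa_level=3),
}
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)


def demo() -> list:
    """Run a few representative requests and return their decisions."""
    alice = Identity("alice", "central", mfa_level=2, device_compliant=True)
    svc = Identity("svc_backup", "local", mfa_level=3, device_compliant=True)
    # A 30-day request is silently capped to MAX_GRANT_TTL by issue_grant.
    grants = [issue_grant("alice", "app-db-prod", "dba", "bob", NOW, timedelta(days=30))]
    return [
        evaluate(alice, RESOURCES["app-db-prod"], "dba", grants, NOW),                       # allowed
        evaluate(alice, RESOURCES["app-db-prod"], "dba", grants, NOW + timedelta(hours=2)),  # grant expired
        evaluate(alice, RESOURCES["domain-controller"], "admin", grants, NOW),              # needs level-3 MFA
        evaluate(svc, RESOURCES["app-db-prod"], "reader", [], NOW),                         # local account
    ]


if __name__ == "__main__":
    for d in demo():
        print("ALLOW" if d.allowed else "DENY ", d.reason)
```

Each denial carries a reason string so the decision log doubles as detection input: a burst of "no active just-in-time grant" or "local account rejected" denials for one user is exactly the kind of signal the host-based monitoring and behavioral analytics in step 3 would consume.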
Shifting traditional perimeter-based enterprise security strategies to a Zero Trust approach provides more robust prevention, detection, and incident response capabilities to protect continuously expanding attack surfaces, including cloud, big data lakes, DevOps, containers, and microservices. Following this path allows organizations to defend against advanced threats and limit the impact of breaches, supports new business and operational models, and enables compliance (e.g., FISMA, HIPAA, PCI).