SecurityWeek

Identity & Access

Cyber Security’s New Center Point: Zero Trust

Every year, thousands of companies are breached and billions of data records exfiltrated by cyber adversaries, leading in extreme cases to business closures, geopolitical setbacks, or citizens’ loss of confidence in the integrity of their countries’ electoral procedures.

When conducting post-mortem analysis, it becomes apparent that most of these breaches were not highly sophisticated. Instead, they exploited weak, stolen, or otherwise compromised credentials. Identities, and the trust we place in them, are being used against us; they have become the Achilles' heel of our cyber security practices. To address this shortcoming, the Zero Trust model has gained a lot of industry momentum over the last year. According to IDG's 2018 Security Priorities Survey, 71 percent of security-focused IT decision makers are aware of the Zero Trust model, 8 percent are already actively using it in their organizations, and a further 10 percent are piloting it.

The Zero Trust model, first introduced in 2010 by Forrester Research in collaboration with the National Institute of Standards and Technology (NIST), is not a new concept. Based on his research findings, Forrester analyst John Kindervag concluded that the inherent trust assumptions built into traditional, perimeter-based security measures leave organizations vulnerable to both external and internal attacks. Zero Trust is a security concept centered on the principle that an organization should not inherently trust any entity inside or outside its perimeter, and should instead verify every request to connect to its systems before granting access.

The original concept of Zero Trust was a data-centric network design that leveraged micro-segmentation to enforce more granular rules and ultimately limit lateral movement by attackers. Since its inception, the concept of Zero Trust and its benefits have evolved significantly. Nowadays, Zero Trust is being used by organizations to drive strategic security initiatives and enable business decision makers and IT leaders to implement pragmatic prevention, detection, and response measures.

The Zero Trust eXtended Ecosystem

The biggest evolution of the Zero Trust model has been captured by Forrester Research analyst Dr. Chase Cunningham, who published the Zero Trust eXtended (ZTX) Ecosystem report, which extends the original model beyond its network focus to encompass today’s ever-expanding attack surface and the following elements and associated processes: 

• Networks – Segment, isolate, and control the network.

• Data – Secure and manage the data, categorize and develop data classification schemas, and encrypt data both at rest and in transit. 

• Workloads – Apply Zero Trust controls to the entire application stack, from the application layer down through the hypervisor, including self-contained units of processing (e.g., containers and virtual machines). 

• Devices – Isolate, secure, and always control every device on the network.

• People (a.k.a. Identity) – Limit and strictly enforce the access of users and secure those users.  

Applying security controls to each of the above-mentioned elements provides a roadmap to Zero Trust. However, one driving principle should be the knowledge that the easiest way for cyber-attackers to gain access to sensitive data is by compromising a user’s identity. Things get even worse if a stolen identity belongs to a privileged user who has even broader access, or “the keys to the kingdom”. In fact, 80 percent of security breaches involve privileged credentials, according to Forrester Research. 

The Path to Zero Trust Starts with Identity 

To limit an organization’s cyber risk exposure to the #1 cause of today’s data breaches ― privileged access abuse ― consider the following actions:

1. Discover and Vault – Identify all privileged accounts and resources and vault away those privileged credentials so that they are properly managed. 

2. Identity Consolidation with Least Access and Privilege – Vaulting alone is not enough. Phase two reduces the attack surface by consolidating identities and eliminating local accounts as far as possible, then implementing privilege elevation controls together with a workflow for just-in-time privileged access. One of the lowest-hanging fruits is to require basic multi-factor authentication (MFA) for all privileged users.

3. Harden the Environment with High Assurance – The final phase hardens the environment by air-gapping admin accounts, as recommended in Microsoft's Enhanced Security Administrative Environment (ESAE) guidance. In addition, lock down dangerous workarounds by implementing host-based monitoring and advanced behavioral analytics, and require Authenticator Assurance Level 3 MFA (AAL3, in NIST SP 800-63B terms) for the most sensitive environments.
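The principle above ("verify every request before granting access") and the three-phase path (vaulting, least privilege with just-in-time elevation and MFA, higher assurance for the most sensitive systems) can be expressed as an access-decision policy. The following is an added illustration, not code from the article or from any product the author worked on; the resource tiers, the AAL-per-tier table, the device attributes and the sample requests are all constructed for the example. Note that the source IP address is carried only for audit: the same user asking for the same resource from inside or outside the network gets the identical verdict.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Hypothetical data model and policy tables (added example, not the article's).

@dataclass
class Device:
    device_id: str
    managed: bool      # enrolled in the organisation's inventory / MDM
    compliant: bool    # e.g. patched, disk encrypted, endpoint agent running

@dataclass
class Request:
    user: str
    aal: int                          # NIST SP 800-63B Authenticator Assurance Level, 1..3
    device: Device
    source_ip: str                    # recorded for audit only; never a trust signal
    resource: str
    jit_grant_expires: Optional[datetime] = None   # set when just-in-time elevation was approved

@dataclass
class Decision:
    allow: bool
    reasons: list = field(default_factory=list)

# Constructed classification: tier 2 is "keys to the kingdom" infrastructure.
RESOURCE_TIER = {"wiki": 0, "hr-database": 1, "domain-controller": 2}
MIN_AAL = {0: 1, 1: 2, 2: 3}          # AAL3 only for the most sensitive tier
PRIVILEGED_TIER = 2                   # tier that additionally needs a JIT grant

def evaluate(req: Request, now: datetime) -> Decision:
    """Verify every request; default deny. Being 'inside' the network earns nothing."""
    reasons = []
    tier = RESOURCE_TIER.get(req.resource)
    if tier is None:
        return Decision(False, ["unknown resource: default deny"])
    if not req.device.managed:
        reasons.append("unmanaged device")
    elif not req.device.compliant:
        reasons.append("device out of compliance")
    if req.aal < MIN_AAL[tier]:
        reasons.append(f"AAL{req.aal} below required AAL{MIN_AAL[tier]}")
    if tier >= PRIVILEGED_TIER:
        if req.jit_grant_expires is None:
            reasons.append("no just-in-time privilege grant")
        elif req.jit_grant_expires <= now:
            reasons.append("just-in-time grant expired")
    return Decision(not reasons, reasons or ["all checks passed"])

def grant_jit(req: Request, now: datetime, ttl_minutes: int = 30) -> Request:
    """Approve a time-boxed elevation instead of standing admin rights."""
    req.jit_grant_expires = now + timedelta(minutes=ttl_minutes)
    return req

def run_scenarios() -> dict:
    """Constructed requests exercising each check the policy applies."""
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    good = Device("lt-0421", managed=True, compliant=True)
    byod = Device("phone-77", managed=False, compliant=False)
    s = {}
    # Same user, same resource: on-prem and remote get the identical verdict.
    s["wiki_inside"] = evaluate(Request("alice", 1, good, "10.0.0.5", "wiki"), now)
    s["wiki_remote"] = evaluate(Request("alice", 1, good, "203.0.113.9", "wiki"), now)
    # Sensitive data from an unmanaged device, even with MFA: denied.
    s["hr_byod"] = evaluate(Request("alice", 2, byod, "10.0.0.5", "hr-database"), now)
    # Tier-0 resource with AAL2 and no JIT grant: denied on both counts.
    s["dc_standing"] = evaluate(Request("bob", 2, good, "10.0.0.8", "domain-controller"), now)
    # Tier-0 with AAL3 and a fresh JIT grant: allowed ...
    dc = grant_jit(Request("bob", 3, good, "10.0.0.8", "domain-controller"), now)
    s["dc_jit"] = evaluate(dc, now)
    # ... but not once the grant has lapsed.
    s["dc_jit_expired"] = evaluate(dc, now + timedelta(minutes=31))
    return s

if __name__ == "__main__":
    for name, d in run_scenarios().items():
        print(f"{name:16} {'ALLOW' if d.allow else 'DENY '} {'; '.join(d.reasons)}")
```

Running the script prints one line per scenario. The design point is that the decision is a function of identity assurance, device posture, resource sensitivity and a time-bound grant, and that a standing "admin" bit is never consulted: removing standing privilege is what makes a stolen credential worth less to an attacker.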

Shifting traditional perimeter-based enterprise security strategies to a Zero Trust approach provides more robust prevention, detection, and incident response capabilities to protect continuously expanding attack surfaces, including cloud, big data lakes, DevOps, containers, and microservices. Following this path allows organizations to defend against advanced threats and limit the impact of breaches, supports new business and operational models, and enables compliance (e.g., FISMA, HIPAA, PCI).

Written By

Dr. Torsten George is an internationally recognized IT security expert, author, and speaker with nearly 30 years of experience in the global IT security community. He regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege for Dummies book. Torsten has held executive level positions with Absolute Software, Centrify (now Delinea), RiskSense (acquired by Ivanti), RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global), Digital Link, and Everdream Corporation (acquired by Dell).