Zero Trust or Bust?

Implementing a Zero Trust Model Represents a Dramatic Change and Requires a Well-planned Transition

The use of a Zero Trust model to minimize cyber risk exposure has returned to the spotlight after a report by the U.S. House of Representatives’ Committee on Oversight and Government Reform detailed the events leading up to the sweeping hack of the U.S. Office of Personnel Management (OPM). One of the report’s recommendations was for Federal information security efforts to move toward a Zero Trust model, in which users inside a network are treated as no more trustworthy than users outside a network. However, is this alternative approach really an effective measure to minimize cyber risk or does it just create new challenges?

In June 2015, the OPM, which is responsible for checking the backgrounds of a large majority of Federal government job applicants and contactors, revealed that 4.2 million personnel records of former and current Federal employees had been compromised. A month later, the true scope of the data breach came into focus when the agency reported that background investigation data for 21.5 million individuals as well as the fingerprint data for 5.6 million of them had been exfiltrated. This made the OPM breach one of the largest in government history.

The U.S. House of Representatives’ Committee on Oversight and Government Reform conducted a year-long investigation to identify the root cause of this massive data breach and produce recommendations that would allow OPM and other government entities to minimize their cyber risk exposure in the future.

According to the committee’s report, the OPM data breach can be attributed to a longstanding failure to implement basic cyber security measures (e.g., multi-factor authentication), botched usage of existing security tools to streamline the mitigation of the agency’s extensive vulnerabilities, and lack of applying new security methods to secure sensitive data. Ultimately, the committee outlined the following recommendations:

• Reprioritize Federal information security efforts toward Zero Trust.

• Ensure agency CIOs are empowered, accountable, and competent.

• Reduce use of social security numbers by Federal agencies.

• Modernize existing legacy Federal information technology assets.

• Improve Federal recruitment, training, and retention of Federal cyber security specialists.

These recommendations as well as the continued number of almost daily reports of new data breaches make it abundantly clear that traditional, perimeter-centric security strategies are no longer effective. Instead, the committee’s report promotes the Zero Trust model as an alternative approach.

The Zero Trust model is not a new concept. It was first proposed a few years ago by Forrester Research in collaboration with the National Institute of Standards and Technology (NIST). Instead of using the traditional approach of “trust, but verify”, the Zero Trust model implements “never trust, always verify” as its guiding principle. With Zero Trust there is no default trust for any entity — including users, devices, applications, and packets. The Edward Snowden data leak is a good example for validating the Zero Trust model, since he was a privileged user that accessed otherwise compartmentalized network segments to exfiltrate sensitive data.

The Zero Trust model as propagated by Forrester Research is based on three main pillars:

1. Ensuring that all resources are accessed securely, regardless of location (in other words, there is no longer a trusted zone).

2. Applying a least privilege strategy, and strictly enforcing access control. In Zero Trust, all users are initially untrusted.

3. Inspecting and logging all traffic. Even traffic originating on the LAN is assumed to be suspicious, and is analyzed and logged just as if it came from the WAN.

These fundamentals are closely aligned with the newer NIST concept of Continuous Diagnostics and Mitigation, as it builds upon the concept of near real-time analysis of all transactions, be it on the network, application, database, or human layer. However, increasing the frequency of data collection and analysis, further exasperates the challenges associated with processing a huge volume, velocity, and complexity of data to identify imminent cyber risks.

As a result, implementing a Zero Trust model represents a dramatic change and requires a well-planned transition that should be complimented by efforts to operationalize cyber risk detection, prevention, and response. By doing so, the potential for Zero Trust to enhance enterprise security and thwart both insider and outsider cyber-attacks can be unlocked.