Enterprises are accelerating digital transformation initiatives in response to the rapidly evolving business landscape and increasingly remote workforce. Successfully implementing business-critical digital transformation efforts requires an efficient, effective workforce that has access to every application and tool they need to get their job done.
However, security leaders are faced with the difficult challenge of balancing securing the organization while keeping employees productive with access to resources from anywhere, at any time. Maintaining this balance requires an organization to have full confidence in the identity of the employee requesting access to ensure only the right users access the corporate resources they are authorized to use.
In response, organizations are moving toward a new identity-centric approach rather than a security strategy that relies on the corporate network to enable a productive, secure and agile enterprise. Zero Trust is a strategic concept that encourages security teams to rely less on the safety of a network perimeter and more on the identity of the user and the secure processes and technologies that can be applied directly to corporate resources, irrespective of where they’re located.
O’Reilly Media’s Zero Trust Networks has perhaps the most succinct description of the principles underlying the Zero Trust approach:
What is Zero Trust?
The network is always assumed to be hostile.
External and internal threats exist on the network at all times.
Network locality is not sufficient for deciding trust in a network.
Every device, user and network flow is authenticated and authorized.
Policies must be dynamic and calculated from as many sources of data as possible.
Read on to learn why enterprises are adopting a Zero Trust strategy to enable digital transformation initiatives and how your organization can take the first steps toward an identity-centric approach to securing corporate resources.
Where Did Zero Trust Originate?
Before Zero Trust had a name, the concept of de-perimeterization was promoted as early as 2004 by the Jericho Forum. This working group of Chief Information Security Officers ultimately compiled the Jericho Forum Commandments which defined “areas and principles to be observed when planning for a de-perimeterized future.”
In the fall of 2010, the term Zero Trust was first introduced by Forrester Research Analyst John Kindervag in a series of reports, beginning with “No More Chewy Centers: Introducing The Zero Trust Model Of Information Security.” A series of three reports was published describing the concept, architecture and case studies for Zero Trust along with a primary directive:
“In Zero Trust, all network traffic is untrusted. Thus, security professionals must verify and secure all resources, limit and strictly enforce access control, and inspect and log all network traffic.”
From a practical standpoint, this means that all forms of implied trust and resulting entitlements are no longer valid. Instead, organizations must rely on explicit assessments of trust which are dynamic, rooted in as many sources of data as possible before deciding whether a user should be granted access to a resource or should be allowed to perform a transaction.
Today, Zero Trust has taken on a life of its own. Multiple analyst firms regularly provide guidance on the concept, organizations like Google have published case studies on their experience transitioning to Zero Trust, and solution providers each have their own take. All parties, however, agree that the world has changed, and our approach to security must change with it.
Why Start Adopting Zero Trust Now?
In the first half of 2020, enterprises saw their offices go vacant as employees shifted to working remotely in response to the global COVID-19 pandemic. Organizations had to quickly evaluate if their identity and access management (IAM) systems could handle remote employees accessing corporate resources while outside of the network perimeter.
Unfortunately, the long-time default option of using a virtual private network (VPN) to give a legitimate employee remote access to every corporate resource is outdated, and doesn’t provide enough security when an entire workforce is remote. Using VPNs, organizations can’t trust that the employee requesting access is who they say they are and that they are authorized to use that resource.
Enterprises are now fast-tracking digital transformation initiatives to adapt to changing business requirements and the new remote workforce. These actions are not short-term investments but part of a long-term strategy, as evidenced by a Gartner survey of executives showing that 74% of CFOs intend to keep a portion of their workforce permanently remote post-COVID.
A Zero Trust strategy can help organizations secure remote access for employees by shifting reliance on the corporate network to an approach where a user’s identity is always verified before accessing any resource. Adopting Zero Trust ensures that an organization has confidence in the identity of the user requesting access, enabling a productive remote workforce while keeping the enterprise secure.
Why is Implicit Trust Based on a Network Perimeter Insufficient?
Company-wide work-from-home, cloud adoption, BYOD and other trends are increasingly creating scenarios where routing traffic through a corporate perimeter (e.g. firewall, VPN) is only necessary to establish that an access request originated from a “secure” IP address.
This process, known as backhauling, reinforces the myth that perimeter-based security was effective in the first place. The countless ways bad actors breach corporate networks are well understood, as is the lateral movement they take through those networks to steal data and disrupt business. Granting trust of any kind to a user who was somehow able to gain access to a network weakens an organization’s security posture in four ways:
Compromised devices:
Symantec's 2019 Internet Security Threat Report found that “one in 36 devices used in organizations were classed as high risk. This included devices that were rooted or jailbroken, along with devices that had a high degree of certainty that malware had been installed.” Legitimate users on compromised devices can incidentally expose sensitive resources to bad actors through their own access to the corporate network.
Ignores changes in context:
IP addresses help establish that a user is requesting access from a “trusted network.” But relying on this data point alone isn't enough, as 30% of breaches involve internal actors. Insufficient protection of corporate resources ignores other sources of risk based on the type of user (department, seniority, privilege), the context of the request (time of day, device, geo-location), as well as the risk of the resource (finance app vs. holiday calendar) requested.
Creates a facade of security:
The myth of safety behind the firewall is a dangerous one. Without the assumption that the network has already been breached, common security best practices can be delayed or ignored because “no one will access this resource externally, and in any case it’s behind the firewall.”
How Does Zero Trust Improve Security?
The weaknesses of an implied or discrete perimeter-based approach outlined above quickly disappear when a Zero Trust approach is taken. Compromised credentials and devices, as well as changes in context, are each addressed by capabilities which should underpin any Zero Trust strategy. And when the assumption of safety behind a firewall is removed, resource owners and security teams tend to evaluate the security and risk profile of each resource quite carefully and on a regular basis to ensure sufficient protection.
Figure 2: Zero Trust shrinks network perimeters to microperimeters, which apply security measures to each class of resource based on risk.
Zero Trust ensures the right questions get asked based on the risk profile of the user, device and the resource to which they’re requesting access:
Is this user legitimate?
Was this user identified in a manner that is acceptable to the task being performed?
Is their device healthy enough for the task they are performing?
Is this user who they say they are?
Should this user have access under any circumstance?
Should this user have access given their current circumstances?
Is this session still driven by the real user?
Does the amount of trust in the user identity match the level of risk associated with this transaction?
Has the request been verified?
During Data Access
Did the user provide consent for access, and to whom?
What transactions (READ, MODIFY, DELETE) did they consent to?
Should this data be encrypted?
The Role of Intelligence in Zero Trust
Mature Zero Trust deployments go beyond removing trust in the network. They also remove the notion of binary trust (I trust you, or I don’t), and negate the idea of trust for a predetermined period of time. O’Reilly’s fifth Zero Trust principle states that “Policies must be dynamic and calculated from as many sources of data as possible,” a concept which mandates what is commonly known as the use of risk signals, or intelligence.
Zero Trust architectures assess digital risk using a variety of signals and enforce access control decisions based on the output of those signals. The variable level of confidence provided by those signals can lead a user down a number of adaptive access paths which can include:
Allow access after reauthentication
Allow access after step up authentication
Allow access, but with certain constraints
The removal of binary trust has the added benefit of improved user experience, as adaptive access paths make it increasingly likely that users will be able to access the resources they need with less friction overall. And the evaluation of trust at the point of each access request, as well as the continuous observation of session behavior, ensures that trust is never long-lived, nor is it binary, improving security in scenarios where a session or valid account may have been hijacked by a bad actor.
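To make the adaptive access paths concrete, here is a small policy decision point, written for this page as an added example (it is not code from the whitepaper or from any product it mentions). It takes the kinds of signals listed earlier (type of user, time of day, device, geo-location, and the risk of the resource), computes a confidence score for each request with no state carried between requests, and returns one of the paths above: allow, allow with constraints, step-up, reauthentication, or deny. The resource catalogue, score weights, freshness windows and the sample requests are all constructed assumptions chosen to exercise every path.

```python
from __future__ import annotations
from dataclasses import dataclass
from enum import Enum

class Decision(Enum):
    ALLOW = "allow"
    ALLOW_CONSTRAINED = "allow with constraints (read-only)"
    STEP_UP = "allow after step-up authentication"
    REAUTH = "allow after reauthentication"
    DENY = "deny"

@dataclass(frozen=True)
class AccessRequest:
    """Signals gathered for one request; every field is a constructed example value."""
    user: str
    department: str
    privileged: bool
    auth_method: str            # "password" or "mfa"
    auth_age_minutes: int       # minutes since the user last authenticated
    device_managed: bool        # enrolled in device management
    device_compromised: bool    # rooted/jailbroken or malware detected
    country: str
    usual_countries: frozenset  # countries this user normally works from
    hour_utc: int
    resource: str

# Constructed resource catalogue: risk tier 1 (low) to 3 (high) plus static entitlements.
RESOURCES = {
    "holiday-calendar": {"risk": 1, "departments": None},              # anyone
    "hr-portal":        {"risk": 2, "departments": {"hr", "finance"}},
    "finance-app":      {"risk": 3, "departments": {"finance"}},
}
MAX_AUTH_AGE_MINUTES = {1: 480, 2: 120, 3: 15}   # assumed freshness window per risk tier
REQUIRED_SCORE = {1: 1, 2: 3, 3: 4}               # assumed confidence needed per risk tier

def trust_score(req: AccessRequest) -> tuple[int, list[str]]:
    """Combine context signals into a confidence score, recording a reason per signal."""
    score, reasons = 0, []
    if req.auth_method == "mfa":
        score += 2; reasons.append("+2 mfa")
    else:
        score += 1; reasons.append("+1 password only")
    if req.device_managed:
        score += 1; reasons.append("+1 managed device")
    if req.country in req.usual_countries:
        score += 1; reasons.append("+1 usual country")
    else:
        score -= 1; reasons.append("-1 unusual country")
    if not 7 <= req.hour_utc <= 19:
        score -= 1; reasons.append("-1 outside business hours")
    return score, reasons

def evaluate(req: AccessRequest) -> tuple[Decision, list[str]]:
    """Decide one request from its current signals only; nothing is cached between
    requests, so trust is neither binary nor long-lived."""
    res = RESOURCES[req.resource]
    # Should this user have access under any circumstance? (static entitlement)
    if res["departments"] is not None and req.department not in res["departments"]:
        return Decision.DENY, ["department not entitled to resource"]
    # Is the device healthy enough for the task? A compromised device is a hard stop.
    if req.device_compromised:
        return Decision.DENY, ["device reported rooted/jailbroken or infected"]
    # Was the user identified in a manner acceptable to the task being performed?
    if res["risk"] >= 3 and req.auth_method != "mfa":
        return Decision.STEP_UP, ["high-risk resource requires MFA"]
    # Is this session still driven by the real user? Privileged users must re-prove sooner.
    max_age = MAX_AUTH_AGE_MINUTES[res["risk"]] // (2 if req.privileged else 1)
    if req.auth_age_minutes > max_age:
        return Decision.REAUTH, [f"authentication older than {max_age} minutes"]
    # Does confidence in the identity match the risk of the transaction?
    score, reasons = trust_score(req)
    required = REQUIRED_SCORE[res["risk"]]
    if score >= required:
        return Decision.ALLOW, reasons
    if score == required - 1:
        return Decision.ALLOW_CONSTRAINED, reasons + ["one point short of required confidence"]
    return Decision.DENY, reasons + [f"confidence {score} below required {required}"]

def sample_requests() -> dict[str, AccessRequest]:
    """Constructed requests, one per adaptive access path."""
    base = dict(privileged=False, auth_method="mfa", auth_age_minutes=5, device_managed=True,
                device_compromised=False, country="US", usual_countries=frozenset({"US"}), hour_utc=10)
    return {
        "finance-user-mfa":      AccessRequest("alice", "finance", resource="finance-app", **base),
        "finance-user-password": AccessRequest("alice", "finance", resource="finance-app",
                                               **{**base, "auth_method": "password"}),
        "calendar-from-abroad":  AccessRequest("bob", "marketing", resource="holiday-calendar",
                                               **{**base, "auth_method": "password",
                                                  "device_managed": False, "country": "FR"}),
        "privileged-stale-auth": AccessRequest("carol", "finance", resource="finance-app",
                                               **{**base, "privileged": True, "auth_age_minutes": 10}),
        "wrong-department":      AccessRequest("dave", "engineering", resource="finance-app", **base),
        "compromised-device":    AccessRequest("eve", "finance", resource="finance-app",
                                               **{**base, "device_compromised": True}),
    }

def evaluate_all() -> dict[str, Decision]:
    return {name: evaluate(req)[0] for name, req in sample_requests().items()}

if __name__ == "__main__":
    for name, req in sample_requests().items():
        decision, reasons = evaluate(req)
        print(f"{name:24} -> {decision.value:40} {'; '.join(reasons)}")
```

The ordering of the checks matters: static entitlement and device health are evaluated before any scoring, so a user who should never see a resource, or a device already reported as compromised, is refused regardless of how strong their authentication was. Only after those gates does the engine weigh the softer context signals, and a request that falls one point short of the required confidence is degraded to constrained access rather than simply refused, which is where the user-experience benefit described above comes from.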
What Other Benefits Does Zero Trust Provide?
Organizations stand to gain more than just improved security by replacing network trust with a Zero Trust strategy. Enterprises can enhance workforce productivity with Zero Trust by standardizing access controls across all corporate resources as more and more employees shift to working outside of the network. By taking into account the risk profile of the employee, device and resource accessed, rather than determining only if the employee is on the corporate network, organizations can have greater confidence opening up access to remote employees to empower them with the resources they need to get their job done.
Adopting a Zero Trust approach enables business agility, ensuring enterprises can quickly adapt and leverage new technologies to successfully meet digital transformation initiatives. Organizations are able to take advantage of the full spectrum of deployment options for infrastructure, applications and data without the need to backhaul traffic through their network. With Zero Trust, enterprises can choose from on-premises data centers, private clouds, public clouds and everything in between, depending on what is most appropriate for the particular resource. In selecting which deployment is best for each resource, organizations can save costs by optimizing hosting and management fees and reducing licensing outlays for VPN and other perimeter-based tools. Finally, compliance “micro-segments” can be set up to ensure everything hosted within that segment has the controls required by each compliance regime applied in a standard fashion.
What Are Key Capabilities Required to Architect Zero Trust Security?
The capabilities framework below was constructed with input from industry analysts, customers, thought leaders and partners to guide conversations around Zero Trust and help organizations mature their approaches to security.
Six categories of controls are critical to architecting Zero Trust security. Together, they provide a defense-in-depth approach to securing corporate resources no matter where they’re deployed and who needs access to them.
Strong Identification & Authentication: Verifying and authenticating user identity from the moment of registration to each request for access is critical to improving security. These capabilities ensure that all users (privileged and not) and all resources are protected no matter where they’re deployed.
Network Security: Preventing lateral movement between segments is often the most effective way to minimize the impact of a breach. These capabilities ensure that breaches are contained with access terminated as soon as malicious behavior is detected or a risk threshold is exceeded.
Data Security: Whether it's sensitive IP or user data covered by one of the many privacy regimes popping up around the globe, data security has become paramount for many organizations. These capabilities ensure that data is encrypted where it needs to be, and that users are always in control of their data.
One item to note in the diagram above is the perceived lack of a strong binding between a user and data which they own. In Zero Trust, ownership of data is paramount and access to this data should not be granted unless consent has been explicitly provided. Additionally, access to a user’s data must be based on digital trust which is constantly reevaluated based on context, as well as digital risk which exists as a variable level of confidence. Both of these evaluations are ephemeral, and only exist within the context of an individual request, which complies with O’Reilly’s fourth and fifth principles:
#4 Every device, user and network flow is authenticated and authorized.
#5 Policies must be dynamic and calculated from as many sources of data as possible.
Where Should I Start My Zero Trust Journey?
Chase Cunningham, Principal Analyst at Forrester recently wrote about a question he gets asked at least weekly, and in some cases almost daily:
“Where do we start for Zero Trust?”
His response? “Fix your IAM and user side of the equation.” Unsurprisingly, starting and/or improving identity and access management programs is where many organizations begin their Zero Trust journey. The low-hanging fruit most commonly taken advantage of by bad actors is a complete lack of, or misconfigured, authentication and authorization controls. Just a few weeks ago this vulnerability was highlighted yet again with a breach of 885M title insurance records which could have been accessed by anyone with no authentication required.
Clearly, strong identification and authentication make the most sense as a starting point to ensure that all access is authenticated access. But identity and access management technologies also represent the control plane for Zero Trust architectures. Enterprises need to start with a strategic deployment of global, adaptive authentication. Using this capability as the policy administration and decision point with which all risk signals and policy decision points integrate is how many are architecting their Zero Trust environments today.
Are there any Zero Trust Case Studies?
Similar to other approaches to enterprise security, there is no finish line when it comes to Zero Trust. And putting the pieces in place to adopt just the first principle (the network is always assumed to be hostile) can take an organization years to accomplish. Luckily, there are some examples of organizations who have already spent years shifting away from the perimeter-based model toward Zero Trust security.
Netflix identified that the network perimeter wasn’t enough to meet their needs to provide secure access to corporate resources for employees and partners. Now, the streaming service is embarking on their Zero Trust journey by adopting identity-defined microperimeters for users, devices and applications to give corporate users secure access from anywhere.
In modernizing their sprawling authentication systems, Gates Corporation found that using an identity-centric approach was necessary to ensure their growing mobile workforce had secure access to the resources they needed. “The security perimeter left a long time ago...but now so many people are remote, so many people are offsite, so many people are off network,” says Sam Masiello, CISO for Gates. “You need to expand your perimeter to where your people are. How they are accessing applications in your organization is really how you need to think about the perimeter of how you are securing your digital assets.” By adopting a central authentication authority, Gates was able to give their employees secure and seamless access to resources, no matter where they resided.
Enterprises are doubling down and accelerating Zero Trust initiatives to ensure their organizations remain secure during this time of digital transformation and the rapid shift to remote work. You can take the first step toward adopting identity-centric security by transforming your organization’s approach to workforce identity.