What CISOs Are Saying: Zero Trust, Not a One-Size-Fits-All Approach
Published On: September 25, 2020
This edition of "What CISOs Are Saying" looks at the controversial topic of Zero Trust. Before diving into the benefits and barriers of this model, it's important to note the varying definitions attached to this framework. Regarded as a marketing buzzword in previous years, Zero Trust has increasingly been making its way into mainstream security programs. Coined in 2010 by John Kindervag, the model has three core principles: verify and secure all resources, limit and strictly enforce access control, and inspect and log all traffic.
In other words, Zero Trust security means that no one is trusted by default whether they are inside or outside the network, and verification is required for access. Let's look at what leading security professionals have to say about this topic:
Why Zero Trust?
The shift to remote work across most workforces, together with an uptick in threats directly targeting that new work environment, has made Zero Trust more prevalent than ever before.
The 2017 Annual Cybercrime Report from Cybersecurity Ventures predicts that by 2021, cyber crime will cost the world $6 trillion, up from $3 trillion in 2015. Meanwhile, the 2017 Data Breach Study conducted by Ponemon Institute revealed that the average cost of a data breach is around $3.6 million. Notably, these figures are rising despite an increased global spend on cyber security efforts. Gartner calculated global spending on information security products and services at $86.4 billion in 2017, and predicts spending will hit $93 billion in 2018.
Recognizing that existing approaches aren’t keeping up with the pace of cyber crime and attacks, leading security professionals are on the hunt for models and frameworks that are more efficient and better equipped to handle the growing threat landscape. On page 5 of our September 2020 Issue of Feats, Kathy Hughes, CISO & VP at Northwell Health, states that the concept of Zero Trust "has really gained momentum because that dynamic has changed significantly. Previously it was a buzzword, but now it's something that people really need to start paying attention to because working from a physical location from one device is no longer the norm. Now people are working from multiple locations, including home, and they're accessing systems from multiple devices... So this has introduced a number of challenges because the concept of securing an office building and making sure that you have firewalls to protect your perimeter has become an outdated concept.”
While Zero Trust is simple at its core, its lack of uniformity across the industry makes it appear too radical for most organizations.
The Zero Trust model rejects the old castle-and-moat mentality where organizations focused on defending their perimeters while assuming everything inside didn’t pose a threat. Abiding by the Zero Trust principles stated above, security is ubiquitous within an organization as its users, devices and applications need to regularly re-establish trust to an organization’s assets.
While the idea is straightforward, its simplicity is deceptive; there is no single technology to help organizations achieve Zero Trust. As Kathy Hughes states on page 5 of this quarter's issue, "Zero Trust is a process, approach and methodology - not a product or technology solution."
This framework is controversial in some circles because many models for implementation assume systems are being built from scratch, as is the case in Google’s notoriously costly and time-consuming Zero Trust initiative, BeyondCorp. Google reinvented its architecture through a lengthy process and its complexity left security leaders wondering whether it's an achievable model for most organizations.
The NIST Zero Trust report recommends that organizations apply Zero Trust principles gradually, while recognizing that companies will likely operate in a hybrid Zero Trust model indefinitely. In other words, while the specifics of a Zero Trust framework are unique to each organization, following a well-defined set of guidelines and questions makes the approach far more manageable.
Anthony Siravo, CISO at Lifespan, agrees with this approach as stated on page 11 of the same issue of Feats of Strength: "Our approach here in healthcare and probably other sectors as well is a hybrid approach because for healthcare, we're required to use systems, applications and devices that don't support even basic antivirus, never mind advanced security tools. So no matter what, we need a hybrid approach because we won't be able to do host-based security, Zero Trust security on these devices since we're not even allowed to install security tools on them."
Zero Trust is not a one-size-fits-all approach: implementation varies depending on the individual organization's needs and business goals. Useful questions to start with include:
What are the network's most critical and valuable data, assets, applications and services?
How does traffic move within the organization in relation to the protect surface?
Does the organization have an up-to-date asset inventory?
In addition to those questions, organizations can follow these steps to guide their program:
1) Identify the organization’s protect surface
2) Gain visibility into the organization’s network’s activity and current solutions
3) Map the flow of the organization’s sensitive data
4) Create micro-networks and implement access control
5) Continuously monitor and authenticate
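As an added example (not code from the article or from K logix), the following Python policy decision point ties the steps above together: a constructed protect surface split into micro-segments (steps 1 and 4), per-request verification of identity and device posture (step 5), least-privilege role-to-action policy with default deny, and an audit record for every decision, allow or deny (the "inspect and log all traffic" principle). The asset names, roles, signing key, tokens and device records are all constructed for illustration; a real deployment would consume tokens from its identity provider and posture from its endpoint management tooling.

```python
import hashlib
import hmac
from typing import Dict, List, Optional, Tuple

# Constructed demo signing key; a real deployment would verify IdP-issued tokens.
TOKEN_KEY = b"demo-signing-key-not-for-real-use"
SESSION_MAX_AGE = 900  # seconds before a session must re-authenticate

# Constructed protect surface: each asset belongs to a micro-segment and lists
# the (role, action) pairs it permits. Anything not listed is denied.
PROTECT_SURFACE: Dict[str, dict] = {
    "ehr-db": {
        "segment": "clinical",
        "allow": {("clinician", "read"), ("dba", "read"), ("dba", "write")},
        "managed_device_required": True,
    },
    "intranet-wiki": {
        "segment": "corp",
        "allow": {("clinician", "read"), ("dba", "read"),
                  ("staff", "read"), ("staff", "write")},
        "managed_device_required": False,
    },
}

AUDIT_LOG: List[dict] = []  # every decision, allow or deny, is recorded here


def sign_token(user: str, role: str, issued_at: int) -> str:
    """Issue a demo session token: plain payload plus an HMAC-SHA256 tag."""
    payload = f"{user}|{role}|{issued_at}"
    tag = hmac.new(TOKEN_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{tag}"


def verify_token(token: str, now: int) -> Optional[dict]:
    """Return identity claims if the token is authentic and fresh, else None."""
    parts = token.split("|")
    if len(parts) != 4:
        return None
    user, role, issued_at, tag = parts
    expected = hmac.new(TOKEN_KEY, f"{user}|{role}|{issued_at}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None  # forged or tampered token
    if not issued_at.isdigit() or now - int(issued_at) > SESSION_MAX_AGE:
        return None  # stale session: the user must re-authenticate
    return {"user": user, "role": role}


def decide(token: str, device: dict, resource: str, action: str,
           now: int) -> Tuple[bool, str]:
    """Evaluate one access request. Default deny; every decision is logged."""
    claims = verify_token(token, now)
    asset = PROTECT_SURFACE.get(resource)
    allowed = False
    if claims is None:
        reason = "identity_not_verified"
    elif asset is None:
        reason = "unknown_resource"
    elif asset["managed_device_required"] and not (
            device.get("managed") and device.get("patched")):
        reason = "device_posture_failed"
    elif (claims["role"], action) not in asset["allow"]:
        reason = "not_authorized"
    else:
        allowed, reason = True, "policy_match"
    AUDIT_LOG.append({
        "ts": now,
        "user": claims["user"] if claims else None,
        "device": device.get("id"),
        "segment": asset["segment"] if asset else None,
        "resource": resource,
        "action": action,
        "allowed": allowed,
        "reason": reason,
    })
    return allowed, reason


if __name__ == "__main__":
    now = 1_600_000_000
    tok = sign_token("alice", "clinician", now - 60)
    laptop = {"id": "lt-001", "managed": True, "patched": True}
    byod = {"id": "phone-9", "managed": False, "patched": True}
    print(decide(tok, laptop, "ehr-db", "read", now))   # (True, 'policy_match')
    print(decide(tok, byod, "ehr-db", "read", now))     # (False, 'device_posture_failed')
    print(decide(tok, laptop, "ehr-db", "write", now))  # (False, 'not_authorized')
    for entry in AUDIT_LOG:
        print(entry)
```

The point of the structure is that no request is trusted on the basis of where it comes from: the same valid user is denied the clinical segment from an unmanaged device but still reaches the corporate wiki, a stale or tampered token fails before policy is even consulted, and denials are logged with the same detail as allows so that the monitoring step has something to work with.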
Before implementing certain solutions, organizations should assess what elements of Zero Trust are already in place in their security architectures. They should first consider their Identity and Access Management (IAM) implementations and assess what roles are already defined.
Another consideration is the current level of visibility into user activity — the greater the understanding of data and user access, the easier it will be to develop adaptable policies to provide employees the right access to perform their job functions.
Zero Trust is a starting point on the path to the larger goal of establishing comprehensive trust. Once organizations have solidified trust across their large user bases, security teams can ensure users have access to the data they need to do their jobs. CISOs should work closely with their executives to educate them on the vital importance of Zero Trust and its benefits from a holistic, organization-wide perspective.
When it comes to implementing Zero Trust, CISOs and groups such as NIST agree that starting early and moving incrementally is the best way to tackle this seemingly monumental task. While many organizations approach Zero Trust at varying levels, the overarching goal is the same: trust is a vulnerability that needs to be consistently verified.
As many of the CISOs above state, there is no one-size-fits-all approach for Zero Trust. CISOs who deeply understand their businesses, have robust visibility into their security programs and think strategically are able to construct an actionable Zero Trust plan that correlates directly with their business goals and risk tolerance. Zero Trust is a methodology that must be ingrained into a security practice and the organization as a whole; it cannot be solved by technology solutions alone. K logix works with customers who are looking to develop, strengthen or assess their Zero Trust approaches through our white glove, strategic security consulting services. Drop us a line or check out our page on Zero Trust for additional insight.