7 Steps for Navigating a Zero-Trust Journey
Don't think of zero trust as a product. Think of it as "how you actually practice security."
Zero trust. Image: Adobe Stock, Oliver Le Moal
Few technology concepts have been more confused and distorted than zero trust. The Biden administration has endorsed zero trust. The security industry has endorsed it. Yet security pros are still left wondering whether it is a concept and philosophy or simply a product a company can install.
Vendors continue to muddy the waters by talking about their “zero-trust solution,” but as Joseph Carson, chief security scientist and advisory CISO at ThycoticCentrify, explains: “Think of zero trust as a way to operate the business in a secure way. It’s about how you actually practice security. There may be products with zero-trust-like features, but all you’ve done is implement a feature that applies a zero-trust principle.”
So for this feature we talked to security pros, and they all agree: Zero trust is not a product a security team can purchase and install. While tools like single sign-on (SSO), multi-factor authentication (MFA), and identity management enable zero trust, it’s important to view zero trust as a move away from perimeter security based on firewalls and to a modern approach that uses cloud-based mobile authentication tools that let people securely work from anywhere.
The following seven tips offer a road map for understanding the shift in mindset and what companies need to start their zero-trust journey.
Jasson Casey, chief technology officer at Beyond Identity, tells people to think of zero trust as a “mindset.” For several years, he says, security pros divided security into safe zones and unsafe zones, where firewalls guarded the bridge and decided whether traffic was good to let through or not.
“But how does a firewall know a link in an email could launch malware?” Casey poses. “Firewalls have improved, but with so many different ways of getting content to a user, they have limitations. For example, firewalls don’t help in a watering hole attack.”
Rather than have safe and unsafe zones, with zero trust we assume it’s an unsafe world – that there’s no such thing as a safe zone, Casey says.
“Today, there are only safe operations and safe transactions,” Casey says. “Anytime someone wants to access a service or do a transaction, they have to authenticate. Security teams then create a data trail so they can bring in analytics and analyze what’s happening.”
People get confused about zero trust because they think it’s something they can install, says ThycoticCentrify’s Carson.
“There’s no end to zero trust. You never finish,” explains Carson. “It’s a mindset on how the company wishes to operate the business in a secure way. It’s about how the security team actually practices it. In a zero-trust setup, every time an employee comes to a gate in front of the company, the security badge gets checked and reverified for security.”
With a vast majority of office employees working from home some or all of the time, the public Internet has become an extension of the corporate network, says ThycoticCentrify’s Carson.
“So we need to treat the Internet as an untrusted network,” Carson says. “In many ways, I like the phrase ‘zero assumptions vs. zero trust.’ We assume nothing. Every access, every request, every privacy elevation, every request for an application needs to have continuous verification. This is also true for the internal network.”
Beyond Identity’s Casey says this means security teams have to validate and authenticate every time. He says this gets done by evaluating the following three parameters: the device’s posture, the likelihood of the claimed ID, and the criticality of what the user wants to access.
“So maybe a user is authenticated to retrieve critical data,” Casey explains. “But maybe it’s jailbroken or has malware on it. Every time a user wants to authenticate those three variables may have changed, so in zero trust we base our decision on the specific parameters being presented at that specific time. Then we run analytics to gauge continuous improvement.”
The pandemic accelerated digital transformation — mainly the reality that most companies are getting out of the data center business because they now have cloud options that are cheaper, more efficient, and more secure.
In moving to cloud apps, it’s now easier to manage the concept of least privilege access, which is assigning access to only the people who need an application, says Dan Petro, lead researcher at Bishop Fox.
“So if an [engineer] doesn’t need a certain application, the IT team doesn’t give him a login,” he explains. “Least privilege is kind of baked in from the start with cloud technologies. It’s like when you get a key at a hotel. You only get the key to your room.”
Zero trust centers on the concept of least privileged access and moving users toward having the fewest number of privileges needed to complete their work safely, adds Kevin Dunne, president at Pathlock. This is critical as more business processes across the enterprise focus on critical applications for enterprise resource planning, human capital management, and customer relationship management, he says.
“As these applications move to the cloud amid digital transformation, they become prime targets for bad actors who look to cause business disruption and gain access to critical data,” Dunne explains. “Companies must work diligently to reduce the attack surface by eliminating unnecessary accounts, reducing unused privileges, and monitoring all accounts for any unusual activity, like configuration changes or data exfiltration.”
Think you're secure because a partner you work with said so? Again, the concept of zero assumptions comes into play, says ThycoticCentrify’s Carson. Security teams can’t assume security has been satisfied unless they do it themselves.
“We can’t assume a third party, supplier, or contractor is doing the security you expect,” Carson says. “Security teams always need to be rechecking security.”
It used to be that users were trusted because of their network location, Bishop Fox’s Petro says. While that can work for a “truly” air-gapped network, like a secure Defense Department or Energy Department network, in the era of work-from-home, nobody has a privileged network position anymore, Petro says.
“In ordinary corporate security, most people work from home, so we have to bring authentication to every service,” Petro says. “The system has to trust the endpoint and assure that it has zero malware.”
Security teams are always searching for ways to reduce friction for users when it comes to applying security. Improved authentication tools such as SSO, MFA, and identity management have been a big enabler for zero trust, says Bishop Fox’s Petro. For users especially, mobile-based tools like Authy and Google Authenticator have made security more usable with much less friction.
Years ago, users just had a password. Then hardware security tokens came on the scene, but they grew cumbersome. Petro says that as a consultant, there was a time he had a dozen different hardware tokens and was concerned what would happen if he lost one.
“The application-based authentication model hits home for most people,” Petro says. “Everyone has a phone. And it’s better than SMS, and I’m not a big fan of biometrics for everyday users. Biometrics work well at an airport or a government building, but not for everyday users. The authentication tools are surely much better than the days when we had DLP solutions that would slow down users and people couldn’t get their work done. SSO has also helped. The user needs one good password and can authenticate each time he or she accesses an app.”
Users should never know zero trust is in place, says Beyond Identity’s Casey, unless a severe risk gets identified.
“So if something gets identified as untrusted, the system can stop the user and ask them to put their finger on a biometric reader or some other biometric access,” Casey says. “But if you have the proper infrastructure, 90% of the time the requests go right through.”
As security teams monitor traffic, they should set a baseline risk model that continuously has them analyzing traffic based on zero assumptions. For example, ThycoticCentrify’s Carson asks: if an employee has been accessing a financial system in Estonia from Estonia for the last six months, but a month later accesses it from Belarus, has the risk changed?
“When the situation changes, by applying zero assumptions you can then apply additional security controls to verify security,” Carson says. “Maybe the person is on travel or going to a customer. But it’s also possible that the device was stolen and it’s an attacker. When organizations apply security based on risk — what we call contextual security — the security becomes a living organism where it’s flexible, dynamic, and adaptive.”
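A worked illustration of the decision described above, added here as an example and not code from the article or from any vendor quoted in it: a policy function scores Casey’s three parameters (device posture, confidence in the claimed identity, criticality of the resource) and applies Carson’s baseline check, so the Estonia-to-Belarus shift triggers a step-up verification instead of a silent allow or a hard deny. All weights, thresholds, field names and the sample access history are constructed assumptions.

```python
from dataclasses import dataclass

# Hypothetical thresholds (constructed for this example): risk at or below
# ALLOW passes with no user-visible friction; up to STEP_UP asks the user to
# re-verify (e.g. a biometric prompt); anything higher is denied.
ALLOW_THRESHOLD = 0.3
STEP_UP_THRESHOLD = 0.7


@dataclass(frozen=True)
class AccessRequest:
    user: str
    country: str                # where this request originates
    device_managed: bool        # posture: enrolled, managed endpoint
    device_compromised: bool    # posture: jailbroken or malware detected
    identity_confidence: float  # 0..1 likelihood the claimed identity is real
    resource_criticality: int   # 1 (low) .. 3 (critical data)


def risk_score(req, history):
    """Combine the three parameters with a location-change check against the
    user's baseline (the set of countries seen in recent access history)."""
    score = 0.0
    if req.device_compromised:
        score += 0.8            # a compromised device dominates everything else
    elif not req.device_managed:
        score += 0.2
    score += (1.0 - req.identity_confidence) * 0.4
    if req.country not in set(history):
        score += 0.3            # context changed: a country outside the baseline
    # Criticality amplifies risk: the same context matters more for critical data.
    score *= 1.0 + 0.25 * (req.resource_criticality - 1)
    return min(score, 1.0)


def decide(req, history):
    """Return 'allow', 'step_up' or 'deny' for this request at this moment."""
    s = risk_score(req, history)
    if s <= ALLOW_THRESHOLD:
        return "allow"
    if s <= STEP_UP_THRESHOLD:
        return "step_up"
    return "deny"


# Constructed sample: six months of access from Estonia, then one from Belarus.
HISTORY = ["EE"] * 6
USUAL = AccessRequest("alice", "EE", True, False, 0.95, 3)
TRAVEL = AccessRequest("alice", "BY", True, False, 0.95, 3)

if __name__ == "__main__":
    print(decide(USUAL, HISTORY), decide(TRAVEL, HISTORY))  # allow step_up
```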
“You can try quantifying risk. It might work to a degree, but there’s always something that’s not predicted,” Bishop Fox’s Petro says. “The CryptoLocker attacks have evolved to the point where the malware people figured out how to monetize ordinary compromises that you can monetize taking over computers.”
Petro views quantifying risk as an optimistic endeavor, mainly because risks change every day and there are often attacks that security teams didn’t consider before they actually happened.
On the other hand, in certain cases, like in the financial industry, security teams tend to know who the fraudsters are and can weigh the risks. Petro says companies can also weigh technical risks, for example, the odds that a specific Exchange server or database server would get attacked.
“But say your company takes a political stance and attackers all of a sudden come in,” Petro says. “In most situations, not everyone knows who their adversaries are and it changes from day to day.”
When explaining zero trust to top management, security pros have to keep it simple. Bishop Fox’s Petro advises telling top management that the security industry has operated in reactive mode for years. Every day, we respond to the latest CVE, patch, and breach, and people can’t keep up, especially with all the patches.
Businesses need to take a more proactive approach.
“A lot of companies were flat-footed with the pandemic. Many didn’t even have VPNs, and if they did, not for ordinary workers,” Petro says. They needed a way to get workers productive again but do it in a secure manner, and zero trust became a good option. “So with zero trust, people could use their own home computers and authenticate using the mobile apps.”
Beyond Identity’s Casey boils it down to two main jobs companies have as the world transforms to the cloud and hybrid work: Companies have to enable the workforce to get work done and do it in a secure manner, wherever they are and whether it’s for employees, business partners, or contractors.