Zero trust is growing in popularity in enterprise security because not trusting users by default works really well to reduce risk. However, people start having unrealistic expectations when they conflate reducing risk with eliminating risk, says Nabil Zoldjalali, VP of technology innovation at Darktrace. There is a subtle difference between the two that security teams can’t overlook.
“I can eliminate risk entirely if I have absolute no trust,” Zoldjalali says. What’s more realistic – and attainable – is to try to lower the amount of default trust to as close to zero as possible. Zero trust should be treated as “an ideal end-state,” he adds.
As long as people have access to applications, tools, and different pieces of software, there’s always going to be a level of inherent risk. The idea behind zero-trust architecture is to set up context-based access for each identity so that users only see and access the applications that are relevant to them.
Context-aware access takes into account different factors. A user logging in may see only three applications when logging in as opposed to all the applications belonging to the organization. That list may change depending on time, especially if there are certain times or dates when the user is not expected to use that application. Or a user logging in from a different location would also get a different level of access.
Zero Trust Requires Business Visibility
Zero trust makes sense for security practitioners because they focus on attacker behavior and all the way things can go wrong, Zoldjalali says. But focusing on the attacker too much can make it easy to forget to think about what is being protected.
“We’re saying, ‘I don’t want to inherently trust anyone in my business because if something goes wrong, I want to lower the blast radius that’s associated to it,’ and that’s meaningful to us,” he says. “But it sounds funny to a nonsecurity person when we say, ‘Listen, the company doesn’t trust anyone.’”
For zero trust to really work, both approaches – lowering trust and developing a strong understanding and awareness of the business – are critical. Having that business awareness and wall-to-wall visibility gives security teams the context necessary for zero trust. It also allows them to verify that the zero-trust architecture is working as planned. For instance, if the organization’s rules for conditional access aren’t working when they should be, it would be hard for security teams to even know that is the case if they don’t understand the business, Zoldjalali says.
Zero Trust Beyond Authentication
The beauty of zero trust is that its effects go beyond authentication. Security teams can combine identity data with information about what happened in the environment after authentication to detect and actually stop attacks, Zoldjalali says. Security teams can look at incidents and trace digital activity back to see what the authentication prompt looked like and how the user was identified. Based on that information, security staff can make changes to the group policy or adjust permissions.
Darktrace’s self-learning artificial intelligence (AI) learns the business so that it knows what activities would be considered part of normal operations, Zoldjalali explains. Because the AI technology looks for deviations from the norm, it doesn’t need to know what historic attacks looked like or understand what kind of attacks are currently ongoing. It just looks for something that is different.
“With zero trust, we allow people to do what they normally do,” he says. The AI assesses significant deviations from the person’s normal behavior to determine whether there is a threat to the business. If there is, the AI takes action to address the threat.
This mindset is extremely useful when considering the insider threat.
“Insiders don’t just wake up one morning and say, ‘Today I’m going to be a big threat to the business.’ There’s usually some kind of context and back story,” Zoldjalali says. There may be a specific incident that acts as a trigger or a pattern of issues that contributes to a sense of unhappiness.
So at that point, the user action – such as an act of sabotage or data theft – looks “very, very different from how they normally behave,” he says. The user may be logging in at unusual hours, using different devices, going down different folder paths, or downloading more data than usual.
“Having an approach that’s fundamentally based on understanding the business is one of the best ways to have accurate anomaly detection,” Zoldjalali says. And with early detection, security teams can adjust context-based access policies to block the user’s activities.
“When you combine different approaches, that's where you start getting closer and closer to an ideal state [for zero trust]," he adds.