Zero trust is the latest buzzword thrown around by security vendors, consultants, and policymakers as the panacea to all cybersecurity problems. Some 42% of global organizations say they have plans in place to adopt zero trust. The Biden administration also outlined the need for federal networks and systems to adopt a zero-trust architecture. At a time when ransomware continues to make headlines and break new records, could zero trust be the answer to ransomware woes? Before we answer this question, let's first understand zero trust and its core components.
What Is Zero Trust?
The concept of zero trust has been around awhile and is most likely an extension of least privilege access. Zero trust helps to minimize the lateral movement of attackers (i.e., techniques used by intruders to scout networks) through the principle of "never trust, always verify." In a zero-trust world, there is no implicit trust granted to you (regardless of where you're logging in from or the resources you are trying to access) just because you're behind the corporate firewall. Only authorized individuals gain access to select resources as needed. The idea is to shift the focus from a perimeter-based (reactive) approach to a data-centric (proactive) one.
Core Components of Zero Trust
To effectively implement zero trust, organizations must understand its three core components:
- Guiding principles: Four guiding principles serve as a foundational element to a zero-trust strategy. These include defining business outcomes(organizations can only defend themselves effectively once they know what they are trying to protect and where they are); designing from the inside out (identifying resources that need protection at the granular level and building security controls that work in close proximity with those resources); outlining identity access requirements (providing a more granular level of access control management to users and devices); and inspecting and logging all traffic (comparing authenticated identities against predefined policies, historical data, and context of their access request).
- Zero-trust network architecture: ZTNA is made up of the protect surface (data, assets, applications, and services resources that are most valuable to the company); microperimeters (granular protection that protects a resource rather than the network environment as a whole); microsegmentation (segregating the network environment into discrete zones or sectors based on different functions of the business); and context-specific least privilege access (resources are granted access in line with the job role and associated activities as well as through enactment of the principle of least privilege).
- Technologies enabling zero trust: There isn't a single solution that enables zero trust. Having said that, technologies such as identity access management, multifactor authentication, single sign-on, software-defined perimeter, user and entity behavior analytics, next-generation firewalls, endpoint detection and response, and data leakage prevention can help you get started on zero trust.
Zero Trust and the Ransomware Problem
Zero trust isn't a silver bullet for ransomware, but if implemented well, it can help create a much more robust security defense against ransomware attacks. This is because, fundamentally, human error is the root cause of all cyberattacks, and zero trust puts the spotlight back on user identity and access management. Zero trust also helps reduce the attack surface significantly as internal and external users only have access to limited resources and all other resources are completely hidden away. Additionally, zero trust provides monitoring, detection, and threat inspection capabilities, which are necessary to prevent ransomware attacks and exfiltration of sensitive data.
There are also some misconceptions surrounding zero trust that must also be highlighted:
- Zero trust will not eliminate the ransomware threat in its entirety, though it will significantly reduce its possibility.
- No single technological solution can help you achieve absolute zero trust. Many vendors will try to sell you one, but this is not in your best interest.
- Zero trust isn't designed to solve all your security problems. It's designed to reduce the probability of security incidents, limit lateral movement, and minimize damage in case of a security incident like ransomware.
- Segmentation of users and resources sounds great in theory, but it's quite difficult to implement. Zero trust isn't a quick fix but a well-thought-out, long-term security approach.
Zero trust is a strategy much like digital transformation. It needs a commitment from the entire organization (not just IT teams); it requires a change in mindset and a radical shift in architectural approach; it needs to be executed with care and a great deal of thought, keeping a long-term perspective in mind; and, finally, it must be a perpetual, evolving process that changes in line with the evolving threat landscape. Nearly half of cybersecurity professionals still lack confidence in applying the zero-trust model and rightfully so — one wrong move can leave the organization in a worse position. That said, businesses that implement zero trust successfully will be in a much stronger position to combat evolving threats like ransomware and emerge as a truly cyber-resilient organization.