As World Password Day comes around again this May 6th, how much has changed in the year since we last marked the occasion? With more employees working remotely than ever before due to COVID-19, businesses are at greater risk from a cyber-attack as workers access systems outside of the usual company network. As such, this year’s World Password Day is a timely reminder for businesses to drop passwords forever, and instead roll out access management solutions such as passwordless authentication.
In our previous blogs we have discussed the many challenges that organizations face as they are seeking to embrace the Zero Trust security model. Obstacles are there not to deter us, but to make us seek solutions and become eventually better. Just like Hercules and the road of Virtue, Zero Trust is a path leading to better security.
While NIST has developed a blueprint for Zero Trust (you can read about it in this whitepaper) which can serve as a great start for your journey, organizations need to understand that Zero Trust is above all a mindset. While strong identity authentication might seem like obvious advice, you will have to change how you view your security, placing the human element at the core of your gradual build-up. Before even starting to discuss policies and practices, you should define measurable objectives and have a deep understanding of your business processes and workflows.
Businesses should be looking to adopt a Zero Trust model in their approach to authenticating users and certifying their authorisation to access data. We have asked leading information security professionals to offer us their valuable advice on how organizations and people can achieve a Zero Trust mentality. Here is what they told us.
Angus Macrae, Head of Cyber Security
I would strongly advise anyone who is contemplating a move to Zero Trust models or architecture to read and consider the many valuable points made in the current documents, such as NIST Special Publication 800-207. Subsequently, if you do not have the time to read the full 59-page treatise, I have written a short introductory blog about the publication: “Zero Trust Architecture: What is NIST SP 800-207 all about?”
Jenny Radcliffe, People Hacker & Social Engineer
From a social engineering perspective, Zero Trust is a good mindset to have, mostly because it avoids the “guard the perimeter”, “castle and moat” idea of security. Trust might already be compromised considering that our threats can already be on the inside or find some way inside. A malicious social engineer might gain access to a system through compromising an insider. Limiting and monitoring what any individual can do, and continually verifying users, helps limit lateral movement, and ultimately slow down a people-based attack.
To be successful, Zero Trust efforts need to be consistent, including a process that’s constantly updated to reflect what's necessary in terms of IAM. The system needs to also take into account user trends and shifting requirements, rather than looking solely at least privilege access. Attacks can be patient and happen over time, so we need to monitor shifting patterns of use and "scope creep" in terms of what people have been requesting access to, and actually using.
Sarah Clarke, Data Protection & Security GRC, Infospectives
My best piece of advice is that the ideal end-state is a fully monitored world of automatically on-boarded, access-minimized, scanned, security-baselined, auto-updated, data flow-mapped, and audit-enabled resources. However, if you are yet to feel round the edges of this, you need to know where to start. You can’t scrimp on discovery, but no standard risk assessment scales. You need to get everyone in the organisation to help you get the most Zero Trust bang for your buck. The answer is a triage step: asking key stakeholders the simplest possible questions to flag inherently risky characteristics of connections, data, data processing, software and devices, questions that can be answered as early as possible in development, change and procurement processes. For example: how much data, how sensitive, how available must it be, user access levels, what kind of internet connection, access to and from where? If you do it right, in a simple and engaging way, with standardised responses that enable analysis, answers will breathe life into context-lite diagrams, help to refine trust boundaries, and clarify where policy-driven rules should apply.
Ross Moore, Cyber Security Support Analyst
You will need project approval, which can be tough to obtain. One way to achieve this is to build a roadmap and make your way along the path one step at a time. For example, you may not be able to obtain the full budget for the entire project, but maybe you can convince them to let you implement one aspect, such as two-factor authentication, and then others as time progresses.
A possible path for starting out would include researching Zero Trust and making a long-term roadmap, then deconstructing your Zero Trust roadmap into strategic goals using a project management criterion.
Once that is done, implementation of specific technologies can begin. Whenever possible, use technologies that have security built-in and are as easy as possible to deploy. While there’s much more to Zero Trust, the advancements made in achieving these previous goals provide a metric for future projects.
Chris Hudson, Security Architect, Tripwire
While it is key to keep an eye on the end goal, ensure you’re slowly building your trust model all the time. Zero Trust maturity requires a lot of moving parts to be aligned, so breaking out individual components (such as devices, applications, and networks), and identifying where you will start and how you will provide verifiable improvements, will make it easier to get a foothold. Also, give some consideration to your data forensics. A good starting approach to Zero Trust is to first ensure you have visibility across your estate and then build automations based around your real-world usage. No “one size fits all” approach will cover every trust transaction, so identifying where you are first is an important starting point.
Chloé Messdaghi, Chief Strategist, Point3 Security
Everything requesting access must be verified before access is offered. Over the last few years, cybersecurity innovators have been introducing various platforms that support this, and CISOs are starting to aggressively plan for and adopt them. But invoking a Zero Trust model among employees takes more than platforms – it takes people. It takes the conscientious creation of policies, and working to ensure consistent conformance to them among all employees, partners, and others touching the organization’s information ecosystem.
Some guidelines to consider include: a universally shared commitment not to inherently trust anyone inside or outside. Doing this without business disruption requires visibility, analytics and automation. Analytics are crucial because every organization needs to work on the assumption that, sooner or later, a determined attacker will succeed. Without the foundational knowledge that analytics provide, timely mitigation is far harder. It’s all about who has access to what, and making sure you have a secure administrative environment.
Adopting a Least Privilege Access model for data pools and resources, and constantly auditing who has access to what, are perhaps the most painstaking processes, yet absolutely crucial. Finally, embrace third party risk management. Zero Trust fails when your organization partners with other companies whose practices are laxer than yours.
Didier Hugot, VP Technology and Innovation, Thales
A good Zero Trust security strategy consists of having an optimal security posture which ensures that all sensitive assets are correctly protected at the core with the appropriate access policies, whether they are stored and processed by third parties or under the control of the enterprise.
Migration to a full Zero Trust security model should be progressive over time. As a good practice, it is recommended to start by migrating the less critical assets to minimize risks while taking time to learn and apply the right security configurations. There is no easy way to achieve a Zero Trust model. Each enterprise has to adapt their strategy depending on their business needs and constraints. Some may decide to move everything in the Zero Trust security zone, some may decide to keep all sensitive data on-premises, and some others may choose a hybrid approach.
Jihana Barrett, CEO & Founder, CyberSuite
The first piece of advice I would offer is to change how we view security. Just as a person would have a natural suspicion of a stranger he or she encounters in public, the same thing needs to happen with technology. Access needs to be on a need-to-know basis. Micro-segmentation needs to be the default network setup and multi-factor authentication needs to become as common as a strong passphrase.
Organizations need to take their time when implementing the Zero Trust model. There is a lot that can go wrong with a hasty implementation. I would recommend a multiphase approach where network needs are based on priority and importance.
Haider Iqbal, Business Development Director, Thales
One positive outcome of this pandemic event is that this surge in the demand for remote work and adoption of Software as a Service (SaaS) applications has openly exposed the limitations of scaling perimeter security. So, even enterprises that were facing cultural challenges in adopting Zero Trust principles now have credible first-hand evidence of perimeter security’s inadequacies. The smarter CISOs/CIOs have embraced this challenge and turned it into an opportunity to educate other business stakeholders, and the laggards are almost bound to follow. Educating all stakeholders is crucial to the adoption of a Zero Trust posture – leverage the current opportunity!
There is no “silver bullet” to achieving Zero Trust. Organizations need to map out their journey as achievable milestones, and then evaluate which capabilities can help achieve those milestones while also remaining mindful of not overthinking the journey. Some common themes in analyst reports about Zero Trust include the advice to use multi-factor authentication and adaptive authentication. Identify such capabilities and start implementing them from the onset of your journey. These are quick wins that will boost the confidence of all stakeholders involved in this multi-step journey. As always, never trust, always verify!
Christine Izuakor, CEO of Cyber Pop-up
The biggest advice that I would give is to treat it as a journey. Treat it as a mindset. Treat it as a culture. There is no single total Zero Trust solution that you can buy, flip a switch and have effective Zero Trust. There are layers of processes and technology that you need to implement to get to a state where you're aligning with a Zero Trust model. That's important to keep in mind.
The other piece of advice is to acknowledge the human element in all of this and how your trust impacts various people and even the cultural context. You don't want to give off the sense that you don't trust people. We are dealing with attackers and hackers every day, and that's normal, but for someone who's not in the security industry, “Zero Trust” can sound pretty harsh. So finding that balance is important.
Trust is really empowering. True trust in the people that you should believe in and Zero Trust in the people that you shouldn't is what we're here for. That's the distinction that we're trying to make. It's important to keep that in mind at all times.
Before next year’s World Password Day, discover more about how you can overcome the challenges associated with Zero Trust: read our eBook here.