Zero trust is a network security model that minimizes risk by applying granular policies and controls to network access and network communications. Zero trust operates by continuously verifying the legitimacy of network communications, even inside the network perimeter. Changes in location, device state, security state, behavior, and more can trigger a re-authentication process.
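To make the "continuous verification" idea concrete, here is an added example of a small policy engine (not code from the article or from any vendor quoted in it). It evaluates every request against the resource's rules with a default-deny posture, and it marks the session for re-authentication when the MFA is stale or when the context it last saw (country, device) has changed. The resource names, roles, thresholds and request contexts are constructed for the illustration.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Context:
    """What the policy engine knows about one request right now (constructed fields)."""
    user: str
    device_id: str
    device_managed: bool
    disk_encrypted: bool
    os_patched: bool
    country: str
    mfa_age_s: int          # seconds since the user last completed MFA


@dataclass
class Decision:
    allow: bool
    reauth: bool            # True: access is granted only after a fresh MFA challenge
    reasons: list = field(default_factory=list)


# Constructed sample data: role assignments and per-resource rules.
ROLES = {"alice": {"hr"}, "bob": {"contractor"}}
RESOURCE_POLICY = {
    # resource -> (roles allowed, max MFA age in seconds, managed device required)
    "hr-payroll": ({"hr", "finance"}, 900, True),
    "wiki": ({"hr", "finance", "eng", "contractor"}, 8 * 3600, False),
}


def posture_problems(ctx):
    """Device-state checks; any failure denies regardless of who the user is."""
    problems = []
    if not ctx.disk_encrypted:
        problems.append("disk not encrypted")
    if not ctx.os_patched:
        problems.append("OS missing patches")
    return problems


def evaluate(resource, ctx, last_ctx=None):
    """Default-deny decision; request re-auth on stale MFA or a changed context."""
    d = Decision(allow=False, reauth=False)
    rule = RESOURCE_POLICY.get(resource)
    if rule is None:
        d.reasons.append("unknown resource: default deny")
        return d
    roles, max_mfa_age, needs_managed = rule
    if not (ROLES.get(ctx.user, set()) & roles):
        d.reasons.append("role not permitted for resource")
        return d
    if needs_managed and not ctx.device_managed:
        d.reasons.append("unmanaged device")
        return d
    problems = posture_problems(ctx)
    if problems:
        d.reasons.extend(problems)
        return d
    # Identity and device pass; now decide whether the existing session is still trusted.
    if ctx.mfa_age_s > max_mfa_age:
        d.reauth = True
        d.reasons.append("MFA older than resource allows")
    if last_ctx is not None:
        if last_ctx.country != ctx.country:
            d.reauth = True
            d.reasons.append("location changed since last check")
        if last_ctx.device_id != ctx.device_id:
            d.reauth = True
            d.reasons.append("device changed since last check")
    d.allow = True
    return d


if __name__ == "__main__":
    alice = Context("alice", "lap-01", True, True, True, "US", 120)
    moved = Context("alice", "lap-01", True, True, True, "DE", 120)
    print(evaluate("hr-payroll", alice))              # allowed, no re-auth
    print(evaluate("hr-payroll", moved, last_ctx=alice))  # allowed only after re-auth
```

The order of checks matters: identity and device posture are hard gates, while the context-change checks only decide whether an otherwise-permitted session must prove itself again, which is the "constantly verifying" behaviour the paragraph describes.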
Pulse Secure, a provider of zero trust secure access solutions, released a report last month stating the COVID-19 pandemic has not impacted the adoption of zero trust technology globally. In fact, nearly two-thirds of organizations (60%) said they have accelerated zero trust implementation during the pandemic.
Furthermore, enterprise responses regarding their success with zero trust were quite positive; the majority (94%) indicated degrees of success, and half labeled their efforts as successful.
However, the survey found that collaboration is not without complications. Eighty-five percent of respondents in zero trust task forces and partnerships found themselves struggling with cross-team skills gaps (33%), a lack of tools and processes that might facilitate collaboration (31%), and budget conflicts (31%).
I spoke with industry experts Mike Riemer, global chief technology officer of Ivanti, an IT asset and service management software provider, and Amit Bareket, co-founder and CEO of SaaS provider Perimeter 81, to learn more about zero trust.
Scott Matteson: What are some subjective examples of zero trust in action?
Mike Riemer: As businesses added capacity to support remote office accessibility, companies have had to cope with amplified security threats stemming from increased use of personal computing, home office and public networks, and cloud applications. Over the past year, the vast majority of enterprises saw an increase in incidents related to phishing and identity theft, susceptible and unmanaged endpoints, and insecure connections. Traditional corporate perimeter defenses are not going away but have morphed to cloud and edge computing.
Organizations are optimizing their investments to address the new normal of a hybrid, flexible workplace, with a focus on user experience, administration ease, end-to-end visibility and adaptive threat response. The sheer volume of users, devices, resource and application access, as well as the dynamics of user, resource and application provisioning, are driving investment in zero trust network success and longer-term planning. To mitigate on-going unauthorized access, malware and data breach risks, organizations are accelerating the coordination of security controls that enable the zero trust tenets of user, device and security posture verification and applying conditional access based on continuous risk assessment.
Amit Bareket: One example of zero trust in action is in managing contractors or workers that are remote. Today, these types of employees pose an easy and simple target for hackers. They are using their own devices and often exposing them to public Wi-Fi. Zero trust can enforce extremely restricted access to these workers and fight off security holes. Instead of every worker having access to the entire corporate network and resources, zero trust enables businesses to limit access only to the resources specific employees need to do their daily jobs.
Enforcing a zero trust approach limits the attack surface as attackers won’t be able to exploit within the network and gain access to the more critical and sensitive resources. As contractors and remote workers are the lowest hanging fruit for hackers, zero trust ensures these users won’t have deep access for attackers to exploit. Additionally, zero trust can allow specific users such as CEOs and CISOs to have high-privilege access that will allow these users to have “your eyes only” access.
Scott Matteson: What are the requirements for a zero trust implementation (hardware, software, policies, etc.)?
Mike Riemer: Organizations must start by taking inventory of all user and application access conditions, resources, and data protection obligations. Once everything has been accounted for, the next step is determining the key business needs for direct, private application access, including whether the staff can appropriately address meeting user and application access capabilities and the associated security policies. It is also important to identify what applications and use cases are not supported or require workarounds, including those that are legacy or latency-sensitive. These steps will help organizations determine whether they can take on managing ZTNA software themselves or if they will instead be contracting with a SaaS-based solution.
The next phase involves reviewing key takeaways identified during the above assessment to determine how easy and economical it will be to purchase, deploy and manage the ZTNA solution in conjunction with other secure access mechanisms. For example, as an organization moves to cloud-delivered security, to what extent will its current hybrid IT infrastructure, services and locations be supported? Knowing this information is crucial to building out a successful program.
Amit Bareket: There is a common misunderstanding that zero trust is both costly and complicated to implement, but as more businesses are moving their infrastructures to the cloud, it has become easier to take advantage of the benefits of zero trust.
Zero trust is an approach and not a product, but this doesn’t mean you don’t need to have the right product and policies in place to enforce the implementation. From identity and access management, to cloud security brokering and SIEM event solutions, each factor will help businesses to have a more successful implementation.
Scott Matteson: What should IT administrators do to prepare themselves to implement, administer and maintain a zero-trust implementation?
Mike Riemer: Organizations need to consider the extent to which their applications and services can and will be moved to the cloud. There are also investment and process details to consider. Many organizations have made a sizable investment in VPN and virtual desktop infrastructure (VDI) solutions based on the knowledge that the technology would work well with their hybrid IT infrastructure, would be convenient for users and administrators to manage, and would support their existing applications and security ecosystem. Furthermore, that investment decision is also aligned within their budget and depreciation expectations. As such, the majority of organizations will need to determine how to offset the investment. Ideally, the most pragmatic approach would be to seek ZTNA solutions that can co-exist with their other secure access investments, providing greater deployment flexibility as enterprises migrate applications to the private and public cloud and adopt edge-based services to address workplace flexibility and digital business requirements.
Amit Bareket: When implementing a zero trust security architecture, IT managers must isolate resources within their IT infrastructure in the form of micro-segmentation. Forrester Research recommends dividing network resources at a granular level, allowing organizations to tune security settings to different types of traffic and create policies that limit network and application flows to only those that are explicitly permitted. This network micro-segmentation approach allows security teams the flexibility to apply the right level of protection to a given workload based on sensitivity and value to the business.
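The micro-segmentation policy described in this answer, where only explicitly permitted flows between segments are allowed, can be expressed and audited with a short script. The following is an added example, not code from the article or from Perimeter 81 or Forrester: it maps addresses to constructed segments, holds an allowlist of (source segment, destination segment, port, protocol) tuples, and reports every flow in a batch of constructed flow records that no rule covers. Segment ranges, ports and the sample flows are all assumptions made for the illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed segments (not from the article): name -> address range.
SEGMENTS = {
    "workstations": ip_network("10.10.0.0/16"),
    "web-tier": ip_network("10.20.1.0/24"),
    "app-tier": ip_network("10.20.2.0/24"),
    "db-tier": ip_network("10.20.3.0/24"),
}

# Explicitly permitted flows: (src segment, dst segment, dst port, proto).
# Anything not listed here is denied by default.
ALLOWED = {
    ("workstations", "web-tier", 443, "tcp"),
    ("web-tier", "app-tier", 8080, "tcp"),
    ("app-tier", "db-tier", 5432, "tcp"),
}


def segment_of(ip):
    """Return the segment name containing ip, or 'unknown' if none does."""
    addr = ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"


def is_permitted(src, dst, port, proto):
    """True only when an explicit allow rule covers the flow."""
    return (segment_of(src), segment_of(dst), port, proto) in ALLOWED


def parse_flow(line):
    """Parse a constructed flow record 'src dst dst_port proto'."""
    src, dst, port, proto = line.split()
    return src, dst, int(port), proto.lower()


def audit_flows(lines):
    """Return the flows that would be blocked under the allowlist, with their segments."""
    denied = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, port, proto = parse_flow(line)
        if not is_permitted(src, dst, port, proto):
            denied.append((src, dst, port, proto, segment_of(src), segment_of(dst)))
    return denied


# Constructed flow records for the example (src dst dst_port proto).
SAMPLE_FLOWS = """\
# workstation -> web, web -> app, app -> db are the designed paths
10.10.4.7 10.20.1.5 443 tcp
10.20.1.5 10.20.2.9 8080 tcp
10.20.2.9 10.20.3.3 5432 tcp
# these two skip a tier and should not be permitted
10.10.4.7 10.20.3.3 5432 tcp
10.20.1.5 10.20.3.3 5432 tcp
""".splitlines()


if __name__ == "__main__":
    for flow in audit_flows(SAMPLE_FLOWS):
        print("DENY", flow)
```

Run against real flow logs before enforcement, an audit like this shows which existing traffic the allowlist would cut off, so the rules can be tuned per workload before a segment-level deny breaks a legitimate path.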
Scott Matteson: What should end users be trained on in order to rely upon zero trust solutions?
Mike Riemer: A zero trust approach would ensure that employees’ devices are secure and meet corporate security policies, prior to any intellectual property being allowed onto the device, or to flow through the device. Enhanced security policies seamlessly enforced on employees’ devices, particularly as remote connectivity continues to be at an all-time high, will give employees the ability to enhance the entire enterprise security posture as endpoints—even new ones introduced during remote work—are protected.
Amit Bareket: When training end users on new zero trust solutions, they should be introduced to its key guideline, “never trust, always verify.” IT managers should train end users to understand the different features that are integrated within the solution. With zero trust networks, multi-factor authentication is used to verify identities and then manage access to data based on the user’s “need to use.” Additionally, end users should use different complex passwords and adopt single sign-on features for a more secure end-user experience.
Scott Matteson: Are there any security or operational considerations involved?
Mike Riemer: When it comes to zero trust network access, organizations need to consider to what extent their applications and services can and will be moved to the cloud. There are also investment and process details to consider. Many organizations made a sizable investment in VPN and VDI solutions based on knowing that the technology would work well with their hybrid IT infrastructure, would be convenient for users and administrators to manage, and would support their existing applications and security ecosystem. Furthermore, that investment decision also aligned within their budget and depreciation expectations. As such, the majority of organizations will need to determine how to offset this investment. Ideally, the most pragmatic approach would be to seek ZTNA solutions that can co-exist with their other secure access investments which will provide greater deployment flexibility as enterprises migrate applications to private and public cloud and adopt edge-based services to address workplace flexibility and digital business requirements.
Amit Bareket: Zero trust offers more than just another layer of security against hackers. Zero trust delivers considerable business benefits such as greater network visibility, reduced IT complexity, less demanding security workloads, data protection, a superior user experience, and support for cloud migration. These benefits come with different operational considerations where employees’ access will need to be redesigned to fit an implemented zero trust model on a network. DevOps, IT, and Security teams will be heavily involved to ensure that across the business the newly implemented zero trust model is being adopted correctly.
Scott Matteson: How is this trend expected to evolve down the road?
Mike Riemer: In July 2020, bad actors leveraged social engineering techniques, which involve manipulating people into giving up sensitive information, in order to pose as internal IT staff and convince Twitter employees working from home to enter their login information. The phishing attack resulted in numerous high-profile Twitter accounts, like those of Barack Obama and Elon Musk, being hacked. Twitter was ultimately found to have insufficient internal controls and a lack of cybersecurity regulation, which contributed to the incident.
The brazen nature of the Twitter attack shows bad actors are using social engineering to raise the stakes, and we can expect to see more of these high-profile orchestrated events in 2021 as remote work continues and cyber criminals look for new, creative ways to infiltrate organizations. The incident represents a new focus on remote users and remote connectivity, whether through VPN tunnels or other remote connectivity forms. In response, companies must prepare now with the appropriate end-user education and adopt an adaptive risk and trust threat assessment mentality. This can be accomplished by adopting a zero trust approach founded on the principles of continuous verification and authorizations that allow organizations to have better visibility and insight into what is, and is not, typical behavior for an employee.
Amit Bareket: The current shift to remote work has increased the need to adopt zero trust, but the truth is this trend has long been in the works. The future of security will push for companies to implement more cloud-based security solutions with user identification. This will increase the usage of zero trust, providing businesses a more flexible and scalable option than traditional network security solutions.
Instead of businesses forcing their employees to connect to a VPN or a firewall, they will invest more heavily in user-centric zero trust solutions which provide flexibility and more modern cloud-based security.