At the RSA conference in San Francisco last month, the show was abuzz with zero trust. It was clear that companies which wanted attention had to show they were participating in the zero trust frenzy. So, what exactly is zero trust and why should you care?
To begin with, zero trust is as much a security philosophy as it is an architecture. Zero trust begins with a focus on the data, which contrasts with most current security approaches that begin with the threats. A zero trust strategy is based on four major tenets:
- Focus on data protection
- Assume the network is compromised
- Only provide access after authentication
- Authorize and encrypt all transactions
Some of these tenets are not new, and for the most part creating a zero-trust architecture does not require replacing all the security components currently used in your environment. Tools such as firewalls, endpoint protection systems, policy engines and others will still be needed to do the job they were intended for. But to truly arrive at an environment that supports the zero-trust philosophy, certain changes must occur.
Visibility and Analytics
Visibility of users, devices, transactions and flows is required in this new model. Zero trust requires continuous monitoring and logging of all of these to provide real-time adjustments to the system. There are several tools in use today that provide some level of visibility into devices, users and flows, but the industry needs to mature this space by integrating element managers, advanced analytics and UI tools in an open and holistic manner.
Authenticate and Authorize
The intent of zero trust is to provide the least amount of privileged access necessary. This is only possible if users and devices can authenticate and get specific authorization based on corporate policy from a central policy engine. Fortunately, this is a fairly mature market with many competent solutions. Multi-factor authentication is required for most large enterprises, and these tools now provide a means to force re-authentication and re-authorization based on environmental factors such as location and device type, as well as on your company's own policy.
It is important to note that these tools work great for classic workers using mobile devices and computers, but an area of focus and development will have to be supporting IoT devices. Many IoT devices are headless (meaning there is no user interface) and don't have the ability to log in or authenticate to a validating system. To date, segmentation is a viable first step for mitigating threats posed by these devices.
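The central policy engine described above decides each request on identity, device posture and environmental context, and can answer "re-authenticate" rather than a flat allow or deny. The following is an added illustration, not code from the original post or from Cisco; the roles, resources, countries and MFA age limits are constructed policy values, and the step-up age for sensitive resources is an assumption chosen for the example.

```python
"""
Added example: a minimal central policy engine for zero-trust access
decisions. Every request is evaluated against corporate policy with a
default-deny posture (least privilege), and a stale MFA challenge yields
a "step_up" decision that forces re-authentication. All roles, resources
and thresholds below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import timedelta


@dataclass(frozen=True)
class Context:
    user: str
    roles: frozenset          # roles asserted by the identity provider
    mfa_age: timedelta        # time elapsed since the last MFA challenge
    device_managed: bool      # is the endpoint a corporate-managed device?
    country: str              # geolocation of the request
    resource: str
    action: str


@dataclass(frozen=True)
class Decision:
    effect: str               # "allow", "deny" or "step_up"
    reason: str


# Constructed entitlements: which roles may perform which action on which
# resource. Anything not listed is denied (default deny).
ENTITLEMENTS = {
    ("payroll-db", "read"): {"finance", "auditor"},
    ("payroll-db", "write"): {"finance"},
    ("wiki", "read"): {"employee", "finance", "auditor"},
}
SENSITIVE_RESOURCES = {"payroll-db"}
ALLOWED_COUNTRIES = {"US", "CA"}
MFA_MAX_AGE = timedelta(hours=8)                  # assumed default
MFA_MAX_AGE_SENSITIVE = timedelta(minutes=15)     # assumed for sensitive data


def evaluate(ctx: Context) -> Decision:
    """Evaluate one request. Checks are ordered so that the cheapest,
    most decisive environmental denials come first."""
    # 1. Environmental factor: location outside approved countries is denied
    #    regardless of who is asking.
    if ctx.country not in ALLOWED_COUNTRIES:
        return Decision("deny", f"request from unapproved location {ctx.country}")

    # 2. Entitlement: default deny unless a held role explicitly grants it.
    granting_roles = ENTITLEMENTS.get((ctx.resource, ctx.action), set())
    if not (ctx.roles & granting_roles):
        return Decision("deny", f"no role grants {ctx.action} on {ctx.resource}")

    # 3. Device posture: sensitive resources require a managed endpoint.
    if ctx.resource in SENSITIVE_RESOURCES and not ctx.device_managed:
        return Decision("deny", "sensitive resource requires a managed device")

    # 4. Freshness: force re-authentication when the last MFA challenge is
    #    older than the limit for this resource class.
    max_age = MFA_MAX_AGE_SENSITIVE if ctx.resource in SENSITIVE_RESOURCES else MFA_MAX_AGE
    if ctx.mfa_age > max_age:
        return Decision("step_up", f"MFA older than {max_age}; re-authentication required")

    return Decision("allow", "policy satisfied")


if __name__ == "__main__":
    request = Context("alice", frozenset({"finance"}), timedelta(minutes=5),
                      True, "US", "payroll-db", "write")
    print(evaluate(request))
```

The ordering matters in practice: location and entitlement checks are evaluated before the step-up check so that a denied request is never turned into an MFA prompt, which would leak to the requester that the resource exists and that only freshness stands in the way.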
As the most common tool used to control an expanding attack surface and malware proliferation, segmentation is a critical component of zero trust. However, in this new model, segmentation will be much more dynamic and granular. This will only be possible by leveraging the real-time visibility and analytics we already discussed. The intent is to be able to dynamically segment or micro-segment the network based on anomalous activity occurring on the network.
An example would be to micro-segment an IoT device from the network if it is a new, unknown device, or if the normal behavior of that device has changed, such as a printer suddenly sending traffic to a computer instead of following its normal traffic pattern of communicating only with the server on the internet.
For segmentation to be dynamic like this, orchestration needs to occur between the sensors that detect the anomalous behavior, the network being manipulated, and a system that verifies the change happened and mitigated the anomaly. That closed-loop process includes the visibility and analytics tools working with a policy engine and a controller that leverages software-defined networking (SDN) to make the changes occur. This is the next-generation network being built out today.
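The closed loop just described (sensors detect a deviation, a controller changes the network, a verifier confirms the change took effect) can be shown end to end with a toy model. The following is an added example and not code from the original post or from Cisco; the device names, flow records and the simulated SDN controller are constructed for illustration, and it uses the post's own printer scenario (a printer suddenly talking to a workstation) plus the unknown-device case.

```python
"""
Added example: a closed loop for dynamic micro-segmentation.
  1. learn a per-device baseline of (peer, port) pairs from observed flows,
  2. compare new flows against that baseline (the "sensor"),
  3. move any deviating or unknown device into a quarantine segment via a
     simulated SDN controller,
  4. verify that the device can now reach only its remediation segment.
All device names, addresses and flows are constructed for illustration.
"""
from collections import defaultdict

# Constructed flow records: (source device, destination host, destination port)
BASELINE_FLOWS = [
    ("printer-1", "print-server", 631),
    ("printer-1", "print-server", 631),
    ("camera-7", "nvr-1", 554),
]
OBSERVED_FLOWS = [
    ("printer-1", "print-server", 631),
    ("printer-1", "workstation-42", 445),    # printer talking to a desktop: deviates from baseline
    ("camera-7", "nvr-1", 554),              # normal
    ("thermostat-3", "print-server", 80),    # device never seen during learning
]
REMEDIATION_HOST = "remediation-portal"


def learn_baseline(flows):
    """Map each device to the set of (peer, port) pairs seen during learning."""
    baseline = defaultdict(set)
    for src, dst, port in flows:
        baseline[src].add((dst, port))
    return dict(baseline)


def detect_anomalies(baseline, flows):
    """Sensor: return {device: reason} for unknown devices and off-baseline flows.
    Only the first reason per device is kept."""
    findings = {}
    for src, dst, port in flows:
        if src not in baseline:
            findings.setdefault(src, "unknown device")
        elif (dst, port) not in baseline[src]:
            findings.setdefault(src, f"new peer {dst}:{port}")
    return findings


class SdnController:
    """Simulated controller. Each device belongs to a segment; each segment has
    an allow-list of destinations (None means a flat, unrestricted segment).
    A real controller would push these as flow rules or ACLs."""

    def __init__(self, known_devices):
        self.segment = {dev: "production" for dev in known_devices}
        self.policy = {"production": None, "quarantine": {REMEDIATION_HOST}}

    def quarantine(self, device):
        self.segment[device] = "quarantine"

    def reachable(self, device, dst):
        # Devices the controller has never seen land in quarantine by default.
        allowed = self.policy[self.segment.get(device, "quarantine")]
        return allowed is None or dst in allowed


def closed_loop(baseline, flows):
    """Detect, enforce, verify. Returns ({device: verified}, findings)."""
    controller = SdnController(baseline.keys())
    findings = detect_anomalies(baseline, flows)
    verified = {}
    for device in findings:
        controller.quarantine(device)
        # Verification step: every destination this device was observed
        # contacting must now be blocked, and only remediation remains open.
        contacted = {dst for src, dst, _ in flows if src == device}
        blocked = all(not controller.reachable(device, dst) for dst in contacted)
        verified[device] = blocked and controller.reachable(device, REMEDIATION_HOST)
    return verified, findings


if __name__ == "__main__":
    base = learn_baseline(BASELINE_FLOWS)
    results, why = closed_loop(base, OBSERVED_FLOWS)
    for dev, reason in why.items():
        print(f"{dev}: {reason} -> quarantined, verified={results[dev]}")
```

The verification step is what makes this a closed loop rather than a fire-and-forget alert: the same visibility data that raised the finding is used to confirm the controller's change actually cut off the anomalous path. A controller that reports success but leaves `reachable()` true for the old peer would show up here as `verified=False`.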
Finally, as applications move to the cloud we will start to see full encryption from endpoint to host. This is a blessing and a curse. A blessing in that traffic is protected from man-in-the-middle attacks and other forms of eavesdropping. A curse in that many of our visibility and analytics tools are less effective if all data is encrypted. There are currently some tools to provide visibility even with encrypted data, but this is still a nascent environment, which I see being addressed in the future with new tools.
As you would expect with any buzzword, zero trust has taken on a larger-than-life meaning, so this short blog doesn't do it complete justice. To be fair, like the terms cloud and cybersecurity, zero trust means different things depending on your point of view, so please do your research on each of the underlying tenets outlined above and be mindful of what zero trust could mean for your company.
Dan Kent is the U.S. Public Sector CTO and Director of Engineering for Cisco.