Security think tank: No trust in zero trust need not be a problem

Ths article was first published in Computer Weekly

Controlling the network perimeter security of traditional organisations, focused on protecting the infrastructure rather than the data, and with limited mobile and remote access, has never been a trivial task.

Yet modern trends of workforce decentralisation and mobile access, reliance on third-party support, increasing consumption of cloud-based solutions and – last, but not least – growing attention on insider threats, are making the task harder, more expensive and, to some extent, insufficient.

The “castle and moat” approach doesn’t work when the threat is already within the network. So it is perhaps not surprising that, almost 20 years after its emergence, zero trust, which treats the network as untrusted and hostile and focuses on the protection of data, has rapidly taken centre stage in security management. According to a recent report, 78% of 315 IT and cyber security professionals surveyed are looking to embrace zero-trust network access in the future (59% within the next 12 months).

The concepts of micro-segmentation, pervasive strong authentication and limiting individual access only to data that they need – known as the principle of least privilege – can all help to address the challenges ahead. Yet there are real doubts about the feasibility of this approach.

Almost half of enterprise IT security teams interviewed in the survey mentioned above showed a lack of confidence in their ability to provide zero trust with their existing security technology. And the current technical debt, legacy technology, possible clashes with digital transformation programmes and scarce uniformity and processes coherence in federated organisations make it difficult to achieve in practice.

But there are a number of steps that CISOs can take to address these concerns and successfully implement a zero-trust model. The first is to establish who is trying to access what data. That means examining how strong and well-defined the identity management processes in the organisation are, and filling potential gaps.

According to a recent survey of more than 450 organisations across the globe, 85% of them fail to meet even a basic privileged access management maturity level – and 55% don’t even have a clear view of their privileged accounts. Administrative accounts not following a proper lifecycle process and not automatically removed when needed represent an ideal target for attackers, and therefore seriously limit trust in any implementation of role-based access models.

Data protection is key, but not all data is equally valuable, and any access control policy needs to be strictly linked to the business value and sensitivity of data that is being accessed. This requires the organisation to have a clear understanding of its whole data environment, sound data discovery and data protection processes and technologies, and a comprehensive map of data flows.

Attention must also be paid to asset management maturity. Although the adoption of modern IT asset management practices is increasing, trends such as bring your own device (BYOD) and cloud bring complications. Another recent report showed that almost one-third of the organisations surveyed had no asset management activities or were in the implementation phase of an IT management system.

Legacy systems, in particular, need extra care in order to assess their impact on a zero-trust migration scenario to check whether they support multifactor authentication and the implementation of contextual access policies.

Access and containment control are at the heart of zero trust, but this can invite risk from assuming that the resource is secure to start with. Fundamental practices such as vulnerability and patch management are not a core part of the approach, but are nonetheless foundational for the overall security posture.

According to a recent survey by SANS, only 55% organisations were running a formal vulnerability management programme, with the rest relying on an informal approach or not doing vulnerability management at all. An unpatched vulnerability waiting to be exploited cannot benefit from the zero-trust model. On the contrary, it can hamper the efficacy of the model itself – if it affects the authentication mechanism, for example.

Also make sure that the micro-segmentation patterns adopted don’t conflict in any way with patch management. When moving from a loosely segmented (or flat) network model to a zero-trust architecture, particular care must be taken to ensure the scope and efficiency of patch distribution is not affected in any way. Orchestration and automated configuration management can help to make sure that these complexities are transparent and minimise the chance of error.

Monitoring is key to zero trust. Devices and services must be continuously checked to detect any early sign of compromise or unexpected activity. Therefore, a robust system of security event detection and correlation should be mandatory and extra care should be dedicated to legacy systems to verify that they can be monitored as required.

CISOs should also make sure that their enterprises run a sound security architecture management process. Zero trust requires a finely tuned organisation and understanding of people, processes and technologies. All this needs to be orchestrated at the right architectural levels and requires sound enterprise security resources and governance models to be in place. This is especially important for federated organisations, where the maturity of different entities may differ substantially.

Zero trust is a promising approach to minimising risk in a modern IT environment. But to be effectively implemented, it requires the organisation to have mature security foundations and will only succeed after an effective security department has been established and has put the basics in place.

Silvano Sogus is a cyber security expert at PA Consulting