PA Consulting’s cyber and data privacy expert, Elliot Rose, discusses the origins, effectiveness, and prospects of Zero Trust - and whether organisations will invest the time and money needed to make it work, with Security Insights editor Stephen Pritchard on a special Zero Trust podcast edition.
The podcast discusses how, for years, information security has relied on defending boundaries: defend the corporate network, and everything within is secure.
It explains how Zero Trust sets out to replace perimeter defences – ever higher walls – with a more intelligent, flexible, less intrusive and more effective form of security.
So, what exactly is zero trust, and how does it work?
According to Elliot, we have to rewrite the rule book. The starting principle is that everything is untrusted. The network, the device, and the user: “So zero trust is a concept of not trusting anything, as the name indicates, in terms of the environment. We’ve had, historically, the ability for people to log on to company systems through a single sign-on, and then have access to everything, in particular what relates to their work.
“Zero trust really comes at it from the other way, which says actually, ‘we’re going to not trust you, we’ll only trust you each time you interact with a piece of data or system that you actually want to have access to’. So, it’s really making sure that every time there’s an interaction, in terms of looking up data or accessing data or information, we’re authenticating and making sure that person is who they say they are, and they have the right credentials to access and use that information.”
The podcast goes on to explain that there is no doubt that, over the last year, companies have had to move quickly towards remote working, and that organisations which had already invested in zero trust have had a head start.
But conventional remote working security tools and VPNs are themselves under threat, argues Elliot: “The main reason is that through most of us now working remotely, there is increased loading on the infrastructure that organisations provided historically to enable remote access through VPNs – that was sized and scaled to perhaps cover about 10% of an organisation’s population. The increased loading on the VPN type network, and also the VPN itself, represents an additional threat which hackers can attack. So, from both an efficiency point of view and also from a security point of view, the historic way of remote working is now under threat, and so we’re looking at models now which encourage zero trust and provide direct access to apps, but through a system of brokering that ensures the person is who they say they are and can access that particular application to do their job.”
Elliot points to incidents, including the Target breach in the US, in support of the case for zero trust: “We’ve seen this in terms of threats having lateral movements, where an attacker will go for one part of an organisation and they’ll be able to move around, based on where there may be weak credentials around a particular application, or if a target around a particular infrastructure was particularly poorly protected. So, we often have a hard perimeter, but often when you’ve breached that perimeter in an organisation, you can get access to absolutely anything.
“It’s a real threat to organisations that would never have had to think about it in this particular way, again with the situation we find ourselves in, but particularly the way we’ve architected our security systems in the past. We should also consider the wider ecosystem around this.”
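As an added illustration of the contrast Elliot draws (not code from the podcast or from PA Consulting), this Python toy compares a perimeter-style decision with a per-request zero-trust broker that checks credential, device and entitlement on every interaction; all users, devices, applications and entitlements are constructed sample data.

```python
"""Toy comparison of perimeter vs zero-trust access decisions (added example;
all users, devices, apps and entitlements below are constructed, not real)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    user: str
    device: str
    app: str
    on_corporate_network: bool
    credential_valid: bool  # did this specific interaction present a valid credential?


@dataclass
class Broker:
    """Zero-trust broker: each request is checked for identity, device and entitlement."""
    entitlements: dict   # user -> set of apps that user's job actually needs
    managed_devices: set  # devices with a known, healthy posture

    def decide(self, req: Request) -> bool:
        # Network location is deliberately ignored: being "inside" proves nothing.
        if not req.credential_valid:
            return False
        if req.device not in self.managed_devices:
            return False
        return req.app in self.entitlements.get(req.user, set())


def perimeter_decide(req: Request, logged_in: set) -> bool:
    """Perimeter model: once on the network and logged in, every app is reachable."""
    return req.on_corporate_network and req.user in logged_in


def lateral_movement_demo() -> dict:
    """Hypothetical scenario: an intruder holding one staff login has reached the
    internal network and tries to reach the HR system from an unmanaged machine."""
    broker = Broker(
        entitlements={"alice": {"expenses", "email"}, "bob": {"hr-system", "email"}},
        managed_devices={"laptop-alice", "laptop-bob"},
    )
    alice_mail = Request("alice", "laptop-alice", "email", True, True)
    intruder_hr = Request("alice", "unknown-box", "hr-system", True, True)
    return {
        "legit_perimeter": perimeter_decide(alice_mail, {"alice"}),
        "legit_zero_trust": broker.decide(alice_mail),
        "intruder_perimeter": perimeter_decide(intruder_hr, {"alice"}),  # lateral move succeeds
        "intruder_zero_trust": broker.decide(intruder_hr),               # denied per request
    }
```

The legitimate request passes under both models; the lateral move to an unrelated application passes only under the perimeter model.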
And the greatest risk, Elliot warns, is in fact failing to work with the business: “We worked with clients, for example, in quite highly secure environments, and this is something that they’ve already addressed and put in place, and it is really important to work with the business to understand how this model will operate, and so understanding that actually this person needs to know that there might be a certain piece of information which exists in a particular location, but can’t access it, but can understand how they can go about accessing it, is really important. You really need to engage with the business in terms of understanding the operating model, especially if you’re transforming a business and going digital; you need to think carefully about how that will operate in reality, because if you don’t get that right, then it won’t just cause friction, it’ll stop your business fundamentally.”
Elliot goes on to say that the move to the cloud, and the increasing need to comply with regulations, are strengthening the arguments for this type of security: “There’s increasing use of tools and techniques around this, and often in terms of moving to cloud, there are tool sets there that you can use, fairly cost-effectively from a cloud perspective. Undoubtedly, there’s a legacy there in terms of integration, and again, clients need to look at the business case around that, as well as some of the greater regulations we’re facing now, with things like GDPR and the US privacy rules.”
How, though, can CSOs convince their boards to invest?
Elliot says: “Again, we’ve seen lots of examples where organisations have been breached and there’s lots of concern: how on earth did this happen? Why didn’t we spot it? And we do a lot of work with boards in terms of training and education around this. We also do work with non-executive directors (NEDs). Often NEDs want to understand more about the cyber risks attached to it. And there are another couple of angles to this; there’s obviously regulation, so it’s really important to understand and explain to the board what the risks are in terms of the potential fines and the reputational damage that will follow around this.
“We’re also seeing increasing attention from insurers, so many organisations now are purchasing cyber insurance. It’s becoming more popular, more talked about, and the cyber insurers themselves are pushing – from a premium perspective – and having a greater understanding of what’s been put in place. So I think we’ll see a demand or a drive on that, and of course from the boards, who, from a financial point of view, will be interested in insurance cover and premiums, and I think we may see some examples of insurers starting to question organisations where they haven’t got the right controls in place - certainly we’re seeing that from a regulatory point of view. If you have a breach in the GDPR now, the regulators will look closely at what actual controls you put in place, and if you haven’t got the right controls, then significant fines and bad publicity around that will follow. So, it is a difficult concept, historically, but I think there are a number of factors, as I’ve described, that are making this become a much more mainstream board level issue for organisations.”