November 12, 2020
Enhancing Zero Trust beyond identity to data itself
Zero Trust with a focus on identity and network access
Zero Trust, the network security model of never trust, always verify, centers on preventing intrusions and breaches by eliminating the notion of trust from an organization’s network architecture; instead, everything must be proven, every time. Despite the considerable hype, Zero Trust adoption has actually grown steadily over the last decade. But the parallel growth of cloud computing and everything-as-a-service, which has shattered the network perimeter, complicates security and presents some sticky challenges for the Zero Trust model.
There is a lot in play. Zero Trust encompasses multiple architectural ‘pillars’ that need to be secured: the data itself, the people accessing it, the network, and the devices and workloads running on it. There is also a requirement to observe the analytics of the interactions among those pillars to detect malicious actors and events. Addressing such a comprehensive range of moving parts involves strategic planning for an architectural reconfiguration that goes beyond any particular product or technology – it’s a long game.
Security at the Gate or Inside the Walls?
There are two different approaches that can be taken. One option is to begin with access in mind, focusing on the people and networks that are accessing data. To apply a simple analogy, think of a village where admission is controlled by verifying a visitor at the town gate. So far, most of the security industry’s effort has taken this approach, developing myriad technologies like Identity and Access Management (IAM), Network Access Control (NAC), microsegmentation, and Secure Access Service Edge (SASE). Today, Zero Trust has come to mean authenticating the user at the “gate” of the application or service itself, effectively supplanting traditional perimeter controls like virtual private networks.
It’s a quantum leap forward, but still not enough in every situation. Controls at the edge of a network or at the application level rely on user identity and credentials, which unfortunately remain a weak link. That’s not a fault of the technology; it’s due to the human factor. For one, data that is legitimately and collaboratively shared outside the firewall can go anywhere – accidentally or maliciously – once a third party possesses it. But beyond that, the ability of an individual to distinguish between a safe and a malicious digital request (e.g., opening an email attachment or clicking a web page redirect) cannot be guaranteed. Even the most technically sophisticated, experienced people will occasionally fall prey to a well-crafted phishing attack that tricks them into revealing access credentials. Once a person is allowed through the town gate and enters the village, he’s free to roam. Once bad actors use legitimate credentials to enter the network, all bets are off.
Alternatively, a Zero Trust strategy can begin with data in mind. Starting from that perspective will lead to stronger, more encompassing protection. Data-centric controls like data encryption allow for erecting another layer of defense, requiring authentication beyond the domain login when necessary. For an organization’s most sensitive assets, it’s prudent to apply data-centric security measures like encryption, but in a way that makes those assets trackable and enables revocation if malfeasance is detected – regardless of the data’s location. Suppose our visitor wandering in the village proceeds to rob the bank. You want to follow the serial number of each individual dollar bill he takes, and render it useless wherever he tries to spend it. Importantly, the encryption method cannot introduce any user friction; if it does, people simply won’t use it.
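As an added illustration of this data-centric layer (example code written for this page, not from the original post or any product): each object is encrypted under its own key and carries a serial number, the key is held only by a key service, every open is authenticated, logged and checked against a revocation list, and a revoked object becomes unusable wherever its copy now lives. The cipher is a stand-in HMAC-based keystream chosen so the example runs on the standard library alone; a production system would use an authenticated cipher such as AES-GCM, and the `authenticated` flag stands for whatever step-up authentication the key service actually performs.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in cipher: HMAC-SHA256 used as a PRF in counter mode, so the example
    # needs no third-party package. Replace with AES-GCM in a real deployment.
    out = bytearray()
    for block, start in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[start:start + 32], ks))
    return bytes(out)


@dataclass
class KeyService:
    """Holds the per-object data keys; the only place a key can be released from."""
    keys: dict = field(default_factory=dict)    # object_id -> data key
    revoked: set = field(default_factory=set)   # object_ids rendered useless
    audit: list = field(default_factory=list)   # (object_id, user, outcome)

    def protect(self, owner: str, plaintext: bytes) -> dict:
        # The object id is the "serial number" that follows the data wherever it goes.
        object_id = secrets.token_hex(8)
        key, nonce = secrets.token_bytes(32), secrets.token_bytes(16)
        self.keys[object_id] = key
        self.audit.append((object_id, owner, "protect"))
        return {"id": object_id, "nonce": nonce, "ct": _keystream_xor(key, nonce, plaintext)}

    def open(self, user: str, authenticated: bool, blob: dict) -> Optional[bytes]:
        # Every open is a fresh decision and an audit record, independent of where
        # the blob is stored: the holder has ciphertext only, never the key.
        ok = authenticated and blob["id"] in self.keys and blob["id"] not in self.revoked
        self.audit.append((blob["id"], user, "open" if ok else "denied"))
        if not ok:
            return None
        return _keystream_xor(self.keys[blob["id"]], blob["nonce"], blob["ct"])

    def revoke(self, object_id: str) -> None:
        # Revocation happens centrally; copies already in the wild stop opening.
        self.revoked.add(object_id)
```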
Zero Trust is a Long Game
Once the choice is made on your Zero Trust strategic direction, only then is it time to move forward with details like prioritizing the capabilities you’ll require, identifying the specific technologies you’ll need and defining particular feature requirements. It will take a combination of technologies, applied over a long period of time. Of course the right level of access control is integral to the equation. But that will be greatly improved by an approach that puts data-level protection first.
Whether looking to secure email attachments, bolster Dropbox security, provide ransomware protection, or defend against myriad other cyber threats, only by taking control down to the data level can organizations truly secure their high-value assets, at rest and in motion. Zero Trust is a powerful security construct for the way computing is done today. But enhancing Zero Trust, going beyond identity, authentication and network controls to the data itself, is the last mile of true organizational defense.