A zero-trust security architecture approach is based on the premise that organizations should not inherently trust any system that connects to or interacts with their technical infrastructure and/or networks without verification and validation of its need to connect and an inspection of its security posture and capabilities. Historically, many organizations worked under the assumption that devices that connected to their networks and systems within their network perimeters and facilities were inherently trustworthy because they were connecting through internally managed and secured network and technical infrastructure. While this approach was considered reasonable in the age when systems and data assets were typically restricted to 4 walls, a local area network (LAN) and a mainframe, it is no longer viable in the current operating model of a globalized workforce, where systems and data assets know no boundaries and are exposed to environments beyond those controlled and maintained by the governing organization.
A zero-trust architecture is conceptually a seemingly obvious and positive approach to effective security for many organizations, but adoption can be challenging and has a negative impact on the business if not thoughtfully and carefully designed and implemented. A zero-trust security architecture requires intimate knowledge of an organization’s information risk profile, business concepts, strategy, processes and requirements before any technical considerations are introduced. There are 5 key things to consider when adopting a zero-trust security architecture:
- Zero trust is an architecture philosophy and strategy and not a technology—A common misconception about zero trust is that it is primarily a collection of security-related protocols, technologies and tools, including the 802.1X protocol, network access control software and hardware, and micro-segmentation. While these are important and are often included in the implementation of zero-trust capabilities, they are in actuality a very small portion of successful implementations. Too often, organizations look for silver-bullet technology approaches to security to achieve their goals quickly with minimal human effort, only to be disappointed with the results. Technology-first implementations tend to provide only minimal benefits, not because the technology is ineffective, but because technology is only the implementation and enforcement component of the approach. Technology is only as good as the strategy, planning, implementation and maintenance of its use.

  Zero-trust architecture approaches require the development and implementation of policies and rules that will be applied to devices that connect to networks and systems. While technologies can help identify and propose these policies, they ultimately need to be developed, reviewed and curated by business process owners, stakeholders and security professionals. It is suggested that organizations follow a monitor, learn, execute approach for the development and implementation of technical security policies, especially when they are retrofitting environments instead of working in greenfield implementations. Governance and oversight capabilities are important to implement and maintain as well, to ensure the development and upkeep of technical security policies as part of the ongoing maintenance of existing business processes and as part of the development of new ones.

- Zero trust requires cultural change—The successful implementation of zero trust starts with cultural change and acceptance. One of the current challenges to the adoption of zero trust is the perception and concern among stakeholders and constituents that this approach will cause business disruption and inefficiency because of perceived threats and vulnerabilities that are not realistic or material to the organization. It is human nature to resist change, especially when affected individuals feel as though capabilities they are used to having are being taken away from them. Individuals in organizations have often been trained and conditioned to believe that their internal networks and environments are inherently secure. As an example, users may be disgruntled if they were previously able to connect their personal mobile devices to enterprise Wi-Fi networks and, as a result of the implementation of zero trust, their devices must now undergo inspection and may face new restrictions on access.

  The best way to manage this risk is to communicate the reasoning and justification for these requirements in a way that is both easily understood and meaningful to users. Changing this mindset requires individuals to consider and recognize that malicious actors and software are likely already within the environment and are likely to continue to expand their presence as the operating environment expands and becomes more porous. Providing realistic scenario-based training and case studies that are applicable and representative of an organization's environment is often a useful approach to enlightening individuals and advancing their thinking and acceptance of the need for a zero-trust approach.

- Visibility is a key tenet of zero-trust architecture—You cannot protect what you do not know. This is a well-understood tenet of security that applies to zero trust. In a zero-trust network implementation, it is important to identify and incorporate all network and system access and connection points, both physical and virtual. Once these connection points are understood, the connection details (e.g., ports, protocols, existing access control lists, data flow characteristics) should be inventoried and mapped to business processes and requirements. Only with this entire spectrum of information available can comprehensive zero-trust policies be developed and implemented.

  It is also important to create business process mappings, data flow diagrams and visualizations to allow for the creation, curation and maintenance of the granular policies and connection rules that are part of any zero-trust implementation. Business process mapping allows for the identification and vetting of expected and accepted network and system connection types and data flows, ensuring that business activities are not disrupted by implementing a zero-trust architecture and operating model. Business process mappings and data flows can be especially useful in identifying dependencies on third-party systems and networks that the organization must interact with but that are outside its governance or control. These connections can be especially challenging for security professionals, since they often have limited visibility and control over them. This often means the enterprise must allow more access for such connections than it would for internally controlled connections in order to support business requirements and expectations.

- Zero trust vs. verified trust—While zero trust is a fairly well-defined and aspirational approach, a verified-trust approach and strategy may be a more attractive and pragmatic goal for organizations. Verified trust provides a risk-based approach to technical trust and trust of connections instead of an authoritative one. In a verified-trust approach, initial network and system connections with limited restrictions can be made, and their associated network traffic and activities are then monitored and dynamically controlled as their intentions and activities are understood and validated for appropriateness. This aligns more closely with the principle of "trust, but verify." Where zero trust assumes no connection can be allowed unless strict rules and requirements are met, verified trust allows a dynamic approach that can be less business-impacting while still providing increased levels of protection.

  A verified-trust approach allows for the use of a risk-based approach instead of an authoritarian one. This approach is often easier for business practices to adopt and is more widely accepted by business leaders and constituents. A risk-based approach should align with an organization's information risk profile, which identifies and ranks data assets and information infrastructure according to their value to the organization. This level of insight allows for an informed risk management approach to developing and implementing policies and rules. It can also identify use cases and environments where verified-trust and zero-trust philosophies can be used simultaneously. For instance, a guest wireless network may follow a verified-trust approach, while a network segment that supports a secure enclave (i.e., an area in which an organization's most sensitive systems and assets are operated) can follow a zero-trust approach.

- Zero-trust architecture should be a combination of endpoint and network capabilities—A common misconception is that zero-trust architecture models should be endpoint focused. As is often the case in information security, there are no absolutes. A layered approach is often more effective than a singularly focused one. While there is a great deal of focus on the interrogation and security posture investigation of endpoints, the value of and requirement for effective network security policies should not be discounted. These policies make it more difficult for adversaries to traverse networks with malicious actions if they are able to circumvent the endpoint solutions used for interrogation and policy enforcement.

  It is suggested that organizations adopting a zero-trust approach start with the definition and implementation of their network security policies and then define and implement their endpoint capabilities, to ensure that the two are complementary and to limit the risk of causing availability issues for their networks and systems.
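The points above about visibility (inventorying connection details and mapping them to business processes), the monitor, learn, execute progression, and the coexistence of verified-trust and zero-trust segments can be made concrete in a small policy model. The following is an added example written for this page, not code from the article or from IP Architects; the segment names, ports, business rules, flows and the anomaly threshold are constructed sample values, and the choice to judge a connection under the stricter of its two segments' modes is an assumption of this example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

class TrustMode(Enum):
    ZERO_TRUST = "zero-trust"          # deny unless a vetted business rule permits the flow
    VERIFIED_TRUST = "verified-trust"  # permit with limited rights, monitor, tighten on evidence

class Stage(Enum):
    MONITOR = "monitor"  # compute verdicts and log them, enforce nothing (learn phase)
    EXECUTE = "execute"  # enforce verdicts

@dataclass(frozen=True)
class Segment:
    name: str
    mode: TrustMode
    requires_posture: bool  # endpoint layer must report a passing posture check

@dataclass(frozen=True)
class BusinessRule:
    process: str  # business process owning this connection, vetted by its owner
    src_segment: str
    dst_segment: str
    dst_port: int
    proto: str

@dataclass(frozen=True)
class Flow:
    src_segment: str
    dst_segment: str
    dst_port: int
    proto: str
    posture_ok: bool  # endpoint inspection result; False also when no agent reported

@dataclass(frozen=True)
class Decision:
    verdict: str   # allow | allow-restricted | deny
    enforced: str  # what the network layer actually does at this stage
    reason: str

# Constructed sample inventory: segments and the rules derived from business process mapping.
SEGMENTS = {s.name: s for s in [
    Segment("guest-wifi", TrustMode.VERIFIED_TRUST, requires_posture=False),
    Segment("internet-egress", TrustMode.VERIFIED_TRUST, requires_posture=False),
    Segment("corp-lan", TrustMode.ZERO_TRUST, requires_posture=True),
    Segment("secure-enclave", TrustMode.ZERO_TRUST, requires_posture=True),
]}
RULES = [
    BusinessRule("payroll-batch", "corp-lan", "secure-enclave", 5432, "tcp"),
    BusinessRule("guest-web-browsing", "guest-wifi", "internet-egress", 443, "tcp"),
]
ANOMALY_THRESHOLD = 3  # monitored events after which a verified-trust grant is withdrawn

def matching_rule(flow: Flow, rules=RULES) -> Optional[BusinessRule]:
    """Return the vetted business rule that covers this flow, if any."""
    for r in rules:
        if (r.src_segment, r.dst_segment, r.dst_port, r.proto) == \
           (flow.src_segment, flow.dst_segment, flow.dst_port, flow.proto):
            return r
    return None

def effective_mode(flow: Flow) -> TrustMode:
    """Assumption of this example: a connection is judged under the stricter segment's mode."""
    modes = {SEGMENTS[flow.src_segment].mode, SEGMENTS[flow.dst_segment].mode}
    return TrustMode.ZERO_TRUST if TrustMode.ZERO_TRUST in modes else TrustMode.VERIFIED_TRUST

def posture_required(flow: Flow) -> bool:
    return SEGMENTS[flow.src_segment].requires_posture or SEGMENTS[flow.dst_segment].requires_posture

def decide(flow: Flow, stage: Stage, anomaly_count: int = 0) -> Decision:
    rule = matching_rule(flow)
    if rule is not None:
        if posture_required(flow) and not flow.posture_ok:
            verdict, reason = "deny", f"{rule.process}: endpoint failed posture inspection"
        else:
            verdict, reason = "allow", f"mapped to business process {rule.process}"
    elif effective_mode(flow) is TrustMode.ZERO_TRUST:
        verdict, reason = "deny", "no mapped business process on a zero-trust segment"
    elif anomaly_count >= ANOMALY_THRESHOLD:
        verdict, reason = "deny", f"verified-trust grant withdrawn after {anomaly_count} anomalies"
    else:
        verdict, reason = "allow-restricted", "unmapped flow permitted with limited rights, monitored"
    # Monitor stage: record what would happen without enforcing, so owners can vet the policy first.
    enforced = "allow+log" if stage is Stage.MONITOR else verdict
    return Decision(verdict, enforced, reason)

def propose_rules(flows) -> list:
    """Learn step: turn unmapped observed flows into candidate rules awaiting owner vetting."""
    seen, proposals = set(), []
    for f in flows:
        key = (f.src_segment, f.dst_segment, f.dst_port, f.proto)
        if matching_rule(f) is None and key not in seen:
            seen.add(key)
            proposals.append(BusinessRule("UNVETTED", *key))
    return proposals

if __name__ == "__main__":
    sample = [  # constructed flows as a monitoring sensor might report them
        Flow("corp-lan", "secure-enclave", 5432, "tcp", posture_ok=True),
        Flow("corp-lan", "secure-enclave", 5432, "tcp", posture_ok=False),
        Flow("guest-wifi", "secure-enclave", 22, "tcp", posture_ok=True),
        Flow("guest-wifi", "internet-egress", 8080, "tcp", posture_ok=False),
    ]
    for f in sample:
        print(f, decide(f, Stage.EXECUTE))
    print("candidate rules for owner review:", propose_rules(sample))
```

Run in `Stage.MONITOR` first: every flow is passed with a log entry, but the recorded verdict shows what enforcement would have blocked, and `propose_rules` lists the unmapped flows for process owners to vet or reject before the policy moves to `Stage.EXECUTE`. The same decision function yields a hard deny for an unmapped flow touching the secure enclave and a restricted, monitored grant for an unmapped flow from guest Wi-Fi, which is how the two philosophies coexist on one network.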
The promised benefits of zero-trust architecture models can quickly become burdensome to an organization's business activities, and their effectiveness degraded, if they are not carefully architected, designed, implemented and maintained. To be successful, the implementation and operation of a zero-trust architecture approach should be treated as an ongoing program and not a point-in-time project. As business requirements and expectations change, so will the configuration and operation of zero-trust capabilities. If properly implemented and maintained, zero-trust security architecture approaches can be business enabling and provide material enhancements to the security postures of the organizations that use them.
John P. Pironti, CISA, CRISC, CISM, CGEIT, CISSP, ISSAP, ISSMP, is the president of IP Architects LLC.