Introduction

There is no doubt that the Cybersecurity world is becoming more complex on a daily basis.  For example, new attack variants appear constantly, Cyberattackers are more deliberate in choosing their targets, it is harder than ever to tell a spoofed website from a real one, and Social Engineering tactics have become sophisticated enough to trick even a Cybersecurity professional into giving out Personally Identifiable Information (PII).

In fact, because of all this confusion and mayhem, it is becoming harder to trust anything digital that you receive.  For instance, how can you be sure that an email really came from the sender it claims to come from?

When you engage with a virtual assistant via Chatbot, what proof do you have that you are not communicating with a Cyberattacker on the other side?  Or, when you wire money from your bank account, what assurance do you have that it will reach its intended destination and not some fraudulent, offshore account?

As a result, many businesses are now adopting a policy of Zero Trust.  In other words, nothing is treated as legitimate until its identity and authenticity have been verified.  This concept is explored further in this blog.

What Exactly Is Zero Trust?

A specific definition of Zero Trust is as follows:

“Zero trust security means that no one is trusted by default from inside or outside the network, and verification is required from everyone trying to gain access to resources on the network.”

(SOURCE:  1).

In other words, simply put, when it comes to accessing network-based assets within your IT infrastructure, nobody is trusted by default, whether they come from outside or from inside your business.  This applies to everyone, from the lowest-ranking employee all the way up to the highest-ranking employee in your business.

Just because you have worked with an individual for years (such as your administrative assistant), or because you are the CIO/CISO, nothing is assumed or taken for granted: there is no implicit trust at any level, however small.

Everybody has to go through the same authentication checks in order to substantiate the claims being made about their identity.  This is very often accomplished through Two Factor Authentication (2FA) or, more generally, Multifactor Authentication (MFA).  MFA means proving identity with two or more independent factors, such as something you know (a password), something you have (a hardware token or phone) and something you are (a biometric); 2FA is simply the case of exactly two factors.  Note that two checks of the same kind (for example, a password and a second password-style secret) do not count as two factors.

The Key Tenets of Zero Trust

Most organizations are adopting MFA because each additional independent factor further reduces the probability that a Cyberattacker can get through every successive check.  In fact, strong authentication through MFA is one of the key tenets of the Zero Trust model, and there are others as well, which include the following:

The Cyberattacker is always present:

This tenet (often summarized as “assume breach”) asserts that there is always a strong possibility that a Cyberattacker is lurking both outside and inside your IT infrastructure, even when the available evidence points to the contrary.

The implementation of least privilege access:

As the name states, the IT Security team of any business should grant only those privileges, accesses and rights that are the bare minimum an employee needs in order to carry out their daily job functions.  Any escalation beyond this has to go through an intensive review and approval process, and should ideally be granted only temporarily.

The use of “micro segmentation”:

In this regard, the lines of defense that protect the IT infrastructure of your business are broken up into smaller zones.  So, instead of having just one perimeter wall, it is broken down into many smaller, micro walls, to provide a more layered approach.  With a single perimeter, once a Cyberattacker penetrates it, all of your mission critical assets are exposed; with micro segmentation, a breach of one zone does not expose everything else.  This gives you the critical time you need to isolate and remediate the breach before the Cyberattacker can spread sideways into other zones (what is known as lateral movement).

Also, micro segmentation means that all of the shared network resources are allocated into separate, secure zones as well.  For example, while an employee may have the privileges to access the accounting files, that access does not carry over into the files of the other departments in the company: reaching another zone requires its own explicit authentication and authorization decision.

The adoption of a software driven approach is a must:

Keeping a Zero Trust model finely tuned means that it needs constant attention, on a daily basis.  If an IT Security team were to do this manually, it would take an enormous amount of time, and mistakes would be very easy to make.  Therefore, making use of a software-based automation platform is also a key component.  The micro segments that are needed (as described above) can be created from policy definitions, and all updates and policy enforcement can be done in real time, quickly and consistently.  In this kind of scenario, Artificial Intelligence (AI) technology is starting to be used to a larger degree.

The need for easy to access Dashboards and Analytics:

While micro segmentation does have its key benefits, it does suffer from a downside:  more, smaller zones make it harder to keep track of all of the activity transpiring across the IT infrastructure as a whole.  Because of this, the Zero Trust model also calls for the deployment of easily accessible Dashboards and Analytics that consolidate all of this into a quickly decipherable “View”.  The idea here is that the IT Security team can then gain a holistic picture of what is going on, and thus be able to react to any anomalous or malicious behavior with a proactive mindset.
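Taken together, the tenets above amount to one decision made on every request: verify the identity and the device, ignore where the request comes from, and allow only what the caller's group has been explicitly granted in that micro segment, with deny as the default.  The following Python is an added illustration of that decision logic, not code from the original article; the segment names, groups and request fields are hypothetical.

```python
"""Added example: a minimal Zero Trust access decision.

Every request is evaluated against an explicit, default-deny policy.
Segment and group names are hypothetical; a real deployment would load
them from a policy store, and the identity and device facts would come
from the identity provider and endpoint management system.
"""
from dataclasses import dataclass

# Micro segments and the groups explicitly granted access to each.
SEGMENT_POLICY = {
    "accounting-files": {"groups": {"accounting"}, "require_mfa": True},
    "hr-files": {"groups": {"hr"}, "require_mfa": True},
    "intranet-wiki": {"groups": {"accounting", "hr", "engineering"},
                      "require_mfa": False},
}


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset       # group memberships asserted by the identity provider
    mfa_verified: bool      # MFA completed for this session
    device_compliant: bool  # endpoint passed its posture check
    source: str             # "internal" or "external"; deliberately never consulted
    segment: str            # micro segment the request is trying to reach


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def evaluate(req: Request) -> Decision:
    """Default deny: every check must pass for an allow.

    req.source is never used: being on the internal network confers no trust.
    """
    policy = SEGMENT_POLICY.get(req.segment)
    if policy is None:
        return Decision(False, "unknown segment")
    if not req.device_compliant:
        return Decision(False, "device failed posture check")
    if policy["require_mfa"] and not req.mfa_verified:
        return Decision(False, "MFA required for this segment")
    if not (req.groups & policy["groups"]):
        return Decision(False, "no group grants access to this segment")
    return Decision(True, "identity, device and group policy all verified")


def decision_log_line(req: Request, dec: Decision) -> str:
    """Render a decision as a single log line for a SIEM to ingest."""
    return (f"user={req.user} source={req.source} segment={req.segment} "
            f"result={'allow' if dec.allowed else 'deny'} reason=\"{dec.reason}\"")


if __name__ == "__main__":
    # Constructed requests: the same accounting user from inside and outside,
    # a senior user without MFA, and an attempt to reach another department.
    samples = [
        Request("alice", frozenset({"accounting"}), True, True, "internal", "accounting-files"),
        Request("alice", frozenset({"accounting"}), True, True, "external", "accounting-files"),
        Request("ciso", frozenset({"accounting", "hr"}), False, True, "internal", "hr-files"),
        Request("alice", frozenset({"accounting"}), True, True, "internal", "hr-files"),
    ]
    for r in samples:
        print(decision_log_line(r, evaluate(r)))
```

Running it shows that alice's access to the accounting files is allowed identically from inside and outside the network, that the CISO is denied the HR files without MFA despite being in an authorized group, and that alice's accounting privileges do not carry over into the HR segment.  The one-line-per-decision output is the kind of record the Dashboards and SIEM discussed later in this blog would consume.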

How To Create a Zero Trust Environment

Keep in mind that you simply cannot deploy a Zero Trust environment all at once.  Doing so will have a detrimental impact on your business processes and, worse yet, on employee productivity and morale.  Thus, if you do decide to implement this kind of framework, it is very important that you use a gradual, phased-in approach so that you can get buy-in from all of the stakeholders (both internal and external) that will be affected by this new kind of environment.

Here are five key steps that you can use to get started at the initial outset:

1. Understand what needs to be protected first:

Obviously, the ultimate goal is to adopt the Zero Trust model for your entire IT infrastructure.  But first, you need to decide what is most at stake in your business and protect that first.  In this regard, it will likely be the databases that contain the Personally Identifiable Information (PII) of your customers, including their credit card and other financial information and health care information, as well as your digital Intellectual Property (IP) assets.  Once this has been clearly defined, it is then important that you define the Zero Trust model in understandable terms in your Security Policy.

2. Map out your network flows:

Another key lifeline of your business is the network connections that are both internal and external to your environment.  For example, the internal could be your company intranet, and the external will obviously be the connections made by your remote employees.  Most of the activity that transpires here will be access to the shared resources stored on your network drives.  As a result, it is imperative that you deploy the Zero Trust model here as well, and strictly enforce the concept of least privilege access.  Mapping these flows (who talks to what, over which ports and protocols) is also what tells you where the boundaries of your micro segments should go.

3. Create your own Zero Trust model:

A cardinal rule is never to implement a framework that is simply “off the shelf”.  In most instances, this approach will not work, because it is not tailored to your environment.  Therefore, when adopting your Zero Trust model, you need to take a very close look at what your most urgent security requirements are and start building from there.  In other words, you need to customize it to fit your exact needs, and this process should begin with a thorough risk assessment.

4. Defining end user groups and their privileges:

Part of the process of customizing your Zero Trust model also means taking a very detailed look at all of your employees, the types of shared resources that they access, as well as the various files that they work in.  From there, you then need to define and create the appropriate user groups, the exact permissions assigned to each group, and which shared resources each group can access.  By doing this, you will be implementing a fine level of granularity that ensures only legitimate access and network communication flows are taking place.

5. Develop a methodology for keeping track of movements:

Once you have accomplished the above tasks and started the initial phase of your Zero Trust model, the next step is to implement the tools needed to keep track of all of this (most importantly, the network log files and the logs of the access decisions themselves), and to be alerted in real time to any anomalous or malicious behavior.  A good class of software to use here is what is known as a “SIEM”, which is an acronym for Security Information & Event Management.
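As an added illustration of what step 5 looks like in practice (not code from the original article), the following Python applies one SIEM-style detection rule to a handful of constructed access-decision log lines: a user who is denied on several different micro segments within a short window is probably probing for access they were never granted, which is exactly the lateral movement that micro segmentation is meant to slow down.  The log format, the ten-minute window and the threshold of three segments are assumptions chosen for the example.

```python
"""Added example: a SIEM-style detection rule over access-decision logs.

The log format, window and threshold are assumptions made for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: the kind of line a policy enforcement point might
# emit for each access decision.  Not captured from any real system.
SAMPLE_LOG = [
    "2024-03-04T09:00:05Z user=alice segment=accounting-files result=allow",
    "2024-03-04T09:01:10Z user=bob segment=accounting-files result=deny reason=\"no group grants access\"",
    "2024-03-04T09:02:30Z user=bob segment=hr-files result=deny reason=\"no group grants access\"",
    "2024-03-04T09:03:45Z user=alice segment=hr-files result=deny reason=\"no group grants access\"",
    "2024-03-04T09:04:00Z user=bob segment=engineering-repo result=deny reason=\"no group grants access\"",
    "2024-03-04T09:05:00Z user=bob segment=intranet-wiki result=allow",
    "this line is malformed and should be skipped",
]

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) "
    r"user=(?P<user>\S+) segment=(?P<segment>\S+) result=(?P<result>allow|deny)"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "user": m["user"],
        "segment": m["segment"],
        "result": m["result"],
    }


def find_segment_probing(lines, window=timedelta(minutes=10), threshold=3):
    """Flag users denied on >= threshold distinct segments within one window.

    Returns {user: sorted list of the segments that triggered the alert}.
    """
    denials = defaultdict(list)   # user -> [(timestamp, segment), ...]
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue   # malformed; a production rule would also count these
        if event["result"] == "deny":
            denials[event["user"]].append((event["ts"], event["segment"]))

    alerts = {}
    for user, events in denials.items():
        events.sort()
        for i, (ts, _) in enumerate(events):
            # Distinct segments denied in the window ending at this event.
            recent = {seg for t, seg in events[: i + 1] if ts - t <= window}
            if len(recent) >= threshold:
                alerts[user] = sorted(recent)
                break
    return alerts


if __name__ == "__main__":
    for user, segments in find_segment_probing(SAMPLE_LOG).items():
        print(f"ALERT: {user} denied on {len(segments)} segments: {', '.join(segments)}")
```

On the sample log only bob is flagged: three denials on three different segments inside four minutes.  alice's single denial is the ordinary noise of least privilege working as intended, which is why the rule counts distinct segments rather than raw denial volume.  In a real SIEM the same logic would be expressed in the product's query language and fed by the enforcement points' own logs.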

Conclusions

Some of the key benefits of implementing a Zero Trust model include the following:

  • A greatly reduced chance of an insider attack from occurring in your business.
  • Your customer databases, as well as your other IT assets, will have a much stronger level of protection.
  • You will have much greater control over your Cloud-based environment, especially if you are using AWS or Azure.
  • The time it takes to detect a security breach is much shorter.
  • You can come into compliance a lot more quickly and efficiently with data privacy laws such as the CCPA and the GDPR.

At the outset, deploying this kind of framework may appear to be extreme.  But the bottom line is that you, the CIO or the CISO, have to protect your business from Cyberattacks, and this is where the Zero Trust model can be of greatest benefit to you.

Sources