As part of our teissTalk series, teiss hosted a panel session on Zero Trust and how to overcome the obstacles to rolling it out within your organisation. Journalist Geoff White was joined by:
- Twitter's Zero Trust Lead Technical Architect, Andrew Aken
- Chief Information Security Officer of Pharos Security, John Rouffas
- Chief Information Security Officer of Allegiant Air, Rob Hornbuckle
- CTO of PKI at Sectigo, Jason Soroko.
How do you start with zero trust?
You need to understand what your current operating environment is before you start considering zero trust. This will include things like the regulatory regime and standards that you aspire to comply with. Then you need to ensure that the fundamentals of cyber security are in place. Without the basics, such as asset management, threat intelligence, encryption and segmentation, you won’t be able to deliver an effective zero trust approach.
There is a simple process to go through:
- Start by mapping the current environment, the regulatory framework you aspire to and the controls that you have in place. In other words, assess where you are right now.
- Then decide where you want to get to in terms of zero trust. Not everyone will want to get to the highest level – it may be too expensive. So you need to decide on your risk appetite and use that understanding to determine your aspirations for zero trust.
- And finally, develop a roadmap to get there.
Why do this? The NSA says that the top focus for zero trust must be to add value to an organisation, increase its resilience and reduce risk. But zero trust will also improve user experience and productivity, because of the amount of automation typically involved, which alleviates the administrative overhead for security teams.
Zero trust can also improve performance and productivity. When you look at cyber security systems piecemeal and try to address particular problems, that adds a lot of overhead to what systems need to do to perform tasks. With zero trust you are looking at systems as a whole, which means you can identify overlap between different elements of security that have been implemented over the years. If you do this you can reduce the burden on the people administering them.
A common misunderstanding is that zero trust is a binary “yes or no” state. It is more of a journey. So you can evaluate the current maturity of your organisation’s zero trust, identify areas it can improve, and then put together a roadmap towards achieving a greater level of zero trust.
In a zero trust environment, how often do you have to re-evaluate people’s trustworthiness?
A core principle of zero trust is continuous verification. When you first log in and present the credentials required, and when your device is deemed worthy to connect to the system, that’s not the end of the verification process. The authorisation doesn’t end when you have logged on. It’s continuous verification throughout the session: the system won’t necessarily require more information from the user, but the system is making repeated checks.
In addition, different parts of the system may have different verification requirements. Managing that involves micro-segmentation of the system. Remember, zero trust isn’t just about end users; it’s also about different parts of the system interacting with other parts. So one of the main purposes of zero trust is to isolate different systems from one another, so that if a breach occurs the attackers can’t move laterally to other systems. This limits the damage if systems do get breached, and it can be done at a very granular level.
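To make the two ideas above concrete, here is an added illustration (not code from the panel, teiss or any vendor product) of a policy engine that re-evaluates a session on every request and enforces segment-to-segment reachability. The segment names, role names, time windows, risk threshold and the session timeline are all constructed assumptions for this example; a real deployment would feed these from identity, device-posture and network sources.

```python
"""Continuous verification plus micro-segmentation, as an added example.

Every request is re-checked against identity, device posture, session risk
and the segment policy, so a session that was trusted a minute ago loses
access the moment one of those signals changes. All policy data below is
constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Micro-segmentation policy (constructed): which source segment may reach
# which destination segment. Anything not listed is denied by default.
SEGMENT_POLICY: Dict[str, Set[str]] = {
    "user-workstations": {"web-tier"},
    "web-tier": {"app-tier"},
    "app-tier": {"db-tier"},
}

# Per-segment access requirements (constructed): roles that may access it,
# how recent the last strong authentication must be (seconds), and whether
# MFA is mandatory. More sensitive tiers get tighter requirements.
RESOURCE_POLICY: Dict[str, dict] = {
    "web-tier": {"roles": {"employee", "admin"}, "max_auth_age": 8 * 3600, "require_mfa": False},
    "app-tier": {"roles": {"developer", "admin"}, "max_auth_age": 4 * 3600, "require_mfa": True},
    "db-tier": {"roles": {"dba", "admin"}, "max_auth_age": 900, "require_mfa": True},
}

RISK_THRESHOLD = 70  # constructed cut-off for an anomaly-derived risk score


@dataclass
class Session:
    """Signals the policy engine re-checks on every request, not just at login."""
    user: str
    roles: Set[str]
    source_segment: str
    auth_time: int          # epoch seconds of the last strong authentication
    mfa_passed: bool
    device_compliant: bool  # e.g. disk encryption on, endpoint agent healthy
    risk_score: int = 0     # 0..100 from behavioural/anomaly signals


def evaluate(session: Session, resource: str, now: int) -> Tuple[bool, List[str]]:
    """Decide one request. Returns (allowed, reasons for denial).

    Every check runs on every call; there is no "already authenticated"
    shortcut, which is what continuous verification means in practice.
    """
    policy = RESOURCE_POLICY.get(resource)
    if policy is None:
        return False, ["unknown resource: default deny"]
    reasons: List[str] = []
    if resource not in SEGMENT_POLICY.get(session.source_segment, set()):
        reasons.append(f"segment {session.source_segment} may not reach {resource}")
    if not session.roles & policy["roles"]:
        reasons.append("no role grants access to " + resource)
    if now - session.auth_time > policy["max_auth_age"]:
        reasons.append("authentication too old: step-up required")
    if policy["require_mfa"] and not session.mfa_passed:
        reasons.append("MFA required")
    if not session.device_compliant:
        reasons.append("device posture non-compliant")
    if session.risk_score >= RISK_THRESHOLD:
        reasons.append("session risk score above threshold")
    return not reasons, reasons


def simulate(session: Session, resource: str, events: List[Tuple[int, dict]]) -> List[bool]:
    """Replay a session timeline: each event is (time, attribute changes).

    Returns the allow/deny decision after each event, showing how a session
    that starts out trusted can lose and regain access mid-session.
    """
    decisions = []
    for now, changes in events:
        for attr, value in changes.items():
            setattr(session, attr, value)
        allowed, _ = evaluate(session, resource, now)
        decisions.append(allowed)
    return decisions


if __name__ == "__main__":
    # Constructed timeline: an admin in the app tier reaching the database
    # tier. Trusted at first, then the endpoint agent reports a problem, then
    # the device is remediated, then the 900 s step-up window expires.
    s = Session("admin1", {"admin"}, "app-tier", auth_time=0, mfa_passed=True, device_compliant=True)
    timeline = [
        (60, {}),
        (120, {"device_compliant": False}),
        (180, {"device_compliant": True}),
        (2000, {}),
    ]
    for (t, _), ok in zip(timeline, simulate(s, "db-tier", timeline)):
        print(f"t={t:5d}s db-tier -> {'ALLOW' if ok else 'DENY'}")
```

The reasons list matters as much as the decision: a denial should be logged with why it happened, because a cluster of "device posture non-compliant" or "segment may not reach" denials is often the first signal of a compromised endpoint or attempted lateral movement.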
Is zero trust the same as zero harm?
Trusted people can be malicious. That means we can’t rely only on identity controls. We also need to consider what happens to resources when people access them. That’s where things like data loss prevention (DLP) come into play.
For a very distributed organisation with lots of different locations, it can be appropriate to use micro-segmentation to keep different parts safe. But with Covid and the dispersal of the workforce to multiple home locations, organisations have had to shift away from a focus on protecting micro-systems towards authenticating individual users: there has been a shift towards managing human, and not just system, identity.
Is zero trust just another piece of jargon: how can you show that it delivers real value?
Cyber security has been a progression over time. It started with a firewall. Then network segmentation happened, with firewalls in between different parts of a network – defence in depth. Zero trust is just an evolution of that concept: we have multiple moats and castles to protect the crown jewels, and when someone breaches one we want to be able to stop them moving through the system. So we stop people moving laterally, and we also limit the number of people who can access the different segments.
Zero trust as a concept is still evolving. It started to get popular when people put data in the cloud – there was a need to stop unauthorised people accessing it. The first thing that people did was to write policies that employees had to sign up to. The acceptable use policy was the most important. But that only works for people you know and can control. When you have someone who comes into your network who hasn’t been validated – a temporary worker perhaps – then the risk goes up. To manage this you need to understand the potential impact on the organisation in terms of its monetary significance.
Any organisation needs to understand what assets it has and who is using them. That is really what underpins zero trust.
How do you manage zero trust in a multi-vendor ecosystem?
Systems, often from different vendors, are becoming more and more inter-dependent. If you need equipment to talk to other equipment then you need to manage those interactions. Typically this will start with a standard. Different vendors may sign up to a consortium or adopt a standard so that they can show they are compliant with a particular trust model.
We used to be obsessed with what happened within a network. These days it is just as important to understand what is going on outside your network. You need to be able to extend trust to when things happen outside your Digital identity of people, machines and systems is fundamental to that.
teissTalk is a twice weekly Information Security talk show for Information Security leaders focusing on the vital questions affecting the industry in a relaxed and informal environment.