As it has become painfully apparent that perimeter defenses alone are inadequate to protect organizations from malicious intruders, the role that misplaced trust plays in undermining security has attracted increased attention from system defenders. The notion that anyone with a username and password should receive unlimited trust after logging onto a network is coming under increased scrutiny and feeding the growth of the zero-trust security model.
Trust no one
Zero-trust takes a "trust no one, trust nothing" approach to security. Even someone with a valid username and password, for example, trying to access the system from a new device or new location could have his or her access challenged. What's more, that person's actions on the network will be monitored for unusual behavior. What a person can do on a network is also tightly controlled, as well as what applications can do.
That kind of trust model is being driven by the technologies needed by companies to do business today. The introduction of mobile and cloud technologies along with third-party sourcing arrangements has blurred the hard lines that defined the perimeter. "With an on-prem environment, you just protected the perimeter. You had a hard shell and soft center," explained George Gerchow, vice president of security and compliance at Sumo Logic, an analytics service provider for cloud-based applications.
"Developers did what they wanted," he continued. "You hoped they used best practices, but you always had the perimeter locked down. Now everything in the cloud is born into a hostile environment, so we can't take that chance. There is no perimeter."
Meanwhile, the Internet of Things (IoT) will be adding to the trust problems faced by networks. According to Gartner, by the end of 2018, more than 50% of IoT device makers will still be unable to address product threats emanating from weak authentication practices.
"IoT adds complexity because there is not a human behind it, It's these things on our networks that can be compromised and can compromise the rest of the network."
—George Gerchow
As the IoT grows, you want zero-trust across those IoT devices and how they communicate with your mission-crtical systems, Gerchow said.
Are zero-trust networks a panacea? Security experts weigh in.
Insider threats: Identity matters
The decline in the effectiveness of perimeter defenses has been accompanied by exploitation of existing trust models for malicious purposes. According to Intel, 43% of data breaches are attributable to inside attacks. The success of many of those attacks has fueled account compromise activity. In its recent Security Intelligence Report, for example, Microsoft noted that during the first quarter of 2017, attacks on the accounts of its cloud users jumped 300% year over year. Account logins from pernicious IP addresses also increased, 44% year over year.
"Fraudulent new account creation is on the rapid rise and is a direct result of the surge in personally identifiable information data and legitimate user credentials so cheap and readily available to hackers on the dark web," said Ryan Wilk, director of customer success at NuData Security, a biometrics and behavioral analytics company. He added that in the last six months, his company has seen a 447% increase in account takeover attacks on both mobile and web logins.
Ivan Dwyer, director of product marketing at ScaleFT, a zero-trust security company, maintained that a zero-trust architecture is capable of making smarter trust decisions by accounting for the dynamic nature of users and devices. That begins by redefining corporate identity as a user plus the user's device at a point in time, which provides the context needed to make real-time trust decisions.
When implemented properly, a zero-trust architecture mitigates the most common insider attack vector, static credentials, Dwyer said.
"When every request is independently authenticated and authorized, the credential needed to initiate a secure session is ephemeral—limited in scope to the user and device connecting to a specific resource at a point in time."
—Ivan Dwyer
Another benefit of a zero-trust network is that connections are tested before they're made, said Leo Taddeo, chief information security officer at Cyxtera, a secure infrastructure company.
"If you look at the TCP/IP protocol, it's backwards. It allows a packet to traverse into a network segment, shake hands with an application, and then present credentials. That's the equivalent of TSA letting you get on an airplane, letting the plane take off, and then asking you for ID and checking for weapons."
—Leo Taddeo
Using the zero-trust model at the network level, where you can test and validate a user and device before allowing them on the network segment, is a big leap in security, Taddeo said.
The challenges with zero-trust
As effective as zero-trust systems can be, they can pose challenges to organizations with designs to deploy them. For example, they're not set-it-and-forget-it solutions.
Organizations need to know to the finest level of precision what is deployed on their infrastructure, the purposes of all those things, who can have access to which resources and why, and what action they are allowed to perform.
For zero-trust to be implemented and work, organizations need to understand access rights from the bottom of the technology stack to its highest level.
It's largely impractical for any organization to have a full, accurate picture on an ongoing basis of all the resources deployed at each level across the entire enterprise architecture, said Isabelle Dumont, a vice president at Lacework, provider of cloud security solutions.
"Modern organizations are dynamic, and so are their computing infrastructures. This leads to a situation where rules and policies are always one step behind what's actually being deployed. This is especially true in the cloud, where VMs, containers, and IP addresses are recycled all the time."
—Isabelle Dumont
However, all that care will pay off for organizations willing to take on the task, noted Aaron Lint, vice president of research at Arxan Technologies, an application attack prevention and self-protection company.
"While it takes a little more foresight, you will get better granularity if and when anything goes wrong."
—Aaron Lint
Productivity issues and cost
Zero-trust can also have an impact on employee productivity. "There's a tradeoff between security and productivity with the zero-trust model," said David Murray, product manager for endpoint security at Ivanti, an IT assets management company. "If I'm blocked from doing something I need to do, it's going to slow me down."
"It can be hard to maintain productivity and ensure everyone has access to what they need in a zero-trust model when you have that constant change."
—David Murray
Cost, too, can be a challenge to organizations interested in embracing zero-trust. Although there are some inexpensive tools for implementing aspects of zero-trust, to fully implement the approach, very expensive tools need to be acquired, noted Nathan Wenzler, chief security strategist at AsTech, a security consulting company. "Additionally, the administrative overhead requires a large number of man-hours to get up and running, as well as to maintain going forward," he said.
Chris Roberts is even more skeptical. The chief security architect at Acalvio, a provider of threat detection and defense solutions, said, "There are lots of zero-trust solutions out there—some of them even work."
"Many solutions are still too fluffy and involve a lot of up-front changes or aren't fully baked. Choose wisely."
—Chris Roberts
Because of the high cost of deploying zero-trust systems, organizations may want to implement them in stages. "You're not going to be able to control everything at once. You need to pick the things that are critical and start there," observed Bryson Bort, CEO of Grimm, a computer and network security company.
"Set up a trust model there and segment it off from everything else," Bort suggested. "Then slowly circle out."
Ian Paterson, CEO of Plurilock, a developer of network security products and digital identification solutions, recommends that organizations start their zero-trust programs by assessing high-risk areas where permissions have been historically lax.
"Privileged accounts is an area that frequently keeps our customers up at night."
—Ian Paterson
Some cost savings, though, may be realized after a zero-trust system is deployed. "Once implemented, companies should expect cost savings in a number of areas related to employee productivity and IT support costs," ScaleFT's Dwyer said. For instance, he noted that after Google deployed its zero-trust system, called BeyondCorp, across the company, it noticed a 30% reduction in IT support tickets.
Some of that reduction in cries for help may be attributable to improvements in security hygiene and the granularity of information within an organization that implements zero-trust. "A natural by-product of zero-trust is that the workflows inherently encourage better employee security posture, as the policies are built around self-awareness and device upkeep," Dwyer explained.
Rather than the typical error message of being locked out of a VPN, for example, a well-implemented zero-trust system knows why a request has been blocked and can deliver that message to the user in a more friendly manner, he said.
"Over time, a better security posture will just become habit, much to the delight of security and risk teams."
—Ivan Dwyer
Trust issues always remain
Can all trust ever be wrung from a system? At the very least, the people administering the system need a wide degree of trust to keep it working. That's why zero-trust has its doubters.
Sumo Logic's Gerchow said he had never personally seen an entire environment that's 100% zero-trust, for various reasons. But he said it's a really good goal.
"Zero-trust is Utopian. It's something that people strive for."
—George Gerchow
Kumar Saurabh, CEO and co-founder of the security automation company LogicHub, said it's a great principle for security teams to follow.
"After talking to about 200 customers over the last 18 months, we believe zero-trust might be more aspirational than practical, because of the costs and challenges involved in implementing it."
—Kumar Saurabh
Keep learning
Learn from your SecOps peers with TechBeacon's State of SecOps 2021 Guide. Plus: Download the CyberRes 2021 State of Security Operations.
Get a handle on SecOps tooling with TechBeacon's Guide, which includes the GigaOm Radar for SIEM.
The future is security as code. Find out how DevSecOps gets you there with TechBeacon's Guide. Plus: See the SANS DevSecOps survey report for key insights for practitioners.
Get up to speed on cyber resilience with TechBeacon's Guide. Plus: Take the Cyber Resilience Assessment.
Put it all into action with TechBeacon's Guide to a Modern Security Operations Center.
