The days of castle-and-moat cybersecurity are over. At least, they should be over. The old model is no longer cutting it, not even close. Across the globe, cybercrime is costing companies trillions a year. According to the 2017 Annual Cybercrime Report, it is estimated to cost the world $6 trillion a year by 2021, up from $3 trillion in 2015. The IBM-sponsored 2017 Cost of Data Breach Study from the Ponemon Institute put the global average cost of a single data breach at $3.63 million, and found that the average breach now exposes around 24,000 records per incident.
At this point, the problem is simple from a bird's eye view: even as threats have evolved, companies have kept a castle-and-moat mentality. They treat cybersecurity as an "outside is dangerous, inside is safe" scenario: as long as they put up a strong perimeter, the company's data will be safe behind the walls. But reality no longer fits that mentality. As this report from McAfee notes, internal actors are responsible for 43 percent of data loss. Half of those incidents are intentional and the other half are accidental, and a perimeter does nothing about either.
It’s no longer a situation in which data centers serve a contained network. Today’s environment has a complicated mix of challenges. On one hand, some things are contained on-site within a perimeter of firewalls. On the other hand, other applications exist in cloud networks that are exposed to chaotic cobwebs of users from different access points and devices around the world.
It’s an unmanageable situation when you’re tackling it with the old mentality. There are too many applications that run openly with too many default connections, most of which are based on unmerited trust. The solution is simple: trust no one, trust nothing. In the language of daily life, that phrase might sound anti-social and cold. But in cybersecurity, it is pragmatic. It is fast becoming the only practical solution to this massive quagmire of security that we call the internet.
What are Zero Trust Networks?
The term Zero Trust Network, also known as Zero Trust Architecture, was conceptualized in 2010. John Kindervag, then a principal analyst at Forrester Research Inc., created the Zero Trust model and coined the phrase.
A Zero Trust Network scrutinizes and verifies everything that attempts to connect to it, whether the request comes from an internal or an external source. It forbids access to anything until the source is verified and authorized. That really does mean refusing access by default to every machine and every IP address, including the ones already inside the network.
Each request to connect is vetted and approved on an individual basis. Credentials are short-lived and temporary, tightly monitored, and limited to that particular user on that particular device reaching a specific resource at a specific moment in time, similar to a burner phone that is thrown away after one call.
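To make the credential model in the paragraph above concrete, here is an added example (not from the original article or any vendor product) of a grant that is short-lived and bound to one user, one device and one resource. It uses an HMAC over the claims with a constructed issuer key; the five-minute lifetime, the claim names and the device identifier format are assumptions, and a production system would have the identity provider issue a standard signed token (such as a JWT) rather than this hand-rolled format.

```python
"""Short-lived, narrowly scoped access grant (constructed example).

A grant is signed over (user, device, resource, issued-at, expiry). The verifier
rejects it if the signature is wrong, the grant has expired, or it is presented
from a different device or for a different resource than it was issued for.
"""
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed key for the example. A real issuer keeps this in an HSM or KMS.
ISSUER_KEY = b"example-issuer-key-not-for-production"

# Assumption: five minutes is short enough that a stolen grant is almost useless.
DEFAULT_TTL_SECONDS = 300


def _canonical(claims: dict) -> bytes:
    """Deterministic encoding so signer and verifier hash identical bytes."""
    return json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()


def issue_grant(user: str, device_id: str, resource: str, *,
                now: Optional[float] = None,
                ttl: int = DEFAULT_TTL_SECONDS) -> dict:
    """Issue a grant for one user, on one device, to one resource, for ttl seconds."""
    now = time.time() if now is None else now
    claims = {
        "sub": user,            # who
        "dev": device_id,       # from which device
        "res": resource,        # to which resource
        "iat": int(now),        # issued at
        "exp": int(now) + ttl,  # expires at
    }
    sig = hmac.new(ISSUER_KEY, _canonical(claims), hashlib.sha256).hexdigest()
    return {"claims": claims, "sig": sig}


def verify_grant(grant: dict, *, presenting_device: str, requested_resource: str,
                 now: Optional[float] = None) -> Tuple[bool, str]:
    """Return (allowed, reason). Every check must pass; the first failure wins."""
    now = time.time() if now is None else now
    claims = grant.get("claims", {})
    expected = hmac.new(ISSUER_KEY, _canonical(claims), hashlib.sha256).hexdigest()
    # Constant-time comparison so the signature check does not leak timing.
    if not hmac.compare_digest(expected, grant.get("sig", "")):
        return False, "bad signature"
    if now >= claims["exp"]:
        return False, "expired"
    if claims["dev"] != presenting_device:
        return False, "device mismatch"
    if claims["res"] != requested_resource:
        return False, "resource mismatch"
    return True, "ok"


if __name__ == "__main__":
    g = issue_grant("alice", "laptop-01", "hr-db")
    print(verify_grant(g, presenting_device="laptop-01", requested_resource="hr-db"))
    print(verify_grant(g, presenting_device="phone-02", requested_resource="hr-db"))
```

The point of binding the grant to the device and the resource is that a credential stolen from one laptop cannot be replayed from another machine, and a grant for one system cannot be reused against a different one; the short expiry limits how long any mistake in the other checks matters.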
This high level of carefully controlled and monitored authorization on a case-by-case basis has become necessary as cyber attacks have grown in sophistication. It has also become a more realistic possibility as technologies have emerged that make the Zero Trust approach effective.
Why is Zero Trust More Secure?
This Zero Trust philosophy is more secure because it tests connections before they are made. In the old model, the one still used by many companies today, networks allow actors to connect to applications before testing and evaluating the connection.
Here’s a common analogy that Zero Trust advocates make when explaining the problem with the old way of doing things: imagine if airports removed their security measures that vetted people’s identities and removed checkpoints to ensure they didn’t have anything dangerous before connecting with their flight. Imagine if TSA allowed anyone to get on the plane, and then tried to vet each passenger ten minutes before departure while everyone’s sitting on the plane, buckled up and ready to go. That’s essentially what’s happening in cyberspace. A packet can wander freely into a network segment and engage with an application before being required to show any credentials.
A Zero Trust Network puts the test and validation process in front of every packet, and it repeats that vetting on every attempt to connect, whether from an internal or external source. This inverts the usual order of operations, in which a client first gets a network path and a TCP connection to a service and only then, at the application layer, is asked for credentials; in a Zero Trust design the requester is authenticated and authorized before it is allowed to reach the service at all. That makes it harder for bad actors to get through the front door, or any door or window, for that matter. It also limits lateral movement inside the network by using micro-segmentation and granular perimeters, so that a foothold on one host does not grant reachability to everything else, and by continuously assessing the user, the device, the location and other context throughout the session.
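The micro-segmentation point above is easiest to see as a default-deny allow-list between segments. The following is an added example, constructed for this page rather than taken from any product: a flow is permitted only if an explicit rule allows that source segment, destination segment and destination port, and everything else, including traffic between two hosts in the same segment, is denied. The segment names, addresses, rules and sample flows are all assumptions.

```python
"""Default-deny micro-segmentation check (constructed example).

Hosts are mapped to segments; an allow-list names the only (src segment,
dst segment, dst port) triples permitted. Anything not listed is denied, which
is what blocks a compromised web server from talking straight to the database.
"""
from typing import Dict, List, Set, Tuple

# Constructed segment membership (IP -> segment name).
SEGMENTS: Dict[str, str] = {
    "10.0.1.10": "web",
    "10.0.1.11": "web",
    "10.0.2.10": "app",
    "10.0.3.10": "db",
    "10.0.9.5": "mgmt-jump",
}

# Constructed allow-list: the only flows the architecture actually needs.
ALLOW: Set[Tuple[str, str, int]] = {
    ("web", "app", 8443),      # web tier calls the app tier over TLS
    ("app", "db", 5432),       # app tier talks to PostgreSQL
    ("mgmt-jump", "db", 22),   # administrators reach the db only via the jump host
}

Flow = Tuple[str, str, int]  # (src_ip, dst_ip, dst_port)


def is_allowed(src_ip: str, dst_ip: str, dst_port: int) -> bool:
    """Default deny: unknown hosts land in segment 'unknown', which no rule names."""
    src = SEGMENTS.get(src_ip, "unknown")
    dst = SEGMENTS.get(dst_ip, "unknown")
    return (src, dst, dst_port) in ALLOW


def denied_flows(flows: List[Flow]) -> List[Flow]:
    """Return the flows a segmentation enforcement point would drop."""
    return [f for f in flows if not is_allowed(*f)]


# Constructed sample of observed flows, with the expected verdict in comments.
SAMPLE_FLOWS: List[Flow] = [
    ("10.0.1.10", "10.0.2.10", 8443),     # web -> app: allowed
    ("10.0.2.10", "10.0.3.10", 5432),     # app -> db: allowed
    ("10.0.1.10", "10.0.3.10", 5432),     # web -> db directly: lateral movement, denied
    ("10.0.1.10", "10.0.1.11", 22),       # web -> web over SSH: same segment, still denied
    ("10.0.9.5", "10.0.3.10", 22),        # jump host -> db over SSH: allowed
    ("192.168.77.4", "10.0.3.10", 5432),  # unknown source -> db: denied
]


if __name__ == "__main__":
    for flow in denied_flows(SAMPLE_FLOWS):
        print("DENY", flow)
```

Note that the same-segment SSH attempt is denied too: in a flat network two web servers can talk freely, which is exactly the lateral path an attacker uses after compromising one of them, so a micro-segmented design only opens peer traffic when something genuinely needs it.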
It would be nice if we lived in a cyber world where a Zero Trust policy was not needed (just as it would be nice to never have to go through TSA security checks). However, such an open level of trust is no longer possible. Of course, every organization must retain a moderated measure of trust to continue functioning (so the term Zero is more aspirational than literal), but the days of security based on generous trust and minimal internal vetting are coming to an end.
Why is Zero Trust So Important?
It's still surreal to think the modern smartphone has only been around for about nine years, since Apple introduced the first iPhone in 2007. It is especially so when you think about how quickly and thoroughly smartphones have changed the world. In the early 2000s, before smartphones and other mobile-centric, cloud-based technologies, there wasn't an urgent need for something like a Zero Trust Network. Now we have:
1) Cloud computing, which has no perimeter to defend and can’t be contained.
2) A huge variety of mobile devices that introduce a chaotic web of access points.
3) The Internet of Things, which uses sensors on physical objects–sensors that are notoriously difficult to control, update, and secure.
The public has loved these new technologies, but from the vantage point of cybersecurity, it has created a perfect storm. Additionally, when you throw in shadow IT vulnerabilities into the mix–i.e. the tendency of employees to introduce their own third-party software preferences or devices into a company’s network without IT’s knowledge or permission–your company’s cybersecurity suddenly becomes the Wild West.
How to Plan Zero Trust Network Implementation
Although the need for a Zero Trust philosophy is urgent (even if having literally “zero” trust is more of an ideal than an actuality), making the big transition into Zero Trust should be done in planned, cautious stages. You should not rush into it without crafting a thoughtful strategy. The following five steps will guide you through the planning process of Zero Trust Network Implementation.
1. Determine Your “One True Identity” Source with IAM (Identity and Access Management)
It is crucial to first establish your one true source of identity. Identity and Access Management is the key to this process. This is where you evaluate the identity of each source and assign the appropriate level of authorization before the user or device gains access to sensitive resources. Some examples of this kind of technology that will help you with IAM include the following:
- Azure AD: Azure Active Directory, which Microsoft describes as a service that "centralizes identity and access management to enable deep security, productivity, and management across devices, data, apps, and infrastructure". It covers apps in the cloud, on mobile devices, and on-premises, and features such as conditional access let you layer security and manage access based on user, device and sign-in risk.
- OpenLDAP: This is an open source implementation of the Lightweight Directory Access Protocol (LDAP), a vendor-neutral application protocol for managing distributed directory information services over an IP network.
- Okta: Okta’s IAM products help you to centrally manage every user, app, device, and API in your organization.
- Amazon IAM: AWS Identity and Access Management lets you control access to Amazon Web Services resources. You can create and manage users and groups, and attach policies that allow or deny specific actions on specific resources as needed.
2. Determine Device Trust
A Zero Trust approach means adopting a Managed vs. Unmanaged Device strategy for device security. This is especially true as more companies allow and even encourage BYOD (Bring Your Own Device). Each device that tries to connect to the network is assessed and classified as either managed (a company-sanctioned, vetted device enrolled in your endpoint management) or unmanaged (an employee's personal device). An unmanaged device is automatically given a more restrictive level of application access and stronger data protection controls.
The system also evaluates the device for compliance: does it have the required software, patches and updates installed, disk encryption turned on, endpoint protection running? A remote health attestation of the device uses a variety of techniques to determine whether it is in "poor health" (for example, tampered with, missing critical updates or infected with malware). This stops high-risk devices from gaining access to your network before they can do any damage. Depending on how the device performs in its compliance check, a corresponding access level is granted to it.
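Here is an added example of the device-trust decision described in this step, written for this page and not taken from any endpoint-management product. It classifies a device as managed or unmanaged, lists its compliance findings, takes a health-attestation verdict as input, and maps the result and the sensitivity of the requested resource to an access tier. The posture fields, the 30-day patch threshold and the tier names are assumptions.

```python
"""Device-trust access tier decision (constructed example).

Inputs: the device's posture as reported by the endpoint agent and the
attestation service. Output: 'full', 'restricted' or 'deny'. Unhealthy devices
are denied outright; unmanaged or non-compliant devices never reach sensitive
resources and get a restricted tier for everything else.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class DevicePosture:
    device_id: str
    managed: bool               # enrolled in the company's device management
    os_patch_age_days: int      # days since the last OS security update
    disk_encrypted: bool
    edr_running: bool           # endpoint detection/response agent alive
    attestation_healthy: bool   # remote health attestation verdict


# Assumption: a device more than 30 days behind on OS patches is non-compliant.
MAX_PATCH_AGE_DAYS = 30


def compliance_findings(d: DevicePosture) -> List[str]:
    """Every way this device falls short of the baseline; empty means compliant."""
    findings: List[str] = []
    if d.os_patch_age_days > MAX_PATCH_AGE_DAYS:
        findings.append(f"os patches {d.os_patch_age_days}d old (>{MAX_PATCH_AGE_DAYS}d)")
    if not d.disk_encrypted:
        findings.append("disk not encrypted")
    if not d.edr_running:
        findings.append("endpoint protection not running")
    return findings


def access_tier(d: DevicePosture, resource_sensitivity: str) -> str:
    """Map device posture and resource sensitivity ('low' or 'high') to an access tier."""
    if not d.attestation_healthy:
        return "deny"        # poor health: block before the device can do damage
    findings = compliance_findings(d)
    if d.managed and not findings:
        return "full"        # vetted, compliant company device
    if resource_sensitivity == "high":
        return "deny"        # unmanaged or non-compliant devices never reach sensitive data
    return "restricted"      # e.g. browser-only access, no downloads, frequent re-auth


if __name__ == "__main__":
    byod_phone = DevicePosture("phone-02", managed=False, os_patch_age_days=3,
                               disk_encrypted=True, edr_running=False,
                               attestation_healthy=True)
    print(compliance_findings(byod_phone), access_tier(byod_phone, "low"),
          access_tier(byod_phone, "high"))
```

In practice the posture would come from your device-management and attestation services and the decision would be enforced by the conditional-access layer in front of each application; the shape of the decision, though, is what this step is asking you to define.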
3. Inventory Your Access Scenarios
It’s important to map out all access scenarios so you can prioritize where Zero Trust will bring the most benefit the fastest. As you create your inventory of access scenarios, you’re listing every possible source (user or device) and/or destination (resource) that needs to be addressed in your Zero Trust Network. Creating a comprehensive inventory will ensure nothing is overlooked or falls through the cracks. This will also help you identify at least one access scenario that is the most urgent need and would benefit the most from an immediate switch to a Zero Trust approach.
4. Choose your Zero Trust Access Tools
The next step is to choose a Zero Trust Access platform. This is when you’ll begin the shopping process and seeing which Zero Trust products on the market might be the best fit. You’ll want to consider fundamental questions such as whether you want the platform on-premises or in the cloud.
And as you evaluate which Zero Trust access tools to use, it’s important to check if those tools will properly integrate with every SaaS vendor used in your company. As you look at Identity, Security, Device Management, and SAML solutions, you will need to take the time to double-check any integration issues. And this is one big reason why Zero Trust Network implementation should not be a rushed process.
5. Migrate (Rolling Deployment)
The fifth step to implementation ensures no damage is done while transitioning to a Zero Trust approach. The goal is to keep the migration moving forward with caution and without disrupting productivity. This means:
- Incremental deployment
- Deploying from the top down, starting with the most valuable targets (e.g. members of Enterprise Admins and other privileged accounts) and working toward the least valuable in terms of content and data
- First deploy management and compliance tools, then layer on any conditional access and multi-factor authentication (MFA) for the rest of the company
Zero Trust is a Mindset, Not an Exact Science
As you can see from the steps above, there are multiple options in the process. There are many tools and vendors to choose from to help your company create your own version of a Zero Trust Network. There is leeway and room for improvisation within each company when, for example, you conduct a rolling deployment. In other words, it’s not an exact science, but the process should generally include the steps above.
Even the idealistic name “Zero Trust” is meant to describe the fundamental mindset behind your cybersecurity strategy, not the literal end-result. Every organization must run on certain levels of trust in its network, but the real question is how to shape the process of granting that trust. Companies need to stop haphazardly throwing their trust to devices and users like candy in a parade. They need to become much more protective of who and what they trust. And that’s what the Zero Trust philosophy is all about.
Learn More about Zero Trust Networks
Contact us to learn more about establishing a Zero Trust Network and how Agile IT can help you make that transition to a more secure network (and future).