Data security management has become critical to the success of any organization, but what about the Zero Trust model? What exactly is this model, how do organizations adopt it and why is it important for them to do so? In the sixth and final episode of our podcast series, Get IT: Cybersecurity insights for the foreseeable future, we explore Zero Trust in detail.
In this episode, Theo van Wyk, head of cybersecurity at CDW Canada, and Wolfgang Gorlich, advisory chief information security officer for Duo Security at Cisco, examine the framework of Zero Trust, what the future of this security model could look like and what it means for organizations.
What is the Zero Trust framework?
Data security often refers to the process of controlling access to, and managing the risk of, information within a network. But rather than providing a single solution, Zero Trust is a framework that informs an organization’s approach to data security management. This concept has been adopted by hundreds of Canadian organizations, including industry leaders like CDW and Cisco, and ultimately only allows data access to intended users and devices. It works alongside essential elements like access control, malware prevention and identity verification, giving them structure and making them easier to consume.
The evolution of Zero Trust
Network security originated with physically secured network ports, followed by the firewall era’s two-decade run, before the new millennium brought us the Jericho Forum’s concept of deperimeterization. This was the first notion of removing the physical perimeter around security in favour of encryption and data authentication. It was the leading edge of what would become Zero Trust until Wi-Fi came along and enabled true “anywhere access”.
By 2010, many of the world’s largest organizations had adopted wireless access, prompting Forrester to officially coin the term Zero Trust. Shortly thereafter, a zero-day vulnerability in Internet Explorer was exploited in Operation Aurora in 2014, one of the largest cyberattacks ever. As a result, corporations like Google, Microsoft, Intel and PagerDuty started looking into proactive security measures, leading to a new era of cybersecurity that focuses on the identity of people and their devices rather than where they are.
Only in recent years have regulators like NIST and the UK’s Cybersecurity Centre introduced formal cybersecurity standards, finally allowing Zero Trust to move from use among large corporations to more widespread adoption across organizations of all sizes. The concepts of trust, authentication and authorization continue to evolve, and they matter now more than ever after the world’s recent shift to digital work due to COVID-19. Security is no longer reserved for corporate-issued assets like laptops and phones, and it no longer matters where users are connecting from. The focus is now on how trusted and secure a user’s device or connection is.
Why this model works
Organizations implementing a Zero Trust model will achieve greater network protection than with other frameworks such as the Payment Card Industry Data Security Standard (PCI DSS), which is not applicable to every scenario. This matters as more Canadians continue to work from home, because it lets organizations be far more flexible in how they deliver services while maintaining secure access to data. In industries like healthcare, pharmaceuticals, financial services and manufacturing, this can be especially critical when it comes to data access and identity verification.
At a hospital, for example, medical staff may need access to patient records without having hospital-issued devices, since they are not technically employed by the hospital. The hospital may want to grant them access so they can serve patients, but is at the same time aware of potential identity-threat scenarios. This is where Zero Trust identity verification and authentication can help, with specific policy-enforced ways of stopping these threats.
Implementation and identifying use-cases
If an organization is looking to implement a Zero Trust model, the first step is to ensure some form of multi-factor authentication (MFA) service is available to verify employee access. This is usually done through single sign-on (SSO). Once this has been established, you can identify the right Zero Trust use-case. The three main use-cases are:
- Zero Trust for the workforce – Applying to employees, partners and any other stakeholder requiring back-end access to apps or data
- Zero Trust for the workplace – Applying to medical, manufacturing or IoT devices, even office printers and photocopiers
- Zero Trust for workloads – Referring to an implementation within apps and networks that developers are building
Zero Trust for the workforce is traditionally where most organizations begin as it’s the easiest to implement and the technologies are readily available. The next step is implementing strong identity for devices in conjunction with telemetry to ensure they are secure and align with the Zero Trust policy. Following device implementation, organizations should implement the policy for employees, apps and devices to extend functionality, usability and defensibility.
Following strong policy implementation, the organizational focus should pivot to continuous improvement. Looking at ways to fine-tune existing policies and achieve better telemetry is key to delivering the best possible services to end-users.
Once organizations understand what they’re trying to achieve (e.g. preserve data integrity or data availability), deciding how to segment security policies and determine corresponding controls is a natural next step. The latter is particularly important: once access is permitted, ongoing monitoring is required so that access can be revoked or restricted should something go wrong. Once controls have been established, they will ideally work in tandem with Zero Trust policies to balance usability, security and user experience.
Security policy best practices
When organizations want to create a new Zero Trust security policy, there are some key considerations they should address before implementation:
- Have a good understanding of organizational data. What is the organization trying to protect? What value does the data bring to the organization? Conversely, what value does it bring to potential attackers and how motivated would they be to go after it?
- Analyze the telemetry of the Zero Trust platform. A corporate-owned device will offer multiple levels of information, such as pushed software and full visibility into its configuration. A personal device or BYOD (bring your own device) will still offer some visibility, though not as much as a corporate-owned one.
- Determine classifications of what should be enabled and blocked. This might sound like a given, but it’s important to have clear differentiators for both apps and devices.
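The implementation steps and policy considerations above can be pictured as a small policy engine: MFA asserted by SSO as the entry condition, device telemetry (a managed device reporting more than a BYOD one), an app classification with explicit allow and block decisions, and a re-evaluation step that revokes access when telemetry changes. The following is an added illustration written for this article, not code from CDW, Cisco or Duo; the class names, fields and app classifications are constructed assumptions.

```python
# Added illustration, not CDW/Cisco/Duo code; classifications and fields are constructed.
from dataclasses import dataclass, field
from typing import Optional, Tuple

@dataclass
class Device:
    managed: bool                           # corporate-owned: pushed software, full visibility
    jailbroken: bool = False
    disk_encrypted: Optional[bool] = None   # None: telemetry unavailable (typical for BYOD)

@dataclass
class Session:
    user: str
    mfa_verified: bool                      # asserted by the SSO provider after MFA
    device: Device
    groups: set = field(default_factory=set)

# Constructed classification: app -> (group allowed to use it, data sensitivity).
# "blocked" marks an app that no policy should ever grant, whatever the device.
APPS = {
    "patient-records": ("clinicians", "high"),
    "cafeteria-menu": (None, "low"),
    "legacy-fileshare": ("blocked", "high"),
}

def evaluate(session: Session, app: str) -> Tuple[str, str]:
    """Return ('allow' | 'allow-limited' | 'deny', reason) for one access request."""
    if app not in APPS:
        return "deny", "unclassified app: default deny"
    group, sensitivity = APPS[app]
    if group == "blocked":
        return "deny", "app blocked by classification"
    if not session.mfa_verified:
        return "deny", "MFA via SSO is required before any access"
    if session.device.jailbroken:
        return "deny", "device not trusted (jailbroken)"
    if group and group not in session.groups:
        return "deny", f"user not in group {group}"
    if sensitivity == "high" and session.device.managed and session.device.disk_encrypted is False:
        return "deny", "managed device fails posture check (disk not encrypted)"
    if sensitivity == "high" and not session.device.managed:
        return "allow-limited", "BYOD offers less telemetry: view-only, no download"
    return "allow", "policy satisfied"

def reevaluate(session: Session, app: str, granted: str) -> str:
    """Continuous check: rerun policy on fresh telemetry; revoke if access was granted but now fails."""
    decision, _ = evaluate(session, app)
    return "revoke" if granted != "deny" and decision == "deny" else decision
```

Running the hospital scenario through it, a clinician on a personal device gets limited access to patient records while the same clinician on a compliant managed device gets full access, and a jailbreak detected mid-session turns an earlier allow into a revoke.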
Enhancing user experience and identity verification
Zero Trust ultimately contributes to creating a holistic, uniform user experience, which is critical in today’s digital age. Creating and implementing policies that allow safe and secure data access is the foundation of Zero Trust and of the easy, convenient and consistent experience end-users need and expect. If an end-user within an organization is moving between projects, moving to a new team or transitioning to a remote work environment, getting access to files and data can take days or weeks. Furthermore, when moving between assets, some devices may not be trusted or may be jailbroken.
With an identity-forward approach and accordingly defined policies, Zero Trust allows user identity to be verified and data access granted more efficiently. This process includes limiting the number of passwords and authentication steps while also reducing the friction involved in maintaining a BYOD, corporate or personal device. This gives users quick, secure access to information, with their identity verified, in fewer steps.
The future of Zero Trust will be enhancing the trust indicators and behaviour analytics behind app and device use. This includes going beyond surface analytics to explore how data is moving and how apps are being interacted with, and identifying specific fraud indicators to feed back into the policy engine to ensure continuous improvement.
As AI and ML continue to become a bigger part of our reality, seeing past the immediate zeros and ones in data behaviour to provide analysis and take action to improve will be critical. This also means we’ll inevitably see more integration with security orchestration, automation and response (SOAR) tools.
Orchestration and automation can be leveraged when the human capacity to process and review data from a security perspective is limited, so how can technology wrap around SOAR and resolve user issues before users even notice them? How is security maintained along the way?
These are all questions Zero Trust aims to answer, and why this model is key to organizational safety and success.
For more insights on how Canadian businesses are managing data privacy and security, listen to Episode six now.