A concept receiving much attention lately in public policy circles is Zero Trust. John Kindervag, the Father of Zero Trust, has been getting a lot of speaking engagements suddenly. And for a good reason. Risk Management – or what John refers to call “Danger Management” as ZT and the objects of its attention are only specific dangers posed to an organization ahead of risk management.
But as long as it ends up as part of the solution or the driving motivation for a ZT implementation.
So, What Is Zero Trust?
John will call it a strategy but for me, I see it in application, as an essential principle of Risk Management. A core tenet of the Zero Trust model is to assume that the network has been compromised and includes hostile intruders, which implies an obligation to authenticate and authorize every connected person or device.
Formally defined by NIST, from John Kindervag’s original work in 2008, Zero Trust (ZT) is the term for an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets and resources. A Zero Trust Architecture (ZTA) uses Zero Trust principles to plan industrial and enterprise infrastructure and workflows. Zero Trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location (i.e., local area networks versus the internet) or based on asset ownership (enterprise or personally owned). See Zero Trust Architecture | NIST.
The acute crisis that generated the need to create a Zero Trust model was the ever-growing number of cyber attacks targeting both the public and private sectors, including critical infrastructures such as water plants or healthcare facilities and even governmental agencies.
The high-profile ransomware attack on the Colonial Pipeline and the Solar Winds breach shone a bright light on the dangers caused by vulnerabilities, and the government responded.
The fact that cyber attackers were lying hidden in Solar Winds networks for over a year before being discovered, and could have had lateral access through networks, demonstrated the crucial need for a change in the way to prevent the growing and sophisticated threats from state actors and organized criminal gangs, from wreaking havoc across all industries and jeopardizing critical infrastructure.
Through executive orders and memorandums, the U.S. government is now prioritizing and setting milestones for implementing the Zero Trust approach. See Executive Order on Improving the Nation’s Cybersecurity | The White House and also OPM’s Federal Zero Trust Strategy – Moving the U.S. Government Towards Zero Trust Cybersecurity Principles.
While the Department of Homeland Security is leading the civilian side of exploring and optimizing the Zero Trust approach, on the defense and intelligence side of government, a Zero Trust pilot is being undertaken as a joint effort between the U.S. Cyber Command, the Defense Information Systems Agency and the National Security Agency where they are lab testing various technologies. According to Neal Ziring, the technical director for NSA’s Cybersecurity Directorate, “The team has been able to demonstrate the effectiveness of Zero Trust at preventing, detecting, responding and recovering from cyber attacks,” DHS, NSA creating reusable pieces to Zero Trust foundation | Federal News Network.
Recently, the Pentagon’s top IT office issued a contract to develop a Zero Trust IT architecture capable of continuously validating user permissions, devices, services and data innocuousness. The project, called Thunderdome, will test how to implement Zero Trust architecture involving technologies such as Software Based Segmentation, Secure Access Service Edge and Software Defined-Wide Area Networks. See Welcome to Thunderdome: Pentagon awards Zero Trust architecture prototype (navytimes.com)
David McKeown, DOD’s senior information security officer/chief information officer for cybersecurity, summed up the challenge and the need for a Zero Trust model: “We feel like Zero Trust is the only solution out there right now that gives us a fighting chance on detecting these folks that may have a foothold on our network or this anomalous software that we’ve allowed in.” Pentagon ‘Zero Trust’ cyber office coming in December (yahoo.com).
Public And Private
Zero Trust will not only be implemented by governments but also by many companies in the private sector. Gartner predicts that spending on Zero Trust network access solutions will grow from $820 million this year to $1.674 billion in 2025, attaining a 26% Compound Annual Growth Rate (CAGR). Zero-trust trends for 2022 | VentureBeat
In view of the growing number of threats, a refocus on strengthening cybersecurity requires sound investments, resources, expertise and capabilities. And it requires creating a framework that will assess situational awareness, align policies & training, optimize technology integration and privileged access management, promote information sharing, establish mitigation capabilities and maintain cyber resilience in the event of incidents.
The 5 Steps Simulated
But first, leaders need to know where and what vulnerabilities they face. They need to determine upfront what linked devices, people, software and hardware should be trusted to best protect digital systems and networks.
Simulation platforms are invaluable tools to initiate a Zero Trust approach for a security framework, as they provide a bird’ eye view on the security gaps attackers could use to gain a foothold and the path they could use to escalate or move laterally.
Agencies and companies alike draw enormous benefits from testing their security controls against the full cyber attack kill chain. The combination of the chronic shortage of skilled cybersecurity workers and the ever-increasing volume and complexity of threats on connected attack surfaces makes automating breach and attack simulation the only effective way to help evaluate security gaps and check that remediation measures are effective.
The crux of a Zero Trust model is to reach and maintain the highest achievable level of segmentation and fortification and best prepared and fortified to minimize the odds of experiencing a breach and reduce the potential damage of such a breach to a strict minimum by preventing escalation and lateral movement.
Optimizing privileged access management and security controls effectiveness is the first step and needs to be continuously fine-tuned to account for modification of the threat landscape and the unavoidable frequent changes in the environment resulting from agile development. Continuous security validation processes are indispensable in providing the extended security posture management needed to maintain Zero Trust Architecture in a constantly fluctuating reality.
Danger And Risk Management
The Zero Trust model may not be a panacea for everything cybersecurity, and the founders of the CyberTheory Institute have it right when they remind us that their mission statement for the Institute is to convince CSIO’s that the downside of ZT is very slight against an upside that expects to cut successful breaches in half. Those thought leaders, all experts in Zero Trust are all convinced that a ZT implementation will remove excessive trust from a network, significantly reduce the attack surface and increase the granularity and frequency of identity validation, authentication and proofing, while continuous monitoring and alerting will lower the successful breach events by 50%.
In addition, the “never trust, always verify” motto is an essential element of Risk Management. It is encouraging to see government agencies and companies look first within their networks and operations to discover threats and help mitigate vulnerabilities. Whether folks think of cyber attacks in the “danger” or “risk” categories, that, in and of itself, is a big step in making our nation and industries more secure.
By Chuck Brooks, Steve King and John Kindervag