Four ways to build a zero trust mindset
When the coronavirus first appeared, organizations everywhere were forced to accelerate digital transformations to comply with stay-at-home orders and maintain business continuity. Now, thanks to the heroic efforts of IT and security teams to adapt to new challenges, we have a luxury we didn’t have just over a year ago: time.
Today we can proactively think through new technologies and make long-term, strategic decisions about how they affect organizational strategy. And one of the most valuable ways that security pros can get ahead of the next challenge is by thinking through and scaling up their organization’s zero-trust mentality. Let’s look at what we mean by 'zero trust' and some tips for implementing it effectively:
The evolution of zero trust
'Zero trust' is a relatively new and buzzy term describing the ongoing shift from a 'trust but verify' security principle to the more extreme 'never trust, always verify' stance. But don’t be fooled: though Forrester’s John Kindervag coined the term in 2010, parts of zero trust have been around for decades. By understanding the ideas that led to zero trust, we can see why it’s valuable and how to use it strategically.
One of the earliest contributors to zero trust was the concept of "least privilege," which was introduced in 1976 to describe the minimum degree of rights and access that a user would need to do their job. Around the same time, early papers in public-key cryptography introduced the idea of "trusted" third parties who needed to certify the underlying Public-Key Infrastructure; these papers viewed "trust" as a liability and sought to limit it whenever possible -- if not eliminate it altogether.
Zero trust also owes a good deal to 1994’s RFC 1636 (Report of the IAB Workshop on Security in the Internet Architecture), which said that traditional perimeter-based security (i.e., firewalls) led to a "crunchy outside [and a] soft and chewy center." Since then, security teams have picked up on this image, describing traditional security postures as M&Ms, Tootsie Rolls, or even eggs.
The image of a tough but ultimately brittle exterior and a vulnerable interior stuck: nearly a decade after RFC 1636, the Jericho Forum working group published a paper built on the assumption that the network core could never be trusted, and that security teams should "deperimeterize" their networks entirely.
That’s a simplified history of some of the key ideas behind zero trust: trust is a liability that should be minimized, and better perimeters aren’t enough.
Because these ideas have been a part of the cybersecurity community for decades, organizations can embrace zero trust by using vendors, services, and solutions that might already be in house. Here are some tips on how to move toward a zero-trust vision more effectively.
How to develop zero trust
1. Don’t be a zero-trust absolutist: 'zero trust' is a catchy name, but don’t let it fool you: businesses simply cannot 'always verify'. Doing so would be impractical, if not impossible. The recent SolarWinds breach is a good example of how hard it would be to reduce the trust surface to zero, and of why it’s worth reducing 'trusted' resources whenever possible.
Instead, think of zero trust as an aspiration that can improve your security strategy and decisions over the long-term.
2. Define your risk parameters: every organization needs to allocate limited resources to improve security without impairing core operations. For instance, implementing bidirectional (mutual) TLS is consistent with zero trust. For e-commerce vendors, however, requiring it of customers would hinder them from completing transactions.
So, instead of locking out customers, take a step back and identify what types of events would lead to organizational losses; then determine how frequently those events occur and the magnitude of their losses. Catalog your gaps and decide whether they fall within acceptable limits.
3. Lean trust = high value: although zero trust is probably impossible, lean trust is an appropriate and attainable goal. Once you’ve identified your risk implications and priorities, maximize the value of reducing your trust-surface risk per dollar spent by first addressing high-priority gaps. Then, take the next step in your zero-trust journey by addressing the next most important issue.
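Steps 2 and 3 together describe a small prioritization exercise: estimate each gap's expected annual loss from event frequency and magnitude, drop the gaps that fall within tolerance, and rank the rest by risk reduction per dollar. The following is an added illustration, not code or figures from the article; the gap catalog, the dollar amounts and the tolerance are constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class Gap:
    """One catalogued trust gap with constructed, illustrative estimates."""
    name: str
    annual_frequency: float    # expected loss events per year
    loss_per_event: float      # expected loss per event, in dollars
    remediation_cost: float    # cost to close the gap (including lost business)
    residual_fraction: float   # share of the annual loss that remains afterwards

    def annual_loss(self) -> float:
        # frequency x magnitude: the expected loss the gap carries each year
        return self.annual_frequency * self.loss_per_event

    def risk_reduction(self) -> float:
        # annual loss removed by remediating the gap
        return self.annual_loss() * (1.0 - self.residual_fraction)

    def reduction_per_dollar(self) -> float:
        return self.risk_reduction() / self.remediation_cost


def triage(gaps, tolerance):
    """Split gaps into (over tolerance, ranked by reduction per dollar) and (within tolerance)."""
    over = [g for g in gaps if g.annual_loss() > tolerance]
    within = [g for g in gaps if g.annual_loss() <= tolerance]
    over.sort(key=lambda g: g.reduction_per_dollar(), reverse=True)
    return over, within


# Constructed sample catalog; the last entry models the e-commerce case, where the
# remediation "cost" is dominated by customers who could no longer transact.
GAPS = [
    Gap("shared admin credentials on jump host", 0.5, 400_000, 20_000, 0.10),
    Gap("no mTLS between internal services", 0.2, 250_000, 150_000, 0.20),
    Gap("stale contractor accounts", 2.0, 15_000, 5_000, 0.05),
    Gap("customer-facing mTLS", 0.05, 50_000, 300_000, 0.50),
]

if __name__ == "__main__":
    over, within = triage(GAPS, tolerance=10_000)
    for g in over:
        print(f"fix next: {g.name:40s} ${g.annual_loss():>10,.0f}/yr  "
              f"{g.reduction_per_dollar():.2f} $ risk removed per $ spent")
    for g in within:
        print(f"accept:   {g.name:40s} ${g.annual_loss():>10,.0f}/yr")
```

With these inputs the jump-host credential gap ranks first and the customer-facing mTLS gap is accepted, which is the point of step 2: a control can be consistent with zero trust and still not be worth its cost.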
4. Caveat emptor: vendors have jumped on the zero-trust bandwagon with solutions that 'enable' zero trust. That claim is misleading and potentially dangerous: digital infrastructures are already complex and becoming more so every day. No single point solution can fully achieve zero trust. Instead, security teams must consider networks, endpoints, digital identities, and more.
Zero trust isn’t a panacea. It’s not a product to install or a vendor to manage. Ultimately, it’s a mindset for beleaguered security teams to work through complex challenges, prioritize high-value changes, and prepare for the next disruption.
Dr. Zulfikar Ramzan is Chief Digital Officer, RSA