A little over a decade ago, John Kindervag outlined the Zero Trust security model. As a VP and Principal Analyst on the Security and Risk Team at Forrester Research, he spent years doing primary research and the result was a new model of trust, a new approach to cybersecurity, and a security strategy designed to stop the mounting data breaches.
In the intervening years, Zero Trust gained many adherents and proponents, and with good reason: the widespread adoption of mobile devices, BYOD, IoT, cloud computing and remote work (and remote access to company resources) has made the single enterprise-wide perimeter a thing of the past and has widened organizations’ attack surface considerably. Consequently, defenses had to be focused on users, assets, and resources.
Zero Trust: Does it work?
As Bill Harrod recently succinctly summarized, “the Zero Trust model enforces that only the right people or resources have the right access to the right data and services, from the right device, under the right circumstances.”
When, for example, hackers breached enterprise building security startup Verkada last month and made it sound like the access they obtained to Verkada cameras at Cloudflare offices might have been used to compromise the Cloudflare CEO’s laptop and (through it) the corporate network, the company’s CTO quickly dispelled that notion.
“[…] we don’t trust our corporate network; we use our products, such as Cloudflare Access, to control access to resources. The fact that the attacker had access to a machine inside the corporate network is no better than the kind of access they’d have had if they’d connected to our corporate WiFi network. The network isn’t important, it’s the access control that matters,” he explained.
“Of course, if we had been using the old castle-and-moat style of corporate networking (where anything and anyone on the corporate network are inherently trusted) the outcome could have been different. This is why Zero Trust is so powerful. It allowed us all to work from home because of COVID-19 and it means that an attacker who got into the office network doesn’t get any further.”
As further proof of the effectiveness of the model, Kindervag says that the zero-trust strategy is widely deployed in some of the world’s most secure environments, which is why we’ve seen the NSA provide guidance on Zero Trust from their perspective recently.
That’s not to say that a zero-trust strategy is only helpful for large organizations of critical importance. It can be implemented by both the world’s largest and the world’s smallest organizations, he says, and can help protect against today’s most dreaded cyber-scourges: ransomware attacks and data breaches.
“Because Zero Trust is focusing on what is being protected, it stops traffic that doesn’t fall within the granular Kipling Method policy statements. This means that outbound traffic to a C&C node, which is how both ransomware and data exfiltration (the actual breach) work, will be stopped automatically. When malware tries to ping a C&C node on the internet, there is no rule in the control system that allows that session to be set up. Therefore data can’t be exfiltrated and ransomware can’t exchange keys,” he explained.
Implementing Zero Trust
As the current Senior VP of Cybersecurity Strategy at ON2IT, set on making Zero Trust more easily accessible and consumable by organizations of all sizes, Kindervag advises organizations to go through these five deployment steps to build Zero Trust networks:
1. Define Your Protect Surface: What do you need to protect?
2. Map the Transaction Flows: How does the system work together?
3. Architect the Environment: Place the controls as close as possible to the Protect Surface so that you can define a micro-perimeter
4. Create the Zero Trust Policy (by using the Kipling Method, i.e. by answering the who, what, when, where, why and how of your network and policies)
5. Monitor and Maintain the Environment: Gather telemetry, perform machine learning and analytics, and automate responses in policy
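An added example, not from Kindervag or the original article: a minimal default-deny evaluator for Kipling Method policy statements, showing why an outbound session with no matching rule (such as the C&C callback described earlier) is never set up. The concrete meaning given to each of the six fields, and all users, host names, addresses and sessions, are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import time

@dataclass(frozen=True)
class Rule:
    who: frozenset   # identities allowed (assumed: validated upstream, e.g. with MFA)
    what: str        # Layer 7 application
    when: tuple      # (start, end) time window
    where: str       # destination: the protect surface
    why: str         # business justification, kept for audit
    how: str         # inspection applied to allowed traffic

@dataclass(frozen=True)
class Session:
    user: str
    app: str
    at: time
    dest: str

def in_window(at, window):
    start, end = window
    if start <= end:
        return start <= at <= end
    return at >= start or at <= end  # window crosses midnight

def evaluate(session, rules):
    """Return (decision, rule). Default deny: no matching rule, no session."""
    for rule in rules:
        if (session.user in rule.who and session.app == rule.what
                and in_window(session.at, rule.when)
                and session.dest == rule.where):
            return ("allow", rule)
    return ("deny", None)

# Constructed policy for a single protect surface.
POLICY = [
    Rule(frozenset({"alice", "bob"}), "postgres", (time(7, 0), time(19, 0)),
         "billing-db.internal", "billing staff run invoicing", "inspect+log"),
]

# Constructed sessions; 203.0.113.50 is a documentation-range address.
SESSIONS = [
    Session("alice", "postgres", time(9, 30), "billing-db.internal"),
    Session("alice", "postgres", time(23, 0), "billing-db.internal"),
    Session("alice", "unknown-tls", time(9, 31), "203.0.113.50"),
    Session("mallory", "postgres", time(10, 0), "billing-db.internal"),
]

def decisions():
    return [evaluate(s, POLICY)[0] for s in SESSIONS]
```

Only the first session is allowed; the outbound session to the unlisted address is denied because no statement names it, not because anything recognized it as malicious.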
“The strategic concepts of Zero Trust have not changed since I created the original concept, though I have refined some of the terminologies,” he told Help Net Security.
“I used to say that the first step in the five-step deployment model was to ‘Define Your Data.’ Now I say that the first step is to ‘Define Your Protect Surface.’ My idea of a protect surface centers on the understanding that the attack surface is massive and always growing and expanding, which makes dealing with it an unscalable problem. I have inverted the idea of an attack surface to create protect surfaces, which are orders of magnitude smaller and easily known.”
Among the pitfalls that organizations implementing a zero-trust model should try to avoid, he singles out two: thinking that Zero Trust is binary (that either everything is Zero Trust or none of it is), and deploying products without a strategy (thus creating a false sense of security).
“Zero Trust is incremental. It is built out one protect surface at a time so that it is done in an iterative and non-disruptive manner,” he explained.
He also advises starting with creating zero-trust networks for the least sensitive/critical protect surfaces first (to learn, practice and make less disruptive mistakes), and then slowly working one’s way towards implementing Zero Trust for the more and the most critical ones.
While designing zero-trust networks, organizations should focus on the business outcomes, make sure to design from the inside out and properly determine who needs to have access to a resource, and inspect and log all traffic at Layer 7 so that a Layer 7 Policy Statement can be defined, he adds.
Among the misconceptions Kindervag is eager to dispel is that Zero Trust makes a system “trusted”, and that it is just about identity and multi-factor authentication (MFA).
Zero Trust eliminates trust from digital systems, because trust is a vulnerability that can be exploited, he says.
“Zero Trust CONSUMES identity attributes validated with MFA in Layer 7 policy. If Zero Trust was equal to MFA (as many vendors claim), then neither the Snowden nor Manning breaches would have been able to happen. They had very robust MFA and identity solutions, but no one looked at their packets post-authentication.”
Finally, he stressed that even though many vendors have redefined the meaning of Zero Trust to meet the limitations of their products, there are no “Zero Trust products.”
“There are products that work well in Zero Trust environments, but if a vendor comes in to sell you their ‘Zero Trust’ product, that’s a pretty good indication that they don’t understand the concept,” he noted.
“And, if you’re looking to hire a managed services provider to help you with the implementation, ask how they define Zero Trust: ‘Is it a product or a strategy?’ Then make sure the first question they ask you is ‘What are you trying to protect?’”