By Brad Pierce, Structured Managing Director of Security, CISSP/CISA/PCIP —
Zero Trust is a philosophy, a journey. No one manufacturer or security product will get you where you’re going. It will take all of your technologies, and likely some new ones, to arrive at a Zero Trust architecture.
Trust is dead, long live trust!
Zero Trust is a paradoxical name as it is not the elimination of trust but a specificity of trust (less catchy, I agree). It is an architecture where every user, system, service, device and packet gets to only access what it is authorized to access, in the right place, at the right time.
A brief history
Started in 2007 as the Jericho project, using a city fortress metaphor, it began to take shape as a new security architecture. It was intended to replace the old “castle and moat,” or perimeter-based architecture, that was predominant then … and still is today.
In 2011 Google ambitiously developed BeyondCorp as a Zero Trust example architecture that it had deployed internally to great success. But that’s Google. They built the tools needed to accomplish their goals, as those tools did not exist in a way that could work at their scale or complexity. That’s like the USA telling the world how easy it is to build the most technologically advanced military on the planet (with limitless time and resources).
For modern companies, the concept started getting some traction — and its current name — from Forrester Research’s John Kindervag (now at Palo Alto Networks) in 2014. Thus began the race by manufacturers to adopt Zero Trust philosophies.
That brings us to the present. In 2021 Zero Trust is finally on the radar of CIOs and CISOs as a project-level initiative. Questions are being asked about how to achieve Zero Trust and what it means.
This is incredibly exciting for Structured as a security-first solution provider. Zero Trust allows us the opportunity to provide value to an even larger part of the organization and to leverage the investments companies have already made by orchestrating their capabilities with modern tools.
The Four Pillars of Zero Trust
We consider the four pillars of Zero Trust to be:
Identity is the single biggest component of Zero Trust. Identity is more than user accounts. It is systems, services, and devices (IoT). It is the provisioning/deprovisioning lifecycle. Identity is creating a single source of truth and then basing trust calculations on it. This single source of truth aggregates all of your disparate identity collections and brings them together in a place where they can be managed, governed, enforced, etc. Trust is calculated based on a constellation of information: identity, MFA, source, destination, resource sensitivity, geography, time, access method, system disposition, etc. From these many components we compute a trust score, on which access to a given network or resource is then permitted or denied.
Access is all the authorization decisions made on those identities. These decisions are integrated into the entire organization. From port-level access on switches to data and application access on servers.
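As an added example (not code from the original post or from Structured), the following toy policy decision point in Python ties the identity and access pillars together: a constructed directory stands in for the single source of truth, a trust score is computed from the signals listed above (MFA, source network, geography, time, access method, device disposition), and the score is compared against a threshold set by the sensitivity of the requested resource. Every decision is also emitted as a JSON audit record, which is the raw material the logging pillar consumes. All identities, networks, weights, thresholds and sample requests are constructed assumptions for illustration.

```python
"""Toy Zero Trust policy decision point (constructed example).
Combine identity signals into a trust score and compare it with the
sensitivity of the requested resource. Weights, thresholds and data are
illustrative assumptions, not a recommended scoring scheme."""
import ipaddress
import json
from dataclasses import dataclass, replace
from datetime import datetime, timezone

# Constructed "single source of truth": users, services and their lifecycle state.
DIRECTORY = {
    "alice":      {"kind": "user",    "groups": {"finance"}, "active": True},
    "svc-backup": {"kind": "service", "groups": {"backup"},  "active": True},
    "bob":        {"kind": "user",    "groups": {"finance"}, "active": False},  # deprovisioned
}

# Constructed resource catalogue: which groups may reach it, sensitivity 1 (low) .. 3 (high).
RESOURCES = {
    "wiki":       {"sensitivity": 1, "groups": {"finance", "backup", "eng"}},
    "payroll-db": {"sensitivity": 3, "groups": {"finance"}},
}

THRESHOLD = {1: 40, 2: 60, 3: 80}            # minimum score per sensitivity level (assumed)
CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed trusted source range
BUSINESS_HOURS = range(7, 20)                 # 07:00-19:59 in the policy engine's clock


@dataclass
class AccessRequest:
    subject: str            # identity, resolved against DIRECTORY
    resource: str           # destination, resolved against RESOURCES
    mfa: bool
    source_ip: str
    country: str
    device_compliant: bool  # "system disposition" of the requesting device
    access_method: str      # e.g. "browser", "api", "vpn"
    at: datetime


def trust_score(req):
    """Score 0..100 from the constellation of signals; returns (score, reasons)."""
    score, reasons = 0, []
    if req.mfa:
        score += 30; reasons.append("mfa")
    if req.device_compliant:
        score += 30; reasons.append("device_compliant")
    if any(ipaddress.ip_address(req.source_ip) in net for net in CORPORATE_NETS):
        score += 15; reasons.append("corporate_network")
    if req.country == "US":
        score += 10; reasons.append("expected_geography")
    if req.at.hour in BUSINESS_HOURS:
        score += 10; reasons.append("business_hours")
    if req.access_method in {"browser", "api"}:
        score += 5; reasons.append("managed_access_method")
    return score, reasons


def decide(req):
    """Authorization decision: identity checks first, then trust score vs. sensitivity."""
    ident = DIRECTORY.get(req.subject)
    res = RESOURCES.get(req.resource)
    if ident is None or not ident["active"]:
        return _record(req, False, 0, ["unknown_or_deprovisioned_identity"])
    if res is None or not (ident["groups"] & res["groups"]):
        return _record(req, False, 0, ["not_authorized_for_resource"])
    score, reasons = trust_score(req)
    need = THRESHOLD[res["sensitivity"]]
    allowed = score >= need
    reasons.append(f"score {score} {'>=' if allowed else '<'} required {need}")
    return _record(req, allowed, score, reasons)


def _record(req, allowed, score, reasons):
    """Emit one JSON audit line per decision and return it (the logging pillar's input)."""
    entry = {"ts": req.at.isoformat(), "subject": req.subject, "resource": req.resource,
             "decision": "ALLOW" if allowed else "DENY", "score": score, "reasons": reasons}
    print(json.dumps(entry))
    return entry


def sample_decisions():
    """Constructed requests: the same user with strong and weak session signals."""
    when = datetime(2021, 6, 1, 10, 0, tzinfo=timezone.utc)
    strong = AccessRequest("alice", "payroll-db", True, "10.1.2.3", "US", True, "browser", when)
    weak = replace(strong, source_ip="203.0.113.5", device_compliant=False)  # off-net, unmanaged device
    return {
        "alice_payroll_strong": decide(strong),
        "alice_payroll_weak":   decide(weak),
        "alice_wiki_weak":      decide(replace(weak, resource="wiki")),
        "bob_payroll":          decide(replace(strong, subject="bob")),
        "svc_backup_payroll":   decide(replace(strong, subject="svc-backup")),
    }


if __name__ == "__main__":
    sample_decisions()
```

The point of the weak-session pair is that Zero Trust is not a single allow/deny per user: the same identity with MFA but an unmanaged device on an unknown network still reaches the low-sensitivity wiki, yet is refused the payroll database until the missing signals are present. The deprovisioned and wrong-group cases show why the identity lifecycle and resource authorization are checked before any score is computed.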
Orchestration is the stitching together of all your network and system information sources into an automated whole. It is creating playbooks that allow your NAC to talk to your NGFW to talk to your XXXXX-playbook logic. Orchestration is the force multiplier to which so many organizations are turning. As an industry, we are globally staring down about 3.5 million unfilled cybersecurity jobs by 2021. We can reduce the burden on the overtasked information security folks we do have by automating as much as possible. We must get the right information to the right people at the right time with maturing technologies like SOAR (Security Orchestration, Automation and Response).
Logging, while our final pillar, is not the final piece. Logging can provide a comprehensive real-time view of your environment as well as an audit trail to prove your prevention. Logging is the piece that enables monitoring. Often done by an internal team, monitoring has become an in-demand service as the realities of the volume of data, and limits of staffing, come into ever-greater focus. Capable outsourced Security Operations Centers (SOCs) can provide the 24/7/365 eyes on those logs and orchestration systems that would otherwise require a large amount of trained internal staff.
All of this is a journey. It will be different for every organization based on the complexity of the environment, the investments already made, the time/resources/staff available to implement, etc. There is not a linear path to completing this quest; you can start with what you have. It is very likely that you have tools and technologies in your environment that are not fully deployed or are not leveraging their full capability. Start there. Understand where you are today so that you can start building your map for the journey.