Zero Trust: The Future or Wishful Thinking?

“Assume nothing. Verify everything.” You may have heard about the latest security posture making headlines: Zero Trust. Zero Trust takes the traditional concept of network security and turns it inside out. Currently, most security is focused at the network edge and ingress points. Once you are inside the network, the assumption is that you are supposed to be there, and security is much more relaxed. In the ZT model, the assumption is that you do not belong there, and there is no inherent trust in anything or anyone anywhere on the network. All access is verified as it is requested.

Guiding Principles of Zero-Trust

  • Verify explicitly – Always make security decisions using all available data points, including identity, location, device health, resource, data classification, and anomalies. In light of recent high-profile breaches, this principle has expanded to also include the software in your supply chain.
  • Use least privilege access – Limit access with just-in-time and just-enough-access (JIT/JEA) and risk-based adaptive policies. Zero Trust deployments apply least privilege access to infrastructure, ensuring compartmentalized access to systems that can add or modify permissions or policies.
  • Assume breach – Minimize blast radius with micro-segmentation, end-to-end encryption, continuous monitoring, and automated threat detection and response.
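As an added illustration of the three principles (example code written for this article, not code from the original post or from Open Professional Group), the Python below is a small policy decision point. It evaluates each access request against identity, device health, location, data classification and an anomaly score (verify explicitly), grants only the exact resource/action the caller is entitled to (least privilege), treats an anomalous session as a possible compromise and denies it (assume breach), and time-boxes every grant (JIT/JEA). All user names, resources, thresholds and sample requests are constructed assumptions.

```python
"""Toy Zero Trust policy decision point (added example; all rules are constructed)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class Request:
    user: str
    mfa_verified: bool      # identity signal: strong authentication completed
    device_managed: bool    # device health: enrolled and compliant endpoint
    device_patched: bool    # device health: OS/patch level acceptable
    country: str            # coarse location signal
    resource: str
    action: str             # "read" or "write"
    classification: str     # "public" | "internal" | "confidential"
    anomaly_score: float    # 0.0 (normal) .. 1.0 (highly anomalous), from monitoring


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str
    expires_at: Optional[datetime] = None   # JIT: every grant is time-boxed


# Constructed entitlement table: (resource, action) pairs each user may request.
# JEA: a user gets exactly the pairs listed, nothing broader.
ENTITLEMENTS = {
    "alice": {("payroll-db", "read"), ("payroll-db", "write")},
    "bob":   {("wiki", "read"), ("payroll-db", "read")},
}
ALLOWED_COUNTRIES = {"US", "CA"}                  # constructed location policy
GRANT_TTL = {"read": timedelta(hours=8), "write": timedelta(minutes=30)}
DENY_ANOMALY = 0.8      # constructed thresholds
STEP_UP_ANOMALY = 0.5


def evaluate(req: Request, now: datetime) -> Decision:
    """Verify every signal on every request; no implicit trust from network location."""
    # Verify explicitly: identity
    if not req.mfa_verified:
        return Decision(False, "identity not strongly verified (MFA required)")
    # Verify explicitly: device health
    if not req.device_managed:
        return Decision(False, "unmanaged device")
    if not req.device_patched and req.classification != "public":
        return Decision(False, "unpatched device may not access non-public data")
    # Verify explicitly: location
    if req.country not in ALLOWED_COUNTRIES:
        return Decision(False, f"location {req.country} not permitted")
    # Assume breach: a highly anomalous session is treated as compromised
    if req.anomaly_score >= DENY_ANOMALY:
        return Decision(False, "anomalous session, access denied")
    # Least privilege: the exact resource/action must be entitled
    if (req.resource, req.action) not in ENTITLEMENTS.get(req.user, set()):
        return Decision(False, "no entitlement for this resource/action")
    # Risk-based adaptive policy: confidential writes need a clean session
    if (req.classification == "confidential" and req.action == "write"
            and req.anomaly_score >= STEP_UP_ANOMALY):
        return Decision(False, "elevated risk: confidential write needs a clean session")
    # JIT: the grant is scoped to this action and expires on its own
    return Decision(True, "all signals verified", now + GRANT_TTL[req.action])


def is_active(decision: Decision, at: datetime) -> bool:
    """A grant is usable only while it is allowed and not yet expired."""
    return decision.allow and decision.expires_at is not None and at < decision.expires_at


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    sample = Request("alice", True, True, True, "US", "payroll-db", "write", "confidential", 0.1)
    d = evaluate(sample, now)
    print(d.allow, d.reason, d.expires_at)
```

Each branch maps to one of the principles in the list: the identity, device, location and anomaly checks are "verify explicitly", the entitlement lookup is "least privilege", the anomaly deny is "assume breach", and the expiring grant is the JIT/JEA piece. A real deployment would pull these signals from an identity provider, an endpoint management agent and a monitoring pipeline rather than from a request object, but the decision logic stays the same.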

It should be readily obvious that this approach creates a very tightly controlled network infrastructure that, by default, is far more difficult to compromise than a traditional edge-protected network. No longer can a single phishing email grant someone the keys to the castle. At best, they might get in the front door, but now that every door is locked, they must be successful over and over with their campaigns. This makes possible many scenarios that may previously have been out of the question, such as “work from anywhere” without requiring anything more specialized than an OTP authentication token.

What is often not obvious is what kills most ZT initiatives – upfront costs and continued maintenance effort. Properly implementing the ZT model can require a large amount of new equipment, some specifically built for ZT. If that alone does not scuttle the project, gathering the data required to verify user access requests at every intersection of every system in the network is often a monumental task, and then that data must be maintained. Many businesses find that they do not have the information required, and the process of creating a unified access control model for their entire organization is something they simply cannot afford. The final, and often most important, barrier is user acceptance. The ZT model requires users to constantly verify their authorization for a given system, which can easily become frustratingly tedious and repetitive.

Zero Trust doesn’t have to be scary. Even small steps taken in the direction of zero trust can have huge gains. Not only can these actions improve the security of your platform(s), they also often reduce friction for users compared with tools like a traditional VPN. As with most areas of change, choosing to begin is often the hardest part, but once you start, baby steps toward the goal can create a much more secure and protected future for you and your technology.

This article scratches the surface of what Zero-Trust is, its capabilities, and possible pitfalls.  Give the experts at Open Professional Group a call or talk to us and set up a personal evaluation of your organization’s needs today.   

~ Joe H.