It seems as if everyone is playing “buzzword bingo” when it comes to zero trust and its implementation, and it starts with government guidance. The White House’s comments in January on the Office of Management and Budget’s (OMB’s) Federal Zero Trust Strategy for all federal agencies and departments were both pragmatic and aspirational. Their observation, citing the Log4j vulnerability as an example, sums it up nicely: “The zero-trust strategy will enable agencies to more rapidly detect, isolate, and respond to these types of threats.”
For a zero-trust strategy to be successful, however, those implementing it must understand what it is and the basic principles it’s based on.
Is zero trust new?
In a one-on-one discussion on the topic of zero trust, at Black Hat, Trellix’s principal engineer and director of vulnerability research, Douglas McKee, noted how the reality is that “defense in depth” and “principle of least-privileged access” are the nuts and bolts behind the new buzzword, zero trust.
CISOs working with business operations must collaborate and coordinate access to needed information so that colleagues may be successful in their piece of the overall mission. What they don’t need is unencumbered and continuous access to information when it is not necessary. This requires continuous and dynamic monitoring of needs across the corporate ecosystem. When individuals change roles their needs will adjust, so should their permitted access. When individuals depart, their access must be terminated. Easily said, yet seemingly so difficult to accomplish for so many entities.
As Joe Payne CEO of Code42 has said, “Enable your personnel to do their job in a trusted manner with an umbrella surrounding them so that if they venture away from the processes and procedures—for example, load to web-based storage—they are corrected in the moment.”
Zero trust can’t exist without least-privileged access
Therein lays the rub. If CISOs aren’t exercising the doctrine of least-privileged access, then there is no venturing out of bounds, as the access is both permitted and authorized. As an old counterintelligence silverback, I must observe: Detecting information theft by an individual who stays within their swim lane is a heavy lift. By that I mean, the individual follows all the corporate processes and procedures, accessing only that to which they have natural access, they may harvest with near impunity.
Zero trust’s perception problem
Zero trust is more complex than a buzzword. Egress Vice President of Product Management Steve Malone observes, “Zero trust, unfortunately, has a bit of a perception problem: It is often mis-represented by vendors, which causes buyers to misunderstand it. The most important thing to understand about zero trust is that it is not a product! It’s not something you can buy from a single vendor. Zero trust is a security methodology, a framework of technologies and best practices that an organization needs to define and adopt across their IT environments over time. Think of it as healthy and ongoing paranoia!”
Malone is right. Healthy and ongoing paranoia keeps everyone on their toes and focused on how information is accessed, moved and stored. This manner of thinking needs to be embraced from the C-suite to the individual contributor, as the security implementation may be supported by the CISO and their team of infosec gurus, the rubber hits the road in operations and production.
Zero trust can’t be implemented with a single product
Malone continues, “Some organizations have a difficult time implementing a zero-trust strategy. The biggest mistake I see is security teams misunderstanding what a true ‘zero trust approach’ means. Some organizations believe that zero trust can be achieved using individual security solutions here and there to provide a ‘quick fix’ to the problem. However, zero trust is about more than deploying individual solutions.”
Malone concludes, “Don’t be fooled by the snazzy name. Zero trust is not just another buzzword nor a single product. It’s a critical security initiative.”
The importance of people, processes and technology can’t be over-emphasized. They are core to the principles of least-privileged access and the strategic implementation of defense in depth. While the universal, textbook implementation of zero trust simply doesn’t exist, the principles of zero trust do, and as trust is key to the success of the strategy of zero trust. Without trust, we are, as the navy would say, sunk.
Copyright © 2022 IDG Communications, Inc.
