How Can CISOs Easily Adopt Zero-Trust Security?
CISOs might not think that the Zero-Trust security is the fundamental model to secure their environment. Although, during these uncertain times, it is the imperative.
At first glance, the fundamentals of zero trust security would not seem pretty useful for its adoption. Architecture. Principles. Benefits. Transformation. What use could these basic insights have for Chief Information Security Officers (CISOs) to easily adopt Zero-Trust security?
Quite a bit, as it turns out.
6 months ago, just when the COVID-19 pandemic started testing business continuity and resiliency plans, a Singaporean cooperative bank and integrator of online transaction channels, decided to implement the Zero-Trust security model. By taking a deeper look at the fundamentals, especially during the short amount of time, the CIO and the CTO together, easily moved beyond a castle-and-moat model to adopt zero trust security across the enterprise.
So far:
- Relationship managers and financial advisors working remotely can securely access real-time data
- The bank reduced the risk of breaches by 100% using identity and authentication processes
- The CTO scaled up digital transformation initiatives for unique customer requirements during the pandemic
- The bank achieved 50% reduction in organizational friction through better data classification and enhanced compliance audits
Learning from the bank’s experience, traditionally employed security models can be replaced with Zero-Trust security with the help of a few specific fundamentals.
The fortress security model is outdated
Traditionally, our networks were designed taking into consideration a model of a medieval fortress. As per the fortress model, everything outside the boundary walls was deemed as a threat to the security of the fortress. Any entity desiring entry inside the fortress was required to get an authentication of its identity, which was the responsibility of the guards stationed at the fortress gates. Once the entity receives the authorization to enter the fortress, there was minimal security in place to check the activities performed by the entity and there was an inherent trust bestowed by the fortress security personnel on all the entities which are inside the fortress.
Amid the chronic turbulence propelled by the need for digital transformation during the pandemic, businesses must decide today if the fortress security model is secure enough. The approach does not do much for compromised identities or insider threats. In many ways, the fortress security model allows overuse of administrative privileges dedicated to IT that repeatedly frame ambiguous and inconsistent access rights to users with little or no governance.
As digital transformation accelerates, in many ways and forms, CISOs must shore up their defenses to protect business critical information systems. But with threats on all sides, which is the defined perimeter for protection, and how do CISOs keep redefining the perimeter with constant digitization?
In fact, the new perimeter is no perimeter
Now, the question arises, what is wrong with perimeter/fortress model of network design?
The answer to this question lies in the ever-changing business environment. The workforce is now globally empowered with many employees working from home. Network access is not just restricted to the employees. For the proper functioning of the business mechanics in action, even vendors and/or clients need constant connectivity with the organization’s network from their desired work locations.
In summary, the workforce has never been more diverse – with partners, customers, vendors and freelancers connecting more and more to the corporate network. To complicate matters even more, cybercriminals have never been more successful at penetrating and moving laterally within the security perimeter. Once inside, they collect valuable and sensitive data and can do so for months before being detected.
The Zero-Trust Security Architecture
At the core, Zero Trust isn’t a product or solution. It’s a concept that CISOs can practice on an enterprise-wide scale, and the fundamentals really matter.
Zero-Trust Security Architecture is one which constitutes an identity-aware and data-centric network design approach which is specially crafted to meet the challenges of our new perimeter-everywhere world.
Unlike perimeter or fortress model, Zero Trust emphasizes on an architecture which is driven by the principle of never trusting anything or anyone inside or outside the organization’s security parameter. And hence, in the Zero Trust model, the IT or Security team of the organization will put policies in place to validate every connection attempted by any device to intelligently limit access.
The principle behind a Zero-Trust Security architecture is guided by the following controls:
- Deny by default
- Allow only if authenticated and on a ‘need to know’ basis
- Continue to monitor for anomalies
- Remove human interventions
The 7 Principles of Zero-Trust Security Architecture
1. Zero Trust People – Re-evaluate every user’s connections attempts, strict authentication of identities, grant access after the entire context of connection is inspected
2. Zero Trust Network – Identify and classify critical data and assets, map both north-south and east-west traffic, group assets with similar functionality and sensitivity, deploy segmentation and define least privilege policy for each
3. Zero Trust Data – Deploy data encryption and data loss prevention for all data at rest, in transit or being processed
4. Zero Trust Devices – Identify and segment IoT/OT devices, protect workstations and mobile devices, quick blocking of infected or vulnerable devices
5. Zero Trust Workloads – Identify critical cloud assets/applications, recognize all workloads associated with these assets, define segmentation ad least privilege
6. Automation & Orchestration – Reduce security admin’s workload, convert repetitive tasks into automated workflows, automate incidence detection and remediating, deploy a SIEM solution to provide log management and threat intelligence
7. Visibility and Analytics – Establish centralized security management, ensure proper logging of every activity, deploy a threat intelligence service, leverage big data analytics tools of threat intelligence
Benefits of Zero-Trust Security Architecture
Following are the major benefits which can be attained by embarking on a Zero-Trust security architecture journey:
- Significantly enhanced network visibility and added functionality of quick detection of breaches
- Reduced risk of lateral movement of threat e.g. malware, with enhanced monitoring of east-west traffic
- Stop exfiltration of sensitive data with considerably improved security positioning
- Enable digital transformation for the organization even for the one which shies away from the same due to legacy infrastructure
- Reduce scope and hence cost of compliance and regulation maintenance initiatives
- Long term reduction in capital expenditure and operational expenditure on security
A Zero-Trust Transformation Journey
It is very important to understand that deploying Zero-Trust security architecture is not a one-stop solution which can be adopted by procuring a few gadgets and tools directly from security vendors. Also, it should be noted that Zero Trust is not a destination, but a continuous journey with many small and large steps involved.
Following are the most common steps in the journey of Zero-Trust security transformation:
1. Developing foundational capabilities
The first step in the journey is to develop the foundational capabilities which include the following activities among many others:
- Creation of asset inventory and developing the capability for effective management of assets including applications, data, devices, etc.
- Developing capability for continuous data identification and classification
- Improving identity and access management postures by following industry best practices including 2FA or MFA, Central Identity Credential Access Management (ICAM) etc.
- Fine-grained segmentation of users, devices and data
- Creation of user groups and access policies which are based on access needs, job roles, etc.
2. Developing Application Capabilities
Once an organization has created an inventory of assets and data, the next step is to start investing in application capabilities including:
- Creating and managing the integration between applications and Central Identity Credential Access Management (ICAM)
- Defining RBAC (Role-Based Access Control) and User Group permissions at both the data layer and application layer
- Investing in robust central access management and logging solution
- Following DevSecOps and continuously updating development standard and architecture
- Developing a plan to migrate legacy applications
3. Developing Security Capabilities
Once the organization has developed secure application development and maintenance capability, the next step is to invest resources in security capabilities, including:
- Developing data architecture and schemas to enhance visibility and security
- Network layer
- Application layer
- Device or endpoint layer
- Identity logging and authorization, etc.
- Security Incidence and Event Monitoring for better logging and threat intelligence
4. Training and Support
The final step of Zero Trust Journey is to maintain the architecture created, which include investing in training and support capabilities to strengthen the human element of zero trust including:
- Classifying critical users and defining role-based continuous training program for each role defined
- Continuous performance tracking of all users and deploying remediation steps if required
Transitioning from traditional security architecture to Zero-Trust Security Architecture is not a simple task for an organization of any size. It will require significant investment in people, process, technology, and will challenge the leadership in many ways.
To build a resilient enterprise against the ongoing data breach onslaught, CISOs and other executives must start laying out a vision to adopt Zero-Trust security. And the fundamentals posed in this article are the natural starting point.