President of Trustsec Inc., Vanguard Cloud Services, and the Cloud Security Alliance Canada
Zero Trust just kind of rolls off the tongue, doesn’t it? The industry is abuzz about implementing a Zero Trust Model within industry as a whole. But what is ZT all about?
Earlier this year, the Biden administration issued a strategic directive requiring a “never trust, always verify” approach, based on the current cybersecurity threat landscape facing U.S. government IT infrastructure. Speaking from a Canadian perspective, while there is no enforceable policy position from the Canadian Government, what happens in the U.S. government cybersphere typically ends up happening here.
What’s the Zero Trust Model?
Well, a good indication is the U.S. government policy, which describes an approach of never trust, always verify. Zero Trust is an evolving set of cybersecurity concepts focusing on users, applications, endpoints, the network, and audit logging to ensure continuous and explicit authenticated access to organizational resources. There’s no implicit trust granted to assets or user accounts based solely on their physical or network location (local area networks versus the internet) or based on asset ownership.
Several key principles need to be front and centre for an effective Zero Trust Architecture:
- The network is always assumed to be hostile
- External and internal threats always exist on the network
- Policies must be dynamic and calculated from as many sources as possible
The core tenet of the Zero Trust Model is that no user/role, system, network, or service operating inside or outside the security perimeter is trusted. As implied here, the identity is essentially the new perimeter, and consequently, best practices concerning protecting the identity — privileged or otherwise — are paramount in Zero Trust.
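To make the contrast concrete, here is an added example (not from the original article) that sets a perimeter-style check, which trusts network location alone, beside a decision computed from identity, endpoint, and session signals, with every decision audit-logged. The field names, the address range, and the thresholds are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

CORP_LAN = ip_network("10.0.0.0/8")  # constructed example range for the "inside"
# Hypothetical limits: maximum seconds since last explicit authentication,
# keyed by resource sensitivity (1 = low, 3 = high).
MAX_AUTH_AGE_S = {1: 8 * 3600, 2: 3600, 3: 900}
STALE = "authentication too old for this resource"

@dataclass(frozen=True)
class AccessRequest:
    user: str
    source_ip: str
    mfa_verified: bool       # identity signal
    device_compliant: bool   # endpoint signal (managed, patched, encrypted)
    auth_age_s: int          # session signal
    sensitivity: int         # resource signal
    corp_owned: bool = False # asset ownership: recorded, never a grant

def perimeter_decision(req):
    """Legacy model: implicit trust based solely on network location."""
    return "allow" if ip_address(req.source_ip) in CORP_LAN else "deny"

def zero_trust_decision(req, audit_log):
    """Verify every request explicitly; location and ownership grant nothing."""
    reasons = []
    if not req.mfa_verified:
        reasons.append("identity not strongly verified")
    if not req.device_compliant:
        reasons.append("endpoint fails posture check")
    if req.auth_age_s > MAX_AUTH_AGE_S[req.sensitivity]:
        reasons.append(STALE)
    if not reasons:
        decision = "allow"
    elif reasons == [STALE]:
        decision = "step_up"  # ask for re-authentication instead of a flat deny
    else:
        decision = "deny"
    audit_log.append((req.user, req.source_ip, decision, tuple(reasons)))
    return decision

if __name__ == "__main__":
    log = []
    # Constructed requests: an unverified session on the LAN, a verified remote user.
    on_lan = AccessRequest("alice", "10.1.2.3", False, False, 60, 3, corp_owned=True)
    remote = AccessRequest("bob", "203.0.113.7", True, True, 60, 3)
    for r in (on_lan, remote):
        print(r.user, perimeter_decision(r), zero_trust_decision(r, log))
```

The two constructed requests get opposite answers from the two models: the unverified session on the internal network is allowed by the perimeter check and denied by the Zero Trust check, while the verified remote user is the reverse.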
Now, after all that good stuff about the benefits and protections provided by Zero Trust, unless we talk about a truly greenfield environment, it’s likely not achievable. The more realistic outcome is less trust. It’s extremely challenging for a CIO to balance the user experience with an effective organizational security posture. Cost, performance, security awareness, threat management, and audit log analysis all present challenges to establishing a true Zero Trust Model. However, if organizations make a plan for how they intend to improve their security, such as by reducing implicit trust in a couple of the areas previously mentioned (applications, users, network, endpoints, and logs), these steps may thwart a majority of the common exploits and tactics that bad actors tend to employ.
Matt is currently President of Trustsec Inc., Vanguard Cloud Services and the Cloud Security Alliance Canada.