Zero Trust Starts with 100 Percent Mindset

There’s nothing new to say when it comes to zero trust security, at least in terms of tactics. Many of the most commonly deployed methods have been around for decades: the least privilege principle, need-to-know access, firewalls, and VPNs.

But if we’re talking about the concept of zero trust, its increased importance in recent years and why, and how, it should be deployed, then that’s an entirely different and incredibly timely conversation.

We are all spending more time online – working, socializing, staying informed and entertained, and using more interconnected devices and cloud technology than ever. This trend had been growing for years and was simply accelerated by the pandemic. At the same time, there’s a growing threat from cybersecurity attacks: Colonial Pipeline, SolarWinds, JBS Foods, and on and on. The short-term effects are unfortunate enough: rising prices, supply chain freezes, and sudden plunges in stock prices. Longer-term, these attacks can damage a brand’s reputation and lead to permanent customer mistrust.

It makes sense that cybersecurity is on everyone’s minds; ransomware attacks make news headlines almost daily. People are aware that cyber threats exist and are continually increasing. Most governments have treated cybersecurity as a matter of national security for some time now; the President of the United States, Joe Biden, signed an executive order in 2021 that prominently featured zero trust as one of its pillars. The research and analyst firm Gartner predicts that by 2025, 45% of organizations worldwide will have experienced attacks on their software supply chains, triple the number in 2021. And by 2024, 30% of enterprises will adopt some form of security and risk management policies, including Zero Trust Network Access (ZTNA).

More and more people and companies operate under the assumption that they’ll have to deal with a security breach. Everyone knows they need to do something about boosting their ability to prevent attacks in the first place, but they often don’t know where or how to start.

The difference between a traditional security approach and a zero-trust security approach

The best starting point is understanding the term and getting past the confusion and mystery. Zero trust means you don’t trust anyone or anything by default.

  • Traditional security is perimeter-based. Think of a castle: you can make the walls thicker or higher, even add a drawbridge or a moat. But no matter how strong these additional levels of perimeter security are, the people inside the kingdom are still free to roam and interact with anyone. If someone opens the door and lets in a malicious person, the damage is done.
  • Zero trust is, at its core, the removal of implicit trust from network communications. Every transaction, every identity, every activity taking place on your network is verified rather than trusted by default.

If you look at many of the recent major attacks, they involved products from trusted vendors that contained malware and were routinely deployed in these environments without the organization knowing.

Or, to continue the metaphor of the castle, the drawbridge was lowered to let them in.

With zero trust, there is no implicit trust relationship between your network, your people, and the devices they use. The attack surface shrinks significantly, and so does the damage attackers can cause.

Your zero-trust architecture must align with your business and patterns of user behavior

There are challenges to implementing an effective zero trust architecture beyond simply understanding what it actually means.

The architecture approach should vary by organization and the type of business it conducts. To give an example related to user behavior: if you’re a manufacturer with multiple sites, then it would be normal to observe users jumping from one site to another and logging in from different locations.

However, if you’re a small company with all remote employees and travel is not typical, then the above scenario would definitely be flagged as atypical. That’s why you need to identify and create different risk profiles that fit your business – and then design your architecture accordingly.
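As an added illustration (not from the original article), the following Python sketch judges the same sequence of logins under two constructed risk profiles, the multi-site manufacturer and the small all-remote firm described above; the profile fields, event format and sample logins are assumptions made for the example.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass(frozen=True)
class LoginEvent:
    user: str
    location: str
    when: datetime

@dataclass
class RiskProfile:
    """Business context that defines what 'normal' movement between locations looks like."""
    name: str
    known_sites: frozenset[str]                 # locations the business operates from
    travel_is_typical: bool                     # do staff routinely move between sites?
    home_location: dict[str, str] = field(default_factory=dict)  # user -> usual location

def assess(events: list[LoginEvent], profile: RiskProfile) -> list[tuple[str, str, str, str]]:
    """Return (user, location, verdict, reason) per login in time order.
    'step-up' means the session is not implicitly trusted and strong reauthentication is required."""
    verdicts = []
    for ev in sorted(events, key=lambda e: e.when):
        if ev.location not in profile.known_sites:
            verdicts.append((ev.user, ev.location, "step-up", "location unknown to the business"))
        elif profile.travel_is_typical:
            verdicts.append((ev.user, ev.location, "allow", "moving between sites is normal here"))
        elif profile.home_location.get(ev.user) == ev.location:
            verdicts.append((ev.user, ev.location, "allow", "user's registered location"))
        else:
            verdicts.append((ev.user, ev.location, "step-up", "travel is atypical for this business"))
    return verdicts

# Constructed sample data: one user seen in two cities, then from an unrecognised place.
T0 = datetime(2023, 5, 2, 8, 0)
SAMPLE_LOGINS = [
    LoginEvent("alice", "Lyon", T0),
    LoginEvent("alice", "Basel", T0 + timedelta(hours=3)),
    LoginEvent("alice", "Dubai", T0 + timedelta(hours=9)),
]
# Profile 1: plants in Lyon and Basel, staff travel between them all the time.
MANUFACTURER = RiskProfile("multi-site manufacturer", frozenset({"Lyon", "Basel"}), True)
# Profile 2: all-remote firm; Lyon and Basel are two employees' home cities, alice is in Lyon.
REMOTE_ONLY = RiskProfile("small remote-only firm", frozenset({"Lyon", "Basel"}), False, {"alice": "Lyon"})

if __name__ == "__main__":
    for profile in (MANUFACTURER, REMOTE_ONLY):
        print(profile.name)
        for user, loc, verdict, reason in assess(SAMPLE_LOGINS, profile):
            print(f"  {user:6} {loc:6} -> {verdict:8} ({reason})")
```

The second login is identical in both runs; only the business context decides whether it is routine or a signal worth a step-up challenge.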

Prioritize and then start small, implementing zero trust principles in one area as a test to see if it works in production. But don’t just stay in development mode forever. Always look for new ways to improve and enforce those principles. If you achieve success in one area of the business, then make sure the rest of the organization is aware and sees the value of how it contributes to managing risks.

Successful zero trust deployments are built on a sound understanding of user behavior, business processes, and business context

Many people are change-averse by nature, and zero trust is a big change to natural human impulses. Since you have to make explicit what is allowed and define what “normal” behavior is, you have to think more deeply about the design of your business processes.

Without factoring in business context, it’s impossible to successfully create, design or implement zero trust principles.

In fact, you run a greater risk of disrupting your processes further because you’ve made the wrong assumptions in your design.

There are many stories of successful zero trust roll-outs, and just as many cases of less-than-perfect deployments.

The most important thing to remember is that zero trust is not about checking a box. You may think you’re successful because you’ve implemented multi-factor authentication, but if completing the second factor is so easy that users never have to think about the action they are approving, then all you’ve done is defeat your own purpose.

However, having appropriate visibility into network activity, or enforcing additional steps such as strong user reauthentication, will demonstrate the value of a zero trust implementation in drastically reducing both the incidence and the impact of attacks.

Cybersecurity is high on companies’ priority lists for good reasons.

An effective zero-trust strategy, developed to complement other business processes, can help “future-proof” every aspect of an enterprise and set you up for long-term success and growth.

Download Kudelski Security’s ModernCISO Guide to Zero Trust for Microsoft. This guide will take you through the essentials of building out Zero Trust within a Microsoft environment.

Vincent Waart is the lead for digital infrastructure and secure identities at Kudelski Security. Besides zero trust, his practice covers OT, Microsoft 365, AWS, Active Directory, and cloud security posture. https://kudelskisecurity.com/services/advisory/