Zero trust is a good cybersecurity platform, but experts suggest care to get it right and not disenfranchise users.
Thanks to the pandemic, the zero trust cybersecurity model has come into its own. However, like most things concerning cybersecurity, zero trust has a good side, a bad side and an ugly side. Before we get into that, there is a need to agree upon what zero trust means, as there are many different definitions floating around cyber space.
For many, Zeljka Zorz, managing editor at Help Net Security, has become the go-to source for information related to zero trust. In her article, Preventing insider threats, data loss and damage through zero trust, she quotes Bill Harrod, federal CTO at MobileIron: “In short, the zero trust model enforces that only the right people or resources have the right access to the right data and services, from the right device, under the right circumstances.”
In his TechRepublic article, 5 tips for implementing a zero trust model, Lance Whitney offers how-to information on setting up and enforcing zero trust.
SEE: Shadow IT policy (TechRepublic Premium)
Zorz, in a more recent Help Net Security article Zero Trust creator talks about implementation, misconceptions, strategy, talks to John Kindervag, senior VP of cybersecurity strategy at ON2IT, about zero trust, asking specifically what we’re doing right and what we’re doing wrong. If anyone should know, it is Kindervag–zero trust is his creation.
The good side of zero trust
To find support for zero trust, Kindervag tells Zorz we need look no further than the people at NSA, who arguably have some of the most secure environments in the world. They are convinced that zero trust is the way to go, and say so in their paper Embracing a Zero Trust Security Model.
“Because zero trust is focusing on what is being protected, it stops traffic that doesn’t fall within the granular Kipling Method policy statements,” explained Kindervag. “This means that outbound traffic to a [command-and-control] node, which is how both ransomware and data exfiltration (the actual breach) work, will be stopped automatically.”
Kindervag champions the Kipling Method as a reason why zero trust implementations succeed. “For years, I have used the Kipling Method to help companies define policy and build zero trust networks,” wrote Kindervag in his Palo Alto Networks blog post All Layers Are Not Created Equal. “It ensures that security teams are thorough in their definitions and that anyone, including non-technical business executives, can understand cybersecurity policies due to the simplicity of the approach.”
The bad side of zero trust
The bad side of zero trust concerns the misunderstandings that are currently being propagated. “Among the misconceptions Kindervag is eager to dispel is that zero trust makes a system ‘trusted,’ and that it is just about identity and multi-factor authentication (MFA),” mentioned Zorz. “Zero trust eliminates trust from digital systems, because trust is a vulnerability that can be exploited.”
If Zero Trust was equal to MFA (as many vendors claim), then neither the Snowden nor Manning breaches would have been able to happen,” explained Kindervag. “They had very robust MFA and identity solutions, but no one looked at their packets post-authentication.”
Something else that Kindervag finds disconcerting is that vendors are redefining the meaning of zero trust so that it coincides with what their products are capable of doing. According to Kindervag, there are no “zero trust products.” He told Zorz, “There are products that work well in zero trust environments, but if a vendor comes in to sell you their ‘zero trust’ product, that’s a pretty good indication that they don’t understand the concept.”
Kindervag added, “If you’re looking to hire a managed services provider to help you with the implementation, ask how they define zero trust: ‘Is it a product or a strategy?’ Then make sure the first question they ask you is ‘What are you trying to protect?'”
The ugly side of zero trust
Right from the start, the name zero trust has unwelcome implications. On the surface, it appears that management does not trust employees or that everything done on the network is suspect until proven innocent. “While this line of thinking can be productive when discussing the security architecture of devices and other digital equipment, security teams need to be careful that it doesn’t spill over to informing their policy around an employer’s most valuable asset, its people,” mentioned Jason Meller, CEO and founder at Kolide.
“Users who feel their privacy is in jeopardy, or who do not have the energy to continually justify why they need access to resources, will ultimately switch to using their own personal devices and services, creating a new and more dangerous problem—shadow IT,” continued Meller. “Frustratingly, the ill-effects of not trusting users often forces them to become untrustworthy, which then in turn encourages IT and security practitioners to advocate for more aggressive zero trust-based policies.”
In the interview, Meller suggested the first thing organizations looking to implement zero trust should do is form a working group with representatives from human resources, privacy experts and end users themselves. He added, “This group should consider what the rules of engagement are for IT and security teams interacting with devices that might contain personal data, and ensure those rules are well communicated to both the security team and the employees.”
In conclusion, Kindervag addressed the concern that zero trust is only for mega corporations. “It can be implemented by both the world’s largest and the world’s smallest organizations,” he explained, “and can help protect against today’s most dreaded cyber-scourges: ransomware attacks and data breaches.”