
Without a doubt, zero trust is “the most misused and misunderstood term in security today,” said Heath Mullins, senior analyst at Forrester.

Depending on who you ask, zero trust is an architecture, a strategy, a goal — or probably, all of the above. The concept of zero trust gained momentum at Google following the 2009 “Aurora” attacks, attributed to Chinese government hackers, which included stealing the company’s source code. As a security term, “zero trust” was popularized beginning in 2010 by John Kindervag, then a Forrester analyst.

However you prefer to define zero trust, there is enormous potential for organizations to improve their security by adopting the principles associated with it, such as tighter control over access to corporate resources and ensuring that users are not allowed to do more than their role requires, experts say.

But with all the hype and hijacking of the idea, information security practitioners are pretty exhausted by the term at this point, said Matthew Prince, co-founder and CEO of Cloudflare, which counts zero-trust security technologies as one of its main focus areas.

“Literally every vendor is saying, ‘We don’t trust you,'” Prince told Protocol. “The risk is that if everything is zero trust, then maybe nothing is.”

For Mullins, one of the most common questions he receives is from a customer who has just deployed a new cybersecurity tool and wonders, “Am I zero trust now?”

The answer, overwhelmingly, is no.


This is because zero trust is not something you can buy in one package. There are many tools that can help an organization embrace the concept, including identity security, access management, and network segmentation, but no single product can provide it all.

“There’s no one there doing everything,” Mullins said. “The first company to get there is going to clean up.”

A recent Cloud Security Alliance survey found that the majority of organizations, 80%, now consider zero trust security a priority. Almost as many, 77%, planned to increase their zero-trust spending over the next year, according to the survey.

Trust no one

What zero trust actually means remains a common question. But perhaps an equally instructive question at this stage of the game is: what doesn’t it mean?

Alex Weinert, vice president and director of identity security at Microsoft, has a favorite quote about zero trust, he said during a recent online panel hosted by Protocol. Weinert once asked an information security manager to define zero trust, and the response he received was, “It means whatever the person on the other side of the table is trying to sell.”

Less casually, zero trust can be seen as an organizing principle for stopping modern cyberattacks. Attackers today tend to follow a certain trajectory: after gaining initial access to an environment, they move across the network, take control of additional accounts, and elevate their account privileges to allow them to take additional, more damaging actions.

Although the result may be the deployment of ransomware or the theft of valuable data, the attacker must navigate computing environments before they can actually reach that point. It is during these attack phases that an organization has the opportunity to shut things down and reduce the damage caused by a breach. The promise of zero trust is that an attacker who steals a password or manages to defeat multi-factor authentication will not necessarily succeed in achieving their end goals.

There are different ways to achieve this, such as examining device data or a user’s behavior before deciding whether to grant access to a sensitive resource, or dividing a computing environment into sub-segments that can each have their own policies.

But the unifying idea is that “trust” must be eliminated from the equation, especially “implicit” trust, according to Weinert. In other words, users should not be automatically granted access to applications and data just because they were able to authenticate and gain access to the network.


Instead, in order to allow access to a sensitive resource, “we explicitly verify aspects of that request,” Weinert said.
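As an added illustration of that difference (example code written for this page, not from any of the vendors or speakers quoted), the following contrasts a perimeter-style decision with a zero-trust decision for the same requests. The request fields, the corporate IP range, the risk threshold and the scenarios are all constructed assumptions.

```python
"""Perimeter model vs. zero-trust policy decision (illustrative, constructed)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

CORP_NET = ip_network("10.0.0.0/8")  # constructed "inside the firewall" range


@dataclass
class Request:
    user: str
    resource: str
    sensitivity: str      # "low" or "high" (assumed classification)
    src_ip: str
    authenticated: bool
    mfa: bool
    device_managed: bool  # assumed posture signal: enrolled, patched, healthy
    risk_score: int       # assumed behavioural/location risk, 0-100


def perimeter_allows(req: Request) -> bool:
    # Legacy model: being on the corporate network is implicit trust.
    return ip_address(req.src_ip) in CORP_NET


def zero_trust_allows(req: Request) -> tuple[bool, str]:
    # Every request is verified explicitly; network location is not a factor.
    if not req.authenticated:
        return False, "not authenticated"
    if not req.mfa:
        return False, "mfa required"
    if req.sensitivity == "high":
        if not req.device_managed:
            return False, "unmanaged device for sensitive resource"
        if req.risk_score > 30:  # threshold is an assumption
            return False, f"risk score {req.risk_score} above threshold"
    return True, "verified"


# Constructed scenarios: a stolen password used from inside the network,
# the same attacker after defeating MFA, and a legitimate remote worker.
STOLEN_CREDS = Request("alice", "payroll-db", "high", "10.20.30.40",
                       authenticated=True, mfa=False, device_managed=False, risk_score=85)
MFA_DEFEATED = Request("alice", "payroll-db", "high", "10.20.30.40",
                       authenticated=True, mfa=True, device_managed=False, risk_score=85)
LEGIT_REMOTE = Request("alice", "payroll-db", "high", "203.0.113.9",
                       authenticated=True, mfa=True, device_managed=True, risk_score=5)

if __name__ == "__main__":
    for name, r in [("stolen creds", STOLEN_CREDS), ("mfa defeated", MFA_DEFEATED),
                    ("legit remote", LEGIT_REMOTE)]:
        print(f"{name}: perimeter={perimeter_allows(r)} zero_trust={zero_trust_allows(r)}")
```

The perimeter rule admits both attacker scenarios and turns away the legitimate remote worker, while the explicit checks do the reverse.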

While Google’s “BeyondCorp” initiative in the wake of the Aurora attacks is credited with paving the way for zero trust, there have been many attempts since then to simplify the concept for businesses that don’t have the same resources or complexity as Google, but still have valid cybersecurity concerns and a budget.

Implementing a zero-trust architecture has become a top priority in the face of increased cyberattacks as well as the shift to working from home, which has moved countless workers outside the safety of the company firewall. This led to the need for a more secure approach than the virtual private network, or VPN, which is supposed to be a “secure tunnel” between a client device and a protected corporate network, but which has actually proven to be very vulnerable. For example, the 2021 ransomware attack on Colonial Pipeline, which led to gas shortages in the southeastern United States, stemmed from a compromised VPN password.

“More confusion than clarity”

Certain categories of security products are overtly associated with zero trust, such as Zero Trust Network Access, which is a VPN replacement built around zero trust principles. For example, zero trust network access tools can use additional data sources to verify a user beyond their credentials, such as their location or device security posture.

But deploying this particular technology alone does not achieve zero trust. And given that zero trust incorporates a variety of different technologies, this has led to a number of cybersecurity vendors taking some liberties with the term.

At the RSA security conference in June, for example, “every vendor at the show had zero trust in their marketing to some degree,” Forrester’s Mullins said. “It created more confusion than clarity.”

This brings us to the second question: what isn’t zero trust?

For starters, “It’s not all the security controls in your environment,” said Andrew Rubin, co-founder and CEO of zero trust segmentation provider Illumio, at Protocol’s recent panel.

In particular, traditional firewalls meant to support the corporate “perimeter” are clearly not capable of helping with zero trust.

That hasn’t stopped vendors that offer network firewalls and traditional VPNs, who are “all trying to pretend they’re zero-trust,” said Jay Chaudhry, founder and CEO of Zscaler, a leading provider of zero-trust network access, in an interview with Protocol in June.

“Zero trust was created to overcome the architecture of the network,” Chaudhry said. “Firewalls and VPNs, versus zero trust, are fundamentally opposites.”


Zero trust is a “complete paradigm shift,” according to Cloudflare’s Prince, and “there’s a natural tendency to try to make everything old fit into the new paradigm.”

“Anytime you talk about a perimeter, you’re probably not in a zero-trust model for how this new paradigm works,” he said.

Fundamentally, the traditional approach to network security has been to define the local network as trusted, rather than to impose limits on what users are supposed to do, Prince noted.

“And so when I hear traditional firewall vendors say, ‘We do zero trust,’ I’m like, ‘That just doesn’t make sense,'” he said.

Who can you trust?

Kapil Raina, VP of Zero Trust Marketing at CrowdStrike, has a rule of thumb for determining whether a product has anything to do with Zero Trust or not: check it with the National Institute of Standards and Technology.

According to NIST’s 2020 Zero Trust Architecture publication, the core of zero trust is secure access — making sure the right people have it and the wrong people don’t. “The goal [is] to prevent unauthorized access to data and services, while making the application of access control as granular as possible,” the authors of the publication wrote.

If a security product matches something in this document, then it has a valid claim to help achieve zero trust, Raina said. Although he works for a major security vendor, his best advice is to trust NIST, not industry.

“Don’t listen to a salesman when he talks about [the definition of] zero trust,” he said. “It’s going to be biased.”

Anyone who claims to be able to deliver zero trust quickly or easily should also be treated with suspicion, according to Mullins. Most organizations are still in the early stages of establishing a zero-trust security posture because it takes time, he said.

“You’re not going to do it in a year,” Mullins said. “If you can do zero trust in a year, please call me and tell me how you did it.”
