Zero trust was already a buzzword in security circles before the coronavirus spread across the globe, but the pandemic is stoking more interest in this identity-based approach to security.
Before the COVID-19 pandemic, interest in zero trust was being driven by a need to modernize how the information security stack works. There was a realization that the traditional perimeter-centric security model is not compatible with the way businesses are working today, said Sami Laine, director of technology strategy at Okta, a cloud security company.
“So much data is being processed in applications and systems outside the traditional perimeter, and many more employees and partners who need access to that data are also outside the perimeter.”
The pandemic forced the hand of organizations looking at zero trust because so many employees shifted to remote work that the organizations’ networks were no longer a source of trust, Laine added.
COVID-19 has absolutely accelerated interest in zero trust and how to get started, said Reiner Kappenberger, director of product management for data security at Micro Focus. Before COVID-19, security was about being in the office and in a controlled environment. “That’s completely gone” with the pandemic, he said.
“Now that people are working at home there are different threats in that environment. So zero trust is even more critical in today’s world, where people are removed from the office and may be so for some time to come.”
Here’s what you need to know about the state of zero-trust security.
VPNs no longer ‘good enough’
Organizations are increasingly being driven to zero trust by the stress the pandemic is putting on their infrastructure, particularly on virtual private networks, said Dave Larson, general manager of the security solutions business at telecommunications company Spirent Communications.
“COVID is an inflection point. It switched the way people worked and was unanticipated, placing stress on systems,” he said. “Some organizations were able to handle it. Some were not.”
Prior to the pandemic, VPNs were “good enough” to satisfy most companies’ work-at-home demands, which were occasional and as-needed, said Chad Carter, vice president of sales at the Wallix Group, a cybersecurity software solutions provider.
“With employees now connecting en masse, they’re effectively creating a hacker’s playground, with new, vulnerable endpoints and access points being exposed.”
“No one is moving from VPN to zero trust overnight,” Larson said. But after looking at the cost of keeping legacy systems up and running under the new model and the unanticipated costs of scaling VPNs, “a lot of people are trying to find a better way to solve their problems.”
Experts agree that an effective zero-trust implementation takes time, commitment, and cultural change. “It’s a significant change that could be a multiyear effort that can take a lot of focus, a lot of commitment, and the necessary budget to enforce and support the transformational effort,” said Andrew Rafla, cyber-risk leader at consultancy Deloitte.
“There is no quick fix,” said Nick Nikols, vice president for strategy at Micro Focus. You can’t buy a one-point solution and consider it done. “You have to look at your environment, decide where your highest risks are, create a plan to address those risks with controls, implement those controls, and then monitor what’s going on to see if what you did was effective and to prepare for the next step,” he said.
“Everyone would like to have an easy button, but that mentality creates more problems than it solves.”
Adoption is growing
While the pandemic is boosting business interest in zero trust, that interest was already growing before face masks became de rigueur attire. North American organizations that said they have or plan to have a zero-trust initiative on their books in the next 12 to 18 months rose by 275% year-over-year, according to a report from Okta based on data gathered before the global spread of the coronavirus.
North America leads the world in zero-trust interest, Okta said, with 60% of organizations saying they’re embarking on zero-trust initiatives, trailed by Australia and New Zealand at 50%, and Europe and the Middle East at 18%.
The report also noted that industries that commonly store large amounts of sensitive data—finance, healthcare, and manufacturing—prioritize zero trust more than do other industries. Professional services firms, on the other hand, are less likely to recognize their risk levels, with less than 40% saying they have zero-trust initiatives.
In addition to the pandemic, a number of trends are driving zero-trust adoption. Here are four of them.
1. How data is accessed and where it resides
Data in the modern enterprise can reside and be accessed from anywhere. Security approaches based on data and users camped behind a firewall can’t meet the needs of today’s organizations.
According to Kevin Curran, a senior member of the IEEE and a professor of cybersecurity at Ulster University in Northern Ireland, enterprises tend to no longer host data in-house. Enterprises now use a variety of platforms and services, which reside both on and off premises and “have a host of employees and partners accessing applications via a range of devices in diverse geographical locations,” he said.
Traditional security models tend to make the assumption that all elements “inside” a particular network can be trusted, he continued. Zero-trust security models, however, operate within the framework that no network user—internal or external—can be trusted by default, he said.
With zero trust, user access is conditioned based on their identity, credentials, authenticators, location, and device.
“Those become the new security perimeter, as opposed to, ‘Are you on my network or not?’ ‘Do you know a password or not?’ or ‘Do you have a token code or not?’ You’re going from this binary yes-no to a much more nuanced, risk-based assessment.”
Zero trust allows an organization to contextualize both users and assets trying to connect to an application or database, added Deloitte’s Rafla. “That context is not only needed now for remote workers,” but also because complex IT environments can now support unmanaged devices, such as those on the Internet of Things, he explained.
Zero trust can also address the agile needs of a modern organization. Zero trust allows “a far more flexible and agile way of working and accessing corporate resources for users,” said Richard Archdeacon, advisory CISO at Duo Security, an access security provider owned by Cisco.
It allows organizations “to become more agile as they move to the cloud and change their IT backbone,” he said.
2. Device health and access control go hand in hand
As organizations move to zero trust and identity becomes more important to a security scheme, so does device health.
Typically, the network was used to establish the context for access to resources. If the device or user was on the network, access was granted. Now the device is becoming the top factor, Okta’s Laine said.
“I have to understand your identity,” he said. “Have I seen you before? Have I seen your device before? Those are much more predictive of a risk than whether you’re on my network or not.”
Device health allows an organization to be more certain about the state of its endpoint devices. “It’s no use authenticating users if they’re on a compromised device or a device that’s vulnerable. When you authenticate a user, you give them a level of trust. Part of that decision has to be based on the health of the device of that user.”
Tamer Baker, global principal systems engineer for ForeScout Technologies, a device visibility and control provider, said zero trust of all devices was the way forward.
“Gone are the days where we can trust a user or machine. Just because an employee is using a corporate-issued laptop does not mean they should have access to my critical infrastructure.”
That becomes even more important during a pandemic. Employee devices might be picking up malware on home networks or falling out of patch and configuration compliance now that they have not been inside an office for months, said Jordan Blake, vice president of product management for BehavioSec, a behavioral-biometrics-as-a-service company.
“Just because a laptop is part of a legitimate, inventoried device fleet, you should not grant it unquestioned access to the network,” he said. There could be malicious programs installed on the machine capturing keystrokes and attempting to introduce ransomware or hijacking a login session.
“Organizations need the ability to spot red flags in both configuration and behavior as devices come and go.”
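To make concrete the move from the binary "on my network? know a password?" check to the nuanced, risk-based assessment Curran describes in section 1, and the device-health input Laine and Baker call for in section 2, here is an added Python example that is not from the article or from any vendor quoted in it. The signal weights, thresholds, device inventory and user names are constructed assumptions for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DeviceHealth:
    managed: bool
    patched: bool
    disk_encrypted: bool
    edr_running: bool


@dataclass(frozen=True)
class AccessRequest:
    user: str
    device_id: str
    authenticator: str  # "password", "otp" or "webauthn"
    country: str
    on_corp_network: bool


# Constructed inventory: devices and home countries the organisation has seen before.
KNOWN_DEVICES = {
    "lt-0001": DeviceHealth(managed=True, patched=True, disk_encrypted=True, edr_running=True),
    "lt-0002": DeviceHealth(managed=True, patched=False, disk_encrypted=True, edr_running=True),
}
USUAL_COUNTRY = {"alice": "US"}
UNKNOWN_DEVICE = DeviceHealth(False, False, False, False)  # never-seen device: assume unhealthy


def legacy_decision(req: AccessRequest) -> str:
    """The binary perimeter check the article contrasts with zero trust."""
    return "allow" if req.on_corp_network else "deny"


def risk_signals(req: AccessRequest) -> list[tuple[str, int]]:
    """Collect (reason, weight) pairs from identity, device, location and authenticator."""
    signals = []
    health = KNOWN_DEVICES.get(req.device_id)
    if health is None:  # "Have I seen your device before?"
        signals.append(("device never seen before", 40))
        health = UNKNOWN_DEVICE
    for ok, reason, weight in ((health.managed, "unmanaged device", 30),
                               (health.patched, "missing patches", 20),
                               (health.disk_encrypted, "disk not encrypted", 15),
                               (health.edr_running, "endpoint agent not running", 15)):
        if not ok:
            signals.append((reason, weight))
    if req.country != USUAL_COUNTRY.get(req.user):
        signals.append(("unusual location", 25))
    weak = {"password": 20, "otp": 10}.get(req.authenticator, 0)  # webauthn adds no risk
    if weak:
        signals.append((f"weak authenticator: {req.authenticator}", weak))
    return signals


def zero_trust_decision(req: AccessRequest) -> tuple[str, int, list[str]]:
    """allow below 20, step_up (demand phishing-resistant MFA) below 50, otherwise deny."""
    signals = risk_signals(req)
    score = sum(w for _, w in signals)
    verdict = "allow" if score < 20 else "step_up" if score < 50 else "deny"
    return verdict, score, [reason for reason, _ in signals]
```

A healthy, enrolled laptop on a home connection is allowed even though the legacy check rejects it, while an unknown, unpatched machine is denied even when it sits on the corporate LAN.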
3. The growing use of APIs
As with any enterprise resource, access to APIs needs to be controlled. “There’s an authorization aspect to APIs,” said Micro Focus’ Nikols. “Who should be able to invoke or interact with an API? Should it be limited or constrained to certain services or processes?”
“In the early days of microservices, it was a bit of a free-for-all, and APIs were exposed willy-nilly. With zero trust, every interaction with the API should be validated.”
Zero trust also fits well with automation and orchestration solutions that depend on APIs to function. “The only way that you can enable automation and orchestration across the security stack is if you are able to integrate disparate technologies through APIs,” said Deloitte’s Rafla.
Being able to make policy decisions and automatically mediate a potential weakness or implement an access control change is a core functionality of zero trust that’s needed to support automation and orchestration, he said.
4. Healthcare sees zero trust as good medicine
In recent times the healthcare industry’s reputation for data security hasn’t been stellar, but that may be changing, thanks to zero trust.
“Healthcare is not only one of the most targeted industries when it comes to attacks, but it has terrible budget constraints,” said Okta’s Laine. “Trying to secure their critical applications left them with a lot of attack surface.”
“[These organizations are realizing that] if they can shift all these disparate, disconnected systems and force them into a single pipe of authentication and authorization by implementing single sign-on, all of a sudden they have a single control point for security.”
They saw a huge opportunity in this because they had such a large area for improvement, he said.
Zero trust: Welcome to the new normal
As adoption of zero-trust principles continues to grow, zero trust is starting to become part of the basic architecture of every organization’s security environment.
“Zero trust fulfills basic criteria for a modern security technology,” Laine said. It must be perimeter-less by design. It must add context that’s useful for better evaluation of risk. It must produce information that’s actionable by the tool itself or by another tool.
Zero trust, as an idea, he said, is going to become the normal way of thinking about security, as the firewall perimeter used to be. This basic approach of doing more contextual, risk-based evaluation of all requests is going to be the norm moving forward, he said.
In the next two to three years, more organizations will be implementing zero-trust models, Duo Security’s Archdeacon added. “It will become the way security is architected. It will be driven by the business need to be agile,” he said.
It will also be driven by compliance requirements via frameworks from organizations including NIST in the United States and the National Cyber Security Centre in the United Kingdom.
“That’s why CISOs should have a zero-trust strategy in place, because it’s going to be required sooner rather than later.”