The Zero Trust Handbook (1)

Welcome to part one of my guide to the zero trust movement, in this chapter we will be focusing on defining the zero trust approach to cybersecurity at a high level and explaining it in laymens terms, making sure to cover the key foundational concepts.

Whenever the US government widely adopts a new security standard the private sector usually follows, and so it will be with zero trust. Mandated by an Executive Order, supported by Cybersecurity and Infrastructure Security Agency (CISA) and underpinned by its own NIST architecture guidelines (SP 800-207), the zero trust approach is about to be deployed across the entire US federal government.

Earlier this year the Office of Management and Budget released a Federal strategy they have put together to help the US federal government move towards a zero trust approach to cybersecurity.  This Federal strategy is a hugely important step forward in the governments drive to deliver on the President’s federal zero trust mandate.

I have written about the President's Zero Trust Mandate in this article, but the gist of it is that cybersecurity teams at the DoD, the NSA and the DHS talked and decided that implementing zero trust was by far the most practical way to improve the government's cybersecurity. Shortly after, President Biden issued an executive order mandating everyone to adopt zero trust, CISA rallied in support behind the idea, NIST published a guideline, and now the OMB has published their federal zero trust strategy.

Zero Trust Is Coming

You can tell from the way different cybersecurity vendors have spun up zero trust marketing around their offerings to bolster their positioning within the zero trust movement. I myself am a little guilty of this but in my defense the company I work for builds remote browser isolation technology and RBI is written into the NIST zero trust architecture guidelines as a foundational component, so I should get a free pass seeing as how we are a semi-official part of zero trust architecture. I probably won't though.

We have been reading about zero trust for years, but only recently have we seen a standard emerge and significant attempts to implement the model and approach. The real reason zero trust is coming is because the US government is leading by example and deploying zero trust across the federal government and it's long overdue.

The President wants to have zero trust architecture deployed across the entire government by 2024, a little ambitious if you ask me, but then again I am not President Biden. They are trying hard and its almost always better to arrive late than never.

You can expect zero trust architecture to become standard in strategically important public and private sector organizations by 2024 and the rest of the world to follow as fast as their cybersecurity budget will carry them because it makes security sense.

What Is Zero Trust?

Zero trust is an approach to cybersecurity which increases the security of an organization by completely killing off the notion of implicit trust, which kind of means that employees are treated in the same way as a homeless person who just walked in off the street from a cybersecurity perspective. As horrible as that sounds it makes sense.

An easy way to explain it is the phrase "never trust, always verify", which in simple terms means "hey am not going to trust you and give you access to that thing until you have verified that you your identity, and that you have explicit permission to access that thing. The thing in question could be a server, an application, some data, or the key to the executive bathroom, it doesn't matter, by taking a zero trust position to anyone, even people you think you know, who want to touch the thing you are making it much harder for unauthorized people, or intruders, to access the thing.

The Old Approach To Cybersecurity

Zero trust differs from the traditional approach to securing information technology infrastructure in the enterprise in that traditional security was built on the assumption that anyone inside the network was an implicitly trusted user and anyone outside the network wasn't. This is a hangover from the days when everyone worked in the office from a corporate PC, if you were in the office (inside the network) you had access to applications, data, or whatever else was available to implicitly trusted users by default.

All you had to do in the old days was keep the anyone who shouldn't be inside the network out of the network, and make sure nobody was watching too much porn on their workstation PC's. In those days securing the organization at the perimeter of the network, when that perimeter was clearly defined, was good enough security.

But this model has died a death of a hundred cuts, it was first cut by the BYOD trend when everyone brought their own devices into work, then the SHADOW IT rebels came along and cut the model a little more by installing their own apps onto their PCs, inside the corporate network, without telling IT. Finally along came the WFH crowd who insisted on working from home in their underwear outside the office and network, and with all of that combined the idea of a defined network perimeter disintegrated.

Another problem is that the tools we traditionally used to protect our organizations, firewalls, VPNs and VLANs, are security tools designed to protect a well defined network perimeter, and our anti-virus was only ever able to detect and contain known threats that it could recognize, useless in the face of constant malware evolution.

None of it was enough in the face of increasingly well organized and sophisticated cyber criminals, and rapidly evolving malware and ransomware strains that your firewall or AV could not detect. It doesnt matter how good your network perimeter security was if one of your users downloaded and installed a ransomware package onto their PC, or brought an infected laptop into work and connected it to the network.

All of this was enough to make the cybersecurity department almost lose their minds. Imagine trying to secure an ocean of applications, servers and data in an organization where users are using their own insecure devices inside the network, installing their own insecure applications onto their office PC's, or not being physically located inside the network at all while retaining access to resources located inside the network.

Trust me, it's an neverending nightmare and a thankless task.

The New Approach To Cybersecurity

Forget the traditional approach to cybersecurity, it's as good as dead. Instead let us metaphorically look everyone suspicously in the eye (even if you work with them), and ask them to identify themselves and provide evidence that they have permission to touch a thing you protect. That is the zero trust approach to cybersecurity and it secures you by continously verifying every digital interaction in the organization.

That, of course, is easier said than done and we shall touch on how a zero trust approach to cybersecurity will change the way we do things in the next couple of chapters in this handbook. For now it is enough to sit and think about the idea of zero trust, how you can apply the concept of never trust and always verify to your business, and contemplate the notion of least privilege access. I am going to tackle all of these in the next few chapters. It is well worth saying that you needn't become a zero trust extremist in order to be secure, organizations should use their common sense around the subject of when and where it is appropriate to apply zero trust in the real world.

Need a little help or guidance? Talk to the the zero trust consultancy.

Zero Trust Defined / Summarized

Zero trust is a strategic approach to cybersecurity that adheres to the concept of least priveleged access, by exclusively providing access to a digital resource based on the permission levels and identity of the user requesting the access. If the user does not have the right permissions, and has not validated their identity, they do not get access to the resource.  Zero trust is characterized by least privilege access controls, strict user authentication and continous trust validation rather than assumed implicit trust.

That's all for now folks, I will return shortly with part two in my zero trust series where we leave the high level overview and dive down a little deeper into the subject of the zero trust architecture, and the nuances of how and when to apply zero trust.