Reagan coined the phrase: “Trust, but verify” when dealing with the Soviets. In today’s world of Cyber it’s just not good enough. Welcome to the world of Zero Trust. What is it and what does it mean to you?
As computer use blossomed, security rapidly became a major concern. How do you protect your key information, allow only legitimate users access, and keep the bad guys out? Our response was to build a digital fortress. We put in firewalls that allowed only authorized entry, and we secured the communications by eliminating open internet connections, using only virtual private networks (VPNs) that also required keys or codes to use. The whole concept revolved around the idea that only those with the right credentials could open the gates and pass into the secure domain with the precious information.
Well, how well did that work out? As you’ve read – it didn’t work out very well at all. Headline after headline screams about this breach and that one. Private emails, both embarrassing and scandalous, are regularly revealed. Malicious characters and state actors vacuum up personal data of every stripe. What happened?
People happened. Humans are the key weakness of the fortress approach. The user is given (or creates) a password that enables him or her to enter the privileged domain. That means the user needs to protect that key to the kingdom. Unfortunately, that’s not what occurs. A recent study demonstrates that 74% of breaches were due to access credential abuse. Doesn’t do much good when the keys to the castle are spread all over the place.
Obviously, we can’t let this situation continue. Hence the rise of a new way of thinking about security: Zero Trust – never trust, always verify. In this concept the fundamental assumption of the fortress is overturned. Instead, just because you have the password does not mean you are who we think you are and you must be thoroughly checked out.
So what does “checked out” mean in this new security model? (From Centrify – “Zero Trust Security for Dummies”):
- Verify the User – A password alone is just not good enough. Here is where we use Multi-Factor Authentication. Many of us have run into this already: in order to access an account, the website texts a code to your registered phone that you also have to enter. The technique can be extended to all kinds of things that make you, you, like biometric qualities, e.g. the fingerprint that unlocks your smartphone.
- Validate the Device – Is the device the user is utilizing for access known to be associated with the user and at a regular location that the user would normally be located? If you are on your laptop, at home you are probably who you say you are. If you are on a strange machine in an Internet café in Tehran, not so much.
- Limit Access and Privilege – Access is limited to what you need to do your job. Let’s say you write proposals for your employer. You probably need product information, past proposals and maybe certain approved pricing. But why should you be rummaging around in the HR or accounting systems?
- Learn and Adapt – Zero Trust Security must continuously improve by learning and adapting. Information about the user, endpoint, application or server, policies, and all activities related to them can be collected and fed into a data pool that fuels machine learning. The system can then automatically recognize out-of-the-ordinary behaviors that immediately raise a red flag that may require a second form of authentication, or block access, depending on policies.
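To make the four checks concrete, here is an added example of a minimal Zero Trust access decision, written for this post and not taken from Centrify or any product. The users, devices, roles and the anomaly score it consumes are constructed placeholders; in a real deployment the score would come from the learning layer described above.

```python
from dataclasses import dataclass

@dataclass
class AccessRequest:
    user: str
    mfa_verified: bool      # did the user complete a second factor this session?
    device_id: str
    location: str
    resource: str
    anomaly_score: float    # 0.0 = normal .. 1.0 = highly unusual (from analytics)

# Constructed sample policy data (hypothetical users and roles)
KNOWN_DEVICES = {"alice": {"laptop-001"}, "bob": {"laptop-002"}}
USUAL_LOCATIONS = {"alice": {"home", "office"}, "bob": {"office"}}
ROLE_OF = {"alice": "proposal_writer", "bob": "hr_analyst"}
ROLE_SCOPE = {
    "proposal_writer": {"products", "past_proposals", "approved_pricing"},
    "hr_analyst": {"hr_records"},
}

def decide(req: AccessRequest) -> tuple[str, str]:
    """Evaluate one request; returns (ALLOW | STEP_UP | DENY, reason)."""
    # 1. Verify the user: a password alone never grants access
    if not req.mfa_verified:
        return ("STEP_UP", "second factor required before any access")
    # 2. Validate the device and where it is being used from
    if req.device_id not in KNOWN_DEVICES.get(req.user, set()):
        return ("DENY", "device not registered to this user")
    if req.location not in USUAL_LOCATIONS.get(req.user, set()):
        return ("STEP_UP", "unusual location; re-authenticate")
    # 3. Limit access and privilege to what the role needs
    role = ROLE_OF.get(req.user)
    if req.resource not in ROLE_SCOPE.get(role, set()):
        return ("DENY", f"{req.resource!r} is outside the {role!r} role scope")
    # 4. Learn and adapt: behaviour analytics can still block or challenge
    if req.anomaly_score >= 0.8:
        return ("DENY", "behaviour far outside the user's baseline")
    if req.anomaly_score >= 0.5:
        return ("STEP_UP", "behaviour somewhat unusual; challenge again")
    return ("ALLOW", "user, device, scope and behaviour all verified")

if __name__ == "__main__":
    r = AccessRequest("alice", True, "laptop-001", "home", "past_proposals", 0.1)
    print(decide(r))
```

Note that every check is evaluated on each request, so a valid password and a known device still do not help a user reach data outside their role.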
Makes a lot of sense doesn’t it? Surprisingly, it is not a new concept. NIST (National Institute of Standards and Technology) promoted it in 2010. In 2011, Google launched a Zero Trust approach it called BeyondCorp and claims great success. If it is so good why have we had all those awful breaches? That’s because mostly no one uses it. IDG’s 2018 Security Report indicates that only 8% of those surveyed are actively using it, while another 10% are piloting it.
What’s the problem? It’s not like no one knows about it. The same IDG report relates that most security professionals (71%) are aware of it. Partly, the concept needed some maturation and the machine learning tools needed to advance. But more importantly, unlike with the fortress approach the IT guys just can’t buy a firewall or VPN and claim things are secure.
IT and business leaders need to work together to implement Zero Trust as a strategy and business process. As we all know, when you set out to affect people, processes and organization, change can be difficult. Just look how long it has taken to adopt cloud and we still have a long way to go.
Cyber security is too important not to adopt models like Zero Trust. It’s kind of ironic that some of the principal bad guys out there are the same ones Reagan faced off against in the 80s – the Russians. Only now, for our time, it must be: “Never Trust, Always Verify”.
By John Pientka
John is currently the principal of Pientka and Associates which specializes in IT and Cloud Computing.
Over the years John has been vice president at CGI Federal, where he led their cloud computing division. He founded and served as CEO of GigEpath, which provided communication solutions to major corporations. He has also served as president of British Telecom’s outsourcing arm Syncordia, and as vice president and general manager of a division at Motorola.