Zero Trust

The castle and moat methodology is no longer as relevant as it once was due to a variety of reasons…

• The rate and pace of IT transformation has significantly increased, especially with the introduction of the Cloud. Many applications are now not located inside the corporate network but instead reside in a Cloud-based environment.
• COVID-19 has increased the amount of people working remotely with even more workers being mobile than pre COVID-19. Users are increasingly mobile and need/want to consume resources from wherever they are (not just from inside the corporate network).
• Malicious actors and cyber criminals have been focusing on alternative methods to compromise IT environments which bypass the perimeter security controls.
• As we have mentioned in other posts this month the number and cost of data breaches has increased, regulations have been put in place that require enhanced security controls to mitigate the risks, and so on…

What is Zero Trust and why is it relevant?

Zero trust is a security methodology whereby NOBODY AND NOTHING IS TRUSTED.

• Do you trust all your users? What about social engineering or a disgruntled employee?
• Do you trust all your end user devices? What about if a device has been compromised by a malicious actor?
• Do you trust the plethora of locations where you are hosting IT services from? Cloud providers, Software-as-a-service providers, 3rd parties/vendors, etc…
• Even inside your IT environment, how do you know that you have not already been compromised and how do you prevent lateral movement?

Zero trust is based upon the premise that every actor (User, Application, Service, etc..) is a threat. Typically, there are 4 things that you need to determine if access should be allowed:

1. Is the actor really there and are they who they claim to be?
2. Is the actor using a secure device and secure tools?
3. Is the actor authorised to access the data?
4. Is the actor acting in a way that is abnormal?

Zero trust is not a product or a set of tools/technologies, it is a methodology that requires a set of policies, processes and technology to implement.

So how do we start on a Zero Trust journey?

As we have said Zero Trust is not one thing, there are many aspects.

Here are some good places to start..

• Complete end to end security governance programme with well defined policies/standards, processes and procedures to enable continuous improvement.
• A comprehensive Identity and Access Management capability.
  • With well defined processes and procedures for Joiners/Movers/Leavers, Quarterly Employee Validation, Continued Business Need and Privileged Access Revalidation
  • Integrated into all applications, services, etc…. to provide a single sign on capability.
  • Based upon the principle of least-privilege access – so that you only have the permissions that are required for you to do your job. For example, limiting the number of Domain Admins in Active Directory to less than a handful.
  • Based upon the principle of dynamic privilege access – sometimes called just in time permissions, so that if a user requires additional permissions they are provided only for the period of time that they are required.
  • Unique, randomly generated, 15 characters or more passwords or passphrases (even if there is no technical enforcement this still needs to be done!) and integration with multi-factor authentication – see our posts on Passwords and Multi-Factor Authentication Part One and Two.
  • Posture checking for end user devices before accessing any corporate IT assets
• Strong network security controls.
  • Perimeter security controls with Next Generation Firewalls, Web Application Firewalls, DDoS Protection, etc…
  • Micro-segmentation breaking up internal networks into smaller security zones enforcing firewall policy at a more granular level to protect IT assets.
  • Remote access solutions that provide posture checking, multi-factor authentication, enhanced logging, etc…
• Thorough and well managed endpoint security controls to make sure that devices/systems are secure. Some of these were referenced in our Secure your Devices post.
  • Anti-Virus/Anti-Malware.
  • Endpoint Detection and Response.
  • Vulnerability Scanning
  • Patch Management
  • And so on…
• A Security Operations Center (SOC) responsible for enhanced logging (with all log sources feeding a central MSIEM) and visibility/monitoring including analysing/investigating potential threats or malicious activity based upon data and threat intelligence, and dynamic make changings based upon the threat landscape/remediating any issues.
• And various other security mechanisms including but not limited to:
  • Encryption at rest and in transit.
  • DevSecOps – as per our post on DevS ecOpsto to ensure security is embedded end to end.
  • Regular Penetration Testing and Security Reviews.
  • Automation and Orchestration to not only implement the security controls but also to validate/check them.