Another consequence of the supply chain attacks of 2020 is the big push to adopt the Zero Trust security model. This security model isn’t really a new set of security controls per se; it is more a way of implementing and coordinating existing control types. Another apt name for the Zero Trust security model would be the “Paranoids’ Delight” security model. Zero Trust assumes that internal and external attackers are there, that security breaches are inevitable, and that system compromises have probably already occurred.
The National Security Agency (NSA) defines Zero Trust as “a security model, a set of system design principles, and a coordinated cybersecurity and system management strategy based on an acknowledgement that threats exist both inside and outside traditional network boundaries. … . Zero Trust embeds comprehensive security monitoring; granular, dynamic, and risk-based access controls; and system security automation in a coordinated manner throughout all aspects of the infrastructure in order to focus specifically on protecting critical assets (data) in real-time within a dynamic threat environment. This data-centric security model allows the concept of least privileged access to be applied for every access decision, where the answers to the questions of who, what, when, where, and how are critical for appropriately allowing or denying access to resources.”
Implementing Zero Trust into your security program is no easy task. It takes time, it takes resources and it takes a willingness on the part of company personnel to adopt and participate in a stricter security regimen. It means that gaining access to critical resources will be more difficult, and it means that access to nonbusiness-related resources on business networks will be curtailed. Getting buy-in for these processes will be an uphill battle at best.
The very first step in the process is knowing your entire network, including trusted partner, service provider and vendor connections and the privileges they hold. You need to be able to identify the criticality of all your network assets, how data flows, what trusts what, who has access to what resources and more. A good way to start collecting such information is by conducting a detailed Business Impact Analysis (BIA) if one is not already in place.
Once you understand these processes, you can start defining “tuples.” A tuple is the combination of a user, device, and any other security-related contextual information to be used in making an access decision. For information in a tuple to be reliable, you must ensure explicit authentication of both the user and device. Once tuples have been constructed, you need to implement a Zero Trust decision engine. This engine examines the tuple in the access request and compares it to a pre-established security policy for the data or resources being requested. It then makes a risk-informed decision on whether to allow access and sends a log entry of that access request and decision to be part of future suspicious activity analytics. You need to do this for every access request to each sensitive resource.
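To make the tuple and decision-engine idea concrete, here is an added example (not code from the original article or from any vendor product) of a minimal policy decision point in Python. The tuple fields, the per-resource policy table, the risk weights and the sample requests are all constructed for illustration; the point is the shape of the flow: explicitly authenticated user and device, a policy lookup for the requested resource, a risk-informed allow/deny, and a log entry for every decision, with deny as the default when anything is missing.

```python
"""Toy Zero Trust decision engine (added example; all names and weights are hypothetical)."""
from dataclasses import dataclass, asdict
from datetime import datetime, timezone


@dataclass(frozen=True)
class AccessTuple:
    """The context bundle evaluated for one access request."""
    user: str
    user_authenticated: bool     # explicit user authentication (e.g. MFA) succeeded
    device_id: str
    device_authenticated: bool   # device proved its identity (certificate/attestation)
    device_compliant: bool       # endpoint posture check passed
    group: str                   # group the user was resolved to by the directory
    source_network: str          # "corp", "vpn" or "internet"
    resource: str                # resource being requested
    action: str                  # "read" or "write"


# Per-resource policy (constructed sample). Anything not listed is denied.
POLICY = {
    "hr-database": {
        "allowed_groups": {"hr"},
        "require_compliant_device": True,
        "allowed_networks": {"corp", "vpn"},
        "max_risk": 30,
    },
    "wiki": {
        "allowed_groups": {"hr", "engineering", "sales"},
        "require_compliant_device": False,
        "allowed_networks": {"corp", "vpn", "internet"},
        "max_risk": 60,
    },
}

# Decision log kept in memory here; a real deployment ships this to the SIEM.
AUDIT_LOG = []


def risk_score(t: AccessTuple) -> int:
    """Additive risk estimate from contextual signals (hypothetical weights)."""
    score = 0
    if t.source_network == "internet":
        score += 40
    if not t.device_compliant:
        score += 20
    if t.action == "write":
        score += 10
    return score


def decide(t: AccessTuple, policy: dict = POLICY) -> dict:
    """Evaluate a tuple against policy; return a log-ready decision record."""
    reasons = []
    if not (t.user_authenticated and t.device_authenticated):
        reasons.append("user or device not explicitly authenticated")
    rule = policy.get(t.resource)
    if rule is None:
        reasons.append("no policy for resource (default deny)")
    else:
        if t.group not in rule["allowed_groups"]:
            reasons.append("group not permitted for resource")
        if rule["require_compliant_device"] and not t.device_compliant:
            reasons.append("device posture check failed")
        if t.source_network not in rule["allowed_networks"]:
            reasons.append("source network not permitted for resource")
    score = risk_score(t)
    if rule is not None and score > rule["max_risk"]:
        reasons.append(f"risk score {score} exceeds limit {rule['max_risk']}")
    return {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "tuple": asdict(t),
        "risk": score,
        "decision": "allow" if not reasons else "deny",
        "reasons": reasons,
    }


def request_access(t: AccessTuple) -> str:
    """Entry point used by a policy enforcement point: decide, log, return verdict."""
    entry = decide(t)
    AUDIT_LOG.append(entry)  # every request is logged, allowed or not
    return entry["decision"]


if __name__ == "__main__":
    # Constructed sample requests: same user, different context.
    on_site = AccessTuple("alice", True, "lap-01", True, True, "hr", "corp", "hr-database", "read")
    from_cafe = AccessTuple("alice", True, "lap-01", True, True, "hr", "internet", "hr-database", "read")
    for req in (on_site, from_cafe):
        print(request_access(req), AUDIT_LOG[-1]["reasons"])
```

Note that the engine never short-circuits on the first failure: it collects every reason, so the log entry explains the full picture to whoever later hunts through the denials for suspicious patterns.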
This is an intimidating goal, and I’m sure that most of you don’t know how to proceed. Besides doing a thorough BIA, I also recommend starting by validating and coordinating your present information security program. Ensure that you have complete inventories of all network assets, that you have fully implemented access control, change control, configuration management, security maintenance, incident response and security monitoring practices in place.
The next step is to ensure that all of these processes work as a whole and are coordinated. People and departments need to communicate freely and without reservation. There is no room in an advanced information security program for squabbling and “rice bowl” mentality. Zero Trust will not work unless the entire organization pulls together as one.