How do we define Zero Trust? Hint: it’s not a one-size-fits-all solution (Part 2)

November 03, 2021

Simon Morse

Simon Morse

Technical Director Security, Versent

The internet has become the ubiquitous delivery channel for commerce, business and remote access. Cybersecurity is paramount in this new world economy, and the principle of Zero Trust has emerged to meet the challenges it presents.  

In my previous article – What is Zero Trust & why is it so important? (Part 1) – we saw how security thinking has evolved, especially as a result of the COVID-19 pandemic and discussed a more nuanced approach to cybersecurity through trust modelling.   

In this article, we’ll look at the way Zero Trust cybersecurity defends against the escalating threat landscape. We’ll gain a better understanding of modern cybersecurity’s advantages and limitations, and, I’ll be busting a few Zero Trust myths.   

Practical network defences   

With the proliferation of cyber-attacks through the 2000s, organisations invested in cybersecurity research to combat the growing threat. A variety of techniques were deployed against the attackers, some developed by businesses in-house and others by security hardware, software and service providers. Some techniques were increasingly sophisticated detection and response capabilities. But because most organisations had a ready-made network boundary, and many security techniques were difficult and expensive to implement, it often seemed expedient to simply beef up the network-based defences and rely on preventative approaches.   

“Firewall sandwiches” deployed to defend against direct infrastructure attacks, DDoS protection to help defend against extortion attacks, Web Application Firewalls (WAF) to try and defend against HTTP attacks: these were the defensive tactics most companies used. There were also more advanced techniques that were selectively deployed, such as Database Firewalls and Real-time Application Self-Protection (RASP).   

Rather than mount strong, flexible defences against internal attacks, most organisations threw up internal firewalls, attempting to wall-off internal resources in the same way as external threats. As this was going on, organisations were also adopting private and then public cloud technology, integrating external SaaS (Software as a Service) applications, and outsourcing cybersecurity to remote service providers.    

Then COVID-19 struck, at which point most organisations were forced to transition their teams to remote work arrangements.   

Companies now find themselves in a situation where the strategy of beefing up internal network security has been rendered obsolete. People don’t work in closed office environments anymore, so a new way of thinking about security is required. The appeal of an adaptable, strategy-based Zero Trust approach becomes clear at this point.    

As a veteran of the cybersecurity world, I’ve seen plenty of examples of organisations approaching Zero Trust in the wrong way, so let’s start by dispelling a few common misapprehensions.   

Zero Trust myth 1:
Absolute zero       

Since Zero Trust was introduced a decade ago, it’s gained wide acceptance as an industry standard and evolved into a leading market segment of the cybersecurity industry. But, the way it’s normally implemented, it isn’t really “zero” trust. In the strictest sense, it’s actually “strictly limited” or “granular trust” because trust is still implied. That means there’s potential for that trust to be exploited.   

Zero Trust is an improvement on prior cybersecurity models, but the reality is that you’re still connecting users and devices to resources and information based on authentication.    

The Defense Information Systems Agency (DISA) launched the Cloud-Based Internet Isolation (CBIIinitiative to try and eliminate common web-based threats. This is an example of Zero Trust being applied to the real world internet by shifting the browsing process from the desktop to the cloud, creating an air gap between the Internet and vulnerable networks.      

Zero Trust myth 2:
A single product    

Zero-Trust can’t be achieved with a single, specific product. This should be obvious, really, when we consider the constellation of capabilities that it implies. Zero-Trust may be composed of a collection of products, but even organisations like Microsoft that attempt to pull together capabilities across diverse technology domains will inevitably struggle to cover everything adequately.    

Zero Trust capabilities must be pluggable, able to accommodate failure states, and designed with the understanding that at some point, they will be ineffective or redundant due to technological progress or the value of the data assets they protect.    

Zero Trust myth 3:
Done and dusted    

Zero-Trust compliance is not a one-off exercise. It’s a strategy, not a single application solution.   

Zero Trust is a security framework built around a concept: never blindly trust, always verify. It means that we’re always assuming that a breach is possible. As noted above, attempting to buy Zero Trust as a product is not going to be a successful pathway.   

Assessing your ecosystem’s Zero Trust maturity means considering people, skills and technology. We need to understand how people are interacting with your IT systems and how your business functions, mapping existing technology and identifying security gaps.     

The concept of Zero Trust is designed to be continuously reviewed and optimised. The good news is that the fluid, integrated nature of Zero Trust makes it easier to adapt to change.    

Zero Trust myth 4:
One-size-fits-all   

Applying Zero-Trust principles won’t produce the same solution for every organisation.  In fact, it’s unlikely that any two organisations will arrive at the same solution, and even if they do, it’ll change to accommodate evolving business changes.  

Zero-trust implementations need to be customised for specific organisations based on their behaviour, IT standards, compliance obligations, and applications used.  

Traditional on-site security technology is too rigid to properly address the demands of contemporary IT environments. Cloud-based Zero-Trust solutions, on the other hand, offer the flexibility needed for consistent, adaptable protection. But that doesn’t help unless an organisation is “cloud-only.” Zero Trust won’t be truly effective for “cloud-first” or “hybrid cloud” organisations.  

Zero Trust myth 5:
Second Best   

The decision to rely on Zero Trust isn’t a case of “I can’t use my network defences, so I’ll settle for something less.” Proper application of Zero Trust measures should materially improve security.  

In general, network-based security delivers weak criteria for enforcement decisions. We’ll talk through some concrete alternative approaches in a later article, but in general, they can include:  

  • Using signed attribute values in the payload of messages as an improvement over IP information or low-level networking  
  • Integrated posture evaluation of workstations and mobiles before allowing access to applications (rather than blindly trusting the health of the device, irrespective of whether access originates on-premises or elsewhere)  
  • Automating administrative functions to reduce or eliminate privileged administrative access  
  • Using logical isolation to contain lateral movement rather than blindly trusting applications in a common network subnet  

Zero Trust controversy    

There are plenty of vendors claiming to deliver “Zero-Trust” security in a similar way that products in other industries claim to be “green” or “healthy.” But without concrete definitions and reference points, these Zero Trust claims amount to nothing more than empty buzz words.    

There’s still substantial confusion about what Zero-Trust really means. Some vendors claim their product is a cybersecurity silver bullet. Others advocate for radical de-perimeterisation (effectively abandoning any concept of network security). Still others, observing the confusion in the marketplace, have retreated to a stance that claims Zero Trust is just a passing fad and continue to offer what amount to redundant, incomplete strategies.     

Where does the truth lie in the Zero-Trust debate?    

The answer for those of us in the security industry is to think in terms of threat models. First: identify the problem. Next, define the required capabilities. Once we’ve completed these vital preliminary steps, we can proceed to evaluating specific products and vendors or consider how to restructure an organisation.    

Organisations will need to maintain a suite of capabilities that can then be selectively applied, redesigned or augmented as new applications and use cases emerge. A pattern-based approach can help here to reduce the complexity and manage exceptional cases.  

We know what Zero Trust is… now what?   

In this article and my first in this series, I’ve given you a brief history of Zero Trust’s inception and a basic definition of its capabilities and limitations.  

At this stage, things may still seem a bit abstract, but in my next article, we’ll move on to some concrete use cases and see how modelling trust scenarios helps guide solution implementation. We’ll look at several practical use cases:   

  • setting up secure cloud foundations in a public cloud provider,    
  • defending commercial websites against internet-based attacks, &   
  • secure remote worker connectivity.    

These are all good examples of architectural problems well suited to Zero Trust solutions. But as we’ll see, they require very different sets of capabilities.   

Got questions about Zero Trust architecture or strengthening your company’s cybersecurity?   
Get answers from Versent’s expert security advisors.   

Want Versent insights and news delivered straight to your inbox?