Unpacking Zero Trust
By Andrew Roberts, Chief Cybersecurity Strategist, cStor and MicroAge
In 2019, it was Artificial Intelligence and Machine Learning (AI/ML). In 2020, it was Detection & Response – both Managed and Endpoint (MDR & EDR). In 2021, it was ransomware. What am I talking about? Cybersecurity buzzword themes of the year.
After a trip to the RSA Conference this year, there is no doubt: 2022 is the year of Zero Trust. There was no spot on the conference floor where you could not see the phrase “Zero Trust”; it was everywhere.
If we want to start a Zero Trust journey, we should first look beyond the buzzword and marketing hype so we can understand what Zero Trust really is.
Let’s start with what zero trust is not: it is not a product, and it is not a project. Zero trust is not a one-and-done undertaking.
Zero Trust is an ongoing process that requires a new way of thinking about security. It is no longer sufficient to believe that gaining access to the network is enough to establish trust; we must go beyond that.
Never trust, always verify. Assume everyone and everything is compromised until proven otherwise – especially when behavior is abnormal or critical systems or data are being accessed. This means we will need to validate users, devices, and applications at every step along the way.
Let’s look at some of the key elements of Zero Trust.
Identity & Access Management (IAM) and Multi-Factor Authentication (MFA)
To continually validate users in the environment, it is critical to have a solid IAM strategy in place that covers all your user needs while making sure that only the right people have access to the right resources at the right time. Layering a solid MFA solution on top of that goes a long way toward improving security. If you really want to step up the protection, opt for a solution that offers adaptive authentication, where the factors demanded vary with the type and context of the access being requested.
For example, if an accountant is trying to log in from their own workstation, during their normal working hours, in their office in the corporate office building, maybe a second factor once each morning is enough. If that same person is trying to access data that isn’t normal, from an unknown device, or from a different country, we probably want to add another factor or two. Adaptive MFA can handle this for you.
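To make the adaptive policy above concrete, here is an added, illustrative risk-based step-up engine (not any vendor's logic and not code from the article). The sample user directory, the scoring weights, the thresholds and the "accountant" scenarios are all hypothetical; the point is that each anomaly signal adds to a score, the decision is explainable by the signals that fired, and a same-day second factor is only honoured when nothing looks unusual.

```python
"""Illustrative risk-based step-up policy (hypothetical weights and directory data)."""
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

@dataclass
class AccessContext:
    user: str
    device_id: str
    country: str
    on_office_network: bool
    resource_sensitivity: str               # "normal" or "high"
    when: datetime
    mfa_satisfied_at: Optional[datetime] = None   # last time a second factor was passed

# Constructed directory data for the example (not real users or devices).
KNOWN_DEVICES = {"alice": {"ws-acct-01"}}
HOME_COUNTRY = {"alice": "US"}
WORK_HOURS = range(8, 18)                   # 08:00-17:59 local time

def risk_score(ctx: AccessContext) -> Tuple[int, List[str]]:
    """Sum anomaly signals; each one is named so the decision is explainable."""
    score, reasons = 0, []
    if ctx.device_id not in KNOWN_DEVICES.get(ctx.user, set()):
        score += 3; reasons.append("unknown device")
    if ctx.country != HOME_COUNTRY.get(ctx.user):
        score += 3; reasons.append("unusual country")
    if not ctx.on_office_network:
        score += 1; reasons.append("off the office network")
    if ctx.when.hour not in WORK_HOURS:
        score += 1; reasons.append("outside working hours")
    if ctx.resource_sensitivity == "high":
        score += 2; reasons.append("sensitive resource")
    return score, reasons

def mfa_is_fresh(ctx: AccessContext) -> bool:
    """A second factor counts only if it was passed earlier the same day."""
    t = ctx.mfa_satisfied_at
    return t is not None and t <= ctx.when and t.date() == ctx.when.date()

def decide(ctx: AccessContext) -> Tuple[str, List[str], List[str]]:
    """Return (decision, extra factors to demand, reasons). Thresholds are hypothetical."""
    score, reasons = risk_score(ctx)
    if score >= 8:                            # too many anomalies at once: block and alert
        return "deny", [], reasons
    if score == 0 and mfa_is_fresh(ctx):      # normal context, MFA already done today
        return "allow", [], reasons
    if score <= 2:
        return "step_up", ["totp"], reasons
    return "step_up", ["totp", "push_approval"], reasons

# Constructed scenarios for the accountant "alice".
_day = datetime(2022, 6, 14)
_morning_mfa = _day.replace(hour=8, minute=5)
SAMPLES = {
    "morning_at_desk":           AccessContext("alice", "ws-acct-01", "US", True, "normal", _day.replace(hour=9, minute=30), _morning_mfa),
    "no_mfa_yet_today":          AccessContext("alice", "ws-acct-01", "US", True, "normal", _day.replace(hour=9, minute=30), None),
    "after_hours_at_desk":       AccessContext("alice", "ws-acct-01", "US", True, "normal", _day.replace(hour=20, minute=15), _morning_mfa),
    "unknown_laptop_offsite":    AccessContext("alice", "unknown-laptop", "US", False, "normal", _day.replace(hour=9, minute=30), _morning_mfa),
    "foreign_unknown_sensitive": AccessContext("alice", "unknown-laptop", "RO", False, "high", _day.replace(hour=9, minute=30), _morning_mfa),
}

def evaluate_samples():
    """Decision and required factors for every constructed scenario."""
    return {name: decide(ctx)[:2] for name, ctx in SAMPLES.items()}

if __name__ == "__main__":
    for name, ctx in SAMPLES.items():
        decision, factors, reasons = decide(ctx)
        print(f"{name:26} {decision:8} {factors} {reasons}")
```

The deny branch matters: a real policy should stop adding factors at some point, because a push prompt sent to a user whose account is under attack becomes a fatigue vector rather than a control.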
Network (Micro) Segmentation
In the past, we could connect to the VPN and then access everything on the network. Zero Trust requires more control. By segmenting your network, making east-west traffic visible and allowing only the flows each segment actually needs, you can keep bad actors confined to a small portion of your network, if they can get in at all.
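As an added example (not from the article), the following policy-as-code check shows what a default-deny east-west design looks like and how it is rendered into enforceable rules. Every segment, address, port and flow is hypothetical and constructed for the example; the `render_nft_rules` output assumes an nftables chain whose policy is `drop`.

```python
"""Illustrative default-deny segmentation policy with hypothetical segments and flows."""
import ipaddress
from typing import List, Optional, Tuple

# Hypothetical segments (constructed addressing).
SEGMENTS = {
    "workstations": ipaddress.ip_network("10.10.0.0/16"),
    "web":          ipaddress.ip_network("10.20.1.0/24"),
    "app":          ipaddress.ip_network("10.20.2.0/24"),
    "db":           ipaddress.ip_network("10.20.3.0/24"),
    "mgmt":         ipaddress.ip_network("10.99.0.0/24"),
}

# Explicit allow list: (source segment, destination segment, protocol, destination port).
# Anything not listed, including traffic between hosts of the same segment, is denied.
ALLOW: List[Tuple[str, str, str, int]] = [
    ("workstations", "web", "tcp", 443),
    ("web",          "app", "tcp", 8443),
    ("app",          "db",  "tcp", 5432),
    ("mgmt",         "web", "tcp", 22),
    ("mgmt",         "app", "tcp", 22),
    ("mgmt",         "db",  "tcp", 22),
]

def segment_of(ip: str) -> Optional[str]:
    """Map an address to its segment name, or None if it belongs to no segment."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None

def is_allowed(src_ip: str, dst_ip: str, proto: str, dport: int) -> Tuple[bool, str]:
    """Evaluate one flow against the allow list; the default answer is deny."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src is None or dst is None:
        return False, "address outside every known segment"
    if (src, dst, proto, dport) in ALLOW:
        return True, f"{src}->{dst} {proto}/{dport} explicitly allowed"
    return False, f"{src}->{dst} {proto}/{dport} not in allow list (default deny)"

def render_nft_rules() -> List[str]:
    """Render the allow list as nftables rule lines for a forward chain with policy drop."""
    return [
        f"ip saddr {SEGMENTS[src]} ip daddr {SEGMENTS[dst]} {proto} dport {dport} accept"
        for src, dst, proto, dport in ALLOW
    ]

# Constructed flows, including lateral-movement attempts from a compromised workstation.
SAMPLE_FLOWS = [
    ("10.10.5.23", "10.20.1.10", "tcp", 443),   # user browser to the web front end
    ("10.10.5.23", "10.20.3.10", "tcp", 5432),  # workstation straight to the database
    ("10.10.5.23", "10.10.7.41", "tcp", 445),   # workstation to another workstation (SMB)
    ("10.20.2.15", "10.20.3.10", "tcp", 5432),  # app tier to the database
    ("10.20.1.10", "10.20.3.10", "tcp", 5432),  # web tier skipping the app tier
    ("10.99.0.5",  "10.20.3.10", "tcp", 22),    # admin jump host to the database
]

def evaluate_flows() -> List[bool]:
    """Allow/deny verdict for each constructed flow, in order."""
    return [is_allowed(*flow)[0] for flow in SAMPLE_FLOWS]

if __name__ == "__main__":
    for flow, verdict in zip(SAMPLE_FLOWS, evaluate_flows()):
        print("ALLOW" if verdict else "DENY ", flow, is_allowed(*flow)[1])
    print("\n".join(render_nft_rules()))
```

Two things to notice: the workstation-to-workstation SMB flow is denied even though both hosts sit in the same segment, which is the micro in micro-segmentation, and logging or counting the drops on the chain gives you the east-west visibility the paragraph calls for, not just the control.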
Data-Centric Security
I have long been a proponent of data-centric security practices. Data is usually the target of cyber criminals, so why not focus protective controls on that data? Understanding where your critical and sensitive data lives is the first step – you can’t protect what you can’t see. Once you know where it is, you can protect it with appropriate access controls and encryption. Before you start encrypting more and more data, put a solid key management system in place so that tracking all those encryption keys doesn’t become a nightmare.
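The "find it before you protect it" step is easy to state and easy to get wrong, because naive pattern matching floods you with false positives. The added example below (not from the article) is a small discovery pass over constructed sample records: it looks for payment card numbers and US SSNs, validates card candidates with the Luhn check so that an ordinary order number is not flagged, masks what it reports, and labels each record so access control and encryption can be targeted at the records that need them. The file paths, records and labels are all hypothetical.

```python
"""Illustrative sensitive-data discovery over constructed records (hypothetical paths and text)."""
import re
from typing import Dict, List, Tuple

# 13-19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
# US SSN in the common dashed form; excludes the ranges that are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: valid card numbers pass, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                     # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_sensitive(text: str) -> List[Tuple[str, str]]:
    """Return (kind, masked value) pairs found in one record."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(("pan", "*" * (len(digits) - 4) + digits[-4:]))
    for m in SSN_RE.finditer(text):
        findings.append(("ssn", "***-**-" + m.group()[-4:]))
    return findings

def classify(records: Dict[str, str]) -> Dict[str, dict]:
    """Label each record 'restricted' if it holds regulated data, else 'internal'."""
    result = {}
    for path, text in records.items():
        findings = find_sensitive(text)
        result[path] = {"label": "restricted" if findings else "internal",
                        "findings": findings}
    return result

# Constructed sample records. The first contains a 16-digit order number that
# looks like a card number but fails Luhn; the second holds a test PAN.
RECORDS = {
    "crm/notes-1042.txt":  "Customer called re: order 1234 5678 9012 3456 shipped late.",
    "finance/refunds.csv": "refund,4111 1111 1111 1111,49.99,approved",
    "hr/onboarding.txt":   "New hire SSN 123-45-6789, start date 2022-07-01",
    "eng/runbook.md":      "Restart the service with systemctl restart api.",
}

if __name__ == "__main__":
    for path, info in classify(RECORDS).items():
        print(f"{path:22} {info['label']:10} {info['findings']}")
```

In practice the output of a pass like this feeds an inventory (which stores hold restricted data, who owns them) that then drives the access-control and encryption decisions; the masking means the inventory itself does not become another copy of the sensitive values.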
Visibility
As with data, when it comes to activity in your environment, you can’t protect (or protect against) what you can’t see. Gaining visibility into the activity in the environment is non-negotiable. Some choose to use a Security Information and Event Management (SIEM) system to gain this visibility, and for more mature organizations this may be the right choice. SIEMs are difficult to manage. While there are many different SIEMs available, they all have one common trait: you only get out what you put in. For that reason, many organizations choose to outsource this function to a managed SOC or similar service provider.
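"You only get out what you put in" is concrete once you see what a detection needs from the events. The added example below (not from the article, and not any SIEM's rule language) runs two simple rules over constructed authentication events: a burst of failures followed by a success from the same source, and two successful logins for one user from different countries too close together. Both rules need the outcome, the source address and the geolocation to be in the feed; leave any of those out and the rule has nothing to work with. The log lines, users, addresses and thresholds are all hypothetical.

```python
"""Illustrative detection rules over constructed authentication events."""
import json
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample feed (one JSON event per line); timestamps are UTC.
SAMPLE_LOG = """
{"ts": "2022-06-14 02:01:05", "user": "alice", "src_ip": "203.0.113.9", "country": "RO", "outcome": "failure"}
{"ts": "2022-06-14 02:01:09", "user": "alice", "src_ip": "203.0.113.9", "country": "RO", "outcome": "failure"}
{"ts": "2022-06-14 02:01:14", "user": "alice", "src_ip": "203.0.113.9", "country": "RO", "outcome": "failure"}
{"ts": "2022-06-14 02:01:20", "user": "alice", "src_ip": "203.0.113.9", "country": "RO", "outcome": "failure"}
{"ts": "2022-06-14 02:01:26", "user": "alice", "src_ip": "203.0.113.9", "country": "RO", "outcome": "failure"}
{"ts": "2022-06-14 02:01:33", "user": "alice", "src_ip": "203.0.113.9", "country": "RO", "outcome": "success"}
{"ts": "2022-06-14 02:20:00", "user": "alice", "src_ip": "198.51.100.4", "country": "US", "outcome": "success"}
{"ts": "2022-06-14 09:05:00", "user": "bob", "src_ip": "198.51.100.4", "country": "US", "outcome": "failure"}
{"ts": "2022-06-14 09:05:30", "user": "bob", "src_ip": "198.51.100.4", "country": "US", "outcome": "success"}
{"ts": "2022-06-14 10:00:00", "user": "carol", "src_ip": "192.0.2.77", "country": "US", "outcome": "success"}
"""

def parse(lines: str) -> List[Dict]:
    """Parse the feed into events sorted by time; malformed or blank lines are skipped."""
    events = []
    for line in lines.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])

def detect(events: List[Dict], fail_threshold: int = 5,
           fail_window: timedelta = timedelta(minutes=10),
           travel_window: timedelta = timedelta(hours=1)) -> List[Dict]:
    """Apply two rules in one pass over time-ordered events."""
    alerts = []
    failures = defaultdict(list)        # (user, src_ip) -> timestamps of failures not yet followed by success
    last_success = {}                   # user -> (ts, country, src_ip)
    for ev in events:
        key = (ev["user"], ev["src_ip"])
        if ev["outcome"] == "failure":
            failures[key].append(ev["ts"])
            continue
        # Rule 1: success preceded by a burst of failures from the same source.
        recent = [t for t in failures[key] if ev["ts"] - t <= fail_window]
        if len(recent) >= fail_threshold:
            alerts.append({"rule": "brute_force_success", "user": ev["user"],
                           "src_ip": ev["src_ip"], "ts": ev["ts"], "failures": len(recent)})
        failures[key].clear()
        # Rule 2: two successes for one user from different countries inside the travel window.
        prev = last_success.get(ev["user"])
        if prev and prev[1] != ev["country"] and ev["ts"] - prev[0] <= travel_window:
            alerts.append({"rule": "impossible_travel", "user": ev["user"],
                           "countries": (prev[1], ev["country"]),
                           "src_ips": (prev[2], ev["src_ip"]), "ts": ev["ts"]})
        last_success[ev["user"]] = (ev["ts"], ev["country"], ev["src_ip"])
    return alerts

if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(alert)
```

Note that bob's single failure followed by a success produces nothing; the threshold is what separates a mistyped password from an attack, and tuning it is the kind of ongoing work that makes SIEMs hard to run well.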
Wherever you are on your Zero Trust journey, you will surely have questions and need expert advice. cStor is here to assist you on your journey.