Faith no more: the rise of 'zero trust' approaches to cyber security


The need to support WFH and flaws in the perimeter model have pushed ZTN to the fore

Zero trust networking is an architectural and organisational approach to security that has come to the fore as the last vestiges of the perimeter model are consigned to history. That model, with its 'zones of trust' in which devices and applications have implicit faith in one another, its porous 'demilitarised zones' and its assumption that threats lie outside the organisation, is woefully inadequate in an age defined by cloud, the distributed enterprise and - the final straw - the sudden increase in remote working.

With these changes data has moved well outside the traditional security perimeter, so security strategies have had to evolve, said Mieng Lim, VP of product management at HelpSystems.

"Zero trust is increasingly important for a number of reasons. With the increase in remote work and cloud computing, confidential and regulated information is no longer just on-site but spread across numerous locations."

The threat posed by insiders is on the rise too, up 44% in the last two years, according to the Ponemon Institute.

"Organisations can no longer hide behind traditional firewalls and other perimeter defences and assume that they are secure," said Lim.

[Figure: ZTN benefits. Source: Computing Delta. Base: 204 UK IT leaders who have implemented ZTN or plan to]

What is zero trust networking?

The term zero trust networking (ZTN) was coined 10 years ago by Forrester, which has since expanded on the label to encompass 'zero trust extended ecosystem platforms' (ZTX). Gartner's preferred phrase is 'zero trust network access' (ZTNA), while others use the 'A' to stand for architecture. Meanwhile, Omdia uses 'zero trust access' (ZTA) since "from the end user's point of view it's about safe access to specific applications, regardless of underlying networking constructs".

The 'zero trust' tag has also been adopted by other areas of technology.

Despite the differences in emphasis (in this article we'll stick with 'ZTN' as an umbrella term for all the above networking and application security strategies) these approaches describe a simple concept: instead of implicit trust between systems sharing a zone, force them to authenticate themselves every time; instead of protecting against external threats, assume attackers are already inside and limit the damage they can do.

This concept is underpinned by the following principles:

Importantly, it also needs to be easy to use and manage: a poor UX will inevitably lead to risky workarounds.

Industry standards are emerging around ZTN, the best known being NIST SP 800-207 which has the following core tenets

The technologies

The main technologies that underpin ZTN fall into the following categories: network access control (NAC), identity and access management (IAM) and privileged access management (PAM). Machine learning is another component that's growing in importance.

Fernando Montenegro, senior principal analyst for cybersecurity at Omdia, notes that "it takes a coordinated effort between multiple technologies to make user-centric, zero trust access work."

At a more fundamental level, these include network security (SSL/TLS) and content security, such as forward and reverse proxies for web and custom applications. Then there are the technologies that contribute to IAM, including identity federation, support for multifactor authentication (MFA) and others; endpoint security, including agent-based telemetry and posture information; and a "healthy dose of analytics, including in many cases machine learning techniques".

For application-to-application access, which falls somewhat outside of Omdia's preferred zero trust access definition, micro-segmentation and workload protection technologies are required, creating secure zones to isolate application workloads from each other.
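The two ideas above, a per-request decision that re-checks identity, MFA and device posture for every access (rather than trusting anything because it sits inside the network) and an explicit allow list between workloads for micro-segmentation, can be sketched as a small policy decision point. The following is an added example written for this article; it is not code from the original article or from any vendor it mentions. The application names, roles, posture attributes, session lifetime and workload pairs are all constructed for illustration.

```python
"""Toy zero-trust policy decision point (added example, not from the article).

Every request is evaluated from scratch against an explicit policy and is
denied unless each check passes: unknown resources, stale sessions, missing
MFA, wrong role, disallowed action and unhealthy device posture all fail
closed. Decisions are written to an audit list so repeated denials can be
turned into detections.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
import time

SESSION_MAX_AGE_SECONDS = 8 * 3600   # constructed: identity must be re-verified every 8 hours

# Constructed per-application policy. An application absent from this table
# is denied to everyone, which is the default-deny posture zero trust expects.
APP_POLICY: Dict[str, dict] = {
    "payroll": {"roles": {"finance"}, "actions": {"read", "write"},
                "require_mfa": True,
                "posture": {"disk_encrypted", "os_patched", "agent_healthy"}},
    "wiki":    {"roles": {"finance", "engineering"}, "actions": {"read"},
                "require_mfa": False,
                "posture": {"agent_healthy"}},
}
USER_ROLES: Dict[str, set] = {"alice": {"finance"}, "bob": {"engineering"}}

# Constructed micro-segmentation allow list for application-to-application
# calls: only these (source, destination) pairs may talk; all others are denied.
WORKLOAD_ALLOW = {("web-frontend", "orders-api"), ("orders-api", "orders-db")}

AUDIT_LOG: List[dict] = []   # every decision, allowed or not, is recorded here


@dataclass(frozen=True)
class AccessRequest:
    user: str
    session_issued_at: float          # epoch seconds when the identity was last verified
    mfa_verified: bool
    device_id: str
    device_posture: Dict[str, bool]   # telemetry reported by the endpoint agent
    resource: str                     # application being accessed
    action: str                       # "read" or "write"


def evaluate(req: AccessRequest, now: Optional[float] = None) -> Tuple[bool, str]:
    """Decide one request and record the outcome. Nothing is cached and nothing
    is inferred from the network segment the request arrived on."""
    now = time.time() if now is None else now
    allowed, reason = _checks(req, now)
    AUDIT_LOG.append({"user": req.user, "device": req.device_id,
                      "resource": req.resource, "action": req.action,
                      "allowed": allowed, "reason": reason})
    return allowed, reason


def _checks(req: AccessRequest, now: float) -> Tuple[bool, str]:
    policy = APP_POLICY.get(req.resource)
    if policy is None:
        return False, "unknown_resource"
    if now - req.session_issued_at > SESSION_MAX_AGE_SECONDS:
        return False, "session_expired"
    if policy["require_mfa"] and not req.mfa_verified:
        return False, "mfa_required"
    if not (USER_ROLES.get(req.user, set()) & policy["roles"]):
        return False, "role_not_permitted"
    if req.action not in policy["actions"]:
        return False, "action_not_permitted"
    # Posture attributes the agent did not report count as failed, not as passed.
    missing = [c for c in policy["posture"] if not req.device_posture.get(c, False)]
    if missing:
        return False, "device_posture:" + ",".join(sorted(missing))
    return True, "ok"


def workload_allowed(src: str, dst: str) -> bool:
    """Micro-segmentation check: an explicit pair is required, nothing is implied."""
    return (src, dst) in WORKLOAD_ALLOW


if __name__ == "__main__":
    now = time.time()
    healthy = {"disk_encrypted": True, "os_patched": True, "agent_healthy": True}
    print(evaluate(AccessRequest("alice", now - 60, True, "lap-1", healthy, "payroll", "write"), now))
    print(evaluate(AccessRequest("alice", now - 60, False, "lap-1", healthy, "payroll", "read"), now))
    print(workload_allowed("web-frontend", "orders-db"))
```

The point of the structure is that a user on the "right" network segment with a valid session still gets nothing unless role, MFA, action and device health all check out for that specific application, and that a workload cannot reach a database simply because it shares a subnet with it. In a real deployment the policy tables would come from IAM/PAM and the posture values from endpoint telemetry, as the article describes.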

"With a lot of modern cloud native applications, or microservices-based applications, the need to have a deep understanding of the application has gone up very substantially," said Kumar Ramachandran, SVP, product and GTM at Palo Alto Networks, whose ZTN approach is rooted in application security.

Lim of HelpSystems says vulnerability management systems should be considered another essential ingredient. Organisations need to identify vulnerabilities in servers and endpoints before cybercriminals do.

"By leveraging vulnerability management, organisations identify vulnerabilities in servers and endpoints before cybercriminals. Since time is a limited resource, organisations must prioritise the vulnerabilities and address the highest risk ones first," she said.

ZTN is a tying together of some or all of these technologies, with differing priorities according to the approach. While automation and analytics are certainly required for this integration, machine learning is currently a sideshow, said Omdia's Montenegro. "It's interesting but not a panacea", he said, the more important factor being smooth coordination between the various parts.

Machine learning is certainly important for Palo Alto Networks' approach, said Ramachandran, who claims that across its operations the company stops 224 billion threats every day, with that data feeding back into its threat intelligence and operational capabilities.

"With the scale and variability of threats it's getting to a place that if you don't have machine learning, it's becoming very, very hard to address these things," he said.

"So whether it's changes in device posture, whether it's changes in user behaviour, an application you initially gave access to because it looked like a web-based application, but then hidden inside it is actually malicious content. Trying to understand all this in real-time and then stop these threats in real-time absolutely needs data science-based techniques."

Implementation

Computing Delta research among 200 IT leaders who have implemented or plan to implement ZTN found that most had rushed to bolster their defences when the pandemic struck, typically upgrading their VPN, rolling out MFA, extending IAM/PAM, and so on. 21% said they had implemented ZTN measures.

[Figure: additional security measures. Source: Computing Delta. Base: 158 UK IT leaders who said their organisation had updated security provisions due to the pandemic.]

ZTN (implemented or planned) was seen as most valuable in protecting remote working, hybrid and multi-cloud setups and email. Half the respondents expected to ultimately protect 80% or more of their applications and infrastructure in this way.

But how long will it take? The best answer is 'it depends': on what's in place already; on skills available; on the size and complexity of the organisation; and so on. It may also be part of a broader digital transformation.

The most common answer from our respondents was 'one to two years' (43%), followed by 'two to three years' (23%); a total of 24% said less than six months.

The presence of legacy systems, the expense and the amount of preparatory work required were cited as the three main obstacles likely to require a significant investment of time, followed by the need for organisational change, because ZTN is more than a simple tech fix.

"A typical project replacing a legacy VPN architecture is usually rolled out in phases - both in terms of starting with a limited set of applications and smaller groups of users - so it's likely easy to fix smaller environments. For larger environments, we find it's often the coordination and testing efforts that introduce delays, but it varies by organisation," said Omdia's Montenegro.

However, Palo Alto Networks' Ramachandran insisted that a large customer had rolled out ZTN in less than three months.

One prominent concern among respondents was getting ZTN to work across environments, including on-premises applications and public and private cloud platforms, with a fear that any gaps left could create a false sense of security. There could also be compliance issues (for example, a ZTN deployment that replaces a VPN might not be recognised by regulators), as well as worries that applications and devices could become harder to manage.

Cloud or on-premises?

A large majority of respondents (74%) said they'd favour cloud-based ZTN, citing scalability, ease of management and their organisation's cloud-first policy. Those preferring data centre ZTN solutions or bespoke implementations spoke of avoiding lock-in, lower latency and increased flexibility.

The big cloud vendors all offer the components of ZTN with varying degrees of integration, including Google's BeyondCorp, Cloud IAP and Context-Aware Access; Microsoft Azure AD and Web App Proxy; AWS IoT Core, Direct Connect and VPC; IBM Security Verify, MaaS360 and SASE; Oracle's partnership with NetFoundry, and many more native and hosted third-party solutions.

In terms of vendors of ZTN solutions, Cisco was the first name that came to mind for the largest number of respondents, followed by Microsoft, Fortinet, Palo Alto and ZScaler, and adoption followed a similar pattern, although a large number of less well established vendors were also mentioned, illustrating the breadth and variety within the space. In fact, most security and networking vendors will have a 'zero trust' offering somewhere in their portfolio.

To learn more about Zero Trust, join us at the CyberSecurity Festival 2022, taking place across 3 days starting on June 9th, where we will come together to learn, collaborate and tackle the biggest technology security challenges. Find out more and register for free