Over the last two years, organizations have faced a thorny security issue: how to protect organizational information when the workforce was dispersed to remote locations. Some organizations were prepared for this, others absolutely were not.
But whether a small to medium business or a large enterprise, everyone had challenges. These ranged from panic-buying laptops to enable remote working, to configuring network kit to accept inbound connections so remote workers could actually achieve something, to securing remote endpoints. One organization I know struggled with VPN bandwidth, telling admin staff to only log on briefly to get email after 8pm. A neighbor who works for a government agency told me they had three weeks' paid leave, as their infrastructure could not initially handle everyone signing in from home.
In the ensuing two years, we've had multiple times when we started planning to go back to the office, only to find those plans pushed back by new, emerging variants.
Now a new crisis has emerged: a major war in Europe. A war whose aggressor is a major purveyor not only of disinformation, but also of state-sponsored hacking. Russia has a long history of cyberattacks not only on Ukraine's banking system and public infrastructure, but also on Estonia's. And of course it has been implicated in countless other intrusion attempts, ransomware gangs and bot farms.
Since the assault on the people of Ukraine began four weeks ago, President Biden and other prominent western politicians and government officials have warned repeatedly of the threat of broader Russian cyberattacks, urging businesses to ensure their systems are patched, up-to-date and protected as well as they can be.
Defining Zero Trust Security
It is in all of the above contexts that I'd like to raise the concept of zero trust security.
The US National Institute of Standards and Technology (NIST), in Special Publication 800-207, defines zero trust as:
"... the term for an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources. A zero trust architecture uses zero trust principles to plan industrial and enterprise infrastructure and workflows. Zero trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location ....
Zero trust focuses on protecting resources (assets, services, workflows, network accounts, etc.), not network segments, as the network location is no longer seen as the prime component to the security posture of the resource."
Though that is a highly abbreviated version, it's still a lot to unpack:
- Zero trust means security is no longer about your location on the network. In other words, just because you are on the local area network (LAN) in the office, protected by firewalls, does not mean you are automatically trusted.
- Zero trust focuses on protecting resources, whatever form they may take, and on ensuring that whoever acts on a resource is both authenticated and authorized to take that particular action.
The initial development of zero trust security was in fact an early response to remote work, and to policies such as "bring your own device." BYOD gave employees the flexibility to use their own Mac laptop or phone while pushing desktop support infrastructure and costs onto the employee. Overall it probably had benefits for employee satisfaction, but it also had an impact on security: devices the organization did not own or manage were now connecting to its resources.
How Zero Trust Differs From Previous Security Approaches
To simplify this for the non-InfoSec people out there, let's say in the 'good old days' you had a desktop, which was purchased by your organization, and its physical Ethernet adapter (MAC) address was logged and entered into a database. The security team installed strong firewalls to protect the organization from the public internet. Internal computers, whose addresses were in that database, were allowed to connect to any other asset on the internal network, simply because they were internal and therefore trusted. This is why connecting from home used to require (and still does for many) a virtual private network (VPN) connection, from a computer which is known to the organization.
Enter the BYOD policy. Now I register my personally-owned Mac with the company, maybe I have to download some security scanning software and the VPN client. The focus here moves to, "Jed is an employee, he has a registered Mac, and he is logged on from the LAN in the office, so everything's cool." The organization might require extra steps if logging on remotely, such as the use of a physical hardware security token and a security scan immediately before I could do some work.
But work has grown more complicated. We're now in the thoroughly modern world of remote access from anywhere, on any device, via cloud services. It's no longer good enough to know that a computer owned by the organization has logged on from within the LAN. Now it is a smartphone in Jakarta accessing our cloud services hosted by Amazon and Microsoft. Hence zero trust turns its focus to the resources themselves and to everything that touches them: ourselves as users, our devices, systems, workflows and the information itself.
The onus is now on describing which users can access what content or services and with what level of privilege, in other words, what they can do with the asset. The technology focus here is on securely authenticating the user, so we add technologies like multi-factor authentication to our log-in process. However, the process does not stop there. Authentication only establishes that I am who I say I am.
What does that mean in a zero trust world? Perhaps it provides me with a level of trust required to access generic, read-only resources such as intranet pages. For other systems or information assets, we get into the granular world of permissions and groups. I am authenticated, I am definitely Jed, and Jed is a member of the group which is allowed to edit the documents in this Workspace. In other words, we have put another wall around the assets or resources and checked that not only am I who I say I am, but that I am allowed to edit these resources. I am authorized.
Modern systems, through features such as data loss prevention (DLP) controls, take zero trust to the next level by checking exactly which operations I am authorized to perform on the asset.
My authorization says I can edit this asset, which is an MS Word document. However, my authorization level does not allow me to print the document, attach it to an email or change its permissions, even if my group membership alone would suggest I could change them.
Zero trust has therefore moved us from a security paradigm based on trusting a machine because it sits in a recognized, secure segment of the network, to assessing who we are, where we are connecting from and on what device, how we prove we are who we say we are, what we should have access to, and what actions we can take on the assets we can access.
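To make that shift concrete, here is an added worked example in Python (it is not code from the article or from NIST). It puts the old "address in the database, inside the LAN" check next to a deny-by-default decision function that composes the steps just listed: is the caller authenticated, how strongly, on what kind of device, from where, is the identity allowed this resource, and is this particular action permitted on it. Network location never grants access on its own; it is only one input that can demand a step-up. The LAN range, the users, the group name and the document catalogue are all hypothetical.

```python
"""Added example: perimeter trust versus a zero trust access decision.
All names, groups, addresses and resources below are constructed for
illustration and are not from the article."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

OFFICE_LAN = ip_network("10.0.0.0/8")  # assumed corporate LAN range


@dataclass(frozen=True)
class Request:
    user: Optional[str]                   # None if the caller never authenticated
    groups: frozenset = frozenset()       # directory groups the identity holds
    mfa: bool = False                     # second factor presented this session?
    managed_device: bool = False          # enrolled device that passed a posture check?
    source_ip: str = "0.0.0.0"
    resource: str = ""
    action: str = ""                      # read | edit | print | email | change_permissions


@dataclass(frozen=True)
class Resource:
    classification: str                   # "internal" or "confidential"
    editors: frozenset = frozenset()      # groups allowed to edit


# Constructed resource catalogue (hypothetical names)
RESOURCES = {
    "intranet/home": Resource("internal"),
    "workspace/plan.docx": Resource("confidential", frozenset({"planning-editors"})),
}


def perimeter_decision(req: Request) -> bool:
    """The 'good old days' model: coming from inside the LAN is enough."""
    return ip_address(req.source_ip) in OFFICE_LAN


def zero_trust_decision(req: Request) -> Tuple[bool, str]:
    """Deny by default; every step must pass. Returns (allowed, reason)."""
    res = RESOURCES.get(req.resource)
    if res is None:
        return False, "unknown resource"

    # 1. Authentication: who are you? Being on the LAN does not answer this.
    if req.user is None:
        return False, "not authenticated"

    # 2. Strength of proof and device: anything beyond reading internal
    #    content from the office needs MFA on a managed device. Location is
    #    a risk signal that raises the bar; it never lowers it to zero.
    off_network = ip_address(req.source_ip) not in OFFICE_LAN
    needs_strong = (res.classification == "confidential"
                    or req.action != "read"
                    or off_network)
    if needs_strong and not (req.mfa and req.managed_device):
        return False, "step-up required: MFA on a managed device"

    # 3. Authorization: is this identity allowed this resource at all?
    is_editor = bool(req.groups & res.editors)
    if req.action == "read":
        if res.classification == "internal" or is_editor:
            return True, "read permitted"
        return False, "no group grants read"
    if req.action == "edit":
        return (True, "editor group may edit") if is_editor else (False, "no group grants edit")

    # 4. Action-level (DLP-style) control: even editors may not export or
    #    re-share confidential content, whatever their group membership says.
    if req.action in ("print", "email", "change_permissions"):
        if res.classification == "confidential":
            return False, f"{req.action} blocked on confidential content"
        return (True, f"editor group may {req.action}") if is_editor else (False, f"no group grants {req.action}")
    return False, "unknown action"


if __name__ == "__main__":
    unauth_on_lan = Request(user=None, source_ip="10.1.2.3",
                            resource="intranet/home", action="read")
    print("perimeter:", perimeter_decision(unauth_on_lan))      # True
    print("zero trust:", zero_trust_decision(unauth_on_lan))   # (False, 'not authenticated')
    jed = Request(user="jed", groups=frozenset({"planning-editors"}), mfa=True,
                  managed_device=True, source_ip="203.0.113.5",
                  resource="workspace/plan.docx", action="edit")
    print("edit:", zero_trust_decision(jed))
    print("print:", zero_trust_decision(Request(**{**jed.__dict__, "action": "print"})))
```

The two functions disagree on the very first request: an unauthenticated machine on the LAN is trusted by the perimeter check and rejected by the zero trust one. Jed, a member of the editors group with MFA on a managed device, can edit the confidential document from outside the office, but the same session cannot print it or change its permissions, which is the DLP-style distinction the text draws between "authorized to edit" and "authorized to do anything".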
Many of us are used to working with granular permissions and adding users to groups, but a zero trust strategy takes that to the next level.
Finally, I am not an InfoSec professional, I just work with them, so hopefully this hit the spot as a simple primer.