Cybersecurity is awash with acronyms, jargon and marketing slogans. Yet, history and headlines demonstrate the ongoing success of adversaries and tell us a different story. Zero trust security offers promise but is largely misunderstood and perceived as yet another overly-hyped buzzword. To properly understand zero trust, it is important to dissect the emergence of this concept, identify what it is (and is not) and determine if it can help advance cybersecurity—and, if so, how.
What Is Zero Trust?
Although the term may be relatively new, the concept of zero trust has been around for several decades. Critical infrastructures such as military installations, power plants, nuclear facilities, medical facilities and financial institutions have historically operated using the concept of air-gapped networks.1 The idea of air gapping is to separate the network into high (classified) and low (unclassified) segments, with physical separation between the 2 to minimize the exposed attack surface. Assets on the high network are highly valuable, and the low network is not trusted with access to those assets. Although this model is not user friendly, it delivers stronger security than traditional networks.
The term “zero trust” was coined by Forrester analyst John Kindervag in 2010.2 Its definition has continued to evolve, but at the core, zero trust is a philosophy or framework for thinking about cybersecurity in today’s hostile environments. As Forrester defines it, the traditional “trust, but verify” cybersecurity model offers attackers a broad attack surface that leaves security teams flat-footed and in permanent crisis management mode.3 Zero trust implements methods to localize and isolate threats (i.e., “never trust, always verify”) through microcore, microsegmentation, and deep visibility to identify threats and limit the impact of any breach.
Although the world is still in the early stages of the zero trust revolution, this thinking has some key benefits including:
• Reduction of exposed attack surface
• Proactive security
• Damage containment
• Relief of pressure on security teams by moving away from alert-driven architectures
Although zero trust is a framework, it is supported by 3 different underlying technologies that offer protection on various fronts.
Implementing Zero Trust
Although zero trust is a framework, it is supported by 3 different underlying technologies that offer protection on various fronts:
- Microsegmentation—One of the earliest concepts of zero trust, microsegmentation was primarily designed to protect against lateral movement to minimize the impact of a breach. Lateral movement to capture information from key assets in the data center is a central component of several attacks. Microsegmentation aims to limit unsanctioned communication between workloads if they have no operative reason to do so, thereby minimizing breach impact. Unlike typical north-south protection offered by firewalls, microsegmentation looks at east-west security for workloads.
- Zero trust network access—Zero trust network access (ZTNA) creates a context-based logical boundary for application access. The goal is to minimize access and abuse by user- and device-context-driven application access. ZTNA challenges the assumption that the location of an entity (e.g., inside a network) should grant trust automatically to a user or device. ZTNA hides all applications on the network and allows access based on attributes such as user identity, device, geolocation and security posture.4 In other words, users get access to applications they need, but they see nothing else on the network. A ZTNA broker assesses the user’s profile before granting access. The user may be an enterprise employee, a partner or a contractor. ZTNA has its roots in the BeyondCorp architecture and concepts of software-defined perimeters.5
- Remote browser isolation—Remote browser isolation (RBI) operates on the principle that end users represent the weakest links in any organization and Internet access is one of the largest attack surfaces responsible for breach origination. Therefore, one of the most effective ways to shrink the end point/end user compromise in a cloud-first world is to isolate web access to eliminate browser exploits and threats such as ransomware, malvertising and phishing.
Building on the concept of air-gapped networks, RBI creates a virtual air gap to ensure security while also addressing the user experience. Instead of trying to detect all potential dangers and training people to avert them, the RBI model isolates the risk.6 When an employee clicks on a link, RBI remotely renders the page to ensure that the malware does not even reach the endpoint.
The best return on investment (ROI) usually comes from assessing risk and then understanding feasibility. For instance, if controlled access to cloud services is the biggest risk, ZTNA might be a good place to start, but if end users are a weakness, RBI would be a smart investment. The best place to start the zero trust journey is to assess where risk is the highest.
Editor’s Note
This article is excerpted from an article that appeared in the ISACA® Journal. Read Rajiv Raghunarayan’s full article, “Harnessing Zero Trust Security,” in vol. 6, 2020, of the ISACA Journal.
Endnotes
1 Techopedia, “Air Gap”
2 Higgins, K. J.; “Forrester Pushes ‘Zero Trust’ Model For Security,” InformationWeek Dark Reading, 17 September 2010
3 Forrester, “Zero Trust”
4 Craven, C.; “What Is Zero Trust Network Access (ZTNA)?” sdxcentral, 14 August 2020
5 BeyondCorp
6 Hechler, D.; “Browser Isolation: An Island of Relief From Attack,” Cyberinc, 20 May 2020
Rajiv Raghunarayan
Is the senior vice president of products and marketing at Cyberinc, where he leads the product management, marketing and strategic alliance functions. Raghunarayan has spent more than 25 years in the technology industry, having held technology and marketing leadership positions at FireEye, Cisco and SentinelOne. His areas of expertise include network security, email security, endpoint security, network management, infrastructure security and wide area network (WAN) optimization.