In February 2021, a significant data dump called the Compilation of Many Breaches (COMB) contained more than 3.2 billion unique pairs of cleartext emails and passwords. With the increasing severity and frequency of data breaches, why do so many entities continue to experience high-profile and severe cybersecurity compromises? Data breaches typically result from one of four exploitation methods: a weak third-party entry point, a technical or architectural vulnerability, ineffective access control to data, and unknowingly giving away password or account access.
That said, the methods of remediation seem to prescribe more technology to solve these problems. However, the problem’s root is an ineffective risk-based information security strategy, which gave rise to the “zero trust” idea. The term started floating around information security circles around 2010. For those not familiar with the term, the concept is essentially that entities should not automatically trust connections inside or outside their network. Instead, the entity must verify all connections and devices attempting to connect to its systems before granting access. Basically, don’t trust anyone! IT administrators will cut off all access to IP addresses and machines until the network knows who they are and whether they’re authorized.
A Brave New World of Zero Trust
The zero-trust concept relies on a strategic selection of security technologies and governance policies. The overarching theme of zero trust is to build an effective strategy that no one and nothing has access to until proven trustworthy and authorized. Let’s expand on the concept and review the processes an entity should consider when implementing a zero-trust security strategy.
Effective Identity and Access Management: Let’s make sure Bob is really Bob before he can access the system. Also, let’s make sure Bob’s device is secure, the connection is secure and he has only the access needed to fulfill his position’s responsibilities, whether the identity is human or machine. Zero trust for identity and access management requires implementing multi-factor authentication, encryption and the principle of least privilege access.
Data Mapping: Zero trust requires the identification of the collection, transmission and storage of sensitive data. Entities will need to perform data discovery and classification. A data mapping exercise that identifies the acceptable routes for sensitive data access and egress is critical for regulation and for adequately implementing the least privilege access principle.
Network Micro-Segmentation: Using the zero-trust approach, system administrators create zones in databases and cloud environments to isolate workloads from one another and secure them individually. The creation of policies that limit network traffic between workloads and secure the individual workloads provides barriers to threat actors attempting to access large amounts of sensitive data or processes. Organizations use micro-segmentation to reduce the network attack surface, improve breach containment and strengthen regulatory compliance.
Real-Time Monitoring: Most entities cannot afford to sit in front of their IT environment around the clock. Using real-time monitoring tools, such as security information and event management (SIEM) systems, a risk score can be calculated for potential threats as they occur by leveraging existing security analytics through automation and machine learning. These scores then trigger automated risk-response workflows. Being able to spot high-risk users with abnormal behaviors through machine learning is invaluable.
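The four processes above can be tied together in a single per-request access decision. The following is an added example, not code from the original article: a hypothetical policy check that verifies identity (MFA), device posture, transport encryption and a least-privilege zone map, then applies a SIEM-style risk score to choose between allow, step-up authentication and deny. Role names, zones and thresholds are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed example: every request is verified, nothing is trusted by default.

@dataclass
class AccessRequest:
    user: str
    role: str
    resource: str           # micro-segmented zone the request targets
    mfa_passed: bool        # "is Bob really Bob?"
    device_compliant: bool  # managed, patched, disk-encrypted device
    encrypted: bool         # connection uses TLS
    new_device: bool        # first time this device is seen for the user
    failed_logins_1h: int   # recent authentication failures (from the SIEM)

# Least-privilege map (hypothetical): each role reaches only the zones it needs.
ROLE_ZONES = {
    "hr_analyst": {"hr-db"},
    "developer": {"ci", "staging-db"},
    "dba": {"hr-db", "staging-db", "prod-db"},
}

def risk_score(req):
    """Behavioural score in the style of a SIEM risk calculation."""
    score = 0
    if req.new_device:
        score += 30
    if not req.device_compliant:
        score += 40
    score += 10 * min(req.failed_logins_1h, 5)  # cap the brute-force contribution
    return score

def decide(req, deny_at=60, step_up_at=30):
    """Return (verdict, reason); verdict is 'allow', 'step_up' or 'deny'."""
    if not req.encrypted:
        return "deny", "connection is not encrypted"
    if not req.mfa_passed:
        return "deny", "multi-factor authentication not satisfied"
    if req.resource not in ROLE_ZONES.get(req.role, set()):
        return "deny", f"role {req.role} has no least-privilege grant for {req.resource}"
    score = risk_score(req)
    if score >= deny_at:
        return "deny", f"risk score {score} at or above {deny_at}"
    if score >= step_up_at:
        return "step_up", f"risk score {score}: require re-authentication"
    return "allow", f"risk score {score}"

if __name__ == "__main__":
    bob = AccessRequest("bob", "hr_analyst", "hr-db", True, True, True, False, 0)
    print(decide(bob))  # ('allow', 'risk score 0')
```

The step-up branch is where an automated risk-response workflow would hook in; a real deployment would feed `failed_logins_1h` and `new_device` from the SIEM rather than from the request itself.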
Change Is Hard. Implementation Is Harder.
The zero-trust security model is a challenge, and it may not be entirely adaptable for every entity. Some of the challenges of achieving the zero-trust security mindset are legacy applications, infrastructure and operating systems. Legacy systems must be compatible with real-time monitoring solutions. It may still be possible to monitor logs and network traffic for potentially malicious behavior, but without compatible systems and security technology this remains largely reactive. Whether business operations are down due to malware or a misconfiguration, both of these events are damaging for business.
In modern infrastructures, entities operate in the cloud environment and with peer-to-peer (P2P) networking technology. While some organizations turn P2P off, others are not even aware it exists. This represents privileged lateral movement between systems that is fundamentally uncontrolled. The P2P trust model is based strictly on keys or passwords, with no dynamic mechanism for revising authentication decisions. P2P technology presents a stumbling block to embracing the access and micro-segmentation controls required for zero trust.
Implementing zero trust may seem like a challenge, but the recommendations and workflows above empower information security practitioners to start thinking in terms of big-picture strategy to defend against evolving threats. While reviewing the existing security architecture and controls, develop a zero-trust strategy, including a detailed implementation plan, and provide recommendations for operational efficiency and cost reductions.