Over the past two years, organizations have faced a thorny security problem: how to protect organizational information when workforces are dispersed across remote locations. Some organizations were prepared for this, others absolutely not.
But whether it was a small or medium-sized business or a large corporation, everyone had challenges. These ranged from panic-buying laptops to enable remote work, to setting up network kit so remote workers could connect and actually get something done, to securing remote endpoints. One organization I know struggled with VPN bandwidth, telling administrative staff to only go online briefly to receive emails after 8 p.m. A neighbor who works for a government agency told me he had three weeks of paid leave because his agency's infrastructure initially couldn't handle everyone logging in from home.
Over those two years, we have several times started planning a return to the office, only to see those plans pushed back by newly emerging variants.
Now a new crisis has emerged: a major war in Europe, in which the aggressor is a major purveyor not only of disinformation but also of state-sponsored hacking. Russia has a long history of cyberattacks against Ukraine's banking system and public infrastructure, and against Estonia's as well. The Russian state has also been involved in countless other hacking attempts, ransomware gangs and bot farms.
Since the assault on the Ukrainian people began four weeks ago, President Biden and other prominent Western politicians and government officials have repeatedly warned of the threat of broader Russian cyberattacks, urging businesses to ensure their systems are patched, up to date and protected as well as possible.
Define Zero Trust Security
It is in all of the above contexts that I would like to bring up the concept of Zero Trust security.
The U.S. National Institute of Standards and Technology (NIST) defines zero trust as:
“…the term for an evolving set of cybersecurity paradigms that shift defenses from static network-based perimeters to focus on users, assets, and resources. A zero-trust architecture uses zero-trust principles to plan industrial and enterprise infrastructure and workflows. Zero trust assumes that there is no implicit trust placed in assets or user accounts based solely on their physical or network location… Zero trust focuses on protecting resources (assets, services, workflows, network accounts, etc.), not network segments, because network location is no longer considered the main element of the resource’s security posture.”
Although this is a very abbreviated version, there is still a lot to unpack:
- Zero trust means security is no longer about your location on the network. In other words, just because you’re on the office local area network (LAN), behind the firewalls, doesn’t automatically make you trustworthy.
- Zero trust focuses on protecting resources, whatever form they take, so that only a user who has been both authenticated and authorized can do anything with those resources.
The initial development of Zero Trust security was actually an early response to remote working and policies such as “bring your own device” (BYOD). BYOD gave employees the ability to use their own Mac laptop or phone for work while shifting the hardware and desktop support costs onto the employee. Overall, this probably had benefits for employee satisfaction, but it also had an impact on security.
How Zero Trust Differs from Previous Security Approaches
To simplify this for the non-InfoSec folks out there, let’s say in the “good old days” you had a desktop computer, purchased by your organization, whose physical Ethernet adapter address was recorded and entered into a database. The security team had installed strong firewalls to protect the organization from the public internet. Internal computers, whose addresses were in this database, were allowed to connect to any other asset on the internal network, simply because they were internal and therefore trusted. This is why connecting from home previously required (and for many organizations still requires) a secure virtual private network (VPN) connection from a computer known to the organization.
Enter the BYOD policy. Now that I am registering my personal Mac with the company, I may need to download security scanning software and the VPN client. The emphasis here is “Jed is an employee, he has a registered Mac, and he’s logged in from the office LAN, so all is well.” The organization may require additional steps if connecting remotely, such as using a physical hardware security token and a security scan just before I can do any work.
But the picture has become more complicated. We are now in the thoroughly modern world of remote access from anywhere, on any device, via cloud services. It is no longer enough to know that a computer belonging to the organization has connected from the local network. Now it’s a smartphone in Jakarta accessing our cloud services hosted by Amazon and Microsoft. Therefore, zero trust focuses on assets, which include ourselves as users, systems, workflows, and the information itself.
It is now a question of describing which users can access which content or services and with which level of privilege, in other words, what they can do with the asset. The technology here focuses on secure user authentication, so we add technologies such as multi-factor authentication to our login process. However, the process does not stop at authenticating who I am. Now that I am authenticated, the system knows that I am who I say I am.
What does this mean in a world of zero trust? Perhaps this provides me with a level of trust required to access generic read-only resources such as intranet pages. For other information systems or resources, we enter the granular world of permissions and groups. I am authenticated, I am definitely Jed, and Jed is a member of the group authorized to modify documents in this workspace. In other words, we put another wall around the assets or resources and verified that not only am I who I say I am, but that I have the right to modify those resources. I am authorized.
Modern systems, through features such as Data Loss Prevention (DLP) controls, take zero trust to the next level by verifying exactly what I am authorized to do with the asset.
My permission says I can edit this item, which is an MS Word document. However, my permission level does not allow me to print the document, attach it to an email, or change the permissions, even though my authenticated group membership says I should be able to change them.
Zero trust has therefore moved us from a security paradigm based on trusting a machine because it sits in a recognized and secure segment of the network, to one based on assessing who we are, where we connect from, how we prove we are who we say we are, what we should have access to, and what actions we can take on the assets we can access.
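To make that chain of checks concrete, here is an added example of a small policy decision point written for this article; it is not code from the original article or from NetDocuments, and every user, group, resource label and rule in it is constructed for illustration. It evaluates a request in the order the article describes: authentication first, then device posture and MFA, then group-based authorization on the resource, and finally a DLP layer that can refuse an action (print, email, change sharing) even though the user's group would otherwise grant it. The network the request arrived from is carried along but never used as a reason to allow.

```python
"""Toy zero-trust policy decision point (added example, constructed data)."""
from dataclasses import dataclass
from typing import FrozenSet, Tuple

# Constructed sample data: resources are classified by label, not by where
# the requester sits on the network.
RESOURCE_LABELS = {
    "intranet:": "public-internal",
    "workspace:legal/": "confidential",
}

# Which groups may perform which actions on resources with a given label.
GROUP_GRANTS = {
    "public-internal": {"everyone": {"read"}},
    "confidential": {
        "legal-viewers": {"read"},
        "legal-editors": {"read", "edit", "print", "share"},
    },
}

# DLP layer: actions that move confidential data out of the workspace are
# blocked regardless of what the user's group membership would allow.
DLP_BLOCKED_ACTIONS = {"confidential": {"print", "email", "share"}}


@dataclass(frozen=True)
class Request:
    user: str
    authenticated: bool      # identity check succeeded
    mfa: bool                # multi-factor step completed
    groups: FrozenSet[str]   # authorization input
    device_managed: bool     # registered device that passed a posture scan
    network: str             # "office_lan", "vpn" or "internet"; recorded, never trusted
    resource: str            # e.g. "workspace:legal/contract.docx"
    action: str              # "read", "edit", "print", "email", "share"


def label_for(resource: str) -> str:
    """Map a resource name to its classification label (default: unlabeled)."""
    for prefix, label in RESOURCE_LABELS.items():
        if resource.startswith(prefix):
            return label
    return "unlabeled"


def decide(req: Request) -> Tuple[bool, str]:
    """Return (allowed, reason). Every step must pass; default is deny."""
    # 1. Authentication: an unverified identity gets nothing, LAN or not.
    if not req.authenticated:
        return False, "not authenticated"
    # 2. Posture: anything beyond reading needs MFA and a managed device,
    #    whether the request comes from the office LAN or from Jakarta.
    if req.action != "read" and not (req.mfa and req.device_managed):
        return False, "mfa and managed device required for %s" % req.action
    # 3. Authorization: does some group the user holds grant this action
    #    on this class of resource?
    label = label_for(req.resource)
    if label == "unlabeled":
        return False, "resource has no label; default deny"
    grants = GROUP_GRANTS[label]
    effective_groups = set(req.groups) | {"everyone"}
    if not any(req.action in grants.get(g, set()) for g in effective_groups):
        return False, "no group grants %s on %s" % (req.action, label)
    # 4. DLP: an authorized editor still may not move confidential data out.
    if req.action in DLP_BLOCKED_ACTIONS.get(label, set()):
        return False, "dlp blocks %s on %s data" % (req.action, label)
    return True, "allowed"


def demo():
    """Run the article's scenario for a constructed user 'jed'."""
    jed = dict(user="jed", authenticated=True, mfa=True,
               groups=frozenset({"legal-editors"}), device_managed=True)
    doc = "workspace:legal/contract.docx"
    cases = [
        Request(**jed, network="internet", resource="intranet:home", action="read"),
        Request(**jed, network="internet", resource=doc, action="edit"),
        Request(**jed, network="internet", resource=doc, action="print"),   # group says yes, DLP says no
        Request(**jed, network="office_lan", resource=doc, action="print"), # office LAN changes nothing
        Request(**jed, network="internet", resource=doc, action="email"),   # never granted by group
        Request(**{**jed, "device_managed": False}, network="office_lan", resource=doc, action="edit"),
    ]
    return [(r.network, r.action) + decide(r) for r in cases]


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Note that the two "print" requests differ only in their network field and receive the same decision; that is the whole point of the model. The real policy engines in identity providers and cloud platforms take far more signals (device certificates, risk scores, session age) and express rules declaratively, but the evaluation order shown here is the one to look for when reviewing any of them.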
Many of us are used to working with granular permissions and adding users to groups, but a zero trust policy takes this to the next level.
Lastly, I’m not an InfoSec pro, I just work with them, so hopefully this hit home as a simple introduction.
Jed Cawthorne is director of security and governance solutions at NetDocuments. He is involved in product management and works with customers to make NetDocuments’ products even better.