The zero trust model has been adopted by many organizations since 2011, with the goal of allowing employees to work from untrusted networks without needing to use a virtual private network (VPN). Access was shifted from the most common network perimeter defense to the user and their devices, allowing employees to work from anywhere and evolving the manner in which they work. This became especially important throughout the COVID-19 pandemic, because the rise in remote and hybrid workers has made networks more difficult to manage. Zero trust provides an enterprise the opportunity to create a more robust and resilient security posture, simplify security management, improve the end user experience and enable modern IT practices.
According to the US National Institute of Standards and Technology (NIST), the rise in remote and hybrid workers, satellite offices, cloud services, and mobile devices has resulted in networks that are so complex they “[have] outstripped traditional methods of perimeter-based network security as there is no single, easily identified perimeter for the enterprise.”1 A great deal of effort has been expended addressing this issue. If enterprises had been quicker to act with (justifiable) caution, they could have significantly reduced their risk. Now that the need for caution has been recognized, enterprises have begun to implement proper zero trust protocols.
Conventional perimeter-based security used the castle and moat (i.e., firewall and endpoint) method to protect organizations from cyberthreats. This created an excessively trusting attitude toward users and devices inside the fortress. As a result, internal malicious actors can also move laterally and exploit excessive trust.
Zero trust requires organizations to remove implicit trust and abide by several principles:
- Never assume trust, always verify every access attempt—Verify access from each device that attempts to access the network (e.g., laptops, mobile phones).
- Continuously verify and validate trust—If a device has already been verified, verify it again.
- Deny anonymous or unverified access—If access is requested by a device that is not recognized or cannot be verified, it must be denied.
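The three principles above can be read as a per-request decision. The following is an added example, not code from the article or from any product it mentions; the device registry, key values, the 60-second freshness window and all function names are hypothetical and constructed for illustration.

```python
import hashlib
import hmac

# Constructed device registry: device id -> enrolled secret (hypothetical values).
DEVICE_KEYS = {
    "laptop-01": b"constructed-key-laptop-01",
    "phone-07": b"constructed-key-phone-07",
}
MAX_PROOF_AGE = 60  # seconds a proof stays fresh; assumed policy value


def sign_request(key, device_id, resource, issued_at):
    """Device side: bind the proof to this device, resource and moment."""
    msg = f"{device_id}|{resource}|{issued_at}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def decide(request, now):
    """Policy decision for ONE request; nothing is remembered between calls."""
    key = DEVICE_KEYS.get(request.get("device_id"))
    if key is None:
        return ("deny", "unrecognized device")
    expected = sign_request(key, request["device_id"], request["resource"],
                            request["issued_at"])
    if not hmac.compare_digest(expected, request.get("proof", "")):
        return ("deny", "device could not be verified")
    if not 0 <= now - request["issued_at"] <= MAX_PROOF_AGE:
        return ("deny", "verification is stale, verify again")
    # source_ip is deliberately never consulted: an internal address earns no trust.
    return ("allow", "verified for this request")


def make_request(device_id, resource, issued_at, source_ip, key=None):
    """Build a constructed sample request; key=None models a device with no proof."""
    proof = sign_request(key, device_id, resource, issued_at) if key else ""
    return {"device_id": device_id, "resource": resource,
            "issued_at": issued_at, "source_ip": source_ip, "proof": proof}


if __name__ == "__main__":
    ok = make_request("laptop-01", "payroll", 1000, "203.0.113.9",
                      DEVICE_KEYS["laptop-01"])
    print(decide(ok, 1000))   # fresh proof from an enrolled device
    print(decide(ok, 1100))   # same device, proof too old: verify again
    print(decide(make_request("phone-07", "payroll", 1000, "10.0.0.5"), 1000))
```

Because the proof covers the resource name and the time of issue, a proof accepted for one resource is rejected when replayed against another, and a previously verified device is denied as soon as its proof ages out.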
Recognize All-in-One Zero Trust Solutions Do Not Exist
It is important to recognize that zero trust is not a methodology that can be purchased via a specific product, nor is it a single approach or technique. It is composed of policies, frameworks, technologies, and people. All need to be linked to the 7 pillars of zero trust, which are defined by the US Department of Defense (DoD) as:2
- User
- Devices
- Applications and workloads
- Data
- Network and environment
- Automation and orchestration
- Visibility and analytics
Security leaders can implement these 7 pillars of the ZTX model to apply the appropriate security tools and better secure IT. The ZTX playbook or similar zero trust pillars are designed to help IT security administrators identify, organize and implement the appropriate security tools that satisfy the overall goal of a zero trust strategy.
Buying individual products to address these pillars can leave gaps. A zero-trust framework cannot be implemented using a single solution. It is an ever-evolving road map. As stated by chief executive officer (CEO) and cofounder of OpenVPN Inc., Francis Dinha, “Zero trust involves layers and layers of security, structured on top of one another with intention and purpose.”3
Scale Appropriately
Once successful, the deployment of zero trust can be scaled. Gradually introducing zero-trust security is beneficial because it does not disrupt the continuity of an existing cybersecurity strategy. Organizations may begin by locking down crucial assets, but because they are not entirely abandoning one system for another, they are exposed to fewer threats.
Think Compromise
It can be useful to consider the assumed compromise principle when attempting to use zero trust to mitigate the risk of a network breach. Whether employing the use of tabletop exercises, whiteboarding or seminars, the primary goal of the assumed compromise principle is to answer the question, “If this user, asset, or website is compromised, what would I do differently?” This question could be answered by creating a list of scenarios such as those described in the ISACA® publication IT Risk Scenarios Tool Kit.
Organizations should consider the following factors:
- Data and information management—The organization should assess its ability to achieve and preserve adequate data and information quality and protection.4
- Control type—Controls can be classified into different types. Such a classification can help assess whether the applied range of controls is sufficiently holistic. For example, not all controls are focused on policies.
  Many classifications are possible, including:
  - The governance system component types of COBIT® which distinguish among process practices, organizational structures, information flows (i.e., reporting), culture and behavior, skills, policies, applications and infrastructure
  - Preventive/detective/corrective controls within any internal classification system an enterprise has developed
- Intent/motivation—Generally, if the threat actor is an insider within the organization and the event is accidental, the value of data or patterns within the actor’s intent/motivation can give insight into how such an event may occur. If the actor is malicious, the intent/motivation field describes how and why the actor may act against the assets and resources. If the actor is an act of nature, the field explains how particular events lead to a loss (e.g., high winds cause a power outage, leading to data center downtime).5
- Effect on impact—Whether a control is estimated to influence impact is expressed as a qualitative indicator, with possible values of Yes/No. It is recommended that an enterprise’s risk management practices include some guidance on the thresholds for these qualitative values to ensure consistency across the IT risk register.
- Reference—This field on the risk register is for a reference to the control. References can be anything that help the user better understand or better position the control.
  Possible references can include:
  - A reference to a particular governance or management objective in the COBIT framework, or a process practice or activity contained therein that explains the control in more detail
  - A reference to another relevant standard or framework where the control is sourced from or where it is better explained
  - A reference to a control in an enterprise’s own control catalog
- Effect on frequency—The estimated effect that this control has on frequency. The effect is expressed as a qualitative indicator, with possible values of Yes/No. It is recommended that risk appetite guidance be provided for qualitative values to ensure reliability across the IT risk register.
- Essential control—The security controls included in the zero trust architecture enable defense in depth (DiD), which should be taken into consideration during risk assessment at the system or organizational levels.
Consider (and Address) Challenges of Adopting Zero Trust
Zero trust consists of a collection of concepts that enforce an Agile, per-request approach of trusting none and verifying all, unlike traditional perimeter security. It is not an out-of-the-box solution, and there are sources of risk6 and challenges that must be considered for zero trust to be successful.
First, legacy software and hardware can create gaps in the network that are unable to adapt to zero trust. These systems were built with a perimeter frame of mind. These systems may need security deployment mechanisms to be protected or replaced.
Next, the risk of a breach increases with the number of copies of data that exist. Many organizations are guilty of having multiple copies of the same data—sometimes dozens. Every time someone sends an email, a copy of those data is created on their computer. When the email is sent, a copy of those data is created on the server. A seasoned hacker can download a copy of these data.
The third risk factor is liquidity, or how easy it is to transfer data from one place to another and process them. There has been a push in the modern world to make data more fluid so that they can be leveraged more effectively. That puts data-driven organizations at great risk of a breach.
The final data breach risk factor, the dark web, is arguably the most important, in that the risk of a breach increases with the value of the information. A considerable section of the dark web is devoted to the buying and selling of stolen financial and personal information. If information ends up on the dark web, for instance after a data breach, an identity thief could gain access to it. As the dark web has flourished and dark net markets have emerged, the risk of data breaches has increased.
Conclusion
In the data risk management (DRM) space, zero trust helps reduce risk, simplifies the improvement of digital monitoring (i.e., governance), and increases maturity within the compliance framework. By employing security protocols and a zero trust method, organizations gain visibility into risk at all levels. At the granular level, the risk of a single-user identity breach can be evaluated, logged and reported. With IT and security tools integrated, other potential breach indicators such as a high volume of data access and transfer and malware detection can be observed, allowing the first line of defense to obtain the necessary details for investigation. The rich threat and vulnerability data can be further processed to offer an aggregated view of an organization’s risk posture, making risk reporting to senior management and auditors more accurate and hassle-free. Powered by the insights generated from risk monitoring and reporting, organizations’ risk management strategies and policies can be continuously reviewed and improved to stay relevant and effective.7
Endnotes
1 National Institute of Standards and Technology (NIST), NIST Special Publication (SP) 800-207, Zero Trust Architecture, USA, 2020
2 Department of Defense, DoD Zero Trust Strategy, USA, 2022
3 Dinha, F.; “When It Comes to Zero Trust, Don’t Trust Everything You Read,” Forbes, 7 March 2022
4 Sanbower, J.; “Addressing Risk in Web Security With Zero Trust,” GRC Outlook Magazine
5 ISACA®, IT Risk Starter Kit, USA, May 2022
6 Shea, S.; D. Turpitka; “Top 6 Challenges of a Zero-Trust Security Model,” TechTarget, October 2022
7 Kudrati, A.; J. Xia; “How to Improve Risk Management Using Zero Trust Architecture,” Microsoft Security, 23 May 2022
Paul Phillips, CISA, CISM, CDPSE
Is the director of event content development at ISACA®. He has worked for US enterprises in various capacities for 37 years. He has also worked as a part-time professor for several universities and other institutions of higher learning for 20 years including Aurora University (Illinois, USA), Lewis University (Romeoville, Illinois, USA), Northwestern University (Evanston, Illinois, USA) and the University of Chicago (Illinois, USA). Phillips is an award-winning international public speaker and has spoken at events sponsored by organizations such as the US National Institute of Standards and Technology (NIST), the MIS Training Institute (MISTI), The Institute of Internal Auditors (IIA) and ISACA.