The concept of Zero-Trust has been around for a while. While this model has been widely recognized as an effective approach to prevent data breaches and mitigate the risk of supply chain attacks, its adoption across the private and public sectors has been slow and inconsistent. This is about to change.
It was in 2003 that the Jericho Forum, a security consortium, defined some of the earliest work on what we now call Zero-Trust, whose basic principle is that we shouldn’t trust anyone or anything just because it’s inside the organization’s perimeter.
Forrester later established the Zero-Trust model in 2011, which was centred around the guiding principle “Never Trust, always verify”, and the recognition that perimeter firewalls are no longer sufficient to protect business secrets and assets.
Several organizations such as Google or Microsoft established methodologies to implement and operationalise it, but until now it has yet to be widely adopted. So why is now the time to embrace Zero-Trust and learn the lessons from others who have been on this journey?
A pivotal moment to embrace the Zero-Trust model
First, the COVID-19 pandemic has accelerated the adoption of Cloud and remote working technologies, further transforming the attack surface as well as complexity and interdependency across the digital supply chain. The old castle-and-moat mentality focused on protecting the perimeter is no longer viable.
Second, businesses are grappling with more stringent regulations and increasing pressure to improve data privacy.
Third, government policies and executive orders such as the one executed in May by the Biden administration will enforce the Zero-Trust model to address the growing number of malicious campaigns that threaten the public and private sectors, as well as the security, privacy and ultimately the livelihood of individuals.
Learnings from recent attacks that impacted the Colonial Pipeline or JBS meat packing company underscore how organizations must consider implications that can impact the broader ecosystem and society.
Where do we go from here?
It is important to recognize that there is no silver bullet product and no unique way to implement Zero-Trust. It requires a layered security approach that covers the entire digital infrastructure, legacy and modern systems, with a focus on having the adequate controls where the user accesses digital resources and a reduced reliance on perimeter security.
While there are no commonly accepted definitions for Zero-Trust, these tenets below are recognized as essential to implement a Zero-Trust strategic roadmap:
Tenet 1: Be consistent on how you authenticate and authorize any users and digital resources, includingany computing and data resources inside and outside the organization. This tenet assumes that the digital architecture, users and all resources owned by an organization are well understood and documented. Apply a Just-In-Time access mechanism to authenticate positively a request at the time it is made without assuming a request is authentic because of a past certificate.
Tenet 2: Secure all communications irrespective of the network location using encryption and multi-form authentication technologies, to ensure that the data being carried always remains protected.
Tenet 3: Apply access based on the principle of least privilege, relying on better situational awareness on the users, applications and devices being used and accessed, as well as environmental and behavioural attributes. Deploy a just-enough access mechanism based on real-time dynamic policies, which ensures that only the access needed is provided and only for the duration of the request.
Tenet 4: Monitor and verify explicitly the security posture and integrity of all digital resources, including personal devices which may be used to access certain corporate applications. The collection of the necessary information on the current state, health and posture of assets, based on multi-attributes data points, including user identity, user MFA, location, day and time, device authentication, device health, service or workload, data classification, and anomalies. This increased situational awareness will ultimately help improve access decisions.
Tenet 5: Always refer to the guiding principles “Never trust, always verify” and “assume breach”. Such an approach will help focus on minimizing the damage caused by a data breach or cyberattack as much as preventing it.
While the implementation of these tenets can be complex, they have proven to be very effective at preventing cyberattacks and advanced tactics used by cyber-malicious actors. It is best practice to focus on the most critical data and digital resources when implementing these tenets and necessary access policies.
The road to Zero-Trust will be different for every organization. And while the end-state may never be reached, everyone can begin the journey and start adopting these key tenets.
Like any other transformational initiatives, it will require a robust understanding of the different Zero-Trust approaches and associated mechanisms, as well as a thorough assessment of the organizational readiness, business benefits and capabilities needed to maximize the operational outcome.
By Basim Al-Ruwaii & Georges De Moura
About the authors: Basim Al-Ruwaii is the Chief Information Security Officer, Saudi Aramco; Georges De Moura is Head of Industry Solutions, Centre for Cybersecurity, World Economic Forum.
This article originally appeared at https://www.weforum.org/agenda/2021/10/why-the-time-has-come-for-the-zero-trust-model-of-cybersecurity/ and is republished with permission.
