What is Zero Trust Security?
The threat landscape is evolving and has greatly expanded over the past ten to fifteen years. IT environments traditionally consisted of an office where all employees, servers, and maybe even a DMZ were centrally located. Due to advancements in connectivity, the typical office has changed. Through cloud applications, VPNs, mobile networks, and Wi-Fi, it is now expected that the office is anywhere. Recently, this evolution in work has accelerated due to the pandemic. We now have a widespread hybrid workforce where you’re no longer just in the office or just out of the office; you’re potentially going in and out depending on the day. Users and devices may be inside the network or outside on any given day, and there are also many more devices to secure. Employees are using mobile phones, connecting remotely via laptops, or connecting via desktops from inside the network. Some devices may be more secure than others, depending on what endpoint protection can run on them. Basically, what this boils down to is that we can no longer rely on a strong, secure internal network to protect us. We need to be protected everywhere.
Corey Nachreiner, Chief Security Officer at WatchGuard, compares the traditional security model to a Tootsie Pop. There is a hard candy shell that contains all your protection. But once you break through the shell, you can go anywhere in the soft candy center. So, a bad guy just has to get past that hard candy shell. In today’s environment, that hard candy shell can’t exist solely “at the office.” It must exist everywhere, but that still isn’t enough, because hard shells can be broken through. Even before the hybrid work environment was adopted, security should have been based on a zero-trust model. Networks can no longer grant users privileges just because they got past the door or broke through the shell. Security models today need to allow the least amount of privilege possible to do what is necessary.
Zero-trust security takes a cynical approach to users and permissions. Basically, it assumes that every user is a bad actor. That could be a hostile actor intentionally targeting your systems or an employee connecting a compromised device. Zero trust grants only the permissions necessary and doesn’t allow lateral movement through a network: breaking through the shell doesn’t give a user access to the whole soft candy center. Zero trust implements a hard shell throughout the network, like a hard lollipop, and eliminates the soft candy center. Or, as Corey would say, turn your network security into a Jawbreaker.
Zero trust also goes beyond simple authentication-level access. If you turn your network into a zero-trust Jawbreaker, you can now separate that Jawbreaker into individual tiny pieces, and most users won’t even know what pieces exist. Only users who need access to a certain piece of the Jawbreaker (think applications, network storage, systems) get visibility and access. The Microsoft Exchange server hack from March of this year was exactly this type of exploit. The bad actors didn’t need a username, password, or MFA token. They just needed network-level access and could exploit a server-level request. The recent Kaseya hack was also this type of authentication bypass attack. Zero-trust security therefore also boils down to protecting applications against these types of attacks. Authentication is still a very important part of zero-trust security, but network segmentation, including establishing micro-perimeters, is equally important.
Zero trust starts with authentication and identity controls. You need to know who the person is and what the device is before you can decide whether it should have access. Until you’ve established whether this is someone you know, you can’t figure out how much access to give them.
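To make the Tootsie Pop versus Jawbreaker contrast concrete, here is an added example (not WatchGuard's code or anything from the post) that evaluates the same access requests under both models. The perimeter policy trusts anything inside the network; the zero-trust policy requires a verified identity with MFA, a managed device, and an explicit per-resource entitlement, and denies everything else. The user names, resources, and request fields are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed, hypothetical request model for one access decision.
@dataclass(frozen=True)
class Request:
    user: Optional[str]     # None = no verified identity (an unauthenticated network request)
    mfa: bool               # second factor presented for this session?
    device_managed: bool    # endpoint runs the required endpoint protection?
    inside_network: bool    # source address is on the "internal" network?
    resource: str           # the "piece of the Jawbreaker" being requested

# Per-resource entitlements (constructed): anything not listed is invisible to the user.
ENTITLEMENTS = {
    "mail": {"alice", "bob"},
    "finance-share": {"alice"},
    "backup-server": {"ops"},
}

def perimeter_decision(req: Request) -> bool:
    """Tootsie Pop model: once past the hard shell, everything is reachable."""
    return req.inside_network or (req.user is not None and req.mfa)

def zero_trust_decision(req: Request) -> bool:
    """Jawbreaker model: prove who is asking, what is asking, and that this
    identity is entitled to this one piece. Network position never counts."""
    if req.user is None or not req.mfa:      # who is the person? (identity + MFA)
        return False
    if not req.device_managed:               # what is the device? (posture)
        return False
    return req.user in ENTITLEMENTS.get(req.resource, set())  # deny by default

def compare(req: Request) -> tuple:
    """Return (perimeter_allows, zero_trust_allows) for the same request."""
    return perimeter_decision(req), zero_trust_decision(req)

if __name__ == "__main__":
    # Constructed scenarios. The first mirrors the post's point about
    # network-level access: no username, password or token, just a foothold inside.
    cases = {
        "no identity, inside the network, wants mail":     Request(None, False, False, True, "mail"),
        "alice, MFA, managed laptop, coffee shop, mail":    Request("alice", True, True, False, "mail"),
        "bob, MFA, managed, inside, finance-share":         Request("bob", True, True, True, "finance-share"),
        "alice, MFA, unmanaged phone, mail":                Request("alice", True, False, False, "mail"),
    }
    for label, req in cases.items():
        perim, zt = compare(req)
        print(f"{label:50} perimeter={str(perim):5} zero_trust={zt}")
```

The first scenario is the one that matters: the perimeter model says yes to a request that carries no identity at all, while the zero-trust model refuses it outright, and bob's request shows that even a fully verified user only sees the pieces he is entitled to.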