The shift to zero-trust security architecture is accelerating. Vendors, IT service providers, and organisations are talking up zero trust to address the drawbacks of perimeter-based security exposed by a recent spate of software supply chain and ransomware attacks.1
Microsoft – one of 18 tech companies recently appointed to a US-led Zero Trust consortium – is promising to invest $US20 billion in the initiative.2 Google has committed $US10 billion.3
Closer to home Kāinga Ora and the Ministry of Housing are leading the adoption of zero trust in New Zealand government.4
The former is running a zero-trust architecture working group as part of the Government Information Security Forum.
So, what is zero trust?
Zero trust assumes that fortress security approaches are doomed to fail – that if your security perimeter hasn’t been breached already, it soon will be. Which means nothing and no one can be trusted, not even devices on the safe side of the firewall.
Zero-trust architectures do not replace perimeter security. Rather, they reorientate security to treat system access requests as if they came from an open network.
The model harnesses a blend of technologies, including identity and access management, and multi-factor authentication, inspecting a mix of signals to build the necessary confidence to grant access to data and services.
Blame a certain virus that accelerated the shift to distributed working. Increasingly blurred lines between work and personal lives, device switching and sharing, and activity crisscrossing organisational boundaries present multiple entry points for cyber criminals.
Now more than ever, identities, devices, apps, networks, infrastructure, and data live beyond the protection of traditional perimeters.
The larger attack surface provides the canvass on which cyber criminals can get creative, demanding that organisations must “never trust, always verify" before granting access.
Pillars of zero trust success
Broadly, a zero-trust model applies security principles and methods designed to prevent, detect, mitigate, and recover from security events.
The American Council for Technology and Industry Advisory Council (ACT-IAC)5 – a non-profit organisation established to improve government through technology – identifies six pillars of a successful zero-trust security model. Visit the ACT-IAC website.
Users: ongoing authentication of trusted users; continuous monitoring and validation of user trustworthiness to govern access and privileges
Elements of a zero-trust architecture keep changing to fight evolving threats, casting uncertainty over exactly where to start, the likely effectiveness of progress, and security end-state.
Even taking first small steps toward a zero-trust architecture is fraught.
Some IT managers we’ve talked to say employee perceptions are a barrier, with many believing their company no longer trusts them.
CIOs have also expressed concerns related to open-ended costs arising from migration to a zero-trust network design, training, support, protracted and potentially disruptive programmes of work, and modernising legacy systems incompatible with modern authentication methods.
Until recently, security technology lacked necessary integration capabilities to put CIOs at ease. However, a new breed of access control technologies essential to a zero-trust architecture click together quickly and simply.
This kind of Lego block approach to designing security models puts organisations in a stronger position to build a modern security operations centre to align IT and security operations with a zero-trust strategy.
Core elements of a zero-trust implementation
Microsoft lays out the core features of a zero-trust implementation:
But has anything changed, really?
Most IT managers with a few grey hairs will be familiar with the term ‘least privilege access’ - a principle that enforced a minimal level of user rights, or lowest clearance level, to allow a user to perform their role.
The idea dates to the mid-80s and recognises that enforcing least privilege is instrumental to reducing security risk from errors or malicious intent.
Least privilege is the foundation of a zero-trust strategy.
As systems shifted to the cloud and other variables, such as heterogenous systems, endpoints, and third-party access, have redefined the technology landscape, the job of applying least privilege access got too big.
Simply, there were too many places IT managers had to look, and too many individual security elements to choreograph.
Zero trust is mostly about establishing the technology model to orchestrate access, or privilege, in a format that provides a single point of reference to coordinate the strategy.
Perimeter security won’t disappear because firewalls still have a role to play. However, in thinking about a zero-trust architecture we accept that its principal function is to broker communication between users, devices, applications, and services – wherever they exist. And doing that job well is far bigger than a single solution.
Zero trust imposes a form of tax – but it’s money well spent
The absence of trust is a type of societal dysfunction. It imposes a form of tax that everyone must pay when zero trust is your best from of defence.
Organisations must invest in technology and attention, and users are required to tolerate inconveniences posed by hurdles and protocols governing access to resources.
Much like tax evasion, taking shortcuts to ease the burden of remaining safe and operational in a zero-trust environment will eventually come back and bite hard.
Spark’s cybersecurity practice provides customers with leading security experts to design, implement, and support your journey to a zero-trust model. What’s more, we practice what we preach, building our own portfolio enterprise services – from connectivity and SD WAN to endpoint solutions – to zero-trust principles.
When no one can be trusted, trust the company who understands the new standards for security in the modern digital age.
Learn how Spark’s Cyber Security Practice keeps critical infrastructure and services safe, and the reputations of New Zealand’s biggest brands intact.