Zero-Trust: Is Your Company Ready?

Ben Schoenecker, Director of Information Security, Hendrick Automotive Group


Companies are quickly adopting the Zero-Trust security model. Leaders are inundated with marketing hype around Zero-Trust, and it can be difficult to understand what is real and what isn’t. With hybrid and remote workforces becoming the new norm, companies have started embracing Zero-Trust at a faster rate. The White House even stated the importance of Zero-Trust in the “Executive Order on Improving the Nation’s Cybersecurity” in May of 2021. A recent market research exercise conducted by The Demo Forum found that there are now nearly 300 different vendors offering Zero-Trust security solutions. Why should your company consider adopting Zero-Trust, and how can you properly communicate the benefits to your boards and stakeholders?

Let us first demystify the term: Zero-Trust is not so much a product, as it is a mindset or paradigm that describes objectives and outcomes. Tools and products that claim to be Zero-Trust can help you evolve in ways to meet these objectives. But what’s involved in developing a Zero-Trust strategy?

One of the core principles of Zero-Trust is removing the implicit trust that we have within our IT environments. As security professionals designing networks, we have learned over the years to think that “outside is bad” and “inside is safe”. We protect our networks with firewalls to keep the bad guys out, and we usually assume that if something gets in that we don’t want, we have a breach of security. The Zero-Trust mindset removes this way of thinking. Attributes like location and network carry less weight in determining the level of trust of our assets and users (but can still be useful). With Zero-Trust, we treat every system with an equal risk profile, whether it is on or off our corporate network.

A second main tenet of Zero-Trust is replacing that implicit trust with technology that dynamically monitors the trust level of users and assets and then adapts to it. One of the primary ways this is done is with identity. Zero-Trust solutions rely on continually determining the contextual identity of users and assets at any given time or location. A strong identity management solution is a must-have prerequisite for adopting Zero-Trust.

The end result is a model that “never trusts, but always verifies” our assets and users. This model is not only flexible enough for our post-COVID era hybrid workforces, but also positioned in a way that can prevent a minor compromise from becoming a large security breach. This all sounds fantastic, but how does this translate to actual technology? Below are some example data points on the technical aspects of Zero-Trust:

• Remote workers no longer need to be directly connected to your corporate network to access corporate resources. This is usually achieved by using a service edge, sometimes called a secure access service edge (SASE). These can be cloud or perimeter based. These are fancy terms for proxies that present resources to clients if they are properly trusted. This subset of Zero-Trust is also known as Zero-Trust Network Access, or ZTNA.

• All devices, external and internal, can pass through a single point of policy that decides what traffic or resources are allowed. This translates to both web applications on the internet (CASB), and internal corporate resources. This means that all your devices, at all locations, always adhere to consistent access control. This also means in the event of a device becoming compromised, an attacker could be extremely limited in what they may access. This is enabled by a combination of cloud service edges and local service edges (for internal assets). Zero-Trust software clients can force all traffic from devices to route through the service edges, while other traffic is dropped at the device.

• Devices can be identified as trusted through a unique signature that gets created at the time of provisioning. In combination with a unique certificate and encryption key pair, this prevents an attacker from impersonating a device, even if they have stolen user credentials.

• Users are identified against the Identity Provider (IdP), typically with multi-factor authentication or other supported factors.

• Device posturing can also be considered when evaluating the trust of an asset. Checks such as Operating System version, domain, company certificate, or whether a particular antivirus solution is present and is working can all be considered.

• Zero-Trust policy can dictate specific access roles for users that are very granular, consistent, and follow least-privilege principles to ensure your users can only access what they need and nothing more, whether they are onsite or offsite. Since all traffic passes through the service edges, the result is not too far from network micro-segmentation.

• Compromised devices or suspicious activity can quickly be detected and isolated, no matter the device’s location, by issuing automated policy changes that quarantine the device from reaching the service edges.
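
The checks in the list above, combined into a single default-deny policy decision of the kind a service edge would make. This is an added example, not code from the article or from any vendor product; every name, fingerprint, role and threshold in it is a constructed assumption.

```python
from dataclasses import dataclass

# Constructed policy data: every name, fingerprint and threshold is hypothetical.
ENROLLED_DEVICES = {"fp:laptop-042", "fp:laptop-077"}  # device cert fingerprints
QUARANTINED = {"fp:laptop-077"}                        # set by automated response
USER_ROLES = {"alice": "sales", "bob": "finance"}
ROLE_RESOURCES = {"sales": {"crm"}, "finance": {"crm", "ledger"}}
MIN_OS_VERSION = (10, 4)

@dataclass
class Request:
    user: str
    mfa_passed: bool        # result reported by the IdP
    device_fp: str          # fingerprint of the client certificate presented
    os_version: tuple
    av_running: bool
    resource: str
    on_corp_network: bool   # recorded for logging; never used to grant access

def decide(req):
    """Return (allowed, reason). Default is deny; every check must pass."""
    if req.device_fp in QUARANTINED:
        return False, "device quarantined"
    if req.device_fp not in ENROLLED_DEVICES:
        return False, "unknown device"
    if not req.mfa_passed:
        return False, "user not verified"
    if req.os_version < MIN_OS_VERSION or not req.av_running:
        return False, "posture check failed"
    allowed = ROLE_RESOURCES.get(USER_ROLES.get(req.user), set())
    if req.resource not in allowed:
        return False, "resource outside role"
    return True, "allowed"

if __name__ == "__main__":
    good = dict(mfa_passed=True, os_version=(10, 5), av_running=True)
    samples = [  # constructed requests
        Request("alice", device_fp="fp:laptop-042", resource="crm", on_corp_network=False, **good),
        Request("alice", device_fp="fp:laptop-042", resource="ledger", on_corp_network=True, **good),
        Request("alice", device_fp="fp:unknown", resource="crm", on_corp_network=True, **good),
        Request("bob", device_fp="fp:laptop-077", resource="ledger", on_corp_network=True, **good),
    ]
    for r in samples:
        print(r.user, r.resource, r.device_fp, decide(r))
```

Because `on_corp_network` is never consulted, the same request gets the same answer onsite and offsite, and valid credentials presented from an unenrolled device are refused even from inside the network.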

Fully adopting the Zero-Trust model requires a lot of time and planning, but studies have shown that even companies that partially adopt Zero-Trust drastically reduce their risk profile. The future of work will continue to be a hybrid workforce, and companies must adapt their security strategies to accommodate this change. Our networks must safely support access for remote workers, cloud applications, and the like, while still being flexible enough to adapt to business changes. Zero-Trust helps these goals by leveraging identity in a powerful way. In a 2019 survey by Zscaler, Inc., it was found that 78 percent of companies surveyed were looking to embrace Zero-Trust in the future, while 15 percent of those companies had already fully adopted the model. With this level of interest, it’s clear to see that the time is upon us to evolve and explore the benefits of this new paradigm.
