Is Zero Trust model the final frontier in enterprise security?

The network firewall as we know was established somewhere in the ’90s. System admins everywhere deployed these “perimeters” which essentially isolated the organization’s internal servers from the internet. Things were going great until the cyber attackers figured out how they could pierce the perimeter. They knew about the perimeter of the firewall; they also knew that customers and trusted suppliers were given access through the perimeter. So instead of attacking the big company, cybercriminals started targeting these trusted partners and customers. It came to a point where the firewall had lost most of its value and the attackers didn’t really care about it anymore.

At this critical point in time, some cybersecurity enthusiasts started suggesting the idea of eliminating the perimeter. These people were tired of the network perimeter.  They believed that establishing a mere firewall as the protection for your internal servers wasn’t really cutting it.  Cyber attackers were adapting. People were asking for a change, and what started out as a discussion between a few enthusiasts in the Jericho Forums in 2004, gained traction and was even given a name in 2010. The Zero Trust Model.

Recently, our CMO and Director of Operations, Rachana Vijayan sat down with Dr. Chase Cunningham also known as Dr. Zero Trust, at HexCon20 to have a talk. He is a cybersecurity expert and an advisor to several federal bodies in the US. He has also authored a book called Cyber Warfare- Truth, Tactics, and Strategies. He talked about the zero-trust model and how it could well be the future of enterprise-level cybersecurity. Some of the key takeaways from his talk are the backbone of this article.

Where to start?

The question is, where should organizations focus their efforts early on when it comes to zero trusts for optimal ROI? Sounds like quite a loaded question but the answer is somewhat simple. As Dr. Cunningham would say, “for most organizations the answer would be binary “I.e., focus on users and devices. One of the fundamentals of zero trust is you do not trust the user nor do you trust the device. So, in essence, the users have to prove that they are who they say they are and the devices have to prove it is what it is. This is a good place to start. Ensure validation of any transaction or any access attempts.

Now the next question arises, how? There are solutions that ensure compromises don’t happen on the user level or the device level. This solution could be a UEM, something in the lines of what Hexnode would offer. So, if you are an organization looking to maximize ROI when it comes to zero-trust cybersecurity, this is the way to go.

Is the zero-trust model foolproof?

The implementation of the zero-trust model does not ensure 100% safety from cyber-attacks. Some of the biggest cyber-attacks in recent years happened because the company’s systems weren’t segmented to a controllable level. With higher levels of segmentation, the company can limit the radius of attacks by limiting the attacker’s access inside the system.

A system that is 100% secure from cyber-attacks will be unusable. The premise of Zero trust is that you are willing to compromise certain device features for security, the quality of security depends on what you are willing to give up. The advancement in technology is opening up workarounds to ensure better security with lower compromises but as it stands, companies should find the sweet spot where they don’t have to give up the necessary device functionalities for security.

Zero-trust model for everyone

The issue when it comes to SMBs is that they feel that they are too small for a cyber-attack. In fact, according to a recent survey conducted by BullGuard, 60% of SMBs have this similar mindset. This cannot fly in the present cyber environment. In his session, Dr. Cunningham said “They (SMBs) should be looking at the big enterprises and saying how can I leverage that same strategic approach to Zero Trust and make it specific for them. “

Approaching the problem of cybersecurity with the mindset of a big company is key when it comes to establishing a level playing field on the cyber security front. To be clear, we don’t expect a small company with a few workers to establish a huge data bank or anything. The efforts made by the company should reflect the same kind of earnestness put forth by a company, twice its size. In the end, the aim is to establish a field full of hard targets that cyber attackers would find difficult to crack.

But what about larger enterprises?

The bigger enterprises see the value of having a security strategy that can enable an outcome. They see a benefit in the translation that occurs between security objectives and capabilities and business objectives and capabilities which result in happier employees, higher revenue generation, and less time spent trying to solve security concerns.

The plan isn’t necessarily about adding more technology and more security but about doing what makes sense to solve the physics of the problem. The security plans when strategically aligned help resonates with the goals of the business.

UEMs and the Zero-Trust model: How do they relate?

In an environment where the baseline is “trust nothing and verify everything,” it is important that you stay up to date, especially regarding various aspects of a device, like updates and its various capabilities. The easiest way to ensure this happens in an automated manner is through a UEM solution. The zero-trust model and UEMs are self-fulfilling in the sense that, UEMs manage one of the basic avenues of compromise when it comes to Zero trust, the device.

UEMs enable you to apply controls on this basic component of cybersecurity and is key when it comes to establishing a zero-trust model.

The use of identity and access management services in conjunction with UEMs is considered as doubling down on the zero-trust security model.  Passwords are one of the main areas where organizations get compromised, users have over 90 online accounts per device. Ensuring strict password policies, taking care of the device, making sure it’s patched, restricting user privileges, and addressing the core requirements for the adversary will help you increase your security.

Anything more than what’s needed for the purpose of a user’s work will only hurt your company. Preventing users from being the entity that causes harm and keeping the systems relatively simple without affecting user experience will be well accepted and is the end state experts are trying to reach with zero-trust.

How long does it take for an organization to reach a zero-trust end state?

The time taken for completing the adoption of the zero-trust model depends on the size and type of organization. Some organizations may already be on track and can reach the end-state fairly quickly while for new ones it can take years.

All cybersecurity revolves around data at some point and the zero-trust model helps users understand it. Users often tend to stop at compliance policies which are only a part of zero-trust and are far from the end-state of the model.

The time required can be exponentially decreased by using vendor solutions like Hexnode that allows users to reach a zero-trust end-state quickly and at scale with policy engines that make the process controllable. The constant updating and monitoring of the systems will help you get to the end-state faster, which may still take a while, but you will certainly see the benefits along the way.

How do you know if a zero-trust model is successful?

Once you have established a zero-trust model in your organization, you obviously would be curious regarding the level of success that was brought forward by this model. Some of the key parameters that can be used to measure success when it comes to zero-trust is visibility and transparency. Compare the cybersecurity posture of your organization before and after deploying the zero-trust model in your organization.  Are you able to view more devices? Can you pinpoint who is using what devices? Are the transactions that happen between devices transparent? As Dr. Cunningham said in his session, “I don’t think in reality anyone will ever say that they are going to get a 100% real-time accountability on every asset. But when you move towards a more zero-trust state you would find yourself getting closer to that 100% mark.”

A successful Zero-trust implementation would also reflect an optimized budget when it comes to cybersecurity. As you inch closer to a zero-trust state, you would know what solution would solve what problem. Then you could easily get rid of other solutions or processes that weren’t useful to you.

The relevance of zero trust in 2020

Since the first quarter of 2020, many organizations have been forced to enact remote working protocols. This meant that the perimeter no longer existed. The devices deployed by organizations were spread across a large area. And by the look of things, it seems we are would be remote and mobile for a while at least. 
The optimal way to deal with the problem of cybersecurity at this juncture would be to adopt a zero-trust model.  Dr. Cunningham added,” 84% of organizations that I’ve talked to, in my data, are moving towards zero trust, this is because of the move that has taken place due to remote work. 
”

Most of us are going to be remote and most of us are going to be outside the perimeter. It is the ideal time to move towards a zero-trust approach.

Dr. Cunningham wrapped up the session with a piece of advice for all the organizations looking to adopt the zero-trust model “Be compliant, get compliant, know what the value of your data is … but don’t stop there go further”.

Zero-trust is an evolving concept, the developments in security with the zero-trust model solves all the security issues we had in the past but it doesn’t end there, the issues of the present and future can only be addressed by constantly updating and securing your users and endpoints.