Is Trust a Vulnerability? Is Zero Trust Architecture a Good Idea?

The Zero Trust (ZT) architecture is a modern concept shaping cybersecurity in the public and private sectors. The growing use of SaaS applications, migration to cloud-based architecture, a rising number of remote employees, and bring-your-own-device (BYOD) have rendered perimeter-based security obsolete. The concept of a network perimeter, where those outside the enterprise's control are malicious and insiders are trustworthy, is no longer a viable approach to cybersecurity. ZT moves away from network-centric security that grants broad access to data resources and systems, toward granular, data-centric access decided on the attributes of each individual access request, together with continuous authentication of devices, people, and applications.
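To make the contrast concrete, the following added example (not code from the original article or from any vendor it names) models the two access models described above: a perimeter check that trusts a request because of its source network, and a per-request Zero Trust policy that evaluates identity entitlement, authentication strength, device posture, and session freshness, never consulting network location. The address ranges, resources, roles, thresholds and sample requests are all constructed for the illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set, Tuple

# Constructed corporate address range used only by the legacy perimeter check.
INTERNAL_NET = ip_network("10.0.0.0/8")

# Constructed entitlements: which roles may reach which resource (least privilege).
ENTITLEMENTS: Dict[str, Set[str]] = {
    "payroll-db": {"finance"},
    "source-repo": {"engineering"},
    "wiki": {"finance", "engineering", "contractor"},
}

# Constructed per-resource sensitivity tier and the controls each tier demands.
SENSITIVITY: Dict[str, str] = {"payroll-db": "high", "source-repo": "medium", "wiki": "low"}
MAX_SESSION_MIN = {"low": 480, "medium": 60, "high": 15}  # re-authentication window per tier
MAX_PATCH_AGE_DAYS = 30


@dataclass
class AccessRequest:
    user: str
    roles: Set[str]
    mfa_verified: bool
    device_managed: bool
    device_patch_age_days: int
    source_ip: str
    resource: str
    session_age_min: int


def perimeter_decision(req: AccessRequest) -> bool:
    """Legacy model: a request is trusted solely because it originates inside the network."""
    return ip_address(req.source_ip) in INTERNAL_NET


def zero_trust_decision(req: AccessRequest) -> Tuple[bool, List[str]]:
    """Evaluate every request on its own attributes; the source network is never consulted.

    Returns (allowed, denial_reasons). An empty reason list means the request is allowed.
    """
    reasons: List[str] = []
    tier = SENSITIVITY.get(req.resource)
    if tier is None:
        return False, ["unknown resource"]  # default deny for anything not explicitly classified
    # Identity and least privilege: at least one of the caller's roles must be entitled.
    if not (req.roles & ENTITLEMENTS[req.resource]):
        reasons.append("role not entitled to resource")
    # Authentication strength scales with the sensitivity of the data.
    if tier in ("medium", "high") and not req.mfa_verified:
        reasons.append("MFA required")
    # Device posture: managed and recently patched for anything above low sensitivity.
    if tier == "high" and not req.device_managed:
        reasons.append("unmanaged device")
    if tier in ("medium", "high") and req.device_patch_age_days > MAX_PATCH_AGE_DAYS:
        reasons.append("device patch level too old")
    # Continuous authentication: a session older than the tier's window must re-verify.
    if req.session_age_min > MAX_SESSION_MIN[tier]:
        reasons.append("session too old, re-authenticate")
    return (not reasons), reasons


def compare_models(requests: List[AccessRequest]) -> Dict[str, Tuple[bool, bool]]:
    """Map each user to (perimeter_allows, zero_trust_allows) for side-by-side comparison."""
    return {r.user: (perimeter_decision(r), zero_trust_decision(r)[0]) for r in requests}


# Constructed sample requests covering the cases where the two models disagree.
SAMPLE_REQUESTS = [
    # Insider on the corporate LAN, but no MFA and an unmanaged, unpatched laptop.
    AccessRequest("alice", {"finance"}, False, False, 90, "10.1.2.3", "payroll-db", 5),
    # Remote engineer with MFA on a patched, managed device.
    AccessRequest("bob", {"engineering"}, True, True, 3, "203.0.113.7", "source-repo", 20),
    # Entitled finance user meeting every control except session freshness.
    AccessRequest("carol", {"finance"}, True, True, 3, "10.9.9.9", "payroll-db", 120),
    # Contractor reaching a low-sensitivity wiki from outside the network.
    AccessRequest("dave", {"contractor"}, False, False, 400, "198.51.100.2", "wiki", 30),
]

if __name__ == "__main__":
    for user, (perim, zt) in compare_models(SAMPLE_REQUESTS).items():
        print(f"{user:6} perimeter={perim!s:5} zero_trust={zt}")
```

Running the block shows the perimeter model admitting alice and carol purely on their internal address while refusing bob and dave, whereas the Zero Trust policy reverses every one of those decisions: alice is denied for missing MFA and device posture, carol is sent to re-authenticate, and bob and dave are admitted because the request attributes satisfy the policy for the resource's sensitivity tier.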
 
The Forrester Wave ZT report extends the ZT architecture to encompass the entire attack surface and proposes an ecosystem including protection for data, workloads, devices, users, automation, orchestration, visibility, and analytics. Forrester's research also showed that Zero Trust could reduce an organization's risk exposure by 37% or more. An organization deploying Zero Trust can reduce security costs by 31% and realize significant savings in cybersecurity expenses.
 
ZT is a multi-faceted approach, encompassing multiple products and a flexible security architecture. It builds on the principles of least privilege, micro-segmentation, deep inspection of network traffic, and encryption of all data at rest and in transit. DLT partners with many vendors relevant to ZT, including CrowdStrike, AWS, IBM, FireMon, Pulse Secure, OneLogin, Palo Alto, Illumio, NETSCOUT, Nuix, Tripwire, Adaptive, Centrify, LogZilla, LogRhythm, BeyondTrust, and more.

The 'new normal' marks the best time to implement ZT.

Government agencies face a surge of threats perpetrated against an unplanned remote workforce. It is a "new normal" that could last for months or even until 2021 and requires swift action. Previously, many in the public sector might have believed that the idea of implementing "zero trust authority" was simply a new buzz phrase to be applied sometime in the future. Still, with a changing cyber landscape, implementation should be an immediate priority.
While the COVID-19 pandemic has presented an immediate need for swift action, government agencies should always be prepared for the unexpected and do everything in their power to protect their critical networks, data, and endpoints. As adversaries continue to evolve and adapt to benefit from any circumstance, the public sector must adopt safe and modern practices to stay a step ahead and protect the nation's critical infrastructure.

Federal agencies lead the way by embracing ZT in pivotal initiatives
The Department of Homeland Security's Continuous Diagnostics and Mitigation (CDM) program and the Department of Defense's Comply-to-Connect (C2C) program use ZT principles to protect data resources. These critical programs provide real-time, continuous monitoring of federal networks while also auditing systems for unauthorized changes.

CrowdStrike (Real-time visibility)
The CrowdStrike (CS) Falcon platform provides real-time, continuous visibility and security across the organization's assets regardless of whether they are on or off the enterprise network. CrowdStrike helps customers establish a comprehensive security strategy, including Zero Trust principles, to create a cybersecurity solution with a customizable Falcon dashboard and complete, continuous visibility and security across a variety of touchpoints, including endpoint hardware type, firmware versions, operating system versions, patch levels, vulnerabilities, applications installed, user logins, and security or incident detections.

AWS Implements Zero Trust architecture
AWS believes that in the ZT security model access to data should rely on multiple criteria, not just network location. Users and systems must prove their identity and trustworthiness and meet fine-grained identity-based authorization rules to access applications, data, and systems. The AWS Zero Trust architecture uses identity to reduce the attack surface, eliminate unnecessary data pathways, and provide straightforward security. AWS's many services incorporate security in every component of DLT's Zero Trust architecture, including Network Architecture, Monitoring, Access Control, Automated Response, Threat Intelligence, Visibility, Data Protection, Application Security, and Identity & Access Management.

IBM
Zero Trust is a security model that shifts the access conversation away from traditional perimeter-based security and instead focuses on secure access to applications based on user identity, the trustworthiness of their device, and the security policies you set, rather than the network from which access originates.

Trust is built on an expectation for delivering innovation, as well as protecting and safeguarding our intellectual property, customer data and employee information. For us, this requires a comprehensive IT strategy executed securely. This requires flexibility to empower IBM lines of business to access and use the tools they need to create, deliver, and market the innovations clients expect. It means providing a stable, reliable environment for teams and individuals to connect to the applications and technologies they need to do their job — even in the midst of a pandemic. Most importantly, our approach is underpinned with multi-faceted security integrated tightly into the daily operations of our business, providing ambient protection of both our users and our data. IBM offers several solutions that fit the ZT architecture, including IBM Security QRadar, IBM Security X-Force Exchange, IBM Cloud Pak for Security, IBM Security Verify for Workforce IAM, and IBM Security MaaS360.

FireMon is the only real-time network security policy management (NSPM) solution built for today's complex multi-vendor, hybrid enterprise environments. With support for the latest firewall and enforcement technologies spanning the data center to the cloud, only FireMon can deliver complete visibility and control across the entire IT landscape to automate policy changes and compliance and to minimize policy-related risk.

For organizations that want to start the migration to zero-trust now, network security policy management from FireMon is an essential technology that connects the dots between today’s network-based security environments to a zero-trust future. With support for microsegmentation and advanced device discovery, only FireMon offers a real-time policy management platform that can support the complex needs of large organizations as they embark on their zero-trust journey.

Palo Alto Networks was one of the first vendors to embrace Zero Trust and has continued to add to its portfolio through acquisitions that broaden its offerings to include cloud and workload security. Through these added technologies, Palo Alto has developed a robust Zero Trust solution.

Palo Alto walks customers through a five-step process to implement Zero Trust: define the attack surface, map transaction flows, architect the Zero Trust network, create the Zero Trust policy, then continuously monitor and maintain the network.

Illumio (enables micro-segmentation for ZT)
Illumio contributes to Zero Trust through its capability to deliver a well-defined and illuminated map of all assets across your infrastructure. It also provides encryption, enforcement for newly discovered applications, and real-time control of user access to systems. Illumio's collection of robust APIs leverages existing solutions and enables Zero Trust, adding value to current toolsets.

Centrify (Beyond identity and access management (IAM)) 
Centrify believes that identity is the cornerstone of an effective Zero Trust strategy. This identity-centric approach is centered on the view that securing the network perimeter and protecting the intranet has become obsolete. The focus on access controls has shifted to individual devices and users. Concentrating on identity allows agencies to apply one Zero Trust method to any platform – on-premises, cloud, or hybrid.

In Conclusion 
The journey to adequate Zero Trust security may be shorter than you think, because you probably won't have to start from scratch or rip and replace existing tools. It is likely that your agency already has crucial components of Zero Trust in place: identity & access management, multi-factor authentication, role-based access controls, perhaps even micro-segmentation. To achieve these goals, bring these disparate solutions together to enforce a true "never trust, always verify, least privilege" practice. A solid Zero Trust strategy provides the most significant security for agencies by granting access to appropriate resources only to people who have demonstrated that they are authorized.

Getting to your destination is not simple, and it won't happen overnight, but the DLT team, together with our vendor clients, is ready to help you find your way along the path to Zero Trust security.

DLT has recently launched the Zero Trust Hub to guide public sector agencies through Zero Trust implementation. Access our free resources and tools to better understand Zero Trust from multiple perspectives, and to identify common themes that emerge from the major frameworks and initiatives. Get insights on common challenges and sought-after solutions addressed by the Zero Trust framework.

References
1. The Forrester Wave: Zero Trust eXtended Ecosystem Platform Providers, Q4 2019
2. https://www.meritalk.com/articles/cdm-the-story-so-far/
3. Draft NIST SP 800-207: Zero Trust Architecture