Part of what you do in a Zero-Trust approach is, every time a particular asset is accessed
you evaluate that access according to a set of policies …
policy-driven evaluation would have identified, I believe, a pattern of activity here
where … an IT professional accessing this kind of information … would have been questioned.[1]
– Navy CTO Don Yeske
The US military is in the process of moving to a Zero Trust networking framework. But before that process began in November, a National Guardsman stationed on Cape Cod leaked 350 classified documents over a period of six to fourteen months before he was detected and arrested.[2] Zero Trust, which enforces stringent policies over permitted network activity, might have stopped the rogue airman sooner: he was serving as an IT admin and had no need to access those military secrets.
This type of breach is called an insider attack. Insider breaches make up 20% of all breaches.[3] Zero Trust helps address these as well as many of the attacks that begin outside an organization’s network.
What is Zero Trust?
Zero Trust is an IT approach that can help your organization outright stop or contain damage caused by a cyberattack. It is not a product-based solution – it’s a model that exists to raise an organization’s security posture.
Zero Trust assumes a breach has already occurred. It trusts nothing and no one outside your network’s perimeter, the traditional point where cybersecurity tools are applied (for example, firewalls stop incursions from the outside). But Zero Trust also trusts nothing and no one within your network; this is the basis of Don Yeske’s assertion that Zero Trust could have limited the National Guard breach.
Zero Trust similarly treats your organization’s own network as compromised, and so protects users’ data from the network itself.
Through a series of checks, the Zero Trust method of security verifies and reverifies each user, each user’s device and the network before it grants access to each digital or hardware asset.
This continuous scrutiny is the mechanism that can halt an attacker’s lateral movement. Without Zero Trust, a criminal who obtains a user’s credentials can likely move from the point of the breach to other valuable assets on the network.
Single Sign-On and Zero Trust, an Unlikely, but Effective Pair
One of Zero Trust’s tradeoffs is that it gains security at the expense of usability. With all the credential challenges, how can the network stay usable? Bryley partner Microsoft has long advocated pairing Zero Trust with Single Sign-On. With Single Sign-On a user is authenticated to the network once – advisedly through a multi-factor authentication process – and can then go about their work.
Once a Zero Trust approach is in place, however, it continuously monitors user behavior, device health and other contextual factors (such as time of day and user location). If unusual activity is detected, access can be restricted dynamically or the user can be asked for additional authentication proofs. This is why Single Sign-On’s ease of use pairs well with Zero Trust’s rigorous network control.
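As an added illustration (not code from Bryley, Microsoft or any product named here), the following hypothetical policy decision point in Python evaluates every access request the way the checks above describe: identity and need-to-know, device health, time of day and location, and an unusual volume of sensitive reads. The asset names, roles, hours and thresholds are constructed sample values.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed sample policy: each asset carries a sensitivity label and the
# roles with a business need to read it ("minimum necessary access").
ASSET_POLICY = {
    "helpdesk-tickets": {"sensitivity": "internal", "roles": {"it_admin", "helpdesk"}},
    "intel-reports":    {"sensitivity": "secret",   "roles": {"analyst"}},
}

@dataclass
class AccessRequest:
    user: str
    role: str
    asset: str
    device_healthy: bool   # e.g. disk encrypted, endpoint protection running, patched
    hour: int              # local hour of day, 0-23
    location: str          # coarse location seen by the access proxy
    usual_location: str    # where this user normally works
    day: str               # calendar day, used for the volume check

class PolicyEngine:
    """Hypothetical policy decision point: every request is evaluated, even when
    the user already holds a valid single sign-on session."""

    def __init__(self, sensitive_reads_per_day: int = 20):
        self.limit = sensitive_reads_per_day
        self.reads = Counter()   # (user, day) -> reads of non-internal assets

    def evaluate(self, req: AccessRequest) -> str:
        policy = ASSET_POLICY.get(req.asset)
        if policy is None:
            return "deny"                   # unknown asset: nothing is trusted by default
        if req.role not in policy["roles"]:
            return "deny"                   # no need-to-know (an IT admin reading intel)
        sensitive = policy["sensitivity"] != "internal"
        if sensitive and not req.device_healthy:
            return "deny"                   # an unhealthy device never touches sensitive data
        if sensitive:
            self.reads[(req.user, req.day)] += 1
            if self.reads[(req.user, req.day)] > self.limit:
                return "deny"               # pattern of activity: unusual volume of reads
        # Off-hours or an unusual location is suspicious but not proof of compromise,
        # so ask for an additional authentication proof instead of blocking outright.
        off_hours = req.hour < 7 or req.hour > 19
        if off_hours or req.location != req.usual_location:
            return "step_up_mfa"
        return "allow"
```

In a real deployment the inputs would come from the identity provider, the device-management agent and the access proxy; the decision logic is what a Zero Trust policy engine adds on top of the single sign-on session.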
Learning from the US Government’s Phased Adoption
In 2021 President Biden issued an executive order to move the government’s systems to a Zero Trust architecture. The Cape Cod breach and others show that an earlier adoption would have been preferable, but the government is enormous and diverse.
Maybe your organization feels rooted in its way of networking (or ways if you have multiple departments/systems). Maybe you have crucial legacy machines and/or software.
Because of that complexity, the US Cybersecurity and Infrastructure Security Agency (CISA), tasked with executing the president’s order, has begun a phased Zero Trust implementation.
This is also a good idea for many organizations. Phasing-in Zero Trust would include these steps:
- Identifying the users on the network
  - Zero Trust means granting minimum necessary access based on a user’s identity and context
- Identifying your assets
  - Zero Trust is controlling access to contain a breach, so every hardware and digital asset must be accounted for – including cloud assets, legacy items, BYOD devices and IoT devices
- Identifying key processes and evaluating the risks associated with execution
  - First candidates for Zero Trust deployment are processes that handle sensitive data, support core operations, have high vulnerability risk and are central to achieving organizational goals
  - The process risks may include altered ways of working, user confusion and user adoption
- Formulating policies to support Zero Trust
  - This can be done in Microsoft Active Directory and other tools that help formulate policies, like scanning tools that collect and analyze network security logs and events
- Identifying candidate solutions
  - Evaluate which security tools and processes will work best for achieving Zero Trust in your environment
- Deploying and monitoring
  - Deploying Zero Trust can be complex and require changes to workflows and user behavior, so user training and monitoring – via software and in conversations – is critical to success
Guidance in Considering the Zero Trust Framework
Zero Trust is a network model that can give your organization peace of mind because it addresses both insider attacks and incursions into your network. Is it right for your organization? It is not inexpensive or simple to implement, and it requires incorporating more powerful technologies as threats evolve. It is among the handful of soundest approaches to security and can pay for itself in protection (the average cost of a data breach for a small business is over $3 million, per IBM[4]), but your organization may be reliant on legacy systems built on the older perimeter-defending paradigm. Zero Trust also has a learning curve for both IT staff – its stringency can yield false positives – and end users, whose workflows change.
To begin to find out if Zero Trust is the right framework for your organization’s network, consider a complimentary 15-minute consult with Roy Pacitto, or contact Roy at ITExperts@Bryley.com or 978.562.6077 x2.
[1] https://www.c4isrnet.com/cyber/2023/04/26/zero-trust-could-have-limited-pentagon-leak-navy-cto-says/
[2] https://www.nytimes.com/2023/04/13/world/europe/jack-teixeira-pentagon-leak.html
[3] https://securityboulevard.com/2023/07/verizons-annual-data-breach-incident-report-dbir-shines-spotlight-on-ransomware-trends-insider-threats/
[4] https://www.ibm.com/reports/data-breach
Lawrence writes about networking and security. He’s written for Bryley since 2015.