Director of Avenga Labs
Money and reputation losses due to security breaches have never been acceptable, but with the digital era, the number of attacks and their sophistication is growing bigger than ever.
With multiple access points to business APIs and data, personal devices used to access company services from anywhere and at any time, however now the reality is becoming more and more complicated.
Zero Trust Architecture used to be a concept, now it is a security strategy.
The previous popular strategy was called perimeter security – when the organization was divided into trusted internal parts and the untrusted externals. Firewalls and filtering content helped separate the networks; the trusted from untrusted. The assumption was that when you are inside of the network of the organization, you are trusted. Well, that security model is no longer suitable in the current digital era and with the new family of threats.
The principles were developed around 2010 and are true to this day. Different sources represent them differently, but there are common elements that I’ll describe below.
The main meta principle is to abandon the false sense of security and stop believing in overly optimistic ideas about the security levels of IT systems and entire organizations. It’s the most important point of the Zero Trust philosophy.
The Zero Trust mindset starts with the Zero Trust networks that connect users, devices and services. Multiple checkpoints should be implemented to ensure a constant monitoring for threats and quick reactions to security violations.
And, it applies in the same way for all the internal and external networks. Any access point is insecure by default, there’s (you guessed it) zero trust model, no matter if it’s an ethernet cable at the office or a LTE connection via smartphone from another country.
Traditional network segmentation techniques and firewalls are not obsolete immediately, but certainly they are no longer considered as guarantees of network security.
All the devices connected to the networks should be treated as a threat. This includes company issued laptops, as well tablets and smartphones from remote users. Assume that all devices can be compromised at any time and then prepare for that. Ransomware and viruses can allow adversaries to take over any device; it can and does happen.
It gets even worse when you take into account a remote workforce and thousands of IoT devices.
All the applications deployed in your internal network, as well any APIs from the cloud, or even applications deployed in any cloud environments, all are considered equal threats. Advanced authentication techniques, which include multi-factor authentication, should not be an exception but a default. Using TLS and certificates for authentication, even in internal apps and networks, is highly recommended as well.
Recommendations also include mutual TLS connections to require certifications, to include from the clients; usually only the certificates from the servers are required. In other words, the servers should be able to identify the clients as well.
Unfortunately, it cannot be done for the customers whose devices cannot be controlled, but it works very well for company issued devices.
Containers have become the preferred way to package, deploy and manage applications. Zero Trust model in this context means that we all should remember containers are vulnerable to attacks and the packages they contain can be insecure. There’s a need for regular updates of the base containers and scanning containers for security issues, and they should be a standard element of any deployment pipeline. Modern DevOps cannot ignore the security aspect and should include DevSecOps practices by default. Insecure containers should never be deployed to production in the first place. We should not wait for the problem to happen, but try to prevent it as early as possible.
→ Read more about DevSecOps – DevOps with security
All the users should prove they currently have access. You can never assume that if once they were given access to the systems, that access should be always granted.
It can mean a little inconvenience for the users, but with the current state-of-the-art biometrics and multi-factor authentication mechanisms, which are both secure and (relatively) convenient, it does not necessarily mean a user experience nightmare.
→ Explore what Avenga Customer Experience Offerings
Decentralized identities can also be of great help.
→ Read more why Decentralized identity – security and privacy of the future
Capturing activity data as much as possible seemed to be a costly exaggeration until recently. However with the current revolutionary analytical tools, vast amounts of log data can be turned into useful information which then can be used to detect previously invisible activity patterns, that may mean security threats.
Zero Trust architecture also benefits from data science and real-time data analysis.
→ Explore how to make sense of your data with Avenga Data Services
It’s one of the interpretations and believes there’s no point in trusting local networks, so internal portals, aka intranets, are no longer a viable option as everything they provide is available in the cloud. Collaboration is done using internet cloud services and even more often now than using internal intranets. Still there are many who disagree with that, but the trend is clear, traditional intranet is ending.
Zero Trust architecture and security are holistic approaches to security. Which means, the changes required to achieve it span across everything IT related in your organization.
It is expensive, both as a change project and then to maintain the Zero Trust approach at the highest level.
Also, it means another culture shift, both for IT departments, DevOps, and software developers as well as all the users and business partners.
→ Read more about What happened to NoOps?
It’s a long term strategy, not an one-off project. It’s hard to find quick wins or workarounds, because it’s a total security strategy, and it’s not local.
The adoption statistics are very different, with some claiming that two-thirds of all organizations have planned and started the implementation of the Zero Trust strategy, while others say that only one-third have started to do this.
The critics talk about the ‘fallacy of the Zero Trust’. The main points are that it’s too complicated, too expensive, and close to impossible to be realized in the reality of business organizations. It’s also described as a kind of wishful thinking when it comes to a security strategy, and too far away from what is possible and acceptable economically.
The Zero Trust label is being added to security products and services; there are so many ‘Zero Trust’ compatible products available now. That’s why Zero Trust architecture has unfortunately become another popular buzzword.
Another criticism is that Zero Trust approach is interpreted as something different by each vendor, and there are no two vendors who understand the concept in the same way.
IT security budgets are increasing even when overall IT budget growth has stagnated.
Zero Trust architecture and security are viable strategies, not just buzzwords used to promote various security products and services.
Which elements to implement, in which order, and how is always a specific approach for a given organization.
Avenga is a vendor agnostic organization. We are not selling magic boxes with promises to enable Zero Trust model, as it requires a more holistic approach, a real strategy, cultural shift, as we mentioned before.