Give me zero trust or give me…the incoherent ramblings of an RSA Conference attendee…
James Saturnio here reporting for MobileIron from this year's RSA Conference at the Moscone Center in San Francisco. The weather is cloudy and rainy, and the prevailing winds are overwhelmingly about zero trust security. Zero trust has slowly gained momentum over the past decade, but this year, it has achieved mainstream status! This report hopes to filter out what is marketing hype versus what are actionable steps to start implementing a zero trust security framework in your organization. This is a recommendation; your mileage may vary.
To understand zero trust you must first wade through some of the misconceptions. Zero trust is a security framework. It is a strategic process and architecture that is dynamic and extensible. It isn’t a single product or one-size-fits all-solution. It is a mindset that is rooted in the idea that the traditional castle and moat model of layered security is no longer enough to stop today’s sophisticated adversaries’ intent in circumventing your defenses and breaching your connected devices to steal your users’ and company’s important data. Simply put, the Internet and the Intranet have now converged in this new mobile-centric and cloud-based world!
Now here’s my laundry list of zero trust components:
- Behavioral-based and liveness biometric identity used for user authentication and authorization
- Multi-factor authentication
- Device verification via endpoint posture checking
- Strong cryptography used to encrypt and digitally sign data at rest and data in motion
- Central policy enforcement engine to enforce access rules and compliance
- Threat defense
- Traffic visibility and risk-based analytics
- Machine learning threat intelligence shared across all components
- User education against social engineering exploits like phishing
How do I get started down the path to implementing zero trust security? Devices must first be threat-free. Users, devices, and apps are not initially trusted and must present a strong identity to authenticate and then be allowed to connect. Once authenticated, these components are assigned the least privilege and then constantly verified for authorization as they pass through gates within the micro-segmented contexts to access their critical organizational resources. Micro-segments extend to network micro-perimeters, users and groups, their devices, their apps and data, their current location, and time.
Here’s some zero trust trivia. Gartner calls their version CARTA (continuous adaptive risk and trust assessment). Forrester came back with Zero Trust eXtended (ZTX). Google calls theirs BeyondCorp. Microsoft called theirs Conditional Access which is the old Network Access Control (NAC) solution. Intel called theirs Beyond the Edge, but both vendors are now adopting the zero trust term. The 451 Research version is called Universal Access Control (UAC), and Symantec is converging their web gateways into a single CASB coupled with Software Defined Perimeter (SDP) with web isolation technology to sandbox, obfuscate, and cloak all web traffic.
And still others mention cyber deception as an evolution from the old honeypot security to lay a minefield of dynamic decoys that imitate routers and switches, bank ATMs, medical devices, and so on as traps to impede an attacker’s lateral movement across the network. Compromised decoys trigger alerts on the network's warning system and provide real-time analysis and threat intelligence for zero-day threats to the security operations center (SoC). Under the covers, the principles are the same to achieve zero trust security, but their framework and implementations differ.
In parting, here is a simple form of cyber deception for the rising number of personal attack threats that you can use. Do not provide truthful answers to those security questionnaires that ask for your mother's maiden name, your favorite pet's name, the name of the street you grew up on, so forth to verify who you are if you forget your online password. Bad actors use these answers to guess your other online passwords if one of your internet accounts get breached. Of course, you must remember the answers if you use different ones or simply reuse the same false answer for all.