Zero Trust Security – Part 1 – Trust No One
This is the first part in a two-part series on taking a Zero Trust security.
Can you remember what you were doing ten years ago today? Thanks to one of my favorite Internet tools, tenyearsago.io, I know that 10 years ago ESPN was discussing a long-shot deal to get Alex Rodriguez on the Yankees. Pundits on CNN were arguing whether the candidacy of Illinois Senator Barack Obama was viable, and the front page of Amazon.com was introducing visitors to a new device that some reporters covering the 2008 Consumer Electronics Show weren’t sure there would be a market for:
(Image copyright Amazon.com)
Among many important cultural milestones in 2008 was one that slipped by (mostly) unnoticed: 2008 was the year the number of connected devices exceeded the number of people on Earth. It was a time when few organizations depended on cloud computing, had a “BYOD” policy (the first commercial Android phone, the T-Mobile G1, was released October 2008), or even thought about anything “as-a-Service,” since Microsoft Office 365 was still more than three years away.
The nature of the IT landscape was something most security professionals had a handle on. Hackers were somewhere “out there,” and they were trying to get “in here.” Organizations weren’t focused on building “Borderless Networks,” in fact, it was quite the opposite. Companies could consider themselves reasonably secured by treating their own networks like a castle – a big moat, some nice thick walls and guards at every door. The guards validated the four most important aspects of external network traffic – source address, destination address, port, and protocol – and if the connection met specified requirements, the traffic was granted access. Save for all but the most glaring of activities, very little attention was paid to behavior on internal networks once the external traffic had been validated.
This approach to security was in place in November of 2013, when malicious actors first gained access to the systems of two key contractors for the United States Office of Personnel Management (OPM). It remained in place in May of 2014 when OPM IT security personnel conducted a regular audit of those systems and gave them a clean bill of health, and persisted, still, until a second OPM system was breached, allowing hackers to steal detailed information about OPM IT systems and the personal information of as many as 18 million federal employees.
In their review of this breach, the U.S. House of Representatives Committee on Oversight and Government reform issued formal guidelines and recommendations for federal agencies to harden their systems. The recommendation guided agencies and contractors towards implementing “Zero Trust Architecture,” a term introduced by Forrester Research.
The term, Zero Trust, may have been new at the time, but the concept is something IT professionals have long been aware of. Zero Trust security is the natural extension of the Principle of Least Privilege. By restricting access to information, systems, and services only to those who absolutely require it for their job duties, the overall attack surface and list of potential exploits shrinks dramatically.
Today, in this era of more than 11 billion connected devices, IT organizations of all sizes and types need to steer towards implementing Zero Trust more than ever. The new threat landscape can easily overwhelm and exploit traditional security models built around flat, open networks, and the idea that internal traffic is inherently safe. By comparison, Zero Trust mandates that ALL traffic, internal and external, should be logged, inspected, and verified. Furthermore, microperimeters should be set around systems and data in order of increasing complexity, validating credentials and behavior at each step. Today’s hackers aren’t brute-forcing through firewalls. Rather, they are adept at forging and compromising credentials, effecting critical changes on networks that traditional IT teams don’t notice until it’s too late.
The call, so to speak, is coming from inside the house.
Stay tuned for Part II: War on Two Fronts, where we evaluate strategies for managing Identity and Behavior as they relate to Zero Trust security.<< Back to Resources