Everything You Need to Know About Zero-trust Security

The infamous SolarWinds breach, disclosed in December last year, impacted such government agencies as the Department of Homeland Security, the State Department, and the Treasury Department, among thousands of other clients of the IT service provider, including Fortune 500 companies. The attackers added malicious code to the company’s software system, Orion. This code was then unleashed on SolarWinds’ clients through a regular software update.

In the wake of this successful attack – one of the largest in scale in recent history – government agencies are urged to switch from their traditional architecture to zero-trust security. So let’s zoom in on the subject and break down the benefits of a zero-trust approach to cybersecurity.

What is zero-trust?

The US National Institute of Standards and Technology (NIST) in its Special Publication 800-207 defines zero-trust as “an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources…Zero-trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location…or based on asset ownership.”

In other words, zero-trust models operate under the assumption that nothing and no one can be trusted by default – not outside and not inside a network, irrespective of whether they are connected to a managed corporate network or have been verified in the past. Every user and every request must first be verified before being granted access. This includes authenticating the user or request, confirming that the user is authorized for the access requested, and encrypting data in real time. Furthermore, this model provides access of “least privilege,” meaning access will be provided only to the extent that is needed.

Now, zero-trust is a concept. It’s a framework for cybersecurity. Its architecture – the implementation of the framework – is a combination of technology products, workflows, and policies.

Traditional architecture vs. zero-trust architecture

The traditional security architecture, also known as the perimeter model, focuses almost exclusively on preventing outside threats by putting in place multiple layers of security. Securing the perimeter usually involves installing firewalls, anti-malware software, etc. This model does not effectively address two problems:

  1. Users, or employees, increasingly require flexibility in terms of the location they work from and the devices they use to access data. There are dozens of events that can give hackers a window of opportunity: a remote device runs an unpatched operating system, data on remote devices is not encrypted, a user’s router still has its default password, a user has not set up multi-factor authentication for their accounts, etc. These events happen outside of the perimeter, yet endanger the security of an entire network.
  2. Cybersecurity threats often come from inside the perimeter. Whether knowingly or unintentionally, your organization’s employees and vendors may be putting your entire system at risk. 85% of organizations admit that they struggle to determine the actual damage caused by an insider attack. The rate of insider threats has increased by 70% in the last two years.

As a result, attacks often go undetected for months.

This model’s flaw of assuming anyone and anything inside the perimeter is “trustworthy” can, of course, be somewhat alleviated by such solutions as internal vulnerability scanning, a cybersecurity dashboard, and a managed threat detection & response program.

Now, if you do not employ a zero-trust security model, utilizing these solutions is a must. They significantly strengthen your cybersecurity.

Let’s now break down how zero-trust architecture works.

Many organizations hesitate to switch to zero-trust architecture, thinking it will require an enormous investment and a complete replacement of their existing architecture. That’s not the case.

Since zero-trust is based on the assumption that no one and nothing can be trusted, the architecture of this model requires the network to verify every access request for the integrity and access authorization of every device, application, and user making the request. That means that security needs to shift from the paradigm of guarding a perimeter to guarding identities and access.

Here’s NIST’s visualization of the architecture.

As you can see from the diagram, the Policy Engine and the Policy Administrator are in the control plane. They decide whether to grant an access request in the data plane. The determination draws on multiple inputs: activity logs, a data access policy, security information and event management (SIEM) systems, etc.
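The per-request decision described above can be sketched as follows. This is an added example, not code from NIST or from the original article; the policy table, field names, and sample requests are constructed assumptions, and the Policy Administrator is simplified to "execute the Policy Engine's decision and record it in the activity log."

```python
from dataclasses import dataclass

# Constructed data access policy: (role, resource) -> actions permitted (least privilege).
POLICY = {
    ("hr-analyst", "payroll-db"): {"read"},
    ("dba", "payroll-db"): {"read", "write"},
}

@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    mfa_verified: bool    # user authenticated with MFA for this request
    device_patched: bool  # device posture, as reported by endpoint management
    disk_encrypted: bool
    source_ip: str        # logged only; network location never grants trust
    resource: str
    action: str

def policy_engine(req: AccessRequest) -> tuple[str, str]:
    """Control plane: decide on one request. Returns (decision, reason)."""
    if not req.mfa_verified:
        return ("deny", "user not authenticated")
    if not (req.device_patched and req.disk_encrypted):
        return ("deny", "device fails posture check")
    if req.action not in POLICY.get((req.role, req.resource), set()):
        return ("deny", "action exceeds least privilege")
    return ("allow", "policy satisfied")

def policy_administrator(req: AccessRequest, activity_log: list) -> bool:
    """Apply the engine's decision to the data plane and log it either way."""
    decision, reason = policy_engine(req)
    activity_log.append((req.user, req.source_ip, req.resource,
                         req.action, decision, reason))
    return decision == "allow"

def demo():
    """Run three constructed requests; return (decisions, activity_log)."""
    log = []
    requests = [
        # Remote user, healthy device, permitted action: allowed.
        AccessRequest("alice", "hr-analyst", True, True, True,
                      "203.0.113.7", "payroll-db", "read"),
        # Inside the corporate network but unpatched: denied anyway.
        AccessRequest("bob", "dba", True, False, True,
                      "10.0.0.5", "payroll-db", "write"),
        # Internal, healthy device, but the role may only read: denied.
        AccessRequest("alice", "hr-analyst", True, True, True,
                      "10.0.0.9", "payroll-db", "write"),
    ]
    return [policy_administrator(r, log) for r in requests], log

if __name__ == "__main__":
    for entry in demo()[1]:
        print(entry)
```

Note that the second and third requests originate from internal addresses and are still denied, while the first comes from outside the network and is allowed: the decision depends on identity, device posture, and policy, not on location.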

However, this is only one of the possible ways to structure your zero-trust architecture. It can also be achieved through network micro-segmentation, device sandboxing, and other methods.

All of these types of architecture can be achieved using an existing infrastructure; they simply require adding certain software solutions and setting up workflows.

Ideally, though, a zero-trust model would be built in a Secure Access Service Edge (SASE) environment. SASE is a cloud-native network architecture. It is “The Future of Network Security in the Cloud,” as described by Gartner. SASE networks are distributed globally across multiple Points of Presence, thus offering a fast and seamless experience to users, applications, and devices. They are identity-driven, which ensures secure access.

Zero-trust fundamentals

Deloitte identifies the following processes and technologies as the basis of zero-trust architectures:

  • Data discovery and classification: As an organization, you need to have a full review of your data – what you have, where it is stored, how it is tagged and classified, and who should have access to what data.
  • Asset discovery and attack-surface management: You need a comprehensive review of your entire IT environment and its internal and external assets – cloud resources, subdomains, IP addresses, social media accounts, etc.
  • Configuration and patch management: You should have a system in place to efficiently manage and document baseline configurations of key technology systems, deploy appropriate patches, test patched systems, and document new configurations.
  • Identity and access management: The identity lifecycle should be managed through a robust, automated system.
  • Third-party risk management: Whether it’s your vendors, implementation partners, or other third-party entities, you need to have a comprehensive review of the cyber risks of external parties.
  • Logging and monitoring: Volumes of detailed logs need to be automatically analyzed by AI- and ML-enabled solutions to identify potential threats.

Benefits of zero-trust security

The most obvious benefit, evident from the definition of zero-trust itself, is significantly improved security of your data. Zero-trust is much better suited to address the evolving needs of organizations, be it remote work or an increasingly complex IoT infrastructure.

Another strong benefit of zero-trust security is compliance with such regulations as HIPAA, GDPR, GLBA, CCPA, and others. As explained by Forrester Research, a zero-trust framework allows organizations to achieve stringent compliance faster.

Furthermore, a zero-trust network is highly scalable. For example, while with a traditional model, access to an internal application often leads to granting access to the entire network, with zero-trust architecture, access is granted to only a micro segment of a network. This allows us to add more applications without compromising the security or speed of a network.

Finally, the scope of the damage of a successful attack is drastically reduced with a zero-trust approach. Since every request requires verification, hackers can’t complete many actions without alerting IT staff.

Given that cyberattacks are on the rise, and healthcare, educational, and government institutions are the most common targets, your organization will have to transform its approach to cybersecurity sooner or later.