Zero Trust: The Right Way to “Never Trust, Always Verify”
When I think of big data breaches, a few incidents come to mind. Who can forget the 2013 instance of data theft that affected all three billion Yahoo user accounts? A few years later Anthem, the U.S.’s second largest health insurance provider, disclosed a digital attack that compromised the personal information of 79 million people. Anthem agreed to a $115 million settlement for the data breach. This amount is considerably larger than the £500,000 fine imposed by the Information Commissioner’s Office for another large attack, the 2017 breach at Equifax that compromised the data of 143 million Americans and up to 15 million UK citizens.
These security events may seem to have nothing in common other than their large scale. But they’re more alike than they first appear. In fact, they all share the following characteristic: they’re all cases where firewalls and other perimeter security measures failed to protect organizations against cyberattackers.
How could this happen? Well, to understand that, it’s important to first review how perimeter security works and why this model doesn’t provide sufficient protection for organizations in today’s world. From there, I will discuss how and why businesses are now turning to what’s known as the “Zero-Trust Model” to meet their security needs.
Perimeter Security in Short
Perimeter security is synonymous with the phrase “trust but verify.” Firewalls uphold this expression by framing the internal corporate network as a “trusted” zone where all connections can be trusted outright. The same cannot be said about what’s outside the network, or what’s known as the “untrusted” zone. In this model, security analysts and tools, by default, distrust what comes from outside the trusted zone until it’s verified as safe.
The perimeter security model worked in the early years of the Internet. But in recent years corporate networks have changed in ways that render perimeter security ineffective as a standalone model. Chief among these developments is the expansion of networks to include remote employees, mobile users and cloud computing services. These off-site connections blur the border between the trusted and untrusted zones: a large share of legitimate users, devices and data now sit outside the perimeter the firewall was built to defend.
At the same time, cyberattackers are becoming craftier. Bad actors steal credentials and log in as legitimate users, so they gain access to the trusted network without ever attacking it from the outside. Nor does the perimeter reliably stop sophisticated attackers who do come from outside. Presenting at DEF CON 22, IT security researcher Zoltan Balazs showed that it may take as little as 20 seconds for an attacker to bypass a firewall.
Looking to the Future with Zero Trust
The evolution of both IT environments and digital threats has made perimeter security an unviable standalone security model in today’s world. This realization raises the question: what are organizations doing in response?
IDG’s 2018 Security Priorities Study provides a clue. For the second year in a row, IDG surveyed organizations to better understand their current and future security posture. Their responses revealed that more than half (52 percent) of organizations are currently researching or piloting technologies that support the Zero-Trust Model. Eighteen percent of respondents said they plan to increase their spending on such solutions going forward, whereas three in 10 survey participants said the Zero-Trust Model could serve as inspiration for future investments.
It’s not hard to understand why organizations are making the transition. In contrast to “trust but verify” perimeter security, the Zero-Trust Model begins with a simple philosophy: “never trust, always verify.” This attitude extends all the way to the internal network, because a digital attacker might already have free rein inside one or several corporate systems as the result of a previous breach. Under this model an internal source address is not evidence of anything: security analysts and tools must verify every user, device and connection on its own merits before it receives a “trusted” designation, regardless of where on the network it originates.
In their report on zero-trust networks, Forrester Research helps us understand what organizations can do to shift their security architecture towards the Zero-Trust Model:
- Ensure secure access by identifying sensitive data and mapping how that information flows. Organizations also need to know who their users are, which applications they use, and which connection methods are approved for them.
- Implement a least-privilege access strategy. Enforce access controls that give each user the minimum access necessary to do their job, so that neither external actors nor potentially malicious insiders can reach sensitive systems they have no business with.
- Always verify by logging and inspecting all traffic, using trust boundaries and segmentation of sensitive resources. Per Dark Reading, organizations can place segmentation gateways in their network and send all traffic that crosses them to a security analytics tool for inspection.
This last point is significant, because organizations can take it too far. If they quarantine everything and segment every asset, they will find their security architecture much harder to maintain, and troubleshooting will be especially painful when something breaks and needs fixing.
Such complexity is part of the reason an overly enthusiastic Zero Trust network can be so costly to maintain. So is the job of analyzing the massive volume of newly logged network traffic and working out what’s meaningful or possibly malicious. Organizations might raise their headcount to cope with all this information, but that response isn’t a long-term fix for a Zero Trust implementation run amok.
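To make the three Forrester steps concrete, here is a small policy decision point written for this post as an added example; it is not code from the original article, from Forrester, or from Lastline. It classifies constructed resources into just two segments (“restricted” and “general”, rather than one per asset), gives each constructed role only the access its job needs, verifies identity, MFA and device health on every request regardless of source address, and logs every decision. A “trust but verify” function sits beside it to show the difference: an attacker who has landed on an internal workstation with no credentials is waved through by the perimeter model and denied by the zero-trust one. Every name, address, role and request below is constructed.

```python
"""Minimal zero-trust policy decision point (added example, not the post's code).

Resources, roles, hosts and requests are all constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional
import ipaddress

# Step 1: identify sensitive data and place it behind a segment (two segments only).
RESOURCES = {
    "crm-db":  {"segment": "restricted", "sensitivity": "pii"},
    "payroll": {"segment": "restricted", "sensitivity": "pii"},
    "wiki":    {"segment": "general",    "sensitivity": "internal"},
}

# Step 2: least privilege. Each constructed role gets only what its job needs.
POLICY = {
    "sales":    {"crm-db": {"read"}, "wiki": {"read", "write"}},
    "finance":  {"payroll": {"read", "write"}, "wiki": {"read"}},
    "engineer": {"wiki": {"read", "write"}},
}

# Extra verification demanded before anything in a segment is reachable.
SEGMENT_REQUIREMENTS = {
    "restricted": {"mfa": True, "device_compliant": True},
    "general":    {"mfa": False, "device_compliant": False},
}

CORP_NET = ipaddress.ip_network("10.0.0.0/8")   # the old "trusted zone"


@dataclass(frozen=True)
class Request:
    src_ip: str
    user: Optional[str]       # None when no verified identity was presented
    role: Optional[str]
    mfa: bool
    device_compliant: bool
    resource: str
    action: str


def perimeter_decide(req: Request) -> tuple:
    """'Trust but verify': anything already inside the corporate range is trusted outright."""
    if ipaddress.ip_address(req.src_ip) in CORP_NET:
        return True, "source is inside the trusted zone"
    return False, "source is outside the perimeter"


def _evaluate(req: Request) -> tuple:
    resource = RESOURCES.get(req.resource)
    if resource is None:
        return False, "unknown resource"                    # default deny
    if req.user is None or req.role is None:
        return False, "no verified identity"                # an address is not an identity
    needs = SEGMENT_REQUIREMENTS[resource["segment"]]
    if needs["mfa"] and not req.mfa:
        return False, "MFA required for restricted segment"
    if needs["device_compliant"] and not req.device_compliant:
        return False, "non-compliant device may not touch PII"
    permitted = POLICY.get(req.role, {}).get(req.resource, set())
    if req.action not in permitted:
        return False, f"role {req.role} has no '{req.action}' on {req.resource}"
    return True, "identity, device and policy verified"


def zero_trust_decide(req: Request, log: list) -> tuple:
    """'Never trust, always verify': judge each request on identity, device health,
    segment requirements and least-privilege policy, never on source address.
    Step 3: every decision, allow or deny, is appended to the log."""
    allowed, reason = _evaluate(req)
    log.append({"src_ip": req.src_ip, "user": req.user, "resource": req.resource,
                "action": req.action, "allow": allowed, "reason": reason})
    return allowed, reason


def demo() -> dict:
    """Run three constructed requests through both models and return the verdicts."""
    log = []
    cases = {
        # Attacker on an internal workstation with no credentials, probing the CRM.
        "lateral":   Request("10.1.2.3", None, None, False, False, "crm-db", "read"),
        # Sales user with MFA on a managed laptop, connecting from a coffee shop.
        "remote_ok": Request("203.0.113.9", "alice", "sales", True, True, "crm-db", "read"),
        # Same user trying to write payroll data, which the sales role never needs.
        "overreach": Request("203.0.113.9", "alice", "sales", True, True, "payroll", "write"),
    }
    results = {name: {"perimeter": perimeter_decide(req)[0],
                      "zero_trust": zero_trust_decide(req, log)[0]}
               for name, req in cases.items()}
    results["log_entries"] = len(log)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

The perimeter function needs only the source address; the zero-trust function never looks at it. Note that the example keeps segmentation to two zones on purpose: the extra verification is attached to the segment holding PII, not to every asset, which is the balance the post argues for.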
Giovanni Vigna, our Co-founder and CTO here at Lastline, agrees that organizations need to do something else to make sure they don’t get buried in unnecessary costs and traffic data analysis:
“Trust is central to the Zero-Trust Networking Model. It’s in the name, after all. But shifting to Zero Trust is more nuanced than just distrusting all connections and assets at the outset. Organizations need a balanced approach that augments their security without affecting productivity. Oftentimes, this means finding the right type of security solution that meets their business requirements.”
The Right Approach to Zero Trust
Giovanni’s words emphasize how organizations don’t need to go overboard and segment everything under the Zero-Trust Model. A better approach is for them to implement robust authentication and encryption measures, and monitor the network for anomalous activity with the help of sensors.
Lastline can help with that last point. Our technology enables organizations to deploy lightweight sensors to monitor North-South as well as East-West traffic, both in the cloud and in the on-premises data center. These sensors bring organizations one step closer to fulfilling the Zero-Trust Model using passive, non-intrusive monitoring that yields better visibility and detection with minimal false positives. Because they watch traffic passively, the sensors don’t get in the way of business operations or add to the complexity of the existing security architecture, so you can increase your confidence in internal network activity without impacting productivity.
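As an added example (not the original post’s code and not Lastline’s product logic), here is what the East-West monitoring step looks like over flow records of the kind a passive sensor exports. The records, addresses, port list and thresholds are constructed for this illustration. It learns which internal host pairs are normal, then applies two rules to live flows: a first-seen East-West connection to an administrative port, and one host fanning out to many internal hosts on those ports inside a short window. Both surface lateral movement without putting anything inline in the traffic path.

```python
"""Passive East-West flow monitoring (added example, not the post's or Lastline's code).

Flow records, addresses, port list and thresholds are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

INTERNAL_NETS = (ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16"))
ADMIN_PORTS = {22, 445, 3389, 5985}   # services lateral movement usually rides on
FANOUT_THRESHOLD = 5                  # distinct internal hosts reached on admin ports
WINDOW_SECONDS = 60                   # ... within this many seconds


@dataclass(frozen=True)
class Flow:
    ts: int      # epoch seconds
    src: str
    dst: str
    dport: int


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def direction(flow: Flow) -> str:
    """East-West when both ends are inside the corporate ranges, else North-South."""
    return "east-west" if is_internal(flow.src) and is_internal(flow.dst) else "north-south"


def learn_baseline(flows) -> set:
    """Record the (src, dst, dport) triples that make up normal East-West traffic."""
    return {(f.src, f.dst, f.dport) for f in flows if direction(f) == "east-west"}


def detect(flows, baseline: set) -> list:
    """Two rules over East-West flows to admin ports. Rule 1 fires once per
    first-seen triple; rule 2 fires once per source that reaches FANOUT_THRESHOLD
    or more distinct internal hosts on admin ports inside WINDOW_SECONDS."""
    alerts, seen_new, fanout_alerted = [], set(), set()
    admin_touches = defaultdict(list)   # src -> [(ts, dst)] on admin ports
    for f in sorted(flows, key=lambda x: x.ts):
        if direction(f) != "east-west" or f.dport not in ADMIN_PORTS:
            continue
        triple = (f.src, f.dst, f.dport)
        if triple not in baseline and triple not in seen_new:
            seen_new.add(triple)
            alerts.append({"rule": "new_admin_pair", "src": f.src, "dst": f.dst,
                           "dport": f.dport, "ts": f.ts})
        touches = admin_touches[f.src]
        touches.append((f.ts, f.dst))
        recent = {dst for ts, dst in touches if f.ts - ts <= WINDOW_SECONDS}
        if len(recent) >= FANOUT_THRESHOLD and f.src not in fanout_alerted:
            fanout_alerted.add(f.src)
            alerts.append({"rule": "admin_fanout", "src": f.src,
                           "targets": sorted(recent), "ts": f.ts})
    return alerts


# Constructed learning window: workstations talking to the usual file server.
BASELINE_FLOWS = [
    Flow(1000, "10.1.1.20", "10.2.0.5", 445),
    Flow(1010, "10.1.1.21", "10.2.0.5", 445),
    Flow(1020, "10.1.1.20", "10.2.0.10", 443),
    Flow(1030, "10.1.1.20", "203.0.113.80", 443),   # North-South, not part of the baseline
    Flow(1040, "10.1.1.22", "10.2.0.5", 445),
]

# Constructed live window: 10.1.1.22 has been compromised and starts moving laterally.
LIVE_FLOWS = [
    Flow(2000, "10.1.1.20", "10.2.0.5", 445),       # normal, in baseline
    Flow(2005, "10.1.1.22", "10.2.0.5", 445),       # also in baseline
    Flow(2010, "10.1.1.22", "10.2.0.6", 445),       # first-seen SMB pair
    Flow(2012, "10.1.1.22", "10.2.0.7", 445),
    Flow(2014, "10.1.1.22", "10.2.0.8", 445),
    Flow(2016, "10.1.1.22", "10.2.0.9", 445),       # fifth host in 11 seconds: fan-out
    Flow(2030, "10.1.1.22", "10.3.0.2", 3389),      # first-seen RDP pair
    Flow(2040, "10.1.1.22", "198.51.100.7", 443),   # North-South, outside these rules
]


def run() -> list:
    return detect(LIVE_FLOWS, learn_baseline(BASELINE_FLOWS))


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

The baseline is what keeps the alert volume manageable, which is the post’s other concern: a workstation that has always talked to the file server over SMB never appears in the output, and the fan-out rule fires once per offending host rather than once per connection.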
Posted by Swarup Selvaraman on December 18, 2018.