It seems that nearly every week there is a report of yet another company suffering a massive security breach. While the nature of these breaches varies widely, they all point to one underlying truth: the conventional approach to IT security is not working. That being the case, it seems inevitable that organizations large and small will have no choice but to adopt the zero trust model for security.
As its name implies, zero trust security is based on the idea that nothing is trusted until it proves itself to be trustworthy. This approach stands in stark contrast to the way that most organizations do things now.
Conventional IT security works similarly to the way that security works in American airports. (Many of the airports that I have passed through in other countries do things a bit differently). In the United States, before travelers can go to their boarding gates, they must pass through a security checkpoint. The security officer checks to make sure that the passengers’ tickets are valid, and compares the information on the tickets against the information on the passengers’ IDs or passports. From there, passengers pass through a screening area where the authorities verify that the passengers are not attempting to travel with any prohibited items.
Once passengers make it through the security checkpoint, they are given free access to the rest of the airport terminal. The passengers are free to wander through any of the airport terminals regardless of which terminal their flight is departing from.
In this example, the airport security checkpoint is a bit like the authentication engine on our networks. Once users are authenticated, they are given access to the network at large and are free to access any resource for which they have been granted permission.
The big problem with this approach, of course, is that it is based on a “once trusted, always trusted” model. Once users prove to the authentication engine that they are who they claim to be, then the system assumes that the users are trustworthy throughout the duration of their sessions.
The other problem with this approach is that it is completely outdated. The security model that I just described was created at a time when it was safe to assume that anything within an organization’s internal network was trustworthy. At that time, the big challenge was to prevent external threats from making it into the perimeter network. Today, though, most networks are no longer centralized. Companies usually have resources both on premises and in the cloud. This renders perimeter defenses ineffective at best and obsolete at worst.
Going forward, organizations will have little choice but to adopt a zero trust model for security. The actual implementation of a zero trust model can vary widely, depending on which vendor’s solution is being used, but the basic idea is that many of the trusts we have come to take for granted are no longer assumed to be true.
The extent to which the zero trust model is applied varies based on the solution that is being used. I have personally seen some really extreme examples. For instance, one implementation would not allow a keyboard to be used until the desktop had determined that the keyboard that was plugged into it was authorized.
If we were to apply the zero trust model to the airport example that I gave earlier, it would make the airport much more secure, but far less pleasant.
Imagine for a moment that you have just cleared security and then decide to visit a coffee shop. Under a zero trust model, the coffee shop could not assume that you have already cleared security. It would repeat the full security screening process all over again before you would be allowed to enter. You might undergo an additional security screening when you place your order, and still another security screening at checkout. The checkout screening might even go further than checking your ticket, ID and the contents of your bags; it might include calling the bank to make sure that you are authorized to use your credit card.
The takeaway from this nightmarish scenario is that no assumptions are made with regard to security. The user (the passenger in this case) is checked and rechecked every step of the way.
Now, obviously, this security model is something that nobody wants to see implemented in an airport. It is so excessive that nobody would ever fly again. Even so, it may be exactly what is needed on our corporate networks.
One of the common misconceptions about hacking is that the bad actors break into a network and immediately try to go after the administrator’s account. In real life, most successful hacks target end user accounts. Once a hacker has managed to log in as an end user, they begin making a series of lateral moves in an effort to slowly gain access to more and more resources. This is exactly the type of thing that zero trust security can put a stop to.
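To make the contrast concrete, here is a small added example (not code from the original article or from any vendor's product) that puts the two models side by side: a "once trusted, always trusted" gate that checks credentials at login and then only consults entitlements, versus a zero trust policy function that re-evaluates identity, device enrollment, device posture and MFA recency on every single request. The users, devices, resources and policy rules are constructed sample data and assumptions chosen for illustration; the point is to show why a stolen end-user password used from an unknown machine gets through the first model and not the second.

```python
"""
Added illustration: session-based ("perimeter") authorization versus
per-request zero trust policy evaluation. Everything below is constructed
sample data; the policy rules are assumptions, not any product's defaults.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    user: str
    device_id: str
    resource: str
    device_healthy: bool     # constructed posture signal (patched, encrypted, ...)
    mfa_age_minutes: int     # minutes since the user last completed MFA


# Constructed directory: resource entitlements and enrolled devices per user.
ENTITLEMENTS = {
    "alice": {"mail", "wiki"},
    "bob": {"mail", "wiki", "finance-db"},
}
ENROLLED_DEVICES = {
    "alice": {"laptop-a1"},
    "bob": {"laptop-b7"},
}
SENSITIVE = {"finance-db"}
MAX_MFA_AGE = 60  # minutes; an assumed policy value


class PerimeterGate:
    """'Once trusted, always trusted': one credential check at login,
    then any entitled resource is open for the rest of the session."""

    def __init__(self):
        self.sessions = set()

    def login(self, user, password_ok):
        if password_ok:
            self.sessions.add(user)
        return password_ok

    def allow(self, req):
        # Device, posture and time since authentication are never re-examined.
        return req.user in self.sessions and req.resource in ENTITLEMENTS.get(req.user, set())


def zero_trust_allow(req):
    """Evaluate every signal on every request; returns (allowed, reasons)."""
    reasons = []
    if req.resource not in ENTITLEMENTS.get(req.user, set()):
        reasons.append("not entitled to resource")
    if req.device_id not in ENROLLED_DEVICES.get(req.user, set()):
        reasons.append("device not enrolled for user")
    if not req.device_healthy:
        reasons.append("device posture check failed")
    if req.resource in SENSITIVE and req.mfa_age_minutes > MAX_MFA_AGE:
        reasons.append("recent MFA required for sensitive resource")
    return (not reasons, reasons)


def evaluate(requests):
    """Run each request through both models; returns a list of
    (perimeter_decision, zero_trust_decision) pairs."""
    gate = PerimeterGate()
    results = []
    for req in requests:
        # The password is accepted in every sample, whether the legitimate
        # user typed it or someone else is reusing it.
        gate.login(req.user, password_ok=True)
        results.append((gate.allow(req), zero_trust_allow(req)[0]))
    return results


# Constructed sample traffic.
SAMPLE_REQUESTS = [
    Request("alice", "laptop-a1", "wiki", True, 5),        # legitimate use
    Request("alice", "unknown-pc", "wiki", True, 5),       # alice's password reused from an unenrolled machine
    Request("bob", "laptop-b7", "finance-db", True, 180),  # enrolled device, but MFA is stale
    Request("bob", "laptop-b7", "finance-db", True, 2),    # enrolled device, fresh MFA
]

if __name__ == "__main__":
    for req, (perim, zt) in zip(SAMPLE_REQUESTS, evaluate(SAMPLE_REQUESTS)):
        print(f"{req.user:>6} {req.device_id:>10} {req.resource:>10} "
              f"perimeter={perim!s:<5} zero_trust={zt!s:<5} {zero_trust_allow(req)[1]}")
```

The second sample request is the lateral-movement case from the paragraph above: the perimeter gate sees a valid login and an entitled resource and says yes, while the per-request policy refuses because the device is not one enrolled for that user. The third shows the "checked and rechecked" idea for a sensitive resource: even an enrolled, healthy device is asked to prove the user is still present before the finance database opens.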
Ultimately, IT pros will have no choice but to use the zero trust model for security. The trick will be to implement it in a way that is palatable to everyone involved.