By Eric Ooi, Director of Security and Research

The key to trusting your zero trust architecture is understanding that it’s not a cybersecurity silver bullet, but rather a set of guiding principles to improve overall security posture.

As zero trust has vaulted to the forefront of the cybersecurity conversation, organizations of all sizes feel the need to do something with “zero trust” in the name. It might even be why you’re reading this right now. However, without clarity on what zero trust is and isn’t, organizations risk depleting security budgets and distracting their teams with new technologies that lack purpose.

So, how do we learn to trust zero trust?

Let’s start by answering some key questions: What exactly is zero trust? Does zero trust make you more secure? How do you build a secure zero trust architecture?

What Exactly is Zero Trust?

Despite what some industry marketing may suggest, zero trust isn’t a single solution you can purchase. It turns out that zero trust ultimately comes down to two classic security creeds: “Never trust, always verify” and “enforce least privilege.” At its core, zero trust represents a mental shift away from defending traditional network perimeters with implicit trust of internal assets and towards consistent and continuous authentication and authorization for access to systems, services, and data, regardless of an asset’s ownership or location.

Does Zero Trust Make You More Secure?

It’s a question worth asking given how resource-constrained most organizations already are: Will your investment in zero trust protect your organization from all security attacks — past, present, and future?

Will it prevent all third-party supply chain attacks like the SolarWinds Orion breach?

It might prevent some of these types of incidents, but more likely only limit the impact.

Does it eliminate the risk of my trusted identity and access management solution getting breached and used as a gateway into my network?

It might prevent some of these types of incidents, but more likely only limit the impact.

Would it have prevented the latest zero day or ransomware attack?

It might prevent some of these types of incidents, but more likely only limit the impact.

Part of learning to trust zero trust is recognizing that it won’t eliminate or prevent every attack, risk, or vulnerability. But if implemented with realistic expectations and as part of an overall security strategy that applies defense-in-depth with a layered approach, it may prevent some incidents, limit the damage of others, and improve your overall security posture.

How Do You Build a Secure Zero Trust Architecture?

An oft-overlooked aspect of zero trust is that the infrastructure used to build a zero trust environment needs to be secured itself. You shouldn’t implicitly trust your zero trust architecture; instead, you should harden your zero trust systems based on industry-recommended secure baselines, perform timely vulnerability and patch management, and conduct regular security tests and audits. You know, the basics.

Consider the following scenarios within a “secure” zero trust environment:

Can we trust a “next-generation firewall” with advanced access control policies that performs deep packet inspection if it’s still using the default administrator password and hasn’t been patched in a year?

If we enable mobile phone push notifications as second authentication factors for our users, can we trust they won’t blindly approve them if spammed repeatedly? Would a user even notice if someone added a new authentication factor?

Does it prevent an attack if nobody deployed a prevention and detection policy for it? What about preventing users from simply disabling and bypassing it?

Without secure configurations and settings, zero trust infrastructure can quickly become a vulnerability itself – especially in our cloud-first, work-from-anywhere landscape. For organizations to trust their zero trust, it’s imperative to both implement strong controls and proactively monitor those controls and the environments they support.
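
One way to monitor for the push-notification scenario above, as an added example that is not from the original article or from ECS: it scans sign-in events for an approval that follows a burst of denied or timed-out pushes, then for a new factor enrolled soon afterwards. The event names, thresholds, users, and log lines are constructed assumptions, not any identity provider's real schema.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed events: (timestamp, user, event). Event names are assumed,
# not taken from any identity provider's log schema.
EVENTS = [
    ("2024-01-10T02:14:05", "alice", "push_denied"),
    ("2024-01-10T02:14:40", "alice", "push_timeout"),
    ("2024-01-10T02:15:10", "alice", "push_denied"),
    ("2024-01-10T02:16:02", "alice", "push_denied"),
    ("2024-01-10T02:16:30", "alice", "push_approved"),
    ("2024-01-10T02:21:00", "alice", "factor_enrolled"),
    ("2024-01-10T08:59:00", "bob", "push_denied"),
    ("2024-01-10T09:00:00", "bob", "push_approved"),
    ("2024-01-10T11:00:00", "carol", "push_approved"),
    ("2024-01-10T11:05:00", "carol", "factor_enrolled"),
]

def parse(events):
    """Convert timestamps and return events in chronological order."""
    return sorted((datetime.fromisoformat(t), u, e) for t, u, e in events)

def push_fatigue_approvals(events, threshold=3, window=timedelta(minutes=10)):
    """Approvals preceded by >= threshold denied/timed-out pushes in window."""
    recent = defaultdict(deque)  # user -> times of recent failed prompts
    hits = []
    for ts, user, event in parse(events):
        q = recent[user]
        while q and ts - q[0] > window:  # drop prompts older than the window
            q.popleft()
        if event in ("push_denied", "push_timeout"):
            q.append(ts)
        elif event == "push_approved":
            if len(q) >= threshold:
                hits.append((user, ts, len(q)))
            q.clear()  # a successful approval starts a fresh count
    return hits

def enrollments_after(events, hits, within=timedelta(hours=1)):
    """New factors enrolled shortly after a flagged approval."""
    flagged = defaultdict(list)
    for user, ts, _ in hits:
        flagged[user].append(ts)
    return [(user, ts) for ts, user, event in parse(events)
            if event == "factor_enrolled"
            and any(timedelta(0) <= ts - a <= within for a in flagged[user])]
```

On the constructed data, only alice's approval is flagged; bob's single denial stays under the threshold, and carol's enrollment is not reported because no flagged approval precedes it.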

The ECS Difference

Do you want to start trusting your zero trust, but you’re not quite sure how to get there or what steps to take next? That’s where ECS comes in. We will assess your organization’s zero trust architecture, identify gaps, and deliver solutions that close them.

Reach out to our experts today!

© 2023 ECS. All Rights Reserved.
