Putting Trust in Zero Trust
The rising number and sophistication of cyber attacks against public and private sector organizations calls for a more comprehensive approach to organizational cybersecurity to supplement traditional firewalls and passwords.
One method embraced by federal agencies and moving into commercial firms is zero trust, which calls for multiple levels of security and authentication to access sensitive data and to move around in a network. Zero-trust architectures offer a considerable security advantage because they limit how much information attackers can potentially access or damage and prevent easy movement across a system.
While zero trust offers many benefits to organizations, it is not an out-of-the-box solution, says Ed Cabrera, chief cybersecurity officer at Trend Micro. Instead, it is a toolbox of methods and applications that can improve a network’s security. But that flexibility comes with challenges because an organization needs to know what its vulnerabilities are and how much risk it is willing to accept for a given security level—an appraisal that many entities aren’t familiar with, he says.
The seeds of the concept that would become zero trust originated in the federal government, specifically in the Department of Defense and intelligence agencies, but it soon moved into more public civilian agencies. Unlike many other IT trends that came from the private sector and moved into government space, zero trust’s evolution has been in the other direction.
While the concept and strategy for zero trust are the same in both sectors, the difference is in how the architecture is applied, Cabrera says. One commercial example is the financial sector’s use of zero trust, which perhaps most closely matches the federal government’s due to the risks involved. He adds that Trend Micro has been helping deploy such architectures in the financial sector for some time.
Defining Zero Trust
One of the challenges of zero trust is defining it. Cabrera notes that customers often look for a one-point or product solution to solve one part of a much bigger zero trust architecture—a box to check. But he explains that a proper zero-trust architecture is a series of security solutions.
“It needs a fabric of solutions to be able to enforce zero trust. There are security controls that you can enforce with your products collectively to achieve your zero-trust goals,” Cabrera says.
An important consideration is that zero trust isn’t monolithic. How it is applied depends very much on an organization’s needs and risk profile. “There’s machine-to-machine, there’s man-to-machine, and then you have systems-to-systems,” he says. “There is simply no one-size-fits-most approach; each implementation will be unique with its own architecture, policy engine and risk posture.”
Another key issue for zero trust and any other security approach is trust, which is also not monolithic. “It’s not static, it’s not binary. Trust, like risk, is dynamic. It’s a squishy thing,” shares Cabrera. He notes that in an organization, there may be individuals who were trusted at one point, but then were promoted or migrated into higher-risk categories, causing that initial level of trust to degrade.
One of Trend Micro’s goals is developing concrete solutions to help customers manage that trust, approaching the question not from an authentication perspective, but one that measures inherent risk, Cabrera says.
For private sector organizations, precisely defining their needs depends on factors such as what industry they are in, how risky the business model is and how mature the entity is. Using the federal government as an example, Cabrera notes that he previously was the chief information officer for the U.S. Secret Service. The agency’s cybersecurity posture was more akin to the Department of Defense’s, even though its classified footprint was much smaller, he says.
“The point is that our approach to cybersecurity and our posture was much different than say the Department of Commerce or smaller agencies,” Cabrera explains, adding that this differentiation makes it a challenge to discuss zero-trust architecture requirements and needs.
Trend Micro uses a customer-centric approach for its use cases, determining what the organization needs and then working from there. “What is the customer trying to achieve? And what can I do to help them achieve that? It’s all those outcomes they want to achieve, so what do we have and what visibility can we provide them,” Cabrera says.
One way to help customers is through the company’s Vision One approach to create a risk-based zero-trust strategy. This applies a risk-based approach to users, endpoint devices, emails and anything mobile or cloud-based that connects to the network.
Cabrera notes that Trend Micro tries to solve an organization’s security issues from a chief security officer’s perspective. However, he adds that this means different things to different chief information security officers, or CISOs. Among the things recommended for organizations implementing a zero-trust strategy are factors such as authentication and microsegmentation.
“It’s all about trust nothing and verify everything,” Cabrera says, adding that what makes zero trust a hard topic to pin down is that it encompasses “many different use cases and so many different needs.”
Risk and Making the Right Decisions
Determining an organization’s risk level is a key part of a zero-trust architecture. Organizations must understand the nature of the threats they face, their adversaries and their own vulnerabilities. “That’s the point you’re starting from—an assessment perspective. You have to have a healthy understanding of that,” Cabrera says.
Based on this assessment, organizations can determine what to defend and develop a defense-in-depth strategy built outward from those “crown jewels,” Cabrera explains.
But once a strategy is laid out, executing it might take multiple steps. One issue is resources, such as funding and manpower, something many organizations struggle with, he says. Additionally, when planning a zero-trust architecture, the current state of an organization’s security is another consideration.
“What’s our security stack? What are your existing tool sets? Can we abstract data from that tool chain to support a dynamic policy engine? Is that security abstraction layer rich enough to support a zero-trust approach?” notes Cabrera.
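The two ideas above, that trust is a dynamic score rather than a binary (a recent promotion or role migration degrades it) and that a policy engine decides each request from signals abstracted out of the existing tool chain, as a small added illustration. This is constructed example code, not Trend Micro’s or any product’s logic; the signal weights, thresholds and segment map are assumptions chosen for the demonstration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class AccessRequest:
    subject: str
    sensitivity: int                 # 1 = routine data ... 3 = "crown jewels"
    device_managed: bool             # endpoint enrolled in management tooling
    device_patched: bool             # endpoint posture check passed
    mfa_age_min: int                 # minutes since last strong authentication
    role_change_days: Optional[int]  # days since a promotion/role migration, None if none
    src_segment: str
    dst_segment: str

# Microsegmentation map: constructed allow-list of segment pairs; anything else is lateral movement.
SEGMENT_POLICY = {("user-lan", "app-tier"), ("app-tier", "data-tier")}

# Minimum trust per sensitivity level (constructed thresholds, not a vendor's).
MIN_TRUST = {1: 0.3, 2: 0.6, 3: 0.85}
MFA_CREDIT = 0.3                     # how much a fresh strong authentication is worth

def trust_score(req: AccessRequest) -> float:
    """Trust is recomputed from live signals on every request, never stored as a boolean."""
    score = 1.0
    if not req.device_managed:
        score -= 0.4
    if not req.device_patched:
        score -= 0.2
    if req.mfa_age_min > 60:         # strong authentication goes stale after an hour
        score -= MFA_CREDIT
    if req.role_change_days is not None and req.role_change_days < 30:
        score -= 0.2                 # recent role change: earlier trust degrades until re-vetted
    return max(score, 0.0)

def decide(req: AccessRequest) -> str:
    """Return 'allow', 'step-up' (re-authenticate first) or 'deny'."""
    crossing = req.src_segment != req.dst_segment
    if crossing and (req.src_segment, req.dst_segment) not in SEGMENT_POLICY:
        return "deny"                # segment policy is checked before any trust arithmetic
    score, needed = trust_score(req), MIN_TRUST[req.sensitivity]
    if score >= needed:
        return "allow"
    if req.mfa_age_min > 60 and score + MFA_CREDIT >= needed:
        return "step-up"             # a fresh MFA alone would close the gap
    return "deny"
```

The same subject on the same device can get three different answers within an hour as the signals change, which is the sense in which trust here is “not static, not binary.”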
After this, it is about identifying the solutions, people and processes that can be deployed. But in the end, CISOs must make decisions based on the risk analysis of such assessments. “Do we have the funding and resources to deploy a complete zero trust architecture?” he says.
When it comes to implementing a zero-trust architecture, one thing CISOs should avoid is the temptation to box-check their way to a solution, Cabrera explains. Organizations and their CISOs should have a practice-oriented view of what they want to achieve and how a partner like Trend Micro, which also brings a practice-oriented approach to zero trust, can get them there, he adds.
Zero trust must extend beyond multifactor authentication to embrace other practices such as logging, monitoring and whether organizations are applying a risk-based approach to their architectures.
Another challenge facing CISOs is one of scale. Cabrera notes that CISOs with mid- or large-sized companies can afford to think strategically about how they want to deploy zero trust, and they also have the time and resources to develop the right strategy and implement it.
Smaller companies, departments and agencies usually can’t do this as they don’t have the resources to plan out a deployment. This also depends on an organization’s use case and how it approaches issues such as authentication and access control to IT services and data, Cabrera says.
Another factor is funding. He notes that a major challenge facing chief technology officers at the federal level is IT security mandates that aren’t backed with funding. “It creates an incredible amount of anxiety at the agency level” due to compliance requirements that don’t provide the money to meet those goals, Cabrera explains.
But despite such challenges, there are advantages to operating zero trust in the federal space. The most important is that there is a top-down understanding of the need for security. In contrast, the private sector still lags the federal government in widely prioritizing security, although the increasing numbers of cyber attacks and their economic impact are pushing many firms to modernize, he says.
For many private sector companies considering deploying zero trust, approaching a deployment can appear daunting. Cabrera describes this as “trying to eat an elephant one bite at a time.” Properly achieving zero trust is a process that requires partnerships with solution providers like Trend Micro and service providers.
“When you look at zero trust, it’s analogous to digital transformation. How do we identify the goals that we want to achieve in zero trust down the road and how do we develop the strategy to get to those goals or achieve them?” Cabrera says.