Zero Trust Will Reduce an Organization’s Attack Surface
How has the Zero Trust Network Architecture evolved since it was first coined in 2010?
The Zero Trust Model was a term first coined in 2010 – it codified two basic concepts:
• Being present on a particular network should not grant any additional trust to a device or user
• Permissions granted to a user or device should be as granular as possible rather than granting broad access to all applications on a network.
At the time of its definition by John Kindervag of Forrester Research, the concept mainly applied to on-premises networks — a year before this research was published, Google’s in-house implementation of what came to be known as Zero Trust, called BeyondCorp, illustrated this point.
Over the intervening years, Zero Trust has become more “cloudy” and has often become synonymous with SaaS-delivered Zero Trust Network Access (ZTNA), which is the modern replacement for VPNs and conforms to the Zero Trust ethos.
Do you believe that technologies that support zero trust are moving into the mainstream?
Yes, they are. The concept of least privilege is a pillar of Zero Trust, and a focus on this approach can be seen in many identity platforms. ZTNA offerings are part of the reimagined virtual network which connects users to the internet and corporate applications, which are part of a network renaissance called Security Service Edge (SSE). And micro-segmentation efforts in networks are also part of the Zero Trust model.
Do you believe that enterprise IT departments today require a new way of thinking because the castle itself no longer exists in isolation as it once did?
Yes. While the trend toward use of SaaS applications and public clouds was already well underway by 2020, the pandemic put this migration into overdrive. When most of an organization’s staff were sent home and became remote employees, Zero Trust became table stakes.
In addition, IT departments are realizing that third and fourth parties are required to run many of their processes, thus pushing the concepts of Zero Trust beyond the castle walls to mitigate the risks of those parties.
How can companies get started with zero trust?
I would recommend starting with:
• Constrain the privilege granted to end-users while aiming for a reasonable approximation of least-privilege.
• Constrain network connectivity by implementing more granular firewall policies while aiming for a reasonable approximation of micro-segmentation.
• Replace your VPN with a ZTNA offering with granular access policies.
• Given that all of the above will take time, strengthen your detection and response coverage to protect you through this journey.
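The two codified concepts above (network presence grants no trust; permissions are per application) and the point that detection must cover in-policy access can be shown side by side in a small policy evaluator. This is an added example, not code from the interview or any vendor; the users, applications, networks and device ids are constructed.

```python
from dataclasses import dataclass

# Constructed sample data; names, apps and device ids are assumptions, not from the interview.
@dataclass(frozen=True)
class Request:
    user: str
    device_id: str
    device_managed: bool
    src_network: str  # "corp-lan", "vpn" or "internet"
    app: str

# Perimeter model: presence on the corporate network (or the VPN) grants
# access to every internal application.
def perimeter_allows(req: Request) -> bool:
    return req.src_network in {"corp-lan", "vpn"}

# Per-user, per-application grants: the least-privilege approximation the
# interview recommends as a starting point.
GRANTS = {
    "alice": {"payroll", "wiki"},
    "bob": {"wiki"},
}

# Zero Trust model: network location carries no weight; access needs an
# explicit grant for this identity on this application from a managed device.
def zero_trust_allows(req: Request) -> bool:
    if not req.device_managed:
        return False
    return req.app in GRANTS.get(req.user, set())

# Detection takes over where attack-surface reduction stops: an in-policy
# request is still flagged when the user has never used this device before.
def is_anomalous(req: Request, seen_devices: dict) -> bool:
    return req.device_id not in seen_devices.get(req.user, set())

SEEN = {"alice": {"laptop-a1"}, "bob": {"laptop-b1"}}

def evaluate(req: Request) -> dict:
    return {
        "perimeter": perimeter_allows(req),
        "zero_trust": zero_trust_allows(req),
        "flag_for_soc": zero_trust_allows(req) and is_anomalous(req, SEEN),
    }

if __name__ == "__main__":
    # Bob on the LAN asking for payroll: perimeter says yes, Zero Trust says no.
    print(evaluate(Request("bob", "laptop-b1", True, "corp-lan", "payroll")))
    # Alice's credentials on an unseen managed device: allowed, but flagged.
    print(evaluate(Request("alice", "laptop-x9", True, "internet", "payroll")))
```

The second request is exactly the in-policy case the interview describes: the access decision is correct under both grants and device posture, so only the SOC's detection logic distinguishes a legitimate new laptop from a stolen credential.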
Industry experts have warned that cyber-attacks will be focused on techniques that Zero Trust controls can’t mitigate. What, according to you, can be done to address this?
No technology or approach is a silver bullet. The Zero Trust approach will reduce an organization’s attack surface. But attacks which remain within the granted privileges of the user and within the firewall policies of the network can still wreak havoc. To protect against in-policy attack techniques, the best practice is to rely on sophisticated detection and response capabilities for each of your five attack surfaces: endpoint, network, public cloud, identity, and SaaS applications.
What, according to you, are the limitations of Zero Trust?
Any one security approach or philosophy solves only part of the security puzzle. Broadly speaking, several approaches (including Zero Trust and timely patching of vulnerabilities) reduce your attack surface, thus making an attack less likely to succeed and constraining its blast radius when it gets past the first line of defense.
Detection and response coverage takes up where attack surface reduction leaves off, and your in-house or managed SOC will need to handle alerts which can signal an attack that is progressing towards a high-value target in your environment. The mission of the SOC is to head off such an attack before it does undue harm.