A decade since the term's inception, zero-trust security is still more often said than done. Despite widespread enthusiasm for the model -- which experts agree is a superior alternative to traditional, perimeter-based network security -- research suggests the vast majority of organizations have yet to put its principles into practice. A recent IDG survey found that, while nearly one in two cybersecurity professionals is actively researching how to implement zero trust in their environments -- a 12% increase over the previous year -- just one in 10 report having relevant technologies in production.
Zero-trust security is a guilty-until-proven-innocent approach to network security that John Kindervag -- formerly a principal analyst at Forrester Research and now CTO at Palo Alto Networks -- first articulated in 2010. The model assumes active threats exist both inside and outside a network's perimeter, with internal and external users alike required to meet stringent inspection and authentication requirements before gaining access to a given resource. Identity-driven, context-based policies predetermine which network entities can communicate and under what conditions. Every user is granted the least access possible, limiting the damage a threat actor can accomplish via lateral movement once inside a network.
To illustrate the difference between legacy and zero-trust architectures, independent analyst John Fruehe pointed to the post-9/11 airport security model. Travelers must show their personal identification to gain access to departure areas inside a well-defined perimeter. As in traditional network environments, once they've received authentication, they can put away their credentials and are free to roam the restricted zone. "99.99% of the time, that model is fine," Fruehe said.
The zero-trust security model, however, tries to account for the calamitous .01% of instances by continually querying traffic both beyond and within the network perimeter, taking no one and nothing for granted on either side of the wall.
In the airport scenario, imagine travelers present their IDs and boarding passes at TSA's perimeter-based checkpoints as usual, Fruehe said. After this initial authentication, however, they encounter continuous, additional screenings as they make their way through the concourse, in and out of shops and restaurants, toward their respective gates and onto their aircraft.
"The zero-trust model says that, even though you passed through security, I'm not going to assume [TSA] did its job right or that you necessarily deserve another level of clearance," Fruehe said. "I'm still going to stop you and say, 'Hey, do you need to be here? Show me your ID.'"
While the concept is relatively straightforward, figuring out how to implement zero trust is anything but.
"Philosophically, everybody wants to do zero trust," said Tony Velleca, CISO at digital services company UST Global. "But, practically, it is very challenging to enable."
John Burke, CIO and principal research analyst at Nemertes Research Group, based in Mokena, Ill., said he has seen "a solid uptick" in conversations around the zero-trust approach in the past 18 months, with many enterprises planning to move in that direction. He added, however, that most organizations have yet to position themselves for such a challenging and substantive transition.
"Zero trust is based on the idea of being able to say in advance who gets to talk to whom," Burke said. "If you don't have that knowledge -- a long-standing problem in IT security planning, generally -- you wind up making your policies very liberal, defeating the purpose of zero trust in the first place."
Velleca agreed, calling "good internal housekeeping" more than half the battle. "The fundamentals include getting a good handle on your user -- authentication, roles, access, etc.," he said. "Some of it requires a set of tools, but a lot of it is just administration, making sure you're giving people the minimum amount of access required to do their jobs. That goes a long way toward implementing zero trust. It's the foundation."
Who needs to implement zero trust?
Despite its challenges, many experts say most -- if not all -- organizations should explore how to implement zero trust in their environments as part of their long-term network security strategies. According to Burke, any entity with a data center or substantial operations running on IaaS should start evolving toward a zero-trust security environment, assuming it hasn't already.
"I can't see, in this day and age, how organizations are going to survive if they don't have a zero-trust network," cybersecurity consultant Michael Cobb said. "Even if it is just the local football team, they're still handling a lot of personal data."
And, with new compliance legislation, like the European Union's GDPR and the California Consumer Privacy Act, he added, mishandling data will become increasingly costly.
Fruehe argued that, while zero trust makes sense for high-profile targets, such as governmental agencies, critical infrastructure and financial institutions, it would be "overkill" for many organizations.
"This is not something you do lightly. It's an all-or-nothing proposition," he said. "Either you're all in and you trust nobody, or you're all out and say, 'Once I've authenticated you, we're going to trust that all the data that comes from you really does come from you.'"
Implementing zero-trust principles in some areas of the network but not others can create confusion and cause problems without substantively improving security, Fruehe added. Implementing and operating a zero-trust security model require far more resources than a legacy, perimeter-based architecture, so transitioning from one to the other can mean significant business interruptions.
"Returning to the airport analogy, you would have to add checkpoints throughout the airport -- at every restaurant, store, lounge and gate -- with hundreds of employees constantly asking to see IDs," he said. Such a framework can prove extremely cumbersome for both a network's staff and its "travelers," or end users.
In his experience, Velleca has found the on-the-ground realities of zero-trust initiatives can make them a tough sell. "You end up with a lot of pushback because it slows down the business," he said. "Digital organizations that want to be nimble really struggle with some of those controls."
Unlike Fruehe, however, Velleca argued that zero trust isn't necessarily a one-size-fits-all proposition. To minimize user frustration at UST Global, for example, the CISO said he has backed off making some particularly stringent preventative controls universal, reserving them for the most sensitive areas of the network.
"You have to think through the possible loss events that you're most keenly worried about -- for us, it's our clients' data -- and spend a little more time and energy designing for those," he said.
In that vein, Velleca's team has developed a zero-trust approach it calls the "use case factory," identifying and defining specific attack scenarios and then reverse-engineering prevention, detection and response measures. Where overly zealous prevention policies would unduly restrict users' ability to do their jobs, they compensate with aggressive monitoring efforts.
"It's very hard to look at zero trust from a preventative standpoint only," Velleca said. He sees his role as CISO as supporting security, while also enabling the business, he added. "That's why we also think of detection and response as a control -- as opposed to a mitigation -- strategy."
So long, VPN
Cloud service provider Akamai Technologies, based in Cambridge, Mass., began exploring zero trust after suffering a data breach in the 2009 Operation Aurora cyberattack.
"There wasn't really a roadmap to follow," CSO Andy Ellis said. "We just said, 'We need to figure out how we can better protect our corporate network and our users.'"
Akamai initially aimed to restrict lateral movement within the enterprise network using microsegmentation, a common zero-trust goal. That presented a challenge, however, since lateral movement often happened between applications that had permission to talk to each other.
"It's really difficult to microsegment things when your backup server can talk to everything," Ellis said. "That's where you get compromised."
First, the Akamai team focused on securing domain administrators' accounts, working on authentication protocols and mandating separate passwords for each additional level of access. They also explored using X.509 certificates to enable hardware authentication on a device-by-device basis.
"But we were still thinking in network terms," Ellis said. Then, they had a breakthrough. "We realized it wasn't about the network; it's really about the application."
They wanted to find a way to let employees securely access internal applications from a login point on the company's content delivery network (CDN), thus keeping end-user devices off the corporate network entirely. Ellis' team opened a hole in the firewall and started manually integrating one application at a time, a slow and tedious process. "Let me tell you, our system administrators were getting pretty cranky," Ellis said.
But, about halfway through the project, they discovered a small company called Soha that enabled an alternative access model: dropping a VM between Akamai's firewall and application servers to connect apps on one side with the CDN-based single sign-on service on the other. Ellis and his team found the Soha connector supported granular, role-based access for employees and third-party contractors on a user-by-user and app-by-app basis, via a browser with no VPN required. If hackers managed to commandeer an employee's credentials, they would theoretically see only the limited applications and services that particular worker was entitled to use.
Akamai deployed Soha's technology, ultimately buying the company and folding the technology into its Enterprise Application Access service, enabling customers to gradually offload VPN traffic as they build their own zero-trust environments. Gartner predicted that, by 2023, 60% of enterprises will phase out most VPN-based access.
"You don't have to do it all at once," Ellis said, pointing out that Akamai's zero-trust journey unfolded over the course of years. "It's step by step. You're going to transform your whole business by the time you're done."
How to implement zero trust
Burke agreed that figuring out how to best put zero-trust principles into practice in a legacy environment takes time and patience.
"You can't buy zero trust out of a box," he said. "There is no zero-trust product. It's an approach, and it isn't easy or quick if you start from a traditional infrastructure."
Organizations should think about zero trust from policy and enforcement perspectives, Burke added.
Here are three steps for getting started.
1. Take inventory. For organizations wondering how to implement zero trust and where to start, Cobb suggested beginning with a comprehensive data discovery effort.
"At the end of the day, that's what you're trying to protect," he said. "And, if you don't know where the data is, you can't protect it."
Don't underestimate the demands of this process, which can prove surprisingly long and painful, he added. Burke also recommended IT leaders assess what existing mechanisms they already have on hand that can help them:
- Understand how traffic flows (policy).
- Control how traffic flows (enforcement).
"You have switches and access control lists on switch ports, and you probably have some routing and firewall capabilities," he said. "Do you have any other enforcement tools you can use?"
2. Start experimenting. Next, Burke suggested picking some low-risk systems to start the transition toward zero trust, experimenting with creating granular controls using existing network tools.
"You might analyze your data and say, 'System A needs to talk to System B but not System C or D,'" he said. "In that case, build access control lists that allow B but block C and D."
While policy enforcement in a true zero-trust architecture is dynamic and automated -- with an access management system making changes in real time, for example -- network managers can start manually experimenting with applying static zero-trust principles in their environments.
3. Add and iterate. As organizations experiment with existing control mechanisms in their networks, they can start evaluating and trialing centrally managed zero-trust-type systems to dynamically enforce policy changes throughout the data center, Burke said.
"As you develop an understanding of how traffic needs to flow, you can start building up your tool set and get ready for proper zero trust."
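The static experiment from steps 1 and 2, sketched as an added example that is not from the article or anyone quoted in it: a stated "A may talk to B, not C or D" policy is expanded into a first-match ACL with default deny, replayed against observed flows, and compared with the liberal policy that results when flows are unknown. Systems A-D come from Burke's quote; the addresses, the port, the `DC` block and all function names are assumptions made for illustration.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

Flow = namedtuple("Flow", "src dst proto port")  # one connection initiation
ANY = ip_network("0.0.0.0/0")

# Constructed inventory: hypothetical systems A-D with made-up addresses.
SYSTEMS = {name: ip_network(cidr) for name, cidr in {
    "A": "10.0.1.10/32", "B": "10.0.2.20/32",
    "C": "10.0.3.30/32", "D": "10.0.4.40/32",
    "DC": "10.0.0.0/8",  # whole data center, used only by the liberal policy
}.items()}

# Who gets to talk to whom, stated in advance: A may reach B on tcp/5432 only.
STRICT = [("A", "B", "tcp", 5432)]
# What you end up with when flows are unknown: anything in the DC may reach B.
LIBERAL = [("DC", "B", "tcp", None)]  # None = any port

def build_acl(policy, systems=SYSTEMS):
    """Expand named policy rows into ordered entries, ending in default deny."""
    acl = [("permit", systems[s], systems[d], proto, port)
           for s, d, proto, port in policy]
    return acl + [("deny", ANY, ANY, "any", None)]

def evaluate(acl, flow):
    """First-match evaluation, the way a switch-port or firewall ACL works."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    for action, s_net, d_net, proto, port in acl:
        if (src in s_net and dst in d_net
                and proto in ("any", flow.proto) and port in (None, flow.port)):
            return action
    return "deny"

def blocked(acl, flows):
    """Observed flows the ACL would drop: a policy gap or unwanted traffic."""
    return [f for f in flows if evaluate(acl, f) == "deny"]

def too_broad(acl):
    """Permit entries wider than one host pair on one port."""
    return [e for e in acl if e[0] == "permit"
            and (e[1].num_addresses > 1 or e[2].num_addresses > 1 or e[4] is None)]

# Constructed flow records, as a flow collector might export them.
OBSERVED = [Flow("10.0.1.10", "10.0.2.20", "tcp", 5432),  # A -> B
            Flow("10.0.1.10", "10.0.3.30", "tcp", 5432),  # A -> C
            Flow("10.0.1.10", "10.0.4.40", "tcp", 22),    # A -> D
            Flow("10.0.3.30", "10.0.2.20", "tcp", 22)]    # C -> B

if __name__ == "__main__":
    for name, policy in (("strict", STRICT), ("liberal", LIBERAL)):
        acl = build_acl(policy)
        print(name, [evaluate(acl, f) for f in OBSERVED], len(too_broad(acl)))
```

Replaying recorded flows through `blocked()` before enforcing shows which legitimate traffic a new ACL would break, and `too_broad()` flags the wide permits that defeat the purpose.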
Burke noted, however, that, while vendors now market a plethora of products and services as "zero trust," organizations should regard that label with a healthy degree of skepticism.
"Many of them are perfectly solid security tools; they're just not related to zero trust," he said. "If it doesn't do zero trust -- let you say in advance who gets to talk to who, on either the policy or enforcement side -- then it's not zero trust."