The difference between a traditional networking model and a zero-trust networking model is just that: the level of trust involved, said Jack Burbank, IEEE senior member and senior wireless network engineer at Sabre Systems.
Traditional networks focus on protecting a trusted user base from outsider threats by establishing a secure perimeter. These networks effectively defend against external dangers, but insider threat protection is usually lacking.
In response, the zero-trust model, which was first introduced by Forrester Research in 2010 and has gained steam since Google's and Cisco's adoption, is becoming increasingly popular. The concept is to trust no one -- as the name implies.
"The model is built upon the idea that threats come from both outside and inside the network, and any user of the network is potentially malicious -- even administrators," Burbank said.
Contrary to the traditional networking model, zero-trust networks employ multiple levels of security perimeters, stringent need- and role-based access control, and an inherent assumption that users will try to do something they aren't supposed to, Burbank added.
Here, Burbank dives into how modern enterprises can benefit from a zero-trust approach, the zero-trust challenges IT teams can expect to face, adoption tips and more.
How are changes in the enterprise and threat landscape altering networking methods?
Jack Burbank: Threats are becoming increasingly sophisticated. Modern threats aren't usually outsiders testing outer firewalls for a way in. While this is still a threat and outsiders are still trying to 'siege the castle,' this is no longer the predominant threat. Threats are much more likely to come from within the network. Targeted phishing attacks, malware and other techniques can be used to turn an insider -- an authorized user of a network -- into an unwitting accomplice. The most impregnable outer security perimeter can do little to protect against this threat.
When does it make sense to adopt a zero-trust approach for enterprise networking?
Burbank: The world is not black and white. There are many subtle degrees of trust, and it behooves any enterprise to employ some degree of distrust. Defense in depth, something we've preached for years, can be thought of as a zero-trust-like approach and is recommended in all cases. Limiting user access to only portions of the network they need access to is always a good practice.
The short answer is that zero trust always makes sense. How far you take it is going to be case by case and will be based on your threat environment and the criticality of what you're trying to protect.
How does zero trust relate to software-defined perimeters and VPNs?
Burbank: Software-defined networking is a technology that gives network administrators enhanced control over their network and the experience they present to users. It enables rapid reconfiguration of network rules and policies and can be used to enforce user access policies, quickly change network security policies and respond to incidents. Software-based approaches also enable an administrator to potentially control security perimeters at much finer granularity, enabling the notion of microperimeters that are flexible.
VPNs necessitate advanced software-based approaches and reduced trust approaches. With VPNs, topologies are abstracted, and the network can now be anywhere -- across town, across the country, in the cloud. Mission-critical information may move within your network. Consequently, protection areas need to be movable and flexible to accommodate moving data sets.
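To make concrete the contrast drawn in the introduction (multiple perimeters, need- and role-based access, no implicit trust in insiders) and the per-resource microperimeters Burbank describes above, here is an added Python illustration; it is not code from the interview, from Sabre Systems or from any product. The user names, address ranges, role table and per-resource requirements are constructed for the example, and the two decision functions are a toy policy engine, not a real SDN controller's API.

```python
"""Toy policy engine: a perimeter trust model beside a zero-trust model.

All names, networks and policy tables below are constructed for illustration.
"""
from dataclasses import dataclass
import ipaddress

# Perimeter model: everything inside this range is "trusted" (constructed).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


@dataclass(frozen=True)
class Request:
    user: str
    role: str
    src_ip: str
    resource: str
    action: str
    mfa_verified: bool      # did this session complete MFA?
    device_compliant: bool  # does the device pass posture checks?


# Need- and role-based access: role -> resource -> permitted actions (constructed).
# Note the admin role is deliberately NOT entitled to everything.
ROLE_POLICY = {
    "engineer": {"git": {"read", "write"}, "wiki": {"read"}},
    "finance": {"erp": {"read", "write"}, "wiki": {"read"}},
    "admin": {"git": {"read"}, "wiki": {"read", "write"}, "idp": {"read", "write"}},
}

# One microperimeter per resource: the assurances a request must carry (constructed).
RESOURCE_REQUIREMENTS = {
    "wiki": {"mfa": False, "compliant_device": False},
    "git": {"mfa": True, "compliant_device": True},
    "erp": {"mfa": True, "compliant_device": True},
    "idp": {"mfa": True, "compliant_device": True},
}


def perimeter_decision(req: Request) -> str:
    """Traditional model: the only question is 'is the source inside the castle?'."""
    ip = ipaddress.ip_address(req.src_ip)
    inside = any(ip in net for net in INTERNAL_NETS)
    return "allow" if inside else "deny"


def zero_trust_decision(req: Request):
    """Zero-trust model: every request is evaluated on identity, role, entitlement
    and session/device assurance. Source network location is never consulted."""
    reasons = []
    allowed_actions = ROLE_POLICY.get(req.role, {}).get(req.resource, set())
    if req.action not in allowed_actions:
        reasons.append(f"role {req.role!r} not entitled to {req.action} on {req.resource}")
    requirements = RESOURCE_REQUIREMENTS.get(req.resource)
    if requirements is None:
        reasons.append(f"unknown resource {req.resource!r}")
    else:
        if requirements["mfa"] and not req.mfa_verified:
            reasons.append("mfa required for this resource")
        if requirements["compliant_device"] and not req.device_compliant:
            reasons.append("device does not meet posture requirements")
    return ("allow", []) if not reasons else ("deny", reasons)


# Constructed sample traffic covering the cases the interview discusses.
SAMPLE_REQUESTS = [
    Request("alice", "engineer", "10.1.2.3", "git", "write", True, True),     # normal insider
    Request("alice", "engineer", "203.0.113.7", "git", "write", True, True),  # same user, remote
    Request("bob", "engineer", "10.1.2.9", "erp", "read", False, True),       # phished insider session
    Request("carol", "admin", "10.0.0.5", "git", "write", True, True),        # admin beyond entitlement
    Request("mallory", "contractor", "10.9.9.9", "wiki", "read", False, False),  # role not in policy
]


def compare(requests=SAMPLE_REQUESTS):
    """Return (user, resource, action, perimeter verdict, zero-trust verdict, reasons) per request."""
    rows = []
    for r in requests:
        zt_verdict, reasons = zero_trust_decision(r)
        rows.append((r.user, r.resource, r.action, perimeter_decision(r), zt_verdict, reasons))
    return rows


if __name__ == "__main__":
    for user, resource, action, perimeter, zt, reasons in compare():
        print(f"{user:8} {action:5} {resource:5} perimeter={perimeter:5} zero-trust={zt:5} {reasons}")
```

Run stand-alone, the comparison shows the two models disagreeing in exactly the cases the interview calls out: the remote engineer with MFA and a compliant device is refused by the perimeter model but allowed under zero trust, while the phished insider session, the over-reaching admin and the unknown contractor role are waved through by the perimeter model and refused under zero trust, each with a recorded reason that a security team can log and alert on.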
What are the top zero-trust challenges?
Burbank: The primary challenge is manageability. Zero trust potentially brings a lot more complexity, and the risk is always the manageability of complex systems. Another key challenge is maintaining usability. The system cannot be so cumbersome that users are discouraged from using it. Imagine a house where every internal door, cupboard, drawer and appliance all required independent multifactor authentication to access. Sure, it's a lot more secure than just a locked front door opened by a key. But I'm guessing not many people would want to live in that house.
How intensive is this process for security admins to set up, deploy and manage zero-trust networks?
Burbank: This is the key question. The more sophisticated the system, the more difficult it is to administer. There are lots of tools that claim to automate and simplify this management function. But this will likely vary by organization based on the complexity of the system and IT capabilities. This is the area that would concern me the most if I were rolling out an aggressive zero-trust system.
How can security teams plan to integrate zero-trust network access into their systems? What are the key tools for zero trust?
Burbank: The key here is having the right IT staff in place and fostering the right kind of user culture. Education and training are going to be key. I'd recommend organizations initially roll out these types of systems:
- Deploy small-scale trials.
- Put them through user trials.
- Subject them to security evaluations.
- Get experience managing these types of systems.
- Give users experience using these types of systems.
- Give security teams experience responding to incidents.
Learn from those experiences, and expand rollouts from there. The worst thing you could do is try to jump in too fast and too aggressively. The result would be a lot of confused IT teams and a lot of angry users.
How is zero trust adopted?
Burbank: Zero trust is not a single product, nor is it a single approach or technique. It is a mindset, a decision. It is an organization saying, 'Network security is a priority' and then putting its resources behind that statement. Yes, zero-trust approaches involve technology. You need strong authentication mechanisms. You need systems to define, enforce and adapt user access policies. You need the technical tools to flexibly create and adapt security perimeters, and you need intelligent systems to plan and manage the network. But zero trust also involves humans and workplace culture. It involves organizational policy and sometimes requires organizational change. You need it all in order to make it work.
Strong technology can be defeated by poor culture. Strong technology can be defeated by policy gaps. Moving toward a zero-trust model requires not only technology, but also potential shifts in organizational policy and culture. These types of changes are often the hardest to accomplish. And, with the increasing sophistication of the threat, it is these aspects that future threats are more likely to exploit.
Jack Burbank is an IEEE senior member and senior wireless network engineer at Sabre Systems, where he designs, develops and evaluates next-generation wireless systems. Burbank is an expert in the areas of wireless networking, modeling and simulation, wireless system development and wireless network security. He has published over 50 technical papers on wireless networking topics and has contributed to multiple books related to wireless networking, modeling and simulation. He taught courses on network engineering and wireless networking at the Johns Hopkins University Engineering for Professionals Program for over a decade. He is active within the IEEE community acting as technical reviewer, organizer and chair for numerous IEEE conferences and periodicals. Burbank is also co-editor of the Wiley-IEEE Press book series on IEEE standards.