Without a doubt, zero trust is “the most misused and misunderstood term in security today,” said Heath Mullins, senior analyst at Forrester.
Depending on who you ask, zero trust is an architecture, a strategy, a goal — or probably all of the above. The concept of zero trust first gained momentum at Google in the wake of the “Aurora” attacks in 2009, attributed to Chinese government hackers, which included the theft of source code from the company. As a security term, “zero trust” was popularized beginning in 2010 by John Kindervag, then a Forrester analyst.
However you prefer to define it, experts say organizations stand to improve security substantially by adopting the principles associated with zero trust, such as tighter control over access to corporate resources and ensuring that users are authorized to do no more than their role requires.
But with all the hype and abuse of the idea, information security practitioners are pretty burned out on the term at this point, said Matthew Prince, co-founder and CEO of Cloudflare, which counts zero-trust security technologies as one of its core focus areas.
“Literally every vendor says, ‘We have zero trust,'” Prince told Protocol. “The risk is that if everything is zero trust, then there might be nothing.”
For Mullins, one of the most common questions he gets comes from a client who has just implemented a new cybersecurity tool and wonders, “Do I have zero trust now?”
The answer, overwhelmingly, is no.
That’s because zero trust isn’t something you can buy in one package. There are many tools that can help an organization begin to embrace the concept—including across identity security, access management, and network segmentation—but no single product can deliver the whole thing.
“There’s nobody out there doing everything,” Mullins said. “The first company that gets there is going to clean house.”
A recent survey by the Cloud Security Alliance found that the majority of organizations, 80%, now see zero trust security as a priority. Almost as many, 77%, planned to increase their spending related to zero trust over the next year, according to the survey.
Don’t trust anyone
What zero trust really means is still a common question. But perhaps an equally instructive question at this stage of the game is: what doesn’t it mean?
Alex Weinert, vice president and director of identity security at Microsoft, has a favorite quote about zero trust, he said during a recent online panel hosted by Protocol. Weinert once asked an information security manager to define zero trust, and the answer he got was, “It means whatever the person on the other side of the table is trying to sell.”
Less flippantly, zero trust can be seen as an organizing principle for how to stop modern cyberattacks. Today, attackers tend to follow a certain trajectory: After gaining initial access to an environment, they move laterally through the network, taking over multiple accounts and elevating privileges so they can perform more, and more damaging, actions.
While the result may be the deployment of ransomware or the theft of valuable data, the attacker must navigate through IT environments before they can actually reach that point. It is during these phases of an attack that an organization has an opportunity to shut things down and mitigate the damage from a breach. The promise of zero trust is that an attacker who steals a password or manages to thwart multi-factor authentication will not necessarily succeed in achieving their end goals.
There are different ways to achieve this, for example by examining data about a user’s device or behavior before deciding to grant access to a sensitive resource or by dividing an IT environment into different sub-segments that may each have their own guidelines.
But the unifying idea is that “trust” must be eliminated from the equation, specifically “implicit” trust, according to Weinert. In other words, users should not be automatically trusted to access applications and data simply because they were able to authenticate and access the network.
Instead, to grant access to a sensitive resource, “we explicitly verify aspects of that request,” Weinert said.
While Google’s “BeyondCorp” initiative in the wake of the Aurora attacks is credited with pioneering zero trust, there have been many attempts since then to simplify the concept for businesses that don’t have the resources or the complexity found at Google, but still have real cybersecurity concerns and a budget.
Implementing a zero-trust architecture has become a greater priority amid intensifying cyberattacks as well as the shift to working from home, which has moved countless workers beyond the corporate firewall. That has driven the need for a more secure approach than the virtual private network, or VPN, which is supposed to be a “secure tunnel” from a client device to a protected corporate network, but in practice hands broad network access to anyone holding valid credentials. For example, the ransomware attack against Colonial Pipeline in 2021, which led to gas shortages across the southeastern United States, stemmed from a compromised VPN password.
“More confusion than clarity”
Some security product categories are overtly associated with zero trust, such as Zero Trust Network Access, which is a VPN replacement built around zero trust principles. For example, zero trust network access tools may use additional data sources to verify a user beyond just their credentials, such as the location or security posture of the device.
But adopting that particular technology does not on its own achieve zero trust. And given the fact that zero trust encompasses a number of different technologies, it has led to a number of cybersecurity vendors taking some liberties with the term.
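What “explicitly verifying aspects of that request” looks like in practice, as an added illustration that is not code from the article, from Google, or from any vendor product: a tiny policy decision point that evaluates each request on identity, role scope, MFA strength and device posture (the kind of signals the ZTNA tools above consult), and that deliberately ignores the source network. It sits beside the legacy perimeter rule (valid password from inside the LAN or VPN is enough) so the difference is visible. The request fields, the resource catalogue with its sensitivity tiers, the policy thresholds and the four sample requests are all constructed for the example and are not drawn from any real deployment.

```python
"""Per-request access decisions: the perimeter model beside explicit verification.

Added illustration, not code from the article or from any vendor's product.
The request fields, the resource catalogue, the policy thresholds and the
sample requests are all constructed here for the example.
"""
from dataclasses import dataclass
import ipaddress

# Assumed corporate LAN range; the perimeter model treats it as trusted.
CORP_LAN = ipaddress.ip_network("10.0.0.0/8")

# Constructed resource catalogue: sensitivity tier and the roles scoped to it.
RESOURCES = {
    "wiki":         {"tier": 1, "roles": {"staff", "finance", "sre"}},
    "payroll-db":   {"tier": 3, "roles": {"finance"}},
    "prod-console": {"tier": 3, "roles": {"sre"}},
}


@dataclass(frozen=True)
class Request:
    """Signals available to the policy decision point for one request."""
    user: str
    roles: frozenset
    password_ok: bool      # primary credential accepted
    mfa: str               # "none", "otp" or "phishing_resistant"
    device_managed: bool   # enrolled in device management
    device_patched: bool   # posture check passed
    src_ip: str
    resource: str


def perimeter_decision(req: Request) -> bool:
    """Legacy model: a valid password from inside the LAN (or VPN) is enough."""
    on_lan = ipaddress.ip_address(req.src_ip) in CORP_LAN
    return req.password_ok and on_lan


def zero_trust_decision(req: Request):
    """Explicitly verify identity, role, MFA strength and device posture for
    every request. Source network is deliberately not an input.
    Returns (allowed, reasons) so a denial can be logged and explained."""
    reasons = []
    res = RESOURCES.get(req.resource)
    if res is None:
        return False, ["unknown resource"]
    if not req.password_ok:
        return False, ["primary credential failed"]
    # Least privilege: the role must be scoped to this specific resource.
    if not (req.roles & res["roles"]):
        reasons.append("role not authorized for resource")
    # Required signal strength grows with the resource's sensitivity tier.
    tier = res["tier"]
    if tier >= 3 and req.mfa != "phishing_resistant":
        reasons.append("phishing-resistant MFA required")
    elif tier >= 2 and req.mfa == "none":
        reasons.append("MFA required")
    if tier >= 2 and not req.device_managed:
        reasons.append("managed device required")
    if tier >= 3 and not req.device_patched:
        reasons.append("device failed posture check")
    return (not reasons), reasons


# Constructed sample requests.
STOLEN_PASSWORD_ON_LAN = Request(   # attacker with a stolen password, inside the LAN
    user="alice", roles=frozenset({"finance"}), password_ok=True, mfa="none",
    device_managed=False, device_patched=False, src_ip="10.20.30.40",
    resource="payroll-db")
EMPLOYEE_FROM_HOME = Request(       # legitimate finance user, working remotely
    user="alice", roles=frozenset({"finance"}), password_ok=True,
    mfa="phishing_resistant", device_managed=True, device_patched=True,
    src_ip="203.0.113.7", resource="payroll-db")
WRONG_ROLE_ON_LAN = Request(        # strong signals, but the role is not scoped
    user="bob", roles=frozenset({"sre"}), password_ok=True,
    mfa="phishing_resistant", device_managed=True, device_patched=True,
    src_ip="10.1.1.1", resource="payroll-db")
LOW_TIER_FROM_HOME = Request(       # low-sensitivity resource needs fewer signals
    user="carol", roles=frozenset({"staff"}), password_ok=True, mfa="otp",
    device_managed=False, device_patched=False, src_ip="198.51.100.9",
    resource="wiki")


def compare(req: Request) -> dict:
    """Side-by-side verdict for one request."""
    zt_allowed, reasons = zero_trust_decision(req)
    return {"perimeter": perimeter_decision(req),
            "zero_trust": zt_allowed, "reasons": reasons}


if __name__ == "__main__":
    for name, req in [("stolen password, on LAN", STOLEN_PASSWORD_ON_LAN),
                      ("employee, from home", EMPLOYEE_FROM_HOME),
                      ("wrong role, on LAN", WRONG_ROLE_ON_LAN),
                      ("low-tier resource, from home", LOW_TIER_FROM_HOME)]:
        print(f"{name:30} {compare(req)}")
```

The two verdicts invert on the first two requests: the perimeter rule admits the attacker holding a stolen password because the request comes from inside the LAN, and turns away the legitimate employee at home; the explicit-verification rule does the reverse, and the reasons list is what a SOC analyst would want in the audit log. Tiering the required signals per resource is the “as granular as possible” enforcement NIST describes, and it is also why a single tool cannot deliver this: the decision needs identity, MFA and device-management data from separate systems.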
At the RSA Conference in June, for example, “every vendor on the show floor has zero trust in their marketing, to some degree,” Forrester’s Mullins said. “It has created more confusion than clarity.”
That brings up the second question: What isn’t zero trust?
First, “It’s not every single security control in your environment,” said Andrew Rubin, co-founder and CEO of zero trust segmentation provider Illumio, during Protocol’s recent panel.
In particular, the traditional firewalls built to defend the corporate “perimeter” do not, on their own, move an organization toward zero trust.
That hasn’t stopped vendors that offer traditional network firewalls and VPNs, which “are all trying to claim that they have zero trust,” Jay Chaudhry, founder and CEO of Zscaler, a major provider of zero-trust network access, said in an interview with Protocol in June.
“Zero trust was created to overcome the network architecture,” Chaudhry said. “Firewalls and VPNs, versus zero trust, are fundamentally the opposite.”
Zero trust is a “complete paradigm shift,” according to Cloudflare’s Prince, and “there’s a natural inclination to try to make everything old fit into the new paradigm.”
“Anytime you’re talking about a perimeter, you’re probably not in a zero trust model of how this new paradigm works,” he said.
Rather than placing restrictions on what users are authorized to do, the traditional network security approach was fundamentally about defining the trusted local area network, Prince noted.
“And so when I hear traditional firewall vendors say, ‘We have zero trust,’ that’s where I’m like, ‘That just doesn’t make sense,'” he said.
Who can you trust?
Kapil Raina, vice president of zero trust marketing at CrowdStrike, has a rule of thumb for determining whether or not a product has anything to do with zero trust: Check it against the National Institute of Standards and Technology.
According to NIST’s 2020 publication on Zero Trust Architecture (Special Publication 800-207), the core of zero trust is secure access: making sure the right people have it and the wrong people don’t. “The goal [is] to prevent unauthorized access to data and services combined with making access control enforcement as granular as possible,” the publication’s authors wrote.
If a security product conforms to something in that document, it has a valid claim to help achieve zero trust, Raina said. Despite working for a major security vendor, his best advice is to trust NIST, not industry.
“Don’t listen to a supplier when they talk about [the definition of] zero trust,” he said. “It’s going to be biased.”
Anyone who claims they can deliver zero trust quickly or easily should also be treated as suspect, according to Mullins. Most organizations are still in the early stages of working toward zero trust security because it takes time, he said.
“You’re not going to do that in a year,” Mullins said. “If you can have zero trust in a year, please call me and tell me how you did it.”