The traditional approach to IT security, which aims to secure a perimeter around the corporate network, is under pressure from cloud adoption, from home working and more. Zero trust security architectures offer an alternative approach, in which access to individual applications is determined by security policies and business rules. At a recent Tech Monitor webinar, sponsored by IT operations and security company ManageEngine, experts shared their views and experience of zero trust security, what it means, how to implement it, and how to measure its impact.
What is zero trust security?
‘Zero trust‘ is an approach to IT security in which access to systems or data is denied by default, according to IT analyst company Forrester Research, which coined the term. Unlike perimeter-based approaches to security, in which anyone who has access to a corporate network is assumed to be a legitimate user, zero trust establishes security policies to determine who can access individual networks and applications and in what circumstances.
“Having a traditional, network-centric architecture where anything is connected automatically [and] trusted no longer fits where we are right now,” explained Victoria van Roosmalen, chief information security officer and data protection officer at social media management provider Coosto. “The internet has basically become a new corporate network, which makes it pretty hard to control. Zero trust aims to tackle that problem by taking back control, by no longer creating those safe zones which you implicitly trust.”
The pandemic has accelerated two drivers for zero trust security architectures, says Vivin Sathyan, senior technical evangelist at ManageEngine. “Number one is [that] networks aren’t just on-premise anymore, so we are not talking about just a building anymore when we talk about networks. Number two, networks are not just Windows shops anymore, so you have a variety of systems, applications, servers to deal with.”
Lloyds Banking Group is in the process of implementing a zero trust security architecture. For Paul Vincent, director of IT cybersecurity at the UK bank, it offers an opportunity to break out of the ‘arms race’ to rapidly deploy zero-day patches on legacy systems before exploits become available.
Like many banks, Lloyds operates a complex infrastructure of legacy IT systems, some of which have been running for 30 years. This means that, despite its constant efforts to keep everything patched, there will always be a risk that something hasn’t been updated. Zero trust allows Lloyds to minimise the potential impact of that risk, Vincent said.
Lloyds has adopted the definition of zero trust from US standards body NIST. This has helped to debunk some of the misconceptions about zero trust, says Vincent. “I’ve had people, even security professionals, say that zero trust means taking away access [to information that developers] don’t need to have, or zero trust means restricting internet access, so you can’t get to YouTube or LinkedIn, and you can only get to relevant business services. That feels like a misinterpretation of what NIST … is saying,” Vincent said, and hardly business-enabling.
It has also helped set realistic expectations for how long it takes to implement a zero trust architecture. “NIST is very clear about this: [zero trust is] a set of philosophies; it’s a set of architectural principles; it’s a set of deployable technologies and principles and standards. But it’s something you probably are going to have to move to over a period of years, and it suggests seven or eight years as a minimum for a lot of companies” with complex IT systems.
How to implement a zero trust security architecture
Although each organisation’s zero trust architecture will be specific to its needs and risks, there are some common components, Sathyan explained.
For Van Roosmalen, the most important capability underpinning zero trust security is the ability to understand the business context and to translate it into security policies. “The most important thing, I would say, is to understand how these connections [between users, devices, and systems] are made, not only on a technical level, really from a functional level,” she said. “Some designer who only talks in Photoshop and Pantone colours is not going to connect in the middle of the night … to access financial data. That doesn’t make sense. So you really have to have those business rules. That is the first thing that you have to have in place before you can even talk about technology and other components.”
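As an added illustration (not code from the webinar, from ManageEngine, or from any speaker's organisation), the following Python sketch shows how the business rules Van Roosmalen describes can be encoded as a deny-by-default policy check: the roles, resources, time windows and the "designer at 3am" request are all constructed assumptions.

```python
"""Deny-by-default access decision for a zero trust policy check.

Added illustration; the roles, resources and windows are constructed
assumptions, not a real organisation's policy.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    user: str
    role: str
    resource: str
    device_managed: bool  # device posture, checked on every request
    mfa: bool             # strong identity assurance for this session
    hour: int             # local hour (0-23) at which the request is made


# Business rules come first: which role has a functional need for which
# resource, and during which hours. Anything not listed here is denied.
POLICY = {
    ("designer", "brand-assets"): (6, 22),
    ("finance", "ledger"): (7, 20),
    ("sre", "prod-logs"): (0, 24),
}


def evaluate(req: Request) -> tuple[bool, str]:
    """Return (allowed, reason). Only an explicit policy match allows."""
    if not req.device_managed:
        return False, "unmanaged device"
    if not req.mfa:
        return False, "mfa not satisfied"
    window = POLICY.get((req.role, req.resource))
    if window is None:
        return False, f"role {req.role} has no business need for {req.resource}"
    start, end = window
    if not start <= req.hour < end:
        return False, f"outside business window {start:02d}:00-{end:02d}:00"
    return True, "allowed by policy"


if __name__ == "__main__":
    # Constructed sample: a designer trying to read financial data at 03:00.
    night = Request("dana", "designer", "ledger", True, True, 3)
    print(evaluate(night))
```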
Vincent explained that using an analogy from within the banking sector – the way in which payments are assessed for the likelihood of fraud – has helped him explain the rationale for zero trust to stakeholders such as regulators and budget holders.
The organisational impact of zero trust
For smaller organisations, with generalist IT security staff, a zero trust architecture may not require much adjustment to working practices, Van Roosmalen said. “It’s a different way of thinking [but] the skill set that we actually need is not that much different. We all know, for example, how firewalls work or identity and access management (IAM) works.” What’s essential, she reiterated, is designing policies that reflect how the business operates.
For a large organisation such as Lloyds Banking Group, where IT staff are more specialised, zero trust may require some adjustment, Vincent said. The move to zero trust means that security policies that were once implemented at the network level, by a specialist network security team, are increasingly being applied at an application level, which requires different skills and tools.
Vincent has therefore encouraged the network security specialists to focus their career progression within Lloyds either on other network-related work or on application security. “Unless you address the cultural shift, people worry about the future of their own careers [and] you’re not going to have people on board,” he said. “Worst case, you could actually get people trying to row in the opposite direction, which stops you from delivering successfully.”
Measuring success and the future of zero trust
At Lloyds, the impact of zero-trust-related projects is assessed according to their cost, risk reduction, and the simplification of security management processes. “At the end of the day, the people that are providing the budget for [zero trust] will understand if you’re making things simpler, faster, cheaper and lower risk,” Vincent said. “And so you do need to articulate things in those terms.”
Van Roosmalen says a further consideration is the impact on employees, both technical and non-technical. “It has to make their lives … easier,” she says. “If it becomes more complex for [IT staff] and for the end-users, we’re not achieving the goal that we aim to achieve.”
Zero trust is not a project that will be complete in one or two years, said Sathyan. “We are not just talking about one area of the network or one parameter that you are going to change. We are talking about a lot of things that you’ll have to first classify and then you’ll have to assess and audit and then fix. It’s going to be an evolving process.”
Vincent is optimistic that in ten years’ time, zero trust will be the standard approach to security – as long as it is implemented purposefully. “I think it could be extremely successful if it’s delivered correctly,” he said. “If it’s delivered carelessly without a clear idea of what you’re trying to achieve, I think there’ll be a lot of failed projects and lots of money spent.”