Maybe you’ve just found out that your company’s IT organization is implementing Zero Trust. Does that mean they don’t trust you? “Zero Trust” sure sounds that way. Maybe you’ve read about it online or heard somebody talk about it in terms that equate Zero Trust with the idea that users and devices are never trusted. It’s hard to feel good about an IT organization that doesn’t trust the company’s own employees. But I don’t think that this view of Zero Trust is the right one. Zero Trust is about putting in place systems that help safeguard both the employees and the company, systems that help ensure that an innocent mistake will not cause terrible damage.
Funny story (sort of): A couple of years ago, as a form of schwag for our Zero Trust product team, we created some t-shirts that just said “Zero Trust” on the front. Well, the first time I wore that shirt at home, it got a less-than-stellar response from my wife and children. They wanted to know what it meant. Did it mean that I don’t trust anyone? Did it mean that I cannot be trusted? Was I going to go out advertising these qualities to the world? If so, they didn’t want to be anywhere near me. Needless to say, I have not worn that shirt since.
I don’t think Zero Trust is a great name, but given this term’s market momentum, I am not going to make any attempt to change it. Besides, I’m not sure I could come up with a better one. Instead, I am going to explain why I think Zero Trust, in addition to being a good thing for enterprise security, is also a good thing for the employees.
Zero Trust is really a strong form of the age-old principle of least privilege, and least privilege is an important principle not because employees can’t be trusted but because it leads to better security outcomes. With Zero Trust, every access is tightly controlled. Only after an employee has been strongly authenticated and granted access can they even see an application. Systems automatically block attempted access to sites that violate acceptable use or are determined to be phishing or otherwise malicious. In addition, once access is granted, systems inspect the traffic flow to ensure that it does not contain malware or data being exfiltrated. Indeed, every time an employee tries to access an application, their access is tightly controlled and their traffic is inspected.
An employee might, then, be tempted to view this tight control and inspection as a form of spying and a lack of trust, but I don’t see it that way. Instead, I see it as a strong form of least privilege, and really, I don’t want any privilege that I don’t need. It’s safer for the company and safer for me. Suppose there was no such access control or inspection. Through no fault of my own, I might somehow end up with malware on my laptop, and then that malware could find vulnerable applications, spread, and do great harm. Likewise, despite all of my anti-phishing training, I could make a mistake and click on a dangerous link that then does great harm. I would feel horrible if a simple mistake on my part led to great harm to my company.
I feel better knowing that my company’s Zero Trust systems are tightly controlling my access and inspecting my traffic. These automated controls help keep me and the company safe, and they cover me in case I do make a mistake. So if your IT organization is implementing Zero Trust, be glad. It’s not because they don’t trust you; it’s to better protect both you and the company. Embrace Zero Trust. But don’t put it on a t-shirt.
In its new implementation guidance, the National Security Agency defines Zero Trust as a security model that “eliminates implicit trust in any one element, node, or service and instead requires continuous verification of the operational picture via real-time information fed from multiple sources to determine access and other system responses.” Described like this, it sounds very complex, so naturally it gives people pause when it’s raised as something to be considered.
I would argue that it’s just the opposite. I believe complexity is the enemy of security, and Zero Trust is, in fact, a simple protection model grounded in two key fundamentals: focus on least privilege and protect and verify the user. By embracing these principles, it is possible to accelerate the path to a Zero Trust security posture in which security and accessibility are both priorities.
Focus on least privilege
Before defining least privilege, let me address one misleading notion. The term Zero Trust, in itself, was a hard one for me to adopt because it seems to imply that technology leaders shouldn’t trust employees. However, that’s not the case. I want to protect my employees and want to help my customers protect theirs, so I don’t believe the burden of security should fall on employees.
A protection model focused on least privilege takes the decision about whether something is malicious off the employees’ shoulders. It gives them access to the applications they need to do their jobs, through the devices they choose to use, while allowing smart, carefully constructed policies to do the rest. This also takes network access off the table entirely, removing a significant source of risk for the organization, and removes complexity for IT and security teams because decisions are based on well-designed policies.
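To make the per-application, default-deny flow described above concrete, here is an added example (my own illustration, not Akamai's product code) of a small policy decision point. The policy names, group names and request fields are assumed: a request is allowed only when an explicit policy for that specific application grants it after strong authentication and a device posture check, destinations in blocked categories are refused before any policy is consulted, and the user is shown only the applications some policy grants, never a network segment.

```python
"""Application-level least-privilege access decisions (added example)."""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"


@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: frozenset            # group memberships from the identity provider
    mfa_verified: bool           # strong authentication completed for this session
    device_compliant: bool       # device posture check passed
    application: str             # a specific application, not a network
    destination_category: str = "business"   # URL category from a reputation feed


@dataclass(frozen=True)
class AppPolicy:
    application: str
    allowed_groups: frozenset
    require_mfa: bool = True
    require_compliant_device: bool = True


# Categories blocked for everyone, regardless of any application policy.
BLOCKED_CATEGORIES = frozenset({"phishing", "malware"})

# Constructed sample policies (assumed names). No policy means no access.
POLICIES = {
    "payroll": AppPolicy("payroll", frozenset({"finance"})),
    "wiki": AppPolicy("wiki", frozenset({"engineering", "finance"}),
                      require_compliant_device=False),
}


def evaluate(req: AccessRequest, policies=POLICIES):
    """Return (Decision, reason). The default is DENY: every ALLOW comes from
    an explicit policy for exactly the application being requested."""
    if req.destination_category in BLOCKED_CATEGORIES:
        return Decision.DENY, f"category '{req.destination_category}' is blocked"
    policy = policies.get(req.application)
    if policy is None:
        return Decision.DENY, "no policy for this application (default deny)"
    if policy.require_mfa and not req.mfa_verified:
        return Decision.DENY, "strong authentication required"
    if policy.require_compliant_device and not req.device_compliant:
        return Decision.DENY, "device posture check failed"
    if not (req.groups & policy.allowed_groups):
        return Decision.DENY, "user is not in an authorized group"
    return Decision.ALLOW, f"policy for '{req.application}' satisfied"


def visible_applications(groups, mfa_verified, device_compliant, policies=POLICIES):
    """Applications the user can even see: only those some policy would grant."""
    visible = []
    for app in sorted(policies):
        probe = AccessRequest("probe", groups, mfa_verified, device_compliant, app)
        if evaluate(probe, policies)[0] is Decision.ALLOW:
            visible.append(app)
    return visible


def sample_decisions():
    """Constructed requests exercising each branch of the policy."""
    fin = frozenset({"finance"})
    eng = frozenset({"engineering"})
    return {
        "finance_ok": evaluate(AccessRequest("ann", fin, True, True, "payroll")),
        "no_mfa": evaluate(AccessRequest("ann", fin, False, True, "payroll")),
        "bad_device": evaluate(AccessRequest("ann", fin, True, False, "payroll")),
        "wrong_group": evaluate(AccessRequest("bob", eng, True, True, "payroll")),
        "unknown_app": evaluate(AccessRequest("bob", eng, True, True, "hr-admin")),
        "phish_link": evaluate(AccessRequest("bob", eng, True, True, "wiki",
                                             destination_category="phishing")),
    }


if __name__ == "__main__":
    for name, (decision, reason) in sample_decisions().items():
        print(f"{name:12} {decision.value:5} {reason}")
    print("engineering sees:", visible_applications(frozenset({"engineering"}), True, True))
```

The deliberate asymmetry is that every deny branch is reachable without any employee judgment: the phishing-category check fires before the user's group or device are even considered, and an application with no policy is simply invisible rather than reachable over a shared network.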
So, what happens when you combine least privilege and the cloud? The simple answer is it allows companies to rethink their approach to protection while also reducing potential new spending. Recently, I read some interesting research from Gartner that noted the fastest-growing segment in cybersecurity is expected to be cloud security, where spending is forecast to increase by more than 30% a year. If you’ve embraced the shift to the cloud, where applications are already remote — in other words, neither in the office nor local to the employee — moving to Zero Trust is just the next step, not a giant leap.
Protect and verify the user
No discussion of security, remote access, and Zero Trust is complete without talking about employee login practices. Although complexity is the enemy of security, simply trusting and verifying a user — even after multi-factor authentication (MFA), such as authorizing a login attempt from an application on a user’s phone or by text message — is not enough. As a colleague recently wrote, today’s cybercriminals are using off-the-shelf tools to launch attacks that make it easy for employees to get confused and accept fake push notifications, which was the case for several U.K. banks last summer.
Therefore, my view of MFA is based on the same core principle of protection that underpins least privilege. Companies need to take the burden of decision-making off employees so they are never put in a position to accept or deny that push notification. Fortunately, MFA solutions, based on new standards, such as FIDO2, make it possible to detect fake MFA notifications so they never even reach employees.
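The property that lets a FIDO2/WebAuthn login resist the fake-prompt problem described above is origin binding: the browser records the origin the user is actually on in the client data, and the authenticator signs over that client data together with the authenticator data. A relying party therefore rejects an assertion produced on a look-alike origin, and an attacker relaying the real challenge cannot rewrite the origin without invalidating the signature. The following added example (mine, not from the original post or any vendor) models that verification. It is simplified and several things are assumed: the relying-party origin `https://login.example.com` and the look-alike origin are constructed, the authenticator data is a zeroed placeholder, and an HMAC stands in for the authenticator's asymmetric signature so the script runs with only the standard library.

```python
"""Origin binding in a simplified FIDO2/WebAuthn assertion (added example)."""
import hashlib
import hmac
import json
import secrets

RP_ORIGIN = "https://login.example.com"     # assumed relying-party origin
LOOKALIKE_ORIGIN = "https://login-example.com"  # constructed look-alike origin


def authenticator_sign(cred_key: bytes, origin: str, challenge: str):
    """Stand-in for browser + authenticator. The browser fills in the origin the
    page was actually served from; the authenticator signs
    authenticatorData || SHA-256(clientDataJSON), as in WebAuthn.
    HMAC replaces the real asymmetric signature for this illustration."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin},
        sort_keys=True).encode()
    authenticator_data = b"\x00" * 37   # rpIdHash, flags, counter omitted here
    signed = authenticator_data + hashlib.sha256(client_data).digest()
    signature = hmac.new(cred_key, signed, hashlib.sha256).digest()
    return client_data, authenticator_data, signature


def rp_verify(cred_key: bytes, expected_challenge: str,
              client_data: bytes, authenticator_data: bytes, signature: bytes):
    """Relying-party checks, in the order WebAuthn's assertion verification
    performs them: type, challenge, origin, then signature."""
    data = json.loads(client_data)
    if data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if not hmac.compare_digest(data.get("challenge", ""), expected_challenge):
        return False, "challenge mismatch"
    if data.get("origin") != RP_ORIGIN:
        return False, f"origin {data.get('origin')!r} is not {RP_ORIGIN!r}"
    signed = authenticator_data + hashlib.sha256(client_data).digest()
    expected = hmac.new(cred_key, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "signature does not cover this client data"
    return True, "assertion accepted"


def scenario_legitimate(cred_key: bytes):
    """User signs in on the real origin."""
    challenge = secrets.token_urlsafe(32)
    return rp_verify(cred_key, challenge, *authenticator_sign(cred_key, RP_ORIGIN, challenge))


def scenario_lookalike_origin(cred_key: bytes):
    """Same challenge, but the user was on a look-alike origin. The browser
    records that origin, so the relying party refuses the assertion."""
    challenge = secrets.token_urlsafe(32)
    return rp_verify(cred_key, challenge,
                     *authenticator_sign(cred_key, LOOKALIKE_ORIGIN, challenge))


def scenario_origin_rewritten(cred_key: bytes):
    """Client data from the look-alike origin with the origin field edited to
    the real one: the origin check passes, but the signature no longer matches."""
    challenge = secrets.token_urlsafe(32)
    client_data, auth_data, sig = authenticator_sign(cred_key, LOOKALIKE_ORIGIN, challenge)
    edited = json.loads(client_data)
    edited["origin"] = RP_ORIGIN
    return rp_verify(cred_key, challenge,
                     json.dumps(edited, sort_keys=True).encode(), auth_data, sig)


if __name__ == "__main__":
    key = secrets.token_bytes(32)   # constructed credential key
    for name, fn in (("legitimate", scenario_legitimate),
                     ("lookalike origin", scenario_lookalike_origin),
                     ("origin rewritten", scenario_origin_rewritten)):
        print(f"{name:18} -> {fn(key)}")
```

The employee never sees a prompt to approve or reject in the look-alike case; the assertion is refused by the relying party's own checks, which is the sense in which the decision is taken off the user's shoulders.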
The new normal
While there’s lots of discussion of remote work as the new normal, I encourage you to move away from thinking about remote as being in or out of the office and remote access as remote “network” access. At the same time, companies must remove the burden on employees to determine if something is suspicious. As I hope you can tell by now, I believe focusing on application access over network access and shifting to a Zero Trust model based on least privilege should be the new normal for our internet-centric lives. Doing so will benefit employees, IT organizations, and companies alike.
*** This is a Security Bloggers Network syndicated blog from The Akamai Blog authored by Robert Blumofe. Read the original post at: http://feedproxy.google.com/~r/TheAkamaiBlog/~3/RYpCqEDTbsI/zero-trust-should-not-give-it-a-bad-name.html