
Demystifying the Concept of Zero Trust Security

Fundamentally, cyber security is a risk management function where we need to make decisions on trade-offs or risk acceptance.

DQINDIA Online

Fundamentally, cyber security is a risk management function where we need to make decisions on trade-offs or risk acceptance when we implement controls, says Vishal Salvi, Chief Information Security Officer & Head of Cyber Security Practice – Infosys.


Cybersecurity risk is at an all-time high due to several changes in the business environment. The proliferation of personal devices and the adoption of the hybrid work model and digital technologies are creating multiple vulnerable nodes that are exposed to security breaches.

Organizations and their CISOs are challenged by the evolving threat landscape. The need for strategic thinking and for revisiting the fundamental security architecture is greater than ever. In this context, Zero Trust Security Architecture is one approach that is increasingly gaining traction. At a high level, Zero Trust assumes that your business is continuously compromised, and the aim of the architecture is to mitigate that.

Zero Trust Architecture: Looking at security with a different perspective


Fundamentally, cyber security is a risk management function where we need to make decisions on trade-offs or risk acceptance when we implement controls. It is difficult to imagine a world where we would only have absolute controls. Another important factor to note is that trust is contextual. The security world has built various models and solutions for adaptive controls or transparent controls. These models are based on answering questions around who, where, why, when and what of a transaction before any verification, approval or denial is made.

Security architecture has always relied on trust models. There are many technical controls that we trust before we grant or deny access to resources. For all this to work properly, security teams must ensure the highest degree of integrity in those handshakes and trust relationships.

The Zero Trust model challenges the risk management principles, the adaptive nature of controls, defense in depth and trust relations across entities in security management. Essentially, it assumes that an organization is constantly under attack, and therefore controls and responses are built on that assumption. It does not assume any trust across the controls and therefore subjects each transaction to the maximum level of scrutiny that is possible. The traditional model of perimeter-based security is replaced with continuous security practices built across people, devices, networks, data, and cloud, within as well as outside the organization.


This does not mean that one can make each control self-sufficient. The concepts of defense in depth and of building trust across entities will remain; however, this approach helps in designing and building strong, multi-dimensional and comprehensive controls.

We must not view Zero Trust as a replacement for the existing security architecture, but as a complementary approach. Zero Trust focuses on deciphering the context by understanding user behavior and expectations based on IP addresses, locations, access devices, time of day and more. For this to work, organizations must implement security controls both within and outside the external perimeter. This can be achieved by a combination of strategies including strong identification, authentication, authorization, isolation, segregation, encryption, obfuscation, and automation tools.

The key construct of Zero Trust


Zero Trust security needs to be enforced across all five fundamental pillars of the enterprise fabric: Identity, Device, Network, Application Workload and Data. The Zero Trust framework must be applied to each of the five pillars, and incremental improvements over time can lead to a fully optimized security architecture.

Identity: With identity now the most important perimeter for the enterprise, an identity-centric Zero Trust strategy is becoming mainstream. Organizations must lay down policies that define what constitutes a trusted user identity and what access is associated with that identity. Solutions such as Identity and Access Management and Identity Governance Application Controls establish trust between users or devices and enterprise resources. Security controls should include single sign-on, multi-factor authentication, biometrics, password-less authentication and more. Security teams need to recognize that, apart from employees, users can also be contractors and vendors. Therefore, the security protocols need to extend beyond the traditional business perimeter.

Devices: As workplaces become dynamic, it is no longer only company-issued laptops that are in use. Zero Trust applies security controls to every device and keeps a real-time watch to ensure compliance with security mandates.


Networks: Cloud-first strategies and remote working have made Zero Trust in network security critical. Here again, micro-segmentation and the definition of trust levels help. Secure Access Service Edge (SASE) solutions play an important role here. SASE is a cloud-first network architecture framework which brings together cloud-native security technologies and wide area network capabilities to securely connect not just users but also systems, application endpoints and services.

Data: Data must be identified, classified, and encrypted for zero trust security to be successful. Preventing data loss or leakage, providing secure storage, and building the capability to recover information in real-time are essential steps. Data must be made available irrespective of where it is stored or what state it is in.

Application Workload: These include the programs and services that execute in on-premises and cloud environments. Zero Trust security must be applied to the workloads and applications at the core of the business. Security controls such as host AV/EDR, vulnerability management, Cloud Access Security Broker, application security and DevSecOps, among others, can be employed within the Software Development Life Cycle process.
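The contextual decision described earlier (answering who, where, when and what before approving or denying a transaction, using signals such as IP address, device and time of day) and the five pillars above can be made concrete in a small policy decision point. The following is an added example written for this article; it is not Infosys code or any vendor product, and every signal name, network range, role mapping and threshold in it is an assumption chosen for the demonstration. It shows the two properties the text stresses: no implicit trust from network location alone, and controls that adapt (step up to MFA) rather than only allow or deny.

```python
"""Contextual access-decision point illustrating Zero Trust evaluation across
identity, device, network, workload and data signals (assumed policy data)."""
from __future__ import annotations
from dataclasses import dataclass
from enum import Enum
from ipaddress import ip_address, ip_network


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step-up"   # grant only after fresh multi-factor verification
    DENY = "deny"


@dataclass
class Request:
    # Identity pillar
    user: str
    role: str
    mfa_verified: bool
    # Device pillar
    device_managed: bool
    device_compliant: bool
    # Network pillar
    source_ip: str
    # Application workload and Data pillars
    resource: str
    data_classification: str   # "public" | "internal" | "confidential"
    hour_of_day: int           # 0-23, local time of the request


# Constructed policy data: assumptions for this example only.
ROLE_ACCESS = {
    "engineer": {"source-repo", "ci-logs"},
    "finance": {"ledger", "ci-logs"},
}
CORPORATE_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
BUSINESS_HOURS = range(7, 20)


def on_corporate_network(ip: str) -> bool:
    """Network-location signal; it is one input, never a grant by itself."""
    addr = ip_address(ip)
    return any(addr in net for net in CORPORATE_NETWORKS)


def evaluate(req: Request) -> tuple[Decision, list[str]]:
    """Evaluate one request and return the decision with its reasons, so the
    outcome is auditable. Called per transaction: nothing is cached from a
    previous 'trusted' session."""
    reasons: list[str] = []

    # 1. Identity: entitlement first. No role mapping means no access, even
    #    from inside the corporate address space.
    if req.resource not in ROLE_ACCESS.get(req.role, set()):
        return Decision.DENY, [f"role '{req.role}' is not entitled to '{req.resource}'"]

    # 2. Device: confidential data is only served to managed, compliant devices.
    device_ok = req.device_managed and req.device_compliant
    if req.data_classification == "confidential" and not device_ok:
        return Decision.DENY, ["confidential data requires a managed, compliant device"]

    # 3. Collect risk signals from the remaining context (where, when, what).
    if not device_ok:
        reasons.append("device is unmanaged or out of compliance")
    if not on_corporate_network(req.source_ip):
        reasons.append("source address outside corporate networks")
    if req.hour_of_day not in BUSINESS_HOURS:
        reasons.append("request outside business hours")
    if req.data_classification == "confidential":
        reasons.append("resource holds confidential data")

    # 4. Decide: risk signals raise the bar to a fresh MFA assertion rather
    #    than denying outright, which keeps the control adaptive.
    if reasons and not req.mfa_verified:
        return Decision.STEP_UP, reasons + ["multi-factor verification required"]
    return Decision.ALLOW, reasons or ["all context checks passed"]


if __name__ == "__main__":
    # Constructed sample requests: same user, changing context.
    base = dict(user="asha", role="engineer", mfa_verified=False,
                device_managed=True, device_compliant=True,
                source_ip="10.1.2.3", resource="ci-logs",
                data_classification="internal", hour_of_day=10)
    for change in ({}, {"source_ip": "203.0.113.7"}, {"resource": "ledger"}):
        decision, why = evaluate(Request(**{**base, **change}))
        print(f"{change or 'baseline'}: {decision.value} ({'; '.join(why)})")
```

Each decision carries the signals that produced it, which is what an operations team needs to tune thresholds and to investigate a denied or stepped-up request. Re-running `evaluate` on every transaction, rather than once at login, is what turns the same checks into the continuous verification the model calls for.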


Organizations have already embarked on the journey to enforce Zero Trust security by implementing identity security for employees, business partners and contractors, customers, and even non-human devices. With the Zero Trust framework, defense-in-depth is applied technically across all the pillars of the enterprise. When adopting Zero Trust, there is perhaps a need to define a standard taxonomy in the context of information security and cyber security, since trust is not absolute but contextual.

By Vishal Salvi

maildqindia@cybermedia.co.in
