Skip to navigation Skip to main content Skip to footer

The Zero Trust Model: Security Inside and Out (Part 2)

26 February 2020

By NCC Group

In Part 1 of “The Zero Trust Model: Security Inside and Out” we discussed the history of the Zero Trust security model, how it removes implicit trust in the traditional “trust but verify” model, and benefits and potential pitfalls. Part 2 provides guidance around how to gain stakeholder support to adopt the Zero Trust model.

In order to better protect your organization from all potential threats, it is imperative that organizations go beyond “Castle-and-Moat” models, defence in depth, and traditional employment screening and background checks.

We always hear the phrase “Trust but verify” thrown around, but what if we remove (implicit) trust…? We are only left with verify, and that is exactly what an organization implementing Zero Trust should be concerned with—verification. This ensures implemented controls are operating as intended and allows for process improvement over time. Additionally, removing inherit trust drastically lowers chances of a breach to the organization.

6 Steps for adopting a zero-trust model

  1. Identify Assets. Well this seems like a no brainer huh? Wrong, it is more common than I wish to admit that an organization severely lacks in asset management; be it too many inventories, or no inventory at all. Creating and maintaining an active inventory of all devices across the network greatly reduces the time needed to identify an anomaly in the network. Additionally, once identified, assets should be tracked through their life cycle until disposal to ensure no data is leaked. It is recommended to use a network scanning tool to ensure all assets are discovered.
  2. Segment Sensitive Data. Lets take a step back, before you segment your sensitive data, you should know exactly what you collect, store, and where it currently resides in the network. (Quick Tip: Perform a periodic review of the sensitive data stored on the network, anything that cannot be supported with a business justification should be removed. This can greatly reduce an organizations data footprint.) Organize your network to separate data based on sensitivity. Files and resources that are considered sensitive should be identified and grouped accordingly. implementing additional controls such as, DLP as necessary to ensure only authorized users gain access.
  3. Map Data Flows. By understanding your data flows you can better understand weak points and where an adversary might attempt to eavesdrop or gain access. Going a step further, this allows for quick identification of malicious or unnecessary traffic, while simultaneously removing some of the auditors burden during audits. It is imperative to understand where your data rests, how it is transmitted, and to where it is going; any and all changes to data flow should be run through a change management process.
  4. Verify Users. All users and their respective access within the environment must be verified on a regular basis (i.e. monthly/quarterly or upon job rotation/termination). Without knowing exactly what permissions have been assigned and correlated to active users, if an adversary gained access through an exploit, hypothetically they could create a duplicate account, or generate a random one; and the organization would be none the wiser. This could be compounded if an elevated user account is compromised, leaving the malicious threat with the potential to do severe harm.
  5. Validate Devices. Devices attempting to connect to the network should be verified against a set of requirements before gaining access to the network, such as Aruba ClearPass, or Cisco ISE. The goal of these products is ensuring that only an authorized device can enter the network through comparing such things as location, time of day, etc. with known baselines. This circles back to the inventory of assets and why it is imperative to maintain currency with the asset inventory. (Note: In some SaaS NAC solutions you can also manage inventory, such as Forescouts CounterACT)
  6. Limit Privileged Access. Limit the access of trusted individuals to only what is required for a job to drastically lower the probability of an attacker escalating privileges or gaining administrative access to the environment.

Considering the above steps, I am sure you have formed a rough idea of your organizations security posture, and possibly a few key discussion points to take back with you. I recommend to speak with peers and security experts alike to gain insight and a better understanding of each of your organizations security functions. These insights will prove extremely useful when presenting your thoughts to the executive leadership team.

Gaining stakeholder support

There are a few key discussion points to consider before approaching management that fall right in line with how this will affect the business.

  1. Cost/Benefit Analysis. An effort like the above proposed steps can be very costly. A cost/benefit analysis should be performed, taking into consideration both initial capital expenditures, as well as estimated continual operational spend. Depending upon the organizations budget and what they are securing, Zero Trust may not be on the cards yet, however, that does not mean principles of Zero Trust cannot be implemented to provide for a more secure environment. In those cases, I recommend bringing in a third party to assess cyber security maturity and work with the organization to establish a road map for success, outlining the companies goals, and the strategical plans for achieving those goals. This, Combined with a Cost Benefit Analysis may yield surprising results, learning that Zero Trust is not only on the cards for the future, but it also may check a significant number of boxes towards achieving the organizational goals.
  2. Organizational Culture. It may not be very popular to implement a zero trust model for employees within the organization. Adding stricter permissions and removing additional access could cause concerns. In addition, the perception of this change could impact the overall culture. The organization must communicate extensively to explain the reasons for the change before it begins to take place; this allows employees ample time to plan, submit input, and consider possible pitfalls.
  3. Implementation Timeline. Migrating to Zero Trust should be a multi-phase, strategic plan over a period of time . With that being said, prior to speaking with executive leadership, I recommend identifying 2-3 areas that would greatly benefit from Zero Trust or some of its underlying principles. Once identified, collect feedback to gain a better understanding of what is actually needed to support the change. It is worth mentioning that prior to approaching management, you should establish a justification, as you are unlikely to gain support if the end does not justify the means. In some cases it may help to bring the SME with you to answer any related technical questions from the board.
  4. Configuration and Management. This by far is the hardest pitch to throw, as there can be potential downtime during the configuration period or shortly thereafter if configured improperly. At this point id suggest to bring in an SME representative from each of the core departments in an effort to provide more in depth details to senior leadership, as well as, answer any questions that might be out of your realm. This can include developers, engineers, Database Admins, System Admins, and many others.
  5. Integration with Existing Programs. Some organizations have taken measures to secure their environment against additional threats (e.g. Vendor Risk Management), and special consideration should be taken when determining how programs such as VRM integrate with Zero Trust. Integration, however, does not necessarily spell out forming one singular program. It is important to understand the goal here is to have the existing, and newly forming programs build from one another. While on one hand it may be inconvenient, and a point of contention for a vendor to use such things as MFA, strategically it makes sense – reducing the odds of compromising a user account. The inverse is also true, when building out a Zero Trust network, programs already in place should be leveraged in an effort to streamline implementation and assist with any issues that arise (e.g., Vendor Communication).

Conclusion

Organizations today are still having trouble getting the basics right; however, through a strategical approach to Zero Trust, a secure environment is not entirely out of reach. Get back to the basics. As mentioned above, such things as identifying assets, segmenting data, verifying users, validating devices, and limiting privileged access are paramount to your networks security.

Without knowing the ins and outs of your network, you are behind the power curve, and give up the high ground against malicious threats. Take control of your environment back—both inside and out, and begin the process of securing your network with Zero Trust.

Go back and read Part 1 of the Zero Trust Model: Security Inside and Out series, or reach out with questions about how to implement for your organisation.