Zero trust: Know thy users
Ask 10 people what zero trust is, and you’ll get as many different answers, said Roland Daccache, a systems engineering manager at CrowdStrike.
Delivering his address at the ITWeb Security Summit 2021 this week, Daccache offered his version: the ability to control access to a system in real time.
“It’s about access validation. That’s the key concept. What am I authorised to do? Which systems am I authorised to access?”
Daccache cited a recent Forrester survey in which over 80% of organisations polled said they needed a zero trust approach to transform their security function. Less than half said they were implementing it, which he attributed to the complexity of the modern security estate with its mix of hardware, software, people and expertise.
“If it takes all this to achieve zero trust, no wonder very few enterprises actually adopt it.”
Daccache said identity was at the core of the methodology, but also included the management of endpoints, applications, network, and analytics.
Organisations should also be cognisant of industry standards, such as NIST 800-207.
Rule-based detection not good enough
He said zero trust will use behavioural data to determine if a company insider has ‘gone rogue’, or if an application service account has been hijacked or a malicious actor has compromised legitimate credentials.
“Rule-based detection doesn’t cut it anymore, unfortunately.”
It was also important to segment the network and to implement least-privileged access, which he said should help contain the ‘blast radius’ of an attack.
“Segmentation seeks to limit the ability of an attacker to move laterally from vulnerable areas to other areas, which is difficult to defend.” Least privilege access likewise seeks to contain threats.
Daccache said automation and orchestration are important principles in zero trust architectures, and these would replace manual processes of analysis and response.
“More context means more accurate and faster response.”
He said resource access should be continually verified.
“Zero trust validation means never trusting, always verifying for every request for access to a resource or data,” he said.
Daccache said a new trend in cyber security was that it should be ‘frictionless’. “By reducing friction you increase the adoption of technology. You reduce complexity and costs and accelerate the journey of maturity.”
He said there were different maturity levels of zero trust, which CrowdStrike calls visualise, mitigation, and optimise. Without unified visibility, security leaders and IT teams have no way of seeing gaps in their IT estate.
“At any given time, you should know who your users are.”
He said many vendors provided visibility in a specific area, such as endpoints or identities. Here, a central dashboard will be invaluable.
On mitigation, Daccache said controls should be put in place to prevent attacks in real time.
Automating analytics based on behavioural signals, user risks, device postures, and endpoint hygiene should improve the veracity of the data.
Finally, on optimisation, he asked how firms can deploy conditional risk-based access to their assets and applications, and how protection can be extended to managed and unmanaged devices in the data centre and private and public clouds.
“For the complete adoption of a zero trust model in the enterprise, you have to reduce the risk through pre-integrations that cover multiple systems and resources across the whole digital footprint that you present.”
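As an added illustration (not code from Daccache's talk or from CrowdStrike), here is a small per-request policy decision in Python that combines the signals named above: entitlement (least privilege), a behavioural user risk score, device posture and endpoint hygiene. Every request is evaluated afresh, so an earlier ALLOW carries no trust forward; the resource names, fields and thresholds are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed resource catalogue: each resource lists the roles entitled to it
# (least privilege) and a sensitivity tier. Names are hypothetical.
RESOURCES = {
    "hr-payroll": {"roles": {"hr"}, "tier": "high"},
    "wiki": {"roles": {"hr", "engineering"}, "tier": "low"},
}

@dataclass
class Request:
    user: str
    roles: frozenset
    resource: str
    user_risk: int        # 0-100 behavioural risk score from analytics (assumed)
    managed_device: bool  # device posture: enrolled in management
    sensor_healthy: bool  # endpoint hygiene: EDR sensor present and reporting
    os_patched: bool      # device posture: OS at required patch level

def decide(req: Request) -> str:
    """Return ALLOW, STEP_UP (require MFA) or DENY for a single request.
    Called on every request: no previous verdict is remembered, so a change
    in posture or risk changes the outcome (never trust, always verify)."""
    res = RESOURCES.get(req.resource)
    if res is None or not (res["roles"] & req.roles):
        return "DENY"        # entitlement check first: least privilege
    if not req.sensor_healthy:
        return "DENY"        # blind endpoint: posture cannot be verified
    if req.user_risk >= 80:
        return "DENY"        # behavioural signal consistent with a hijacked account
    if res["tier"] == "high":
        if not req.managed_device or not req.os_patched:
            return "DENY"    # sensitive data only from compliant managed devices
        if req.user_risk >= 40:
            return "STEP_UP" # elevated risk: demand MFA before proceeding
        return "ALLOW"
    # low-tier resources: unmanaged devices tolerated, but step up on risk
    return "STEP_UP" if req.user_risk >= 60 else "ALLOW"

def verify_session(requests) -> list:
    """Continuous verification: evaluate each request of a session on its own
    and return the verdicts in order."""
    return [decide(r) for r in requests]
```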