Zero trust – not a one-size-fits-all model
As organisations evolve their security to take a zero trust approach, it’s important for them to note that one size doesn’t fit all.
Zero trust is emerging as the natural evolution of information security, bringing security from the perimeter right down to users and data, and allowing the organisation to understand who and what is on the network, whether they should be there, and whether any anomalous and potentially risky behaviour is taking place. Unlike traditional defence-in-depth approaches, which made it relatively easy for insiders to exfiltrate data, the zero trust model protects the organisation from all sides, particularly from within.
“South Africa, never known as a particularly early adopter of new trends, is not yet seeing widespread adoption of the zero trust model,” says Brad Stein, GM of security at First Distribution. “However, local CIOs and information security professionals are now keenly researching the zero trust model and related technologies, considering the implications and potential benefits for their organisations.”
It is important to note at this early stage of adoption that zero trust is not a cookie cutter model – there can be no one-size-fits-all strategy and set of solutions for all organisations. Stein says: “Approaches will vary according to the organisation’s own risk appetite, which data is most critical, who should have access to particular data, and what processes should be considered normal, and which should not.”
Within this model, organisations will also have to develop baselines for normal behaviour on the network and determine procedures for managing anomalies. They will need to consider whether the entire model should be automated – locking down users who carry out suspicious activities – or whether they would prefer an orchestrated approach in which suspicious activity is flagged and a human makes the decision on whether to allow the activity or block the user.
“As with all information security, implementing a zero trust model can prove complex, layered and challenging. Many organisations may lack the necessary skills resources to manage a zero trust environment, and they may have to look to third-party service providers for implementation and management support. Organisations will also need to consider what technologies they will add to their stack – including firewalls, zero trust network access solutions, data loss prevention and continuous monitoring solutions,” he says.
A key solution to help organisations implement and manage a zero trust environment is a dynamic user protection (DUP) user access management system, which allows organisations to allocate certain levels of trust and then monitor and analyse activities on the network. DUP provides meaningful visibility into how users interact with data, analyses usage patterns, and can automatically adjust policies to stop data theft or loss before it takes place. A DUP solution should have a machine learning component that allows it to learn and baseline typical user activity unique to the organisation and its various departments, in order to prevent data loss without impacting business as usual.
This is where customisation ability becomes important: should a sales rep allocated 10 data downloads per day, for example, suddenly be required to download a list of 50 top customers, a fully automated system might well lock them out of the system when they attempt to do so. This could cause delays and spark a lengthy and unwanted workflow. But in a system customisable to allow orchestration and a human element, the attempt to download 50 data items would spark a notification, which would require a quick authorisation by management, and delays would be avoided.
Dynamic data protection, a subset of DUP, should be similarly flexible and customisable to meet the unique data protection needs of each organisation. It should enable individualised, adaptive data policies by intelligently applying risk scores, to prevent data exfiltration without hampering productivity.
“In the zero trust environment of the future, operating without DUP will be akin to trying to achieve full visibility without depth perception. It will be possible to have zero trust without DUP, but it is highly recommended that organisations roll out DUP for full visibility and customisability,” concludes Stein.