It seems that every tech security vendor is talking up 'zero trust' as an answer to increasingly dangerous cyberattacks, but UK cybersecurity experts warn customers its definition is a bit slippery and they should proceed with caution.
The UK's National Cyber Security Centre (NCSC) this week said zero trust has become a "very fashionable term" in the tech world. To address the slipperiness of its definition, NCSC has outlined a few traps and pitfalls that organizations running a zero trust migration should be mindful of.
So what is zero trust, according to the NCSC?
"Zero trust is the idea of removing inherent trust from the network. Just because a device is within the internal "trusted" side of a firewall or VPN, it should not be trusted by default," it explains in a new blogpost.
"Instead, you should look to build confidence in the various transactions occurring. You can do this by developing a context through the inspection of a number of signals. These signals are pieces of information like device health or location, and can give the confidence needed to grant access to a resource."
However, NCSC acknowledges that not every organization will be ready to adopt a zero trust architecture. It also stressed it isn't a standard or specification, but rather "an approach to designing a network" — meaning it can be difficult to know if you're doing it right.
On top of this, there may be direct and indirect costs that arise from a migration to a zero trust network design. Direct costs include new products, devices, and services. Indirect costs include training engineers, new licensing costs, and subscriptions. NCSC notes that these ongoing costs could, however, be less than the cost of maintaining and refreshing existing network services.
"Moving to a zero trust architecture can be a very disruptive exercise for an organisation," NCSC warns. "It can take several years to migrate to a "fully zero trust" model due to the extent to which changes may need to be made across your enterprise.
"Defining an end state for a migration is difficult when the model you're aiming for may evolve during rollout."
There are also broader implications for the many organizations that run big systems that just don't mesh with zero trust concepts, for example a legacy payroll system that lacks modern authentication methods, such as two-factor authentication.
Then there are products and services that don't mesh well with zero trust, such as BYOD architectures. Organizations could have difficulties assessing whether devices are secure without intruding on the privacy of workers. Alternatively, an air-gapped network might not able to use a cloud-based zero trust service.
Finally, NCSC warns of vendor lock-in and cloud lock-in that may restrict an organization's ability to move some systems to other services in the future.
Just last week, Google announced a $10 billion commitment to help the US improve the security of critical infrastructure after a meeting with US president Joe Biden. Microsoft committed $20 billion. Both companies are focussing on zero trust capabilities to address recent software supply chain and ransomware attacks on critical infrastructure. IBM is also boosting its zero trust services through the relatively new category of Secure Access Service Edge (SASE) services. All three, including 15 more vendors, are working with the US NIST to create benchmarks for zero trust architectures.
NCSC lays out five reasons why zero trust might be a good philosophy to adopt:
- In a zero trust model, every action a user or device takes is subject to some form of policy decision. This allows the organisation to verify every attempt to access data or resources, "making life very difficult for an attacker".
- Zero trust allows strong authentication and authorisation, while reducing the network overhead of extending your corporate network out into your users' homes.
- Some zero trust security controls can enable a much better user experience. For example, by using single sign-on users only have to enter credentials once, rather than every time they want to use a different application.
- Greater control over data access means you can grant access to specific data to the right audience.
- Enhancing your logging capability to include events from user devices and services gives you a much richer picture of what's happening in your environment, allowing you to detect compromises with more accuracy.