The complexity of today’s cybersecurity environment is lost on no one. Yet adopting a holistic and effective approach is nothing short of daunting. Somewhere at the intersection of threats, breaches, and break-ins lies the nebulous world of protecting data, devices, and systems. “Trust is always a vulnerability in a digital system,” according to John Kindervag, Field CTO at Palo Alto Networks.
Kindervag approaches Zero Trust from a unique position: he created the concept of Zero Trust, coined the term, and promoted the approach while serving as a vice president and principal analyst at Forrester Research. Although the idea is fairly straightforward—trust is the root cause of all data breaches and most other negative cybersecurity events; we don’t need trust in digital systems when the only beneficiaries of it are attackers—putting the concept into motion can prove challenging.
Zero Trust represents a different model for cybersecurity. Recently, Kindervag discussed Zero Trust with Security Roundtable. Here’s a look at what the approach is about and how your enterprise can tap into the concept to build a better cybersecurity framework.
Security Roundtable: Why is Zero Trust important and how does it differ from a conventional approach to cybersecurity?
John Kindervag: Business and IT leaders are used to hearing a narrative that revolves around the idea that internal networks can be trusted and external networks cannot be trusted. So, once a person using the network is verified, everything is fine. We’ve injected this concept of trust into digital systems, but it should have never been there, because trust represents a vulnerability for digital systems. It’s something malicious actors can exploit and use to their advantage. What’s more, it leads organizations down a specific technology path that does not maximize security.
SRT: What should executives focus on and how should they begin to approach the Zero Trust concept?
JK: Business and IT leaders must think about cybersecurity in a completely different way. Cyber-threats have changed dramatically over the last several years. The problem is that most organizations rely on old-school concepts and strategies that have not kept pace with the profound technology changes we’re witnessing. They’re attempting to use a 20th century security model in the 21st century. So, the first step is to recognize a need to change.
SRT: Could you provide an example or two of what you mean by organizations relying on an outdated model?
JK: Think about Edward Snowden or PVT Manning. They were trusted users who could do pretty much anything they wanted to do on an internal network. They took advantage of their situations and stole classified documents. These same types of events occur all the time within corporate networks—sometimes from insiders and sometimes from outsiders. People misuse or abuse data and information, or someone steals another person’s credentials—perhaps through social engineering methods—and gains access to the network. When you look at breaches, Target and Experian are two recent examples that come to mind. They took place because antiquated trust models were in place. Once the malicious actors gained access to the networks, they had elevated privileges and no one noticed. In fact, almost all breaches are discovered by a third party and usually after a significant period.
SRT: How can business and IT leaders formulate a Zero Trust strategy and put the concept into motion?
JK: First, recognize that everything you have been doing up to now is a tactic, not a strategy. Recognize that there’s a big difference between a tactic and a strategy. This means moving away from the idea that it’s critical to focus on everything coming into a network. It’s far more important to keep an eye on what’s travelling out of the network. In addition, you don’t keep tossing ad hoc and piecemeal solutions at the problem and expect positive results to follow. Today, malicious actors aren’t interested in scaling the castle wall and capturing the flag. They want to exfiltrate the flag. This requires a fundamental change in the way your organization approaches security.
In a Zero Trust world, there are no trusted devices, systems, or people. This doesn’t mean that people are fundamentally untrustworthy; it means that they generate data packets which appear to be coming from them—and sometimes it isn’t them. Once every packet has the same trust level, zero, you can begin to address the problem. You can start focusing on the core security issues. These revolve around business outcomes; designing from the inside out by identifying the assets and data that require protection; determining who or what requires access to specific data through a need-to-know and least-privilege model; and inspecting and logging all traffic. Instead of examining the user’s physical location or the originating network, a Zero Trust framework examines information about the device, its current state, and who is using it.
SRT: What are the major obstacles and challenges to implementing a Zero Trust model?
JK: The biggest problem, aside from changing the fundamental thinking and approach to cybersecurity, is dealing with the turf battles, silos, and competing interests. It’s a very real problem because business and IT leaders are often disincentivized, mostly by vendors, to move to a different model. They have been trained to think there’s a product or solution for every problem. But it’s important to recognize that thought leaders in this space are embracing this model. This includes Google CIO Ben Fried, who has publicly advocated Zero Trust. Google has introduced BeyondCorp, a new type of Zero Trust network. Fried has described it as the “future of network security.”
SRT: How would you recommend that both business and IT leaders approach Zero Trust?
JK: Zero Trust isn’t something to put on the back burner. It isn’t an abstract concept to keep an eye on. It’s a powerful methodology that organizations should embrace immediately. Defense-in-depth and multi-layered security strategies don’t address or solve the fundamental problem: that no person—as abstracted by a packet—or device can be trusted. Tossing a barrage of best-of-breed point solutions at the problem ultimately increases the risk, because it creates more gaps and more vulnerabilities, while at the same time greatly increasing operational complexity, which, of course, also massively increases risk. Zero Trust is a concept that will gain traction and become the norm within the cybersecurity arena. It represents the future of enterprise security.