on 08/30/2022, by Christopher Burgess, IDG NS (adapted by Jean Elyan), Security, 877 words
Zero trust, or zero trust, is not a product, but a security methodology based on the concepts of defense in depth and least privileged access.
When it comes to zero trust and its implementation, it seems like the buzz is all there. start with government guidelines. Comments made in January by the White House on the Office of Management and Budget’s (OMB) Federal Zero Trust Strategy for all federal departments and agencies were both pragmatic and ambitious. Their observation, drawn from the vulnerability of Log4j, sums it up well: The zero-trust strategy will allow agencies to detect, isolate and respond to these types of threats more quickly. Except that, for a zero-trust strategy to work properly, those who implement it must understand what it is and on what basic principles it is based.
Zero trust, really new?
As part of the Black Hat conference, Douglas McKee, principal engineer and director of vulnerability research at Trellix, pointed out that beyond buzz, defense in depth and the principle of least privileged access頻 were the true foundations of zero trust. The CISOs in charge of business operations must collaborate and coordinate access to the information necessary for their colleagues to carry out their part of the work. What they don’t need is unlimited, continuous access to information when it’s not needed. This requires continuous and dynamic monitoring of needs throughout the business ecosystem. When people change jobs, their needs adapt and the access they are allowed must also adapt. When people leave the company, their access must be removed. This seems easy to say, but apparently difficult to achieve for a large number of entities. As Code42 CEO Joe Payne said, let your people do their jobs with confidence, but with a safety net all around, so that if they stray from processes and procedures – for example, load a web storage – it will recall the order on the spot.
No zero trust without at least privileged access
This is where bt hurts. If CISOs do not apply the doctrine of least privileged access, it is not possible to venture outside the boundaries, since access is both permitted and authorized. As an old veteran of counterintelligence, I have to make the following remark: detecting the theft of information by an individual who stays in the nails is a difficult exercise. By this I mean that someone who follows all the processes and procedures of the company, accessing only what he naturally has access to, can harvest with impunity.
A problem of perception
Zero trust is more complex than a fad. Steve Malone, vice president of product management at Egress, says zero trust is sadly misunderstood: it’s often misrepresented by vendors, leading buyers to misunderstand it. The most important thing to understand about zero trust is that it is not a product! It is not possible to buy zero trust from a supplier. Zero Trust is a security methodology, framework of technologies and best practices that a company should define and adopt in its IT environments over time. We can compare zero confidence to a kind of healthy and permanent paranoia! Mr. Malone is right. A healthy and permanent paranoia allows everyone to stay alert and focus on how information is accessed, moved and stored. This way of thinking must be embraced by leaders down to the individual employee. Security implementation may be supported by the CISO and his team of infosecurity gurus, but it is at the operations and production level that the bt hurts.
No implementation possible with a single product
Malone continues: Some companies struggle with implementing a zero-trust strategy. The biggest mistake I often see is that security teams misunderstand what a true zero-trust approach means. Some companies think they can achieve zero trust by using individual security solutions here and there to provide a quick solution to the problem. However, zero trust is not limited to the deployment of individual solutions. Mr. Malone concludes: Don’t be fooled by this flashy name. Zero trust is neither a fad nor a one-size-fits-all product. This is an essential security initiative. The importance of people, process and technology cannot be overstated. They are at the heart of the principles of least privileged access and the strategic implementation of defense in depth. There is no universal implementation of zero trust. On the other hand, the principles of zero trust exist, and trust is the key to the success of the zero trust strategy. As the Navy would say, without trust we are sunk.