[BreachExchange] Are CISOs ready for zero trust architectures?

[Destry Winant]

https://www.helpnetsecurity.com/2020/02/20/zero-trust-architectures/

Zero trust is a concept that is gaining an increasingly large and
dedicated following, but it may mean different things to different
audiences, so let’s start with a definition. I refer to an excellent
post by my friend Lee Newcombe and I agree with his definition of zero
trust:

“Every request to access a resource starts from a position of zero
trust. Access decisions are then made and enforced based on a set of
trust metrics selected by the organization. These trust metrics could
relate to the user, their access device, the resource to be accessed,
or a combination thereof.”

The concept of zero trust architectures is not new. During my career,
I was a member of the Jericho Forum, a group that essentially invented
the concept. At that time technology was not mature enough to support
a true “zero trust architecture”. This has changed and I firmly
believe that today, technology is at a suitable level for enterprises
to move to architectures without perimeters.

That said, a true full-scale transition to a zero trust architecture
will require more than just changes to network, application and
supporting technologies – it will also need to drive large scale
security and general IT policies or be driven by a large scale
transformation program. And as usual, training will play a big role.

In my opinion, CISOs should prepare for zero trust architectures by:

1. Engaging expert advice to review the current IT and security
architecture, assessing the feasibility to migrate to zero trust;
which will deliver a roadmap highlighting:

- Required technology investments
- Sunsetting of legacy systems
- Business applications updates
- Updates to policies to ensure alignment to legacy information and
privacy frameworks
- Training all stakeholders on the concepts of zero trust

2. Evangelizing lower cost of exposure by correctly implementing zero
trust architectures to CISOs peers and C-suite executives and legal
counsel, highlighting that the change may be long and costly during
transition (while supporting legacy architecture), but can be shown to
have the following benefits:

Business competitiveness as to being able to scale business
applications and places of business without costly investments in
traditional network security
Limiting potential breaches as the access between applications is
limited only to required communications
Improved compliance levels with the “state of the art” requirements of
GDPR, potentially limiting the maximum penalty if a less-likely breach
occurred

What other business justification could CISOs spell out? One of the
benefits is micro-segmentation, which is both a cause and a
pre-requisite of zero trust architectures – depending on the
organization’s starting point. Micro-segmented systems deliver vast
benefits in reducing attack surface, compartmentalization that support
DevSecOps team structures, and – last but not least – improved
monitoring.

On that topic and similarly to current security architectures,
monitoring for event anomalies, sometimes leading to security
incidents, is paramount in zero trust architectures, especially when
feeding the monitoring events into an AI engine where a machine
learning model is regularly updated by DevSecOps teams (trained to
understand data science).

Finally, and probably most importantly, if we accept that the formula
of zero trust equals to:

Access granted if [Sum(device score),Sum(user score), Sum(resource
score)] > [required device score, required user score, required
resource score]

Zero trust architectures are only possible when organizations know
exactly what their users, device assets and applications are, and how
these are configured, interrelated and secured.

It may not be a big stretch to jump to a conclusion that the CIS 20
Controls 1-6 are, in fact, the cornerstones for zero trust
architectures. And herein lies a problem that most CISOs will face: A
high percentage of organizations would attain very low maturity in
design and implementation of these 6 core CIS controls, meaning a move
to zero trust architecture without sorting the basics first should be
avoided.

In conclusion, given the complexities of a zero trust retrofit into
existing networks and systems, CISOs should focus their energy on A)
embedding zero trust into wider organizational transformation
roadmaps, and B) focusing on automating the basic security controls
(e.g., CIS 1-6) before attempting potentially costly and
doomed-to-fail zero trust re-architecture programs.