Are CISOs ready for zero trust architectures?
Zero trust is a concept that is gaining an increasingly large and dedicated following, but it may mean different things to different audiences, so let’s start with a definition. I refer to an excellent post by my friend Lee Newcombe and I agree with his definition of zero trust:
“Every request to access a resource starts from a position of zero trust. Access decisions are then made and enforced based on a set of trust metrics selected by the organization. These trust metrics could relate to the user, their access device, the resource to be accessed, or a combination thereof.”
The concept of zero trust architectures is not new. During my career, I was a member of the Jericho Forum, a group that essentially invented the concept. At that time technology was not mature enough to support a true “zero trust architecture”. This has changed and I firmly believe that today, technology is at a suitable level for enterprises to move to architectures without perimeters.
That said, a true full-scale transition to a zero trust architecture will require more than just changes to network, application and supporting technologies – it will also need to drive large scale security and general IT policies or be driven by a large scale transformation program. And as usual, training will play a big role.
In my opinion, CISOs should prepare for zero trust architectures by:
1. Engaging expert advice to review the current IT and security architecture, assessing the feasibility to migrate to zero trust; which will deliver a roadmap highlighting:
- Required technology investments
- Sunsetting of legacy systems
- Business applications updates
- Updates to policies to ensure alignment to legacy information and privacy frameworks
- Training all stakeholders on the concepts of zero trust
2. Evangelizing lower cost of exposure by correctly implementing zero trust architectures to CISOs peers and C-suite executives and legal counsel, highlighting that the change may be long and costly during transition (while supporting legacy architecture), but can be shown to have the following benefits:
- Business competitiveness as to being able to scale business applications and places of business without costly investments in traditional network security
- Limiting potential breaches as the access between applications is limited only to required communications
- Improved compliance levels with the “state of the art” requirements of GDPR, potentially limiting the maximum penalty if a less-likely breach occurred
What other business justification could CISOs spell out? One of the benefits is micro-segmentation, which is both a cause and a pre-requisite of zero trust architectures – depending on the organization’s starting point. Micro-segmented systems deliver vast benefits in reducing attack surface, compartmentalization that support DevSecOps team structures, and – last but not least – improved monitoring.
On that topic and similarly to current security architectures, monitoring for event anomalies, sometimes leading to security incidents, is paramount in zero trust architectures, especially when feeding the monitoring events into an AI engine where a machine learning model is regularly updated by DevSecOps teams (trained to understand data science).
Finally, and probably most importantly, if we accept that the formula of zero trust equals to:
Access granted if [Sum(device score),Sum(user score), Sum(resource score)] > [required device score, required user score, required resource score]
Zero trust architectures are only possible when organizations know exactly what their users, device assets and applications are, and how these are configured, interrelated and secured.
It may not be a big stretch to jump to a conclusion that the CIS 20 Controls 1-6 are, in fact, the cornerstones for zero trust architectures. And herein lies a problem that most CISOs will face: A high percentage of organizations would attain very low maturity in design and implementation of these 6 core CIS controls, meaning a move to zero trust architecture without sorting the basics first should be avoided.
In conclusion, given the complexities of a zero trust retrofit into existing networks and systems, CISOs should focus their energy on A) embedding zero trust into wider organizational transformation roadmaps, and B) focusing on automating the basic security controls (e.g., CIS 1-6) before attempting potentially costly and doomed-to-fail zero trust re-architecture programs.