Is Zero Trust Achievable?

By Phil Robinson, Principal Security Consultant, Prism Infosec

The concept of Zero Trust is “never trust, always verify” so that in a Zero Trust Architecture (ZTA) every access request is regarded as potentially hostile and so needs to be authenticated, authorised and continually validated. It’s become the technology to invest in, with a survey by the Cloud Security Alliance revealing that 94% of IT and security professionals are involved in implementing the strategy and 77% foresaw they would increase spend over the course of the next 12 months.

Zero Trust is not new, however, with the term first bandied around in 2010 when deperimeterisation of the network was the issue of the day. It’s now come of age due to two factors. Firstly, the explosion in remote working which revealed the vulnerabilities associated with VPNs making it necessary to come up with a replacement in the form of Zero Trust Network Architecture (ZTNA). And secondly due to the maturation of identity authentication and authorisation solutions such as Identity Access Management (IAM), Privileged Access Management (PAM) and Cloud Infrastructure Entitlement Management (CIEM) etc.

In the minority

Yet full Zero Trust deployments are few and far between. According to Gartner, only 1% of large enterprises have a mature and measurable Zero Trust program in place today and only 10% will achieve that by 2026. The inference is that most businesses are either beginning or part way through implementation and this can ironically increase the risk of attack on specific areas such as public-facing APIs. The analyst firm warns that, come three years’ time, more than half of cyber-attacks will target the areas not covered by zero trust.

That said, there’s no arguing with the fact that ZTNA can significantly improve security. It effectively limits the impact of any breach, preventing attackers from penetrating further into the network and compromising systems by escalating privileges. Zero Trust can see increased efficiency in network monitoring and reporting by the SIEM and improve Mean Time to Detection (MTTD) and Mean Time to Respond MTTR for the Security Operations Center (SOC). It’s also essential given that the attack surface has expanded and continues to do so, with the move to the cloud, increase in distributed endpoints and proliferation of new technologies such as the IoT.

Other operational advantages include: the inventory of all data, applications, services and users; a more user-focused approach that promotes the use of more secure forms of access such as multi-factor authentication; and, a centralised approach to the migration of data, applications and services. So, pursuing a ZTNA is definitely something the business should be doing. But now realistic is it that most businesses will achieve the nirvana of a mature program?

Cultural change

Gartner also stated last year that one of the reasons more than half of all organisations will struggle to achieve Zero Trust is because they will fail to realise that it is both a security principle and an organisational goal that requires a cultural shift and clear communication tied to business outcomes. In other words, it’s not just about technology but about effective planning and engagement.

It’s an important point because there’s an entire army of vendors that have leapt on the Zero Trust bandwagon when the reality is that there is no one-size-fits all approach to implementing Zero Trust. It’s a bespoke project requiring significant rearchitecture of systems and processes in most cases. That can be daunting which is why the success of Zero Trust is lies all in the planning.

A Zero Trust project should take a phased approach, prioritising high risk areas and gradually expanding the controls across the organisation. It should start with an inventory of all the organisation’s networks, data and devices that contains all user accounts to help with Identity and Access Management (IAM) before carrying out a service discovery phase.

In terms of implementing controls, some may already be in place such as authentication, least privilege or Data Loss Prevention (DLP) but other aspects will be new, such as microsegmentation. This sees the network compartmentalised by being divided into segments, with separate controls assigned to each as well as security policies, access permissions and other technical security measures. Similar zones can also be created to manage workloads and applications on virtual machines (VMs) or in the cloud.

Microsegmenting as a major issue

Microsegmentation is often the biggest hurdle businesses will face when implementing Zero Trust and many decide to forego it. Because the architecture is now based on security need, it can be complex to implement, particularly over on-premise private networks which tend to be flat and have high levels of implicit trust. Microsegmentation projects can run on for months and failure rates are high. Forrester’s Best Practices for Zero Trust Microsegmentation found that out of the 14 vendors who attempted to microsegment their private networks, 11 failed and concluded that in order to succeed, senior management buy-in is needed that oversees the removal of implicit trust between identities.

However, there are other issues that can see projects flounder. Many organisations have legacy systems in situ, for instance, that were designed to function on a perimeterised network so assume trust. Realistically, the business may have to build the ZTNA around these until they become are retired or replaced by cloud-based SaaS alternatives, suggests the National Cyber Security Centre in its Zero Trust Architecture Principles.

Gartner concurs, saying that migration of DMZ-based applications to ZTNA is likely to take several years. It also mentions other threats to implementations ranging from a failure of a ZTNA trust broker to the takeovers of ZTNA administrator accounts, not to mention the fact that relying too heavily on any one vendor solution rather than designing the implementation from the ground up could backfire if the vendor goes bust.

Ease of use

Finally, there’s the issue of user experience. Without ensuring adequate training and explaining the rationale of the changes to access procedures, it will be very difficult for the organisation to secure buy-in from their employees who will simply see it as an obstacle. For example, should the employee change roles they’ll need access to different systems and for access to be assigned, so the implementation needs to include processes that can expedite changes in access requests in concert with HR systems. Just In Time (JIT) protocols can also help here by providing temporary access via ephemeral certificates which are issued instantaneously and act as short-lived security tokens.

When you take into account all these considerations and the need to scale the ZTNA, it soon becomes apparent why so many organisations are having to take their time. Zero Trust is complex and needs to be rolled out little by little. It’s as much about the business culture as it is about technology. And there will inevitably be some areas of the network that just are not convertible.

For these reasons, some businesses will never achieve ZTNA. But perhaps they don’t have to. If they implement it sufficiently to jettison the VPN or improve their access and authentication mechanisms whilst ensuring  MFA, or simply safeguarding systems that were previously exposed to the internet, these are still security wins. The hope is that over time, the business will build on these small wins, the market will mature, and ZTNA will become established. But getting there is likely to prove disruptive, painful and costly for many organisations.

Phil Robinson has worked in information security for over 25 years and is the founder of Prism Infosec which offers cutting edge penetration testing, red teaming, incident response and simulated exercises, and security consultancy services over cloud and traditional on-prem architectures and enterprise applications.

Phil has been instrumental in the development of numerous penetration testing standards and certifications. He was involved in the original formation of the Council for Registered Ethical Security Testers (CREST), chaired the management committee of the Tiger scheme and established key CESG Certified Professional (CCP) roles on behalf of the British Computer Society (BCS), and has also contributed toward the Open Source Testing and Security Manual (OSSTMM).

An Associated Member of the ISSA, an (ISC)2 CISSP, ISACA CISA and a CHECK Team Leader, Phil has worked as a CLAS Consultant/Senior CCP Security and Information Risk Advisor and in this capacity has delivered cybersecurity advice and guidance to HMG departments and agencies. He regularly speaks about penetration testing and e-crime to help promote cybersecurity awareness and industry best practice.