Zero trust: what does it mean?

22/08/22

The world of security is constantly evolving, and with it the language used by technicians and the security industry, as well as the technologies themselves.

One of the terms increasingly present in the last year is "Zero Trust". But are we sure we know what it is?

As I always do in these cases, it is advisable to start from the beginning, that is, from the definition.

To understand what Zero Trust means, it is useful to find a reference publication, and in this case it is NIST SP 800-207. As mentioned many times, NIST (the National Institute of Standards and Technology of the United States Department of Commerce) is an inexhaustible source of information.

Publication 800-207 in particular deals with the Zero Trust framework.

At the moment it is the reference standard both for American government organizations (mandatory from May 2021 following an executive order from President Biden) and for all those who in some way have to deal with the distributed and cloud work model. According to Gartner, by 2025 at least 60% of organizations (public and private) will employ the Zero Trust framework.

The key principles of the 800-207 framework are essentially three:

- continuous verification. That is, never trust anything or anyone;

- limitation of the blast radius in the event of an incident. Implement a series of procedures and technical measures to limit the damage caused by a possible incident;

- automatic and continuous collection of context and behavioral data to ensure an accurate response.

The Zero Trust model is based on the assumption that a one-off verification of the user, their privileges and the devices and services used is not sufficient to guarantee the security of a constantly evolving system, in which technologies and risks are also constantly evolving.

The term "Zero Trust" was introduced by John Kindervag (a Forrester Research analyst) with the meaning of never trust, always verify!

Of course, this means collecting a lot of data and information which, when processed, give a precise picture of the situation of users (privileges, times and places of probable connection, etc.), devices, services and the risks to which our organization is exposed.
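To make the first and third principles concrete, here is a small policy decision point, written for this article as an added example (not code from NIST or from any of the vendors cited): every request is re-evaluated against the context signals the text lists (privileges, device state, place and time of connection, age of the session), so that a session that was legitimate a few minutes ago is denied as soon as its context changes. All class, field and policy names are this example's own assumptions.

```python
from dataclasses import dataclass

# Signals the article says a Zero Trust organisation collects about each
# request: identity and privileges, device state, place and time of connection.
@dataclass(frozen=True)
class RequestContext:
    user: str
    roles: frozenset
    device_compliant: bool
    country: str
    hour_utc: int
    session_age_min: int   # minutes since the last strong authentication

# Hypothetical per-resource policy (names are this example's own).
@dataclass(frozen=True)
class ResourcePolicy:
    resource: str
    required_role: str
    allowed_countries: frozenset
    allowed_hours: range            # usual connection hours, UTC
    max_session_age_min: int        # force re-verification after this

def evaluate(ctx: RequestContext, policy: ResourcePolicy) -> tuple[bool, list[str]]:
    """Policy decision point: every request is checked against all signals.
    Returns (allowed, reasons); an empty reasons list means allowed."""
    reasons = []
    if policy.required_role not in ctx.roles:
        reasons.append("missing role " + policy.required_role)
    if not ctx.device_compliant:
        reasons.append("device not compliant")
    if ctx.country not in policy.allowed_countries:
        reasons.append("connection from unexpected country " + ctx.country)
    if ctx.hour_utc not in policy.allowed_hours:
        reasons.append("connection outside usual hours")
    if ctx.session_age_min > policy.max_session_age_min:
        reasons.append("session too old, re-authentication required")
    return (not reasons, reasons)

# Constructed sample: the same user and session, two requests minutes apart.
PAYROLL = ResourcePolicy("payroll-db", "finance", frozenset({"IT"}), range(7, 20), 60)
FIRST = RequestContext("anna", frozenset({"finance"}), True, "IT", 9, 5)
# Later the endpoint agent reports the device as non-compliant and the
# connection arrives from another country: a perimeter model would still
# honour the earlier login; a Zero Trust decision point denies the request.
LATER = RequestContext("anna", frozenset({"finance"}), False, "RO", 9, 45)

def demo():
    return evaluate(FIRST, PAYROLL), evaluate(LATER, PAYROLL)
```

Each denial carries the reasons, which is exactly the context data the third principle asks to collect for an accurate response.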

As you can guess, this is not an easy job, but given the current level of risk, it is probably necessary. 

The transition to a "Zero Trust" organization is not easy as it impacts the way people work and therefore can cause natural resistance to change, which is why the task of a CISO becomes even more complex at least in the phases of project definition and more generally in the first application phases.

In some markets, this could mean companies need to anticipate an increase in consultancy fees in the immediate term.

On closer inspection, the Zero Trust principle should also be applied at the level of software development and of the interaction between the different components of an infrastructure. In fact, many attacks rely on the absence or weakness of authentication tools and of continuous integrity verification between the different modules. The Zero Trust model applies both at the micro level (hardware, operating system, software components ...) and at the macro level (interaction between systems, business organization ...).

In general, for the success of such a program, internal communication and the ability to support user needs but above all internal staff training are extremely important, both to raise the level of awareness of cyber risks, and to minimize resistance to change. 

NIST 800-207 is the reference framework, as we have said, but of course the main security vendors each have their own interpretation of the "Zero Trust" concept, which often refers to their own products.

This means, as always, a risk of vendor lock-in, which must be carefully evaluated before implementing any program, but this is always the case.

Alessandro Rugolo, Maurizio D'Amato, Giorgio Giacinto

To learn more:

What is Zero Trust Security? Principles of the Zero Trust Model (crowdstrike.com)

What is Zero Trust? | IBM

Zero Trust Model - Modern Security Architecture | Microsoft Security

Defining Zero Trust in the Wake of the Biden Administration's Cybersecurity Executive Order | Forcepoint

Executive Order on Improving the Nation's Cybersecurity - The White House

Universal ZTNA is Fundamental to Your Zero Trust Strategy | SecurityWeek.Com