Over the last few years, zero trust has become the latest buzzword in the security industry, right up there with digital transformation and shift left. For many, zero trust is seen as a marketing ploy, designed to sell yet another product. For others, zero trust is an abstract ideal with no clear implementation path.
In a practical sense, zero-trust architecture is a set of cybersecurity capabilities, updated policies and practices that let a company limit the blast radius of any incident within its environment. A zero-trust framework starts from the assumption that a breach is inevitable and designs the environment to be resilient: able to withstand an attack because user access controls and data and network security policies restrict lateral movement and limit the damage any single compromise can do.
Zero trust is undoubtedly a complex topic, but it is one worth exploring. In this post, we lay out some of the key elements of zero trust, as defined by organizations such as Forrester, NIST, and Gartner, to provide a starting point for retail and hospitality companies just beginning their zero-trust journey.
Zero Trust: Forrester Definition
“Zero trust” was first introduced into the security lexicon by Forrester in 2010 to describe the idea that organizations should not implicitly trust any entity, even one inside their own perimeter. The term was new, but the concept behind it was not. Practitioners had been pointing out the shortcomings of perimeter-based security for years as networks were opened up to partners, remote workers and outsourced services. In 2004, the Jericho Forum was founded to promote an alternative framework, “deperimeterization.”
Forum member Paul Simmonds’ ’04 presentation reads like an early primer for zero trust, declaring the perimeter method of security unsustainable and introducing deperimeterization as a solution, with the end goal of data-level authentication, where data will “only operate in validated secure environments by authorized people.”
Today, Forrester’s definition of zero trust is not far from that early vision. Their recent blog post presents their current definition of modern zero trust as “an information security model that denies access to applications and data by default.” The two important takeaways from that definition are:
- Zero trust is an information security model: Zero trust is a framework, an approach to security, as opposed to a product you can buy off the shelf. There are solutions and features of products that help achieve the principles of zero trust, but you can’t just buy “zero trust.”
- Denies access by default: Fifteen years ago, it was assumed that anyone within your network perimeter was trusted, and anyone on the outside was not. Now with the cloud and remote work, that strategy doesn’t work. So, to be safe, we start by denying access by default and granting access only to entities that meet the criteria we provide.
So how do we do that? In August 2020, the National Institute of Standards and Technology (NIST) released Special Publication (SP) 800-207, Zero Trust Architecture, which defines zero trust and zero-trust architecture and provides a road map for zero-trust implementation.
NIST Zero-Trust Tenets
NIST defines zero-trust architecture as: “an enterprise’s cybersecurity plan that utilizes zero-trust concepts and encompasses component relationships, workflow planning, and access policies.”
Think of “zero trust” as the core strategy and “zero-trust architecture” as the plan developed with zero-trust principles in order to achieve that core strategy. Once you deploy the plan, you have what you could describe as a “zero-trust environment.”
Section 2.1 of the NIST Special Publication provides a list of seven tenets that a zero-trust architecture should adhere to.
- All data sources and computing services are considered resources.
- All communication is secured regardless of network location.
- Access to individual enterprise resources is granted on a per-session basis.
- Access to resources is determined by dynamic policy — including the observable state of client identity, application/service, and the requesting asset — and may include other behavioral and environmental attributes.
- The enterprise monitors and measures the integrity and security posture of all owned and associated assets.
- All resource authentication and authorization are dynamic and strictly enforced before access is allowed.
- The enterprise collects as much information as possible about the current state of assets, network infrastructure, and communications and uses it to improve its security posture.
NIST summarizes the goal of the zero-trust architecture as “prevent unauthorized access to data and services coupled with making the access control enforcement as granular as possible.”
Least Privilege and Microsegmentation
Least privilege and microsegmentation are two more terms you’ll commonly hear thrown around with zero trust. They’re essentially techniques for achieving the zero-trust tenets.
Least privilege means granting access only to the resources absolutely necessary to perform the operation that the user (human or non-human) is charged with, and only to the specific actions that operation requires. It also puts time limits on how long that access lasts, so a grant expires rather than persisting indefinitely. This keeps a compromised account or device from reaching the entirety of an organization’s network, working to accomplish the “prevent unauthorized access to data” piece NIST describes.
Least privilege is hard to enforce at the network level without some degree of microsegmentation. Microsegmentation means dividing your network into granular zones and defining security controls for each of those small regions, so that a workload in one zone cannot talk to another unless a policy explicitly allows it. With microsegmentation and least privilege together, you control who has access to what at the most granular level (again achieving a piece of NIST’s zero-trust architecture definition).
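To make the NIST tenets and the least-privilege/microsegmentation discussion concrete, here is a small policy decision point written for this post as an added example (not code from NIST, Forrester or any ZTNA product). It denies by default, decides each request from identity, device posture and the resource's segment (tenets 3, 4 and 6), issues time-boxed per-session grants scoped to one resource and action, and records every decision (tenet 7). All roles, segments, device attributes and thresholds are hypothetical.

```python
"""Added example: a toy zero-trust policy decision point (PDP).

Roles, segments, posture thresholds and session lifetime below are
hypothetical values chosen for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional


@dataclass(frozen=True)
class Subject:
    user: str
    roles: frozenset
    mfa_verified: bool


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool          # enrolled with the endpoint agent / MDM
    disk_encrypted: bool
    patch_age_days: int    # days since the last OS patch was applied


@dataclass(frozen=True)
class Resource:
    name: str
    segment: str           # the microsegment (zone) the resource lives in


# Least-privilege policy (hypothetical): role -> {(segment, action)}.
# Anything not listed here is denied; there is no "allow all" rule.
POLICY = {
    "pos-support": {("store-pos", "read"), ("store-pos", "restart")},
    "payments-analyst": {("cardholder-data", "read")},
    "web-dev": {("ecom-web", "read"), ("ecom-web", "deploy")},
}

# Per-segment device posture requirements (hypothetical thresholds).
SEGMENT_MAX_PATCH_AGE_DAYS = {"cardholder-data": 7, "store-pos": 30, "ecom-web": 30}
SESSION_TTL = timedelta(minutes=30)


@dataclass
class Session:
    subject: Subject
    device: Device
    resource: Resource
    action: str
    expires_at: datetime


class PolicyDecisionPoint:
    def __init__(self, clock: Optional[Callable[[], datetime]] = None):
        # Injectable clock so session expiry can be exercised deterministically.
        self.clock = clock or (lambda: datetime.now(timezone.utc))
        self.audit = []  # tenet 7: keep the evidence behind every decision

    def evaluate(self, subject, device, resource, action):
        """Return (allowed, reasons). Each failed check adds a reason; an empty
        reason list is the only way to reach 'allow' (deny by default)."""
        reasons = []
        if not subject.mfa_verified:
            reasons.append("mfa-not-verified")
        if not (device.managed and device.disk_encrypted):
            reasons.append("device-unmanaged-or-unencrypted")
        max_age = SEGMENT_MAX_PATCH_AGE_DAYS.get(resource.segment)
        if max_age is None:
            reasons.append("unknown-segment")          # unknown zone => deny
        elif device.patch_age_days > max_age:
            reasons.append("device-patch-age-exceeded")
        granted = set().union(*(POLICY.get(r, set()) for r in subject.roles))
        if (resource.segment, action) not in granted:
            reasons.append("no-role-grants-action-in-segment")
        allowed = not reasons
        self.audit.append((self.clock().isoformat(), subject.user, device.device_id,
                           resource.name, action, allowed, tuple(reasons)))
        return allowed, reasons

    def open_session(self, subject, device, resource, action):
        """Per-session grant (tenet 3): scoped to one resource/action, time-boxed."""
        allowed, _ = self.evaluate(subject, device, resource, action)
        if not allowed:
            return None
        return Session(subject, device, resource, action, self.clock() + SESSION_TTL)

    def enforce(self, session, resource, action):
        """Policy enforcement point check applied to every request in a session."""
        if self.clock() >= session.expires_at:
            return False, "session-expired"
        if resource != session.resource or action != session.action:
            return False, "outside-session-scope"   # blocks lateral movement
        return True, "ok"


if __name__ == "__main__":
    pdp = PolicyDecisionPoint()
    alice = Subject("alice", frozenset({"pos-support"}), mfa_verified=True)
    laptop = Device("LT-0042", managed=True, disk_encrypted=True, patch_age_days=3)
    pos = Resource("pos-terminal-17", "store-pos")
    vault = Resource("card-vault", "cardholder-data")
    print(pdp.evaluate(alice, laptop, pos, "restart"))  # (True, [])
    print(pdp.evaluate(alice, laptop, vault, "read"))   # (False, ['no-role-grants-action-in-segment'])
```

The design choice worth noting is that `evaluate` never short-circuits to "allow": every check can only add a denial reason, so adding a new posture signal later can only tighten access, never loosen it. A real deployment would feed `device` from the endpoint agent's posture report and `subject` from the identity provider's token, and would re-run `evaluate` when either changes rather than only at session open.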
Zero-Trust Network Access
We now have a core strategy (zero trust), a plan to achieve that strategy (zero-trust architecture), and some techniques for carrying out the plan (microsegmentation and least privilege). What remains is technology capable of enforcing these policies.
Zero-trust network access (ZTNA) is a term coined by Gartner to describe the category of products and services that create an “identity-and-context-based, logical access boundary around an application or set of applications.” Zero-trust network access is also commonly used interchangeably with “software-defined perimeter (SDP)”.
Ultimately, ZTNA and SDP products are access-control brokers: they combine user identity (typically from your identity provider, with MFA) with device-specific characteristics to establish that a connection really comes from the intended user on an authorized device. Once the user and device are authenticated, the client establishes an encrypted connection to a gateway in front of the application, commonly using mutual TLS (mTLS) so that the device presents a certificate of its own as well as verifying the gateway’s. Unlike a traditional VPN, which places every authenticated user on the same network, a ZTNA broker creates a connection specific to that user and proxies only the applications the user’s role has been authorized for. The tunnel is encrypted much as a VPN’s is, but the application is otherwise “dark”: users can neither see nor reach anything except the resources they have been granted.
ZTNA tools come in agent-based (endpoint-initiated) and service-based (service-initiated) forms. In the agent-based model, each device runs an agent that reports device attributes to the ZTNA controller so it can verify the device’s posture; if the device passes, its traffic is routed through a gateway rather than reaching the application directly over the internet. In the service-based model there is no endpoint agent: a connector placed next to the application opens an outbound connection to the ZTNA provider’s cloud service, and users reach the application through that service after authenticating with the identity provider (typically via SSO). The practical caveat is that without an agent the service-based model has far less device posture information to act on, so it suits unmanaged devices and browser-based applications better than it suits a fleet you manage.
ZTNA is available as a standalone product, but increasingly it is bundled into secure access service edge (SASE) offerings alongside other cloud-delivered network security services such as secure web gateways, SD-WAN and cloud access security brokers (CASB). The idea behind SASE is a single place to manage the set of technologies that enforce zero-trust access.
What Does this Mean for Retail and Hospitality?
Zero trust was ranked in the top five CISO initiatives in RH-ISAC’s 2021 CISO Benchmark Report. It has also been the topic of recent discussion in the forums on Member Exchange and the focus of a recent CISO call to share best practices for zero-trust implementation.
Zero trust is clearly on the minds of retail and hospitality leadership, and for good reason. It offers valuable benefits, such as limiting a threat actor’s ability to move laterally through your network and reach critical resources. Zero-trust policies can also provide visibility into user behavior, reduce the likelihood of data exfiltration, and enable effective remote work.
Achieving zero trust, however, is not always easy. Many organizations have legacy technology and network architecture that is incompatible with zero-trust principles, requiring significant review of current systems and investment in new solutions. The good news is zero trust doesn’t have to be achieved all at once. Because it is a journey, you can apply some of the tenets of zero trust while you work towards a comprehensive zero-trust environment.
Start by defining the surface you need to protect (the data, applications, assets and services that matter most) and mapping the transaction flows to and from it. A huge part of architecting a zero-trust network is simply understanding how traffic moves, what interdependencies exist, and who needs access to what, so that when the controls are put in place they work and don’t hinder how you do business.
Have questions about zero trust? RH-ISAC’s Member Exchange is the home for discussions among retail and hospitality peers. Not a member? Learn how becoming a part of the RH-ISAC community could benefit you.