Zero Trust – A Verb, Not a Noun

Mike Fair shares his first-hand experience implementing zero trust, warning it will not be an easy journey but the benefits to security are well worth it.

I see so many people reference zero trust as a product, something that you achieve simply by plugging it into a network or installing it on a computer, but it is, in fact, quite the contrary. Zero trust is an action, a process in which you deny everything by default and only give access to what is needed. Unlike traditional methods, zero trust combines user authentication with machine authentication and can apply dynamic policies based on user, device posture, or even geographic location.

One of my favorite movies in the past few years is “Ready Player One,” and there’s a scene in the movie that reminds me of what it means to lack any sort of zero trust. Without spoiling too much of the movie, it involves a virtual game of car racing where the objective is to be the first to cross the finish line. Unfortunately for the game participants, there are many things like a T. rex or King Kong that stand in the way, making it impossible for anyone to finish the race. However, through a backdoor (pun intended for those who’ve seen the movie), the main character and some of his pals are able to bypass those controls (see what I did there?) and eventually complete the race successfully.

The game’s objective was to prevent anyone from completing the race. We know that’s not possible in real life. So, we use traditional user-based access controls on the surface to restrict users to the specific resources they need. However, underneath, other things like their computer or IP address have access to all sorts of resources that, if put into the wrong hands, could result in significant damage. It is through this mechanism that some of the biggest threats, like ransomware, flourish.

Achieving Zero Trust

So, if zero trust isn’t something you can install, how do you achieve it, and what are some of the things you need to consider when applying this process?

When you land on a product that enables you to achieve zero trust, whether it be a Secure Access Service Edge (SASE), endpoint technology, or next-generation firewall, you need to fully understand your environment before you begin to apply your policies and turn the screws. It’s that act of screw turning, whether tightening or loosening, that achieves zero trust, not the product itself. Zero trust is a culture change, and if you dive into zero trust full force, you’re going to break things and upset a lot of people.

There are a lot of things, especially in the IT administration space, that fly in the face of zero trust. For instance, pinging a device, a common IT practice that many of us use to test the reachability of something, is no longer possible when the environment denies by default and combines user and machine authentication. NSLookup is another great example of a process that fails when zero trust is applied. As you move along your zero-trust journey, you need to be willing to take small steps or, prior to implementing any policies, build viable alternatives to processes that rely on some element of trust and educate people on them.

I’m not going to lie; it’s a lot of work. Do not let any vendor tell you it’s easy. Zero-trust initiatives can be multi-year journeys if your shop is big enough. You’re going to run into a lot of bad habits and legacy processes that require remediation, such as running batch schedules or production reporting from utilities on an individual workstation, over-reliance on remote desktop (think of your helpdesk here), connecting to IP addresses instead of fully qualified domain names (FQDNs), and the way everything these days seems to want to use Port 22 or SSH or SFTP to communicate. All of these layer three activities have to be considered when you begin your zero-trust journey, and they all take time to address.
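The deny-by-default decision described earlier (user plus machine authentication, device posture, location), run as a report-only pass over connection records to show which habits from the list above would break before anything is enforced. This is an added example, not code from the article or from any product; the rule format, field names, reason strings and the idea of a report-only pass are assumptions, and the sample records are constructed.

```python
from collections import Counter
from ipaddress import ip_address

# Hypothetical allow rules; anything they do not match is denied.
RULES = [
    {"group": "helpdesk", "dest": "tickets.corp.example", "port": 443, "countries": {"US"}},
    {"group": "dba", "dest": "db01.corp.example", "port": 5432, "countries": {"US", "CA"}},
]

def is_ip_literal(dest):
    try:
        ip_address(dest)
        return True
    except ValueError:
        return False

def decide(req):
    """Return (allowed, reason). Every path that is not an explicit match denies."""
    if not req["user"]:
        return False, "no authenticated user"
    if not req["device_ok"]:
        return False, "device not authenticated"
    if not req["posture_ok"]:
        return False, "device posture failed"
    if is_ip_literal(req["dest"]):
        return False, "IP literal destination, rules are per FQDN"
    for rule in RULES:
        if (rule["group"] in req["groups"] and rule["dest"] == req["dest"]
                and rule["port"] == req["port"] and req["country"] in rule["countries"]):
            return True, "matched allow rule"
    return False, "default deny"

def audit(requests):
    """Report-only pass: tally what enforcement would decide, by reason."""
    return Counter(decide(r)[1] for r in requests)

def rec(user, groups, dest, port, country="US", device_ok=True, posture_ok=True):
    return dict(user=user, groups=groups, dest=dest, port=port, country=country,
                device_ok=device_ok, posture_ok=posture_ok)

# Constructed sample records, not real traffic.
SAMPLE = [
    rec("ana", ["helpdesk"], "tickets.corp.example", 443),
    rec(None, [], "db01.corp.example", None),               # ping, no user session
    rec("ana", ["helpdesk"], "10.0.4.7", 22),               # SSH to an IP address
    rec("ana", ["helpdesk"], "ws-114.corp.example", 3389),  # remote desktop
    rec("raj", ["dba"], "db01.corp.example", 5432, posture_ok=False),
    rec("raj", ["dba"], "db01.corp.example", 5432, country="FR"),
]

if __name__ == "__main__":
    for reason, count in audit(SAMPLE).most_common():
        print(f"{count:2d}  {reason}")
```

Each denied reason in the tally points at a process that needs an alternative, or a rule that needs writing, before the policy is switched from reporting to enforcing.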

Finally, in most cases, zero trust is not an absolute. There will still be some residual risk, no matter to what extent you apply zero trust. People, including your third parties, will still need access, and you’re going to have to make accommodations. For instance, not every environment will have identities that fit your zero-trust model. Without a bona fide PAM solution that is widely adopted, service accounts, application IDs, and other non-user accounts are going to be challenging to restrict. Based on the operational risk appetite of your company, you may also allow certain users, like your network administrators and their devices, unfettered access to the entire network. I’m not saying that’s ideal, but those are some of the battles you will face when you begin to take action. Speaking of network administrators, while zero-trust products can help reduce the need for firewalls, you still need them, so determining when and where you need them is something you want to flesh out before you begin your journey.

Is Zero Trust Worth It?

So, if you never really achieve zero trust, and it’s a lot of work, and takes time, why do it?

Life is complicated and so is technology; however, the efforts toward zero trust can be well worth it. For instance, many companies are now hybrid, and if you leverage a SASE, you can extend your acceptable use policies (AUPs), like URL filtering, as if people were sitting in the office. Those policies will always be on and will follow the user and their machine wherever they go; and as mentioned before, those policies can be dynamic, tailoring the access control to the specific situation the user is in at that time.

In some zero-trust solutions, devices never lose their connectivity, so managing them remotely also becomes much easier. You no longer need to ask the user to log in to the VPN to receive a security patch, install software, or reset their laptop password (which they wouldn’t be able to do if they weren’t connected to the network, nor could you if you couldn’t reach them). With these types of technologies, the office extends to the user, not the other way around.

Ultimately, following a zero-trust mindset can reduce risk in case an incident like ransomware does occur. The cleanup and impact to your business can be far less than the cost and effort of your zero-trust journey.

Finally, your efforts can enable you to take on more risk, such as allowing personal devices access to internal resources you may have otherwise prohibited in the past. This can lead to cost savings in computer equipment and software licensing required to manage those devices, including less network gear.

While zero trust isn’t 100% achievable, it’s the modern way of thinking, and technologies are starting to embrace that not everything needs to see or talk to one another. Perimeter defenses are also eroding, and more of the business is becoming a conglomeration of third parties helping us to achieve our objectives. There is also more work being conducted at home, or in other locations than in the office, and there is also an increasing sense of entitlement when it comes to using devices based on preference. Given all these changes to the working landscape, denying by default and combining user authentication with machine authentication seems to be the best approach toward enabling your business and protecting your data and systems. Are you ready to take action?
