‘Trust nothing’: As breaches mount, a radical approach to cybersecurity gains favor
Four years ago, Lexmark International Inc. was hit with a stubborn computer virus that tied up some members of its cybersecurity team for months. The Kwampirs malware had “run rampant,” said Bryan Willett, Lexmark’s chief information security officer. “We struggled with getting visibility into it, controlling it and getting patches in place” across a network serving more than 8,500 users.
The incident, which even attracted the attention of the FBI at one point, “opened our eyes,” Willett recalled. Like many organizations, Lexmark had people working in offices, out of their homes and at coffee shops around the world. New devices were constantly being added to the network, sometimes without the knowledge of the information technology organization.
Clamping down on employees wasn’t an option, since competition for skills and the pace of a global business demanded a malleable IT infrastructure that adapted to the way people wanted to use it. But providing that flexibility within the context of a traditional approach to cybersecurity could open the door to a potentially catastrophic breach.
Lexmark decided go all in on an entirely different approach to cybersecurity called zero trust. Over a two-year period, the company completely overhauled the way it handles access to its network around the notion that no user or device can be trusted.
Every file request, database query and print command must be checked to be sure it comes from a user with the correct privileges. Every new device must be registered and validated before it can join the network. Every user who attempts to log in is presumed to be hostile until proven otherwise. There are no assumptions and no exceptions.
The approach sounds a bit Orwellian, but the paradox of zero trust is that, when done right, it ultimately liberates users from many of the restrictions of more mainstream approaches to cybersecurity, provided they buy into the concept. And early adopters also say it dramatically improves defenses.
Zero trust is arguably the hottest topic in enterprise security right now. As the annual RSA Conference convenes this week in San Francisco, the subject is again prominent on the agenda after headlining a dozen sessions last year.
The basic concept of zero trust is simple: Assume nothing and no one can be trusted. The concept isn’t new, having been first floated by a Forrester Research Inc. analyst a decade ago and used in some firewalls years before that. But until recently, the technology to make zero-trust security practical has been too immature and the disruption too risky for most organizations to consider.
Those attitudes are changing, though, thanks to the ever-increasing drumbeat of data breaches (2019 is expected to be the worst year on record for the number of records exposed), combined with a major endorsement of zero-trust principles by Google LLC. “It’s become the topic du jour in security,” said Garrett Bekker, principal analyst in the information security practice at 451 Research LLC.
“Zero trust has tremendous promise because it ultimately requires earning the trust of users, end point devices and enterprise applications instead of blindly granting access without consideration to the current threat landscape,” said Tina Thorstenson, CISO and deputy chief information officer for IT governance, policy and information security at Arizona State University, which is investing in zero trust as part of a campus-wide network overhaul. “This is an entirely new way of thinking about security.”
John Grady, a security analyst at The Enterprise Strategy Group Inc., agreed: “It really is a game-changer. It’s something every organization should be looking at.”
Where there’s a will
Current adoption levels are still low, but intentions are high. A recent survey by Pulse Secure LLC found that only 4% of enterprises have fully embraced zero trust but 69% plan to do so in the future, with nearly half of those planning rollouts within the next 12 months. 451 Research’s Voice of the Enterprise survey last summer put adoption at around 13%, Bekker said.
As with many hot new technology concepts, zero trust has been seized upon by companies eager to sell packaged solutions. The result has been some definitional confusion as well as misconceptions about how much cost and effort is involved in converting to a completely new cybersecurity model.
Early adopters say the technology expenses are modest, but the labor costs aren’t, particularly when it comes to convincing users that zero trust is a good idea. But you have to make the investment. “If the users get lost in this process, it’s going to fail,” said Lexmark’s Willett.
Zero trust is more a philosophy than a technology. In fact, many of the necessary tools – such as multifactor authentication, identity management, network segmentation and IT asset management – already exist in most large organizations. The tricky part is discovering and cataloging all the information assets a company has, classifying them according to sensitivity, applying automation and identity controls to protect them and dealing with exceptions on a timely basis.
There’s also a huge cultural component to consider. Zero trust requires users to get on board with the idea that security is everyone’s responsibility and that enduring a little short-term inconvenience pays off in improved resiliency and ultimately a better user experience. Gaining executive buy-in and user trust at the outset is critical because everyone will be affected. “It was important to build the trust of the user base, so they didn’t view the project as IT security clamping down on them,” said Lexmark’s Willett.
Why is zero trust such a game-changer? IT cybersecurity measures have traditionally been based on protecting perimeters, a strategy that dates to the Middle Ages. The thinking is that building moats and walls around castles keeps hostile forces at bay. Anyone outside the wall is presumed to be an adversary and anyone inside is friendly. “Early firewalls with stateful inspection were transparent and would let all the traffic through and then try to filter out the bad stuff,” said 451 Research’s Bekker.
That idea works fine if perimeters hold, but that isn’t the case anymore. One employee clicking on a link in an innocent-looking email can fling open the gates to intruders who, once they enter, may lurk inside the walls for months or years as they siphon away information. Studies have shown that many enterprises have hundreds of thousands of sensitive documents with misconfigured file permissions that essentially leave them open for all to see. The lateral movement that perimeter strategies permit has become the bane of cybersecurity organizations and is behind many of the largest breaches.
“You can’t just have broad data access anymore,” said Joseph Doyle, director of workplace technologies at Rubrik Inc., which is currently implementing zero trust companywide.
The profusion of devices and access points introduced by coffee shop Wi-Fi and smart phones has made perimeters hard even to define, much less defend. “You’ve got a contract employee accessing a [software-as-a-service] app from a Starbucks. At no point are they touching corporate resources,” Bekker said.
Another weakness of perimeter defense is that it requires rigorous attention to detail, since even one small hole can have far-reaching consequences. Breaches such as those at Equifax Inc. and Capital One Financial Corp. happened because attackers exploited seemingly minor human errors.
In short, security is based on trust, and the trust equation behind perimeter defenses is broken. CISOs are acknowledging that “trust is itself a vulnerability,” said Andrew MacMillen, a security researcher at Nucleus Research Inc.
Zero trust is a 180-degree pivot from perimeter protection: It assumes that the bad guys have already breached the perimeter and attempts to shut down their opportunities to do any further damage. That means that even a device or user that appears legitimate must provide evidence of trust before access to important information or services is permitted.
“It’s a set of principles that says we aren’t going to differentiate between insiders and outsiders,” said Baber Amin, chief technology officer west at Ping Identity Corp., a provider of zero-trust technology.
Amin draws an analogy to an airport. “You buy a ticket, which is a credential. You then exchange if for a boarding pass, which is a different credential,” he said. “Then you have to present a government-issued ID to gain access to another area. But you still don’t have carte blanche to go wherever you please without another form of authentication.”
Zero trust does the same thing with information, segmenting data and applications into buckets that each have their own permissions. Having logged on to the network, a user might be able to review benefits information and browse the cafeteria menu, but if she wants to peek at pay grades, she needs to present another credential. The burden of proof shifts from the device to the user. “Instead of looking at whether you’re in the office or connecting to a particular [virtual private network]. the emphasis is on who you are and what you have access to,” said Rubrik’s Doyle.
The upshot, say Ping Identity’s Amin: “Every network packet is considered hostile.”
If that doesn’t sound very friendly, it isn’t, but people on the front lines of the cybersecurity war are increasingly coming to the conclusion that it’s the only way. “The number of cybersecurity vendors has quadrupled over the last 20 years, but you don’t see any fewer breaches,” Bekker said. “What we’re doing isn’t working, so we have to do something else.”
Lexmark settled on three tiers of data classification and three tiers of network segmentation, Willett said. Critical assets such as source code repositories are guarded most closely. General business applications carry less-stringent authentication measures and office productivity and web browsing the least.
Microsoft Corp.’s Azure Active Directory is integrated with business applications to enable users to move around without constantly having to re-authenticate. Permissions are granted automatically by policies. “The source of truth for all identities is our human resource system,” Willett said. “When an employee is onboarded, it triggers a process that gives them an ID and specifies which apps they can access.”
The potential for short-term disruption is huge, but the reality is that the impact on users is minimal after the organization cuts over to zero trust provided it has the right tools in place. Identity management systems and directory services can now recognize users and attach digital tokens that follow them around to permit access to data and applications across both on-premises and cloud platforms, a property known as single sign-on.
In fact, experts say, the ultimate outcome should be more convenience for everyone. Zero trust is “more restrictive in terms of moving responsibility to the users, but in a lot of ways it’s less restrictive because it allows them to choose what network to work from and what device to use,” said Rubrik’s Doyle. For a company such as Rubrik, which must constantly recruit scarce technical professionals, freedom from rigid perimeter requirements is an employee benefit. “The users were demanding it, honestly,” he said.
What you must have
Trepidation in many organizations stems in part from concerns about whether they’re up to the major procedural shifts zero trust demands. There are also the cultural challenges of implementing a broad new set of cybersecurity procedures across a large and skeptical user population. Pulse Secure reported that 47% of the 400 enterprise security professionals it surveyed said their teams lack confidence in their ability to provide zero trust.
There are good reasons for concern. Experts agree that there’s no going back once an organization commits to this new philosophy. “Zero trust is an all-or-nothing mindset that must be incrementally introduced into your environment starting with the services that are most essential to your organization,” Thorstenson said.
In ASU’s case, that means core administrative and communications systems are cutting over first, followed quickly by systems that support the teaching and learning environment. “These systems tend to be required 24/7 and also house significant amounts of sensitive data,” Thorstenson said.
There are a few foundational components to any zero-trust strategy. One is multifactor authentication, which goes beyond passwords to limit access to the network until a user presents a supplemental proof of identity such as a hardware token or secret code sent to a cell phone. MFA is simple to implement and is considered one of the most effective cybersecurity measures an organization can put in place, yet an ESG study last year found that fewer than half of enterprises use it.
A second requirement is identity management software that federates user identities across on-premises and cloud platforms so they don’t have to re-authenticate constantly. A host of commercial and even open-source options is available. “At the end of the day, your end users are the biggest risk to your environment,” said Rubrik’s Doyle.A third necessity is microsegmentation, a classification discipline that isolates workloads and data from each other so access can be controlled at a granular level. Although microsegmentation is easy to administer in a software-defined network, finding and classifying the necessary applications and data can be overwhelming for some organizations. “You may end up having 25 or 30 elements to focus on and within each one is factors like domain and whether it’s in the cloud or on-prem,” said ESG’s Grady.
Although software-defined networking isn’t technically required, experts say it’s strongly recommended. Fortunately, most organizations are headed that way. A Verizon Communications Inc. study last year found that while just 15% of respondents’ companies had implemented SDN, 57% expected to do so within two years.
While organizations lay the technical foundation, practitioners advise investing in advanced technology such as machine learning that can boost their security profiles over time. Rubrik is using predictive authentication methods that learn individual users’ access patterns and adapt to their needs, reducing friction. “Everyone wants to get in on the cool new thing, so it’s hasn’t been too hard to get people on board,” he said.
Take your time
Early adopters say the biggest investment zero trust requires is time, both to find and classify resources and to convince users that it’s a better approach. Lexmark’s IT organization spent months explaining why default administrative rights were being revoked on personal computers as part of a Windows 10 upgrade and why people would now have to register devices before connecting them to the network.
CISO Willett’s solution was to talk – a lot. “I’ve taken any forum where I can get in front of users and explain the risk and what we need of them,” he said. “It comes down to their understanding that anything they can do, an attacker can do as well.”
Lexmark leavened the short-term inconvenience with transparency. The security group set up an asset tracking dashboard where users can monitor the status of devices they want to register on the network. It also created a service ticketing process that resolves most requests for permission changes within 24 hours.
IT leaders got commitment from top executives and moved quickly with a multistage program that completed the bulk of the work within a year. “If we slow-roll things, we end up with more technical debt than if we just get it out there,” Willett said, referring to the phenomenon of choosing easy solutions that cause more headaches in the long term.
So far, the ends have justified the means. The company’s security readiness score as measured by BitSight Technologies Inc., an independent security ratings service, has jumped from 550 to 750 on a 900-point scale. Just as important: Users have bought in and complaints about new procedures have been few.
For an enterprise-wide initiative in which the ultimate goal is for nothing to happen, that’s about the best you can hope for.
Image: Wikimedia Commons
A message from John Furrier, co-founder of SiliconANGLE:
Show your support for our mission by joining our Cube Club and Cube Event Community of experts. Join the community that includes Amazon Web Services and Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger and many more luminaries and experts.
We really want to hear from you, and we’re looking forward to seeing you at the event and in theCUBE Club.