#107: Security Briefing - Introducing Zero Trust

Continuing my mini-series on security, I introduce Zero Trust.

The traditional approach of security at the border is not longer enough in the modern IT world. Unlike the good citizens of Troy, you should "never trust, always verify" - you should have Zero Trust.

Or listen at:

Published: Wed, 03 Nov 2021 17:10:23 GMT

Transcript

Hello, and welcome back to the Better ROI from software development podcast.

In this episode, I'm going to continue one of my security briefings - in this episode, I want to introduce the concept of Zero Trust.

Traditionally, computer security has focussed on boundaries. We've largely put a boundary around our IT systems and focussed our efforts there - very much like putting a wall around a castle.

Traditionally, we've not really been looking at the granularity enough to really protect the resources within those boundaries.

Zero Trust is a recognition, and the growing recognition, that we need to do more, that we need to be looking at protecting within the boundary.

As with all things technology, it moves, we've been expanding the boundaries and blurring the lines on our boundaries for many years now with the introduction of cloud VPNs, remote working, collaboration with other organisations, Internet of Things, bring your own device policies. All of these activities have helped IT And the businesses thrive, but they've also blurred those boundaries, making it much more difficult to protect against, especially using our historic and traditional thinking about putting things in a boundary and protecting the boundary only.

For example, ten years into the Greek siege of Troy, the Greeks provided the Trojans with a gift. They gave them the Trojan horse, a large wooden horse.

It was taken by the people of Troy as a sign of victory. They took it inside their walls. It was their way of saying we have stood against the Greeks for 10 years and we have prevailed.

Later that night, the Greek forces in the horse open the gates for the rest of the army.

Troy fell that night.

Much of our traditional security thinking has been much the same. We're protecting the border - the walls and the gates of Troy in this instance. We focus all our efforts on making sure that the invaders, the Greeks, cannot get through the wall and the gates. However, once the Greek forces are inside the walls, what happens then?

Well, in this instance, Troy fell.

And most of our technical systems, most of our IT Systems, once a hacker is within the security boundary, the same happens there as well.

The Zero Trust initiative, however, would have us thinking differently. Zero Trust asks us to start with assuming breach and assuming least privilege.

So in this example, even if the horse was inside, the Greek force inside would still be unable to do anything because there are protections not just at the walls, but everywhere within the city.

There would be security stopping the movement of people through streets, between houses, between various locations within that protected boundary.

The guards of Troy will assume breach, thus not just protect the outside, but assume there's a possibility that somebody will be inside those gates inside those walls and protect as appropriate.

They will implement least privileged to make sure that people walking around in the middle of the night with spears and shields are where they're meant to be. Especially if they're dressed as Greek soldiers.

Wikipedia describes zero trust as:.

"The zero trust security model ... describes an approach to the design and implementation of IT systems. The main concept behind zero trust is “never trust, always verify,” which means that devices should not be trusted by default, even if they are connected to a managed corporate network such as the corporate LAN and even if they were previously verified."

"The once traditional approach of trusting devices within a notional corporate perimeter, or devices connected to it via a VPN, makes less sense in such highly diverse and distributed environments. Instead, the zero trust approach advocates mutual authentication, including checking the identity and integrity of devices without respect to location, and providing access to applications and services based on the confidence of device identity and device health in combination with user authentication"

So going back to Troy; this is posting guards at every corner, posting guards at every doorway, every street corner, every major thoroughfare. And they will be checking people as they walk through to make sure that they're correct and doing what is allowed.

I refer you back to my comments in last week's episode about convenience is the enemy of security.

I should probably point out that zero trust is a major undertaking.

It will be something that will have to go to the heart of how your data moves and is stored within your organisation. It is fundamental to how your IT systems communicate and are used.

In setting up, there are five main steps:.

One; audit what is to be protected - your data, your applications.

Two; audit the data flow within your organisations. So what's actually happening with that data? Where should it go from and to what application should be using it?

Three; design and implement a zero trust architecture. Now, you are likely to need new hardware and software for your network for this. You'll need to provide segregation & inspection through that hardware and software - the equivalent of putting those guards on walls in place in the city of Troy.

Four; develop the policies of what is allowed. So what will the guards allow? And this can be based on:.

  • Who it is - Can we confirm the identity,
  • What they are trying to access? Are they permitted to access that?
  • When are they doing it? Are they allowed outside of office hours, for example?
  • Where are they? Do they have to be in a known physical location, may maybe the head office.
  • Why are they trying to access it? Are they going to read it or do they plan to update it? Do they plan to delete it?
  • And how are they doing it? Is it a trusted application they're using on a trusted device?

Five monitor and maintain the network based on how it is used and adapt it accordingly to how your organisation needs to behave.

Putting this in place gives us real time threat prevention and detection.

In Troy, it would have meant the city guards would have been alerted to the attack as soon as the Greek soldiers came out of the Trojan horse. It means they would have been able to react and isolate the Trojan horse. They would have been able to isolate and stop the Greek force from making it to the gates and open it for the entire rest of the Greek army.

The city of Troy would have stood.

So this might seem like a lot of work to you, and it probably is, so why would you want to do it?

And to be honest, it goes back to what I talked about in episode 103. It's the dangers of being attacked, of being compromised, the costs involved, the reputational damage, and, as a business leader, your own career.

More and more business leaders are being pulled up and being held to account for data breaches. And I think that's correct, because it has to be seen that it is a priority, that we are protecting customer data, our intellectual property, that reputational cost, that ability for people to trust our organisation.

This should be critical to leaders and owners of any organisation.

In this episode, I wanted to introduce Zero Trust as a direction of flight for changes in the security industry in terms of different ways of thinking. So rather than thinking in the traditional boundary protection, thinking much more granular and making sure that we're assuming that portions of our systems could be compromised, such as the gates of Troy. But then to stop any further egress. Making sure that we are able to protect our internal systems, making sure that just because a hacker has managed to breach one system, they haven't got access to everything.

We must remember we are in changing environments. Our organisations must become more technically adapt. We must use much more technology to be able to keep up in the modern environment. That technology must be more diverse and we need the security to keep up with that.

Thank you for taking the time to listen to this episode, and I look forward to speaking to you again next week.