Getting Zero Trust Right
At RSI, our priority is to help companies improve their Cyber Risk Management. While a lot of our clients’ attention is focused on our unique Automated Cyber Risk Management solution, powered by CyberCompass, we also help our forward-thinking clients achieve Zero Trust Security through the adoption of our ‘Evolving Trust’ Framework. The purpose of this article is to provide some background on Zero Trust Security, highlight how RSI has re-imagined this strategy, and demonstrate how RSI can help you to adopt true Zero Trust using our Evolving Trust Framework.
A Brief History Lesson
Historically, network security hasn’t changed that much. Corporate networks were designed like a castle, where all users are screened at the gate (firewall) for appropriate credentials. Once a user is allowed access, they are trusted and therefore have access to all the goodies inside. In this model, it's difficult for a user to get into the ‘castle’, but the network is vulnerable to widespread turmoil if malicious users manage to get in. As the IT landscape has evolved into multiple devices per user, remote work policies, and sketchy Starbucks WiFi, the need for a better way of managing users/access has become dire.
Hence, Zero Trust is born. Originally known as ‘Zero Trust Network’ or ‘Zero Trust Architecture’, the idea was created in 2009-2010 by Forrester Research Inc. (specifically John Kindervag). While the concept was clever, it took a few years and a BIG company to provide a proof of concept. Google created an enterprise security model, coining it BeyondCorp, and achieved company-wide adoption of the Zero Trust model using home-grown, in-house tools and technologies. BeyondCorp achieved the previously inconceivable; it enabled every employee to work from untrusted networks without the use of a VPN. Since Zero Trust was only a concept at the time, Google had to create and piece together a variety of technologies. Thankfully, there has since been widespread adoption and a variety of technologies created to help you achieve the same vision as Google, but we’ll get to that.
What is Zero Trust?
I encourage you to read more about Google’s BeyondCorp solution to gain insight into the intricacies, but in a nutshell: the Zero Trust model asserts that organizations should not automatically trust anything or anyone inside or outside their perimeter(s). Instead, access controls are shifted from the network perimeter to individual endpoints/users, and data analytics (e.g. location, time of day, employee credentials, etc.) are used to make meaningful decisions on whether an access request is appropriate. This all adds up to what is called a ‘Trust Score’, and it’s assigned every time a user attempts to log in. Remember the castle analogy above? Think about it like this: Zero Trust micro-segments your castle into a bunch of little castles. You now have the ability to determine which castle(s) your users have access to. If implemented properly, you no longer have to be connected to the corporate network and can work from any internet connection.
The Case for Evolving Trust Security
Early on, RSI understood the value of Zero Trust, especially as businesses increasingly allow remote work, BYOD, and SaaS solutions to accomplish daily tasks. Many companies have moved their most precious data to the cloud and manage an average of 1000 applications at any given time. RSI built a professional services arm to assist companies in understanding the value of this Zero Trust model as well as adopting it without any significant, upfront requirements. In order to accomplish this, we took the Google approach and adopted it ourselves (thankfully we didn’t have to build all the technology from the ground up). This journey allowed us to identify pain points, discern shortcuts from pitfalls, and ultimately develop a framework that adds tremendous value to each of our clients. What’s more, we took the time to look at Zero Trust from a non-traditional lens by including some non-traditional thinkers from our Innovation Center (and its data scientists with their big, beautiful scientific brains). What we identified is a gap in how Zero Trust is discussed, how it is interpreted, and how companies are leveraging the current solutions. RSI took that data and developed our Evolving Trust Framework. The following are some of our biggest takeaways:
1. No One Size Fits All
Arguably the most important point I will stress is that while advertisements show you can “adopt Zero Trust in minutes with our tool”, those marketing gurus are causing companies to put the proverbial cart before the horse. Even with incredible SaaS tools at your disposal, you still have to be extremely familiar with the implementation and all the nuances that stem from the process, such as certificate authority, device discovery, and inherent limitations. This requires members of your organization to take the time to understand Zero Trust, understand the variety of required tools, and figure out a launch strategy that doesn’t cripple your organization. Furthermore, while there are a variety of technical solutions on the market that claim ‘Zero Trust Security’ (e.g. Okta, Duo Security), this is only part of the puzzle. There are more components to the Zero Trust Model than those addressed by these Identity & Access Management (IAM) tools. Without this knowledge and expertise, your Zero Trust strategy will gain zero traction.
2. Easy to Miss the Mark On Execution
Unfortunately, companies tend to fall into the trap of saying “let’s require every user to authenticate in three different ways every time they access any critical application”. Not only does this create a very difficult beast to manage for your IT department, but it also doesn’t even accomplish some of the biggest potential benefits of Zero Trust. This was the #1 reason RSI created the Evolving Trust framework, and the name says it all: we believe in incorporating deep monitoring/data analytics into the entire process so that checks and balances are strategically placed throughout a user’s access journey rather than just at the beginning. For example, when a user authenticates and meets our basic requirements (i.e. correct credentials, an appropriate device, relevant geo-location), we let them in. Next, we monitor those users and what they are trying to access. If they attempt to access any system/data we deem critical, then we require another authentication check. Finally, we keep an eye on the patterns of each user to detect anomalies in what/when/where they are accessing critical applications or data. This allows us to control the narrative for every user, every time, without creating huge inefficiencies in our organization.
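The staged checks described above can be sketched as a single policy decision function. This is an added example, not RSI's Evolving Trust implementation; the resource names, allowed countries, step-up lifetime, baseline fields and the choice to re-check and alert on any anomaly are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical policy values, chosen only for this illustration.
CRITICAL = {"payroll-db", "source-repo"}   # systems/data deemed critical
ALLOWED_COUNTRIES = {"US", "CA"}           # "relevant geo-location"
STEP_UP_TTL = 900                          # seconds an extra auth check stays valid

@dataclass
class Session:
    user: str
    creds_ok: bool
    device_managed: bool
    country: str
    last_step_up: Optional[float] = None   # epoch seconds of the last extra check

@dataclass
class Baseline:
    """What this user normally does, learned from past access logs."""
    hours: set = field(default_factory=set)      # usual hours of day
    resources: set = field(default_factory=set)  # critical resources used before

def admit(s: Session) -> bool:
    """Stage 1: basic requirements checked at login."""
    return s.creds_ok and s.device_managed and s.country in ALLOWED_COUNTRIES

def authorize(s: Session, resource: str, now: float, hour: int, base: Baseline) -> str:
    """Stages 2 and 3: decision made on every request after login."""
    if not admit(s):
        return "deny"
    if resource not in CRITICAL:
        return "allow"                     # no extra friction for routine access
    # Stage 3: compare what/when against the user's own history.
    anomalous = hour not in base.hours or resource not in base.resources
    if anomalous:
        return "step_up_and_alert"         # re-check even if a step-up is still fresh
    fresh = s.last_step_up is not None and now - s.last_step_up <= STEP_UP_TTL
    return "allow" if fresh else "step_up" # Stage 2: extra check for critical access

if __name__ == "__main__":
    # Constructed sample data: office-hours user who has used payroll-db before.
    base = Baseline(hours=set(range(8, 18)), resources={"payroll-db"})
    s = Session("alice", True, True, "US")
    for res, hr in [("wiki", 10), ("payroll-db", 10), ("payroll-db", 3)]:
        print(res, hr, authorize(s, res, now=1000.0, hour=hr, base=base))
```

Routine access passes with no added friction, critical access triggers one extra check that stays valid for a short window, and access outside the user's own pattern is re-checked and surfaced to whoever monitors alerts.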
3. Employee Education is Even More Important Than Technology
Zero Trust is just another component of cyber security, and one of the biggest problems that security experts are facing is the fact that people LOVE to skirt rules. It’s human nature to make assumptions that we all know everything and we all deserve the best for ourselves, especially when some very nice Nigerian prince is trying to wire us FREE money. RSI discovered the hard way that this unfortunate mindset carries into the Zero Trust realm. The fact of the matter is, Zero Trust adds at least one extra step for every employee when they attempt to log in to a critical application by requiring Multi-Factor Authentication (MFA). This causes some people to lose their minds (especially those pesky developers who are obsessed with minimizing clicks), which creates a snowball effect down the road when they decide to adopt a shiny, new SaaS tool and choose not to tell anyone about it. What’s more, IT experts have developed a mindset that firewalls keep bad actors out and that they can inherently trust their environments. The same people who haven’t changed their server admin passwords in 4 years are now required to shift their mindset to the opposite end of the spectrum, which takes time. Your Zero Trust model is only as powerful as the IT people, processes, and technologies you are in control of, which is why RSI identified other strategies to counteract these risks in the form of discovery tools, monitoring, and data analytics.
4. It Takes A Village Just to Manage A Village
Similar to the game of Monopoly, acquiring the esteemed Boardwalk space is only half the battle. You still have to enforce and manage your acquisition or the positive effects are moot. Zero Trust requires a SOC team to actively manage access, evaluate trust scores on a periodic basis, track new assets, and manage vulnerable endpoints (e.g. outdated OS, vulnerable applications, etc.). RSI treated our implementation as an opportunity to train our entire Technical Assistance Center (TAC) team, creating a squad of experts in the entire Zero Trust Management process and providing them the tools to scale this expertise to our clients. One of the biggest benefits of our Evolving Trust framework is that it requires a LOT less effort for our TAC team to manage access because we have automated many of the previously manual processes.
In summary, Zero Trust is an incredibly useful strategy for companies to keep up with the evolving IT landscape of endless personal devices, SaaS solutions out the wazoo, and cyber-crime galore. In my humble opinion, I don’t see how any company can keep up with this transformation without Zero Trust. However, I’m concerned that many companies are fooled by the current glamour of Zero Trust and their desperation to improve overall cyber hygiene can create more problems than solutions. RSI is working hard to address the Access Management cyber epidemic, and we strongly believe that the Zero Trust model (more specifically, our Evolving Trust framework) is a huge step in the right direction.
If your company is interested in learning more about Zero Trust or RSI’s Evolving Trust solution, don’t hesitate to contact us for a free advisory session.
For more information about RSI's mission, visit our website at www.rsitex.com.