Former Forrester researcher and now Field CTO at Palo Alto Networks, John Kindervag, once said that administrators of computer networks hosting sensitive or critical data should trust no one. That was 10 years ago. His network security model is underpinned by a ‘zero trust’ policy. In essence, this means that management and other employees of an organization should always be under scrutiny when accessing critical data. In short, ‘zero trust’ applies to anybody on the inside of an IT network.
10 YEARS LATER
While people were skeptical of Kindervag’s 2010 report, 10 years down the line everybody is now taking him seriously. In February this year, the NSA (National Security Agency) issued guidance to the owners of networks on national security and critical IT infrastructure. In the wake of 2 large-scale cyberattacks in the United States, the NSA’s advice was ‘to trust no one.’
CASTLE AND MOAT
There is a major problem with most existing computer networks: once someone has logged into the system, they are free to roam from one application to the next without further verifications. They can access financial records, the client database, confidential employee files, other devices – just about anything. This flaw in networks is due to the ‘castle and moat’ approach to cybersecurity. This means that the perimeter of a network, the moat, is securely protected with firewalls and proxy servers while the castle, containing precious data, remains vulnerable to intrusion.
HOW ZERO TRUST WORKS
With zero trust, every network still contains at least one ‘moat.’ However, the model assumes that everyone that logs onto a network is suspicious and prevents them from freely moving through a system. Therefore, a user cannot access files, devices, or other networks without further authentication for each additional connection. Put simply, zero trust reduces or prevents lateral movement and privilege escalation within a network.
WHY ZHERO TRUST NOW?
In 2015, Chinese hackers breached the government Office of Personnel Management in the United States, stealing sensitive security clearance information on millions of American citizens. Last year, Texas-based software firm, SolarWinds, was a victim of severe hacking when malicious code was inserted into updates for its software. The updates were received the 18,000 SolarWinds customers and at least 9 government agencies and 100 companies were further targeted by hackers. So the need for zero trust has become increasingly apparent, although still remains an aspirational goal for many US state department. While the implementation of zero trust may be expensive, time-consuming and convoluted, Kindervag has this to say:
“You don’t secure a road by ripping out a road and putting a new road in. You figure out how to put stoplights in, or you figure out how to change the exit ramps. We need to do the same thing with networks and not do things that will never happen–but do things that we can accomplish using the people and technologies we have today.”