Zero Trust is today’s favorite buzzword, and so of course it is being used liberally, and often imprecisely. Originally conceived when businesses only had a small percentage of remote workers signing in to the corporate network, the common wisdom of the day dictated that you couldn’t implicitly trust the authentication of those remote users any longer because they weren’t on the company network. The original Zero Trust solution focused on proving the identity of the user and the device.
Neil Thacker is CISO EMEA/LATAM at Netskope.
Things have evolved a little over the years, and there are probably now as many different approaches to Zero Trust as there are vendors pushing it, but most cybersecurity professionals would agree that the central tenet of Zero Trust is to shift from ‘trust but verify’ to ‘verify then trust’.
This is nifty phrasing but in practice it’s a problematically finite statement; overly permissive in non-static environments while being simultaneously inflexible . ‘Verify then trust’ assumes that, once verified, you are good to go. And if not verified, permanent blocking is justified. The first option leaves a significant hole in an organization's defenses, and the latter will impinge upon business productivity.
Continuous adaptation of trust
What is actually needed in a cloud-first, perimeter-less environment, is something that is continuously adapted. The unequivocal verbiage of ‘zero’ is ill-suited in such a nuanced environment. Context is key and trust judgements require insight to effectively determine grades of permission.
SASE is a fairly new architectural model for securing a perimeter-less IT real-estate, and it has significant advantages when working on a Zero Trust approach because of the visibility and insights it allows. Zero Trust in a SASE environment is more accurately ‘continuous adaptive trust’ across users, devices, networks, applications and data. The wealth of contextual insight available within a SASE platform removes the requirement to place implicit trust or to base permission decisions on single pieces of information (an IP address for example). Decisions can be based upon a tailored set of constantly reassessed parameters, built using several contextual elements intertwined (e.g. user identity + device identify + time + geolocation + business role + data type). And because with SASE the security policy follows the data, not the user or device, the resource itself is effectively determining the appropriate level of trust, only for a specific interaction, reassessed each time a parameter changes.
Evaluating trust at the start of an interaction alone is insufficient. This trust assessment can and should take place throughout an interaction. During the interaction, context should be continuously evaluated as alterations to the context can result in an adaptation (increase or decrease) in the level of trust that is appropriate, which in turn should alter the type of access granted to the resource.
Managing trust
Of course, it must be acknowledged that zero trust models necessarily add a degree of management overhead. Owners of resources must assume responsibility for carefully assessing and continuously adjusting not just the lists of allowed users for their resources, but also defining the attributes and contextual elements that together determine the level of access allowed to resources. Management of entitlements is often a manual process, but automation is starting to reach the market.
The balance of permission and restriction
The advantages of a continuous adaptive trust approach are manifold, but three stand out as compelling when preparing a business case:
More opportunities to provide some degree of access, to reorient the majority of security decisions away from “no” towards “yes, with conditions…” Inappropriate access is constrained, reducing the blast radius of compromised accounts Visibility into sensitive data types, locations, and movements in improved and constant.
While points two and three are clear risk reduction advantages, the first point is in many ways more crucial when selling the approach internally. Zero Trust appeals to security professionals from the moment you hear the name, specifically because it sounds unequivocally safe and secure. If you don’t trust anyone, you can’t get hurt, so the brokenhearted will tell you. But however much security professionals might joke about how much easier our jobs would be without a user base of employees, we must acknowledge that giving access is as much a part of our job as restriction and blocks. Continuous adaptive trust walks that line, using insight to issue and retract dynamic permissions. With it, organizations can maximize business productivity without any unnecessary exposure.
