Zero Trust Thinking - Transforming Cybersecurity
When you read “Transforming” in the title above your eyes may have raised to heaven thinking it was more irritating marketing hype. However, for me, “transformation” has a specific meaning. It’s the indication of a moment of discovery that inspires and immediately creates a new way of thinking—a new future. My intention is that this article creates such a moment for you. That it’s not just informative and certainly not just more hype. Yes, it’s informative too, but let’s start at the beginning.
Multiple connected clouds, edge compute, the explosion of IoT deployment, supply chains and distributed workforces have created the cybersecurity monster. It’s able to attack a myriad of vulnerabilities. The days of the data center’s single defendable perimeter are long gone. It’s been a couple of years since John Kindervag’s Zero Trust mantras of “Assume Breach” and “Never Trust, Always Verify” became the imperative – the essential and now only viable way of ensuring that the network cloud ecosystem is secure. This article deals with verification.
Zero Trust Principles
By now, you likely know that Zero Trust is never a complete solution but a strategy and a set of principles. Anyone who tries to tell you that they have a complete solution is either clueless or worse. At best it might be the beginnings of a service that implements and enables some of the Zero Trust principles. What’s critical is to enable critical functions and attributes that implement the principles.
To enable Zero Trust principles, all users, software, and devices must be identified, authenticated, and their access limited according to the role assigned to them. Each actor must only be assigned the least privilege required to accomplish a task. I.e., accessing a limited number of functions or data and only during the assigned
These must be enforced, managed and continually monitored to allow, block or quarantine access and generate notification of such This is evolution from the mantra to “Never Trust, Continuously Verify.” I.e., that inter- changes remain verified ensuring trusted actors do not become threat actors or request out-of-policy actions.
The principles must be applied to all exchanges between micro-segmented workloads, between users and providers, at distributed access points, between IT systems and IoT devices. Its purpose is not just defense against inbound attacks but also preventing exfiltration of critical data.
Delegation - Catch 22
If the principle of Zero Trust “Never Trust, Always and Continually Verify” is to be followed, then how do you verify external organizations, their products and services that are not under your control? It’s a Catch-22. The answer is that you can’t verify how their company operates. It’s practically impossible – and leaves you with unknown vulnerabilities for which you remain responsible. If you trust them, particularly those on which you rely then you are effectively abdicating your responsibility.
Applying Zero Trust Transformative Thinking
Zero Trust’s “Never Trust, Always Verify” thinking, should not only be applied to your operational network, but everywhere! You may begin by wondering about the services and software, database systems, applications and network devices. “Why should I trust them now?” What about the companies that create the products? How do I know that I can trust them? Are they using best practices suggested by this year’s White House Security Strategy? How can I trust the code they are using? The answer is you can’t – but you do need to hold them accountable!
This is critically important, as we saw in May’s attack in Dallas, it applies especially to the security software and the supplying companies which the Royal Ransomware attack disabled.
A Blueprint for Risk Reduction
If this sounds hard it isn’t. In fact, here are three sets of best practices—effectively a Blueprint for Risk Reduction to bring order to the complexity of cybersecurity. In order to protect user organizations, implementation of Zero Trust enabled services and products, they must be in compliance with the following protective measures applicable to their organization, product development and operation. Such compliance should be made available transparently to sub- scribers of such products and services.
Taking Actions to Empower Your Organization
The good news is that this thinking enables empowering actions to be performed. The 20 questions in the Figures below are examples from my Holistic Cybersecurity as a Service offering. It’s the three categories that are important. The CISA initiative on “self-attestation” of software companies is a great start, going in to more deails on the Development section below. It will remain to be seen what goes into the final version scheduled in 2024. The CISA coverage does not get into the organizational nor operational aspects of software. This is a serious omission since it leaves three areas of vulnerability. Yes three more because the operational aspect of a software product has two aspects, covering how it operates AND how it’s managed. An example is Firewall implementation whose functions can be disable by a denial of service attack via its management ports while it’s busy filtering packets. The ones about an organization will be similar but will vary by product type. This section updated has been after the article was published.
Organizational Best Practices
| 1. Executive level Security Policy and Strategy. |
| 2. Curated and automatically updated software, device drivers, data, and networking assets. |
| 3. Insider threats and social engineering strategy. |
| 4. An implemented policy for multi-factor authentication, passkeys, trustworthy password managers, least privilege, etc. |
| 5. Proactive phishing attack, lateral movement and elevation of privilege malware, intrusion, threat detection and prevention software etc. |
| 6. Use of “Bring your Own Devices” is disallowed everywhere, including subcontractors. |
| 7. All third party software is similarly screened for vulnerabilities, e.g., CMS, CRM, and databases. |
Development Best Practices
| 1. Development, Security and Operations((DevSecOps) includes automation of monitoring and built in event notification. |
| 2. All software is encoded in memory-safe languages, e.g., Rust or C#. |
| 3. All third party code is verified malware free, especially any open source code. |
| 4. Software/updates are regression-tested for protection to threats in section on the right and all hardware, software, drivers, and firmware updates are automated. |
Product & Service Operations & Managment Best Practices
| 1. Database software/apps only permit bulk encryption, exfiltration of data via authenticated privilege. Each application’s data is organized using microsegementation techniques. |
| 2. All data or software defining the privilege levels of users’ software and devices are protected/ encrypted to protect against elevation of privilege attacks. Privilege includes length or time, amounts of data to be accessed, written or read, including software updates, approved encryption types. |
| 3. Access control and identity management software is similarly verified and protected. |
| 4. All firmware or device updates are only from certified sources. |
| 5. Management software detects and protects unauthorized out-of-policy access, disabling denial of service attacks with service suspension if encountered. |
| 6. Detection, notification, and prevention of any attacks is via automated monitoring. |
| 7. Multi-factor authentication is applied to critical software and databases not just users. |
| 8. All APIs are certified to mTLS, SAML OAuth2.0 specifications. |
| 9. Detection and prevention are implemented for lateral movement attacks, drive-by, man-in-the- middle, side channel, TCP split handshake attacks, etc. |
- Software and service companies that cannot give satisfactory answers to the majority of these questions are essentially “disqualified.” The scary part is that they maybe haven’t thought about them! You should not contract with them and subscribe elsewhere. In any event, your contracts/legal department should have a say. I do believe that by asking these questions you will create an important partnership with your suppliers and help them establish their own best practices to align with the 2023 US Cybersecurity Strategy. This is also exactly aligned to the June 2023 update from the White House on the Secure Software Development Framework initiative, where companies are being required to we said, this shift in thinking is effectively attest to their development practices.
- Conversely, end user organizations who do not ask these questions of their software suppliers, service providers, their security vendors and of their own departments are likely abdicating responsibility and will remain vulnerable or worse.
For me, this is the transformative moment that I referred to in the headline. To truly delegate not abdicate, to take control to be responsible. Now, you’ll no longer be overwhelmed by this topic. As we said, this shift in thinking is effectively a Blueprint for Risk Reduction that empowers your actions and your role!
Zero Day Attacks
A word on Zero Day Attacks: These are attacks that have never been seen before and thus yet to have a defense. Sometimes they get fixed by software vendors such as Microsoft, Apple and Google in regular updates. Others linger for years unnoticed. The scary thing is that it takes on average 66 days for companies to implement these updates! They all start with the penetration of an organization then launch any number of attack types.
However, if you act early and apply Zero Trust strategies and principles, the risk of any attack – including Zero Days – is massively reduced.
Keep Up Your Awareness
There are new threats developing each day. Many are multifaceted, complex, and polymorphic. “Hacking as a Service” toolkit is one ugly example of why you need to keep alert. One of many credible resources is cybyr.com. There, I’ve introduced Security as a Service with software that walks you through the process and measures your progress holistically, over time. Become a passionate student, visit my “CyberPedia” page explaining 200 cybersecurity terms – many used here—and for the latest breaking news on threat detection and prevention.
Final Word
Finally, don’t stress out. Zero Trust is no overnight fix. It’s a journey with the mantra “Never Trust Always and Continuously Verify”. It begins with curation of assets and services to see which, based on the financial impact, to protect first. Remember, each action you take strengthens your weakest links and reduces your risks.