With Insights from Cerberus CTO, Jerald Dawkins, Ph.D.
Trust No One?
As a powerful tool to secure increasingly complex IT environments and reduce attack surfaces, Zero Trust, with its “never trust, always verify” model, has become top-of-mind for savvy organizations across industries. Zero Trust not only helps organizations respond to the changing landscape of cybersecurity culture but also has the foresight to anticipate emerging and previously unknown threats.
Zero Trust aspires to achieve greater segmentation of networks by isolating and verifying access through continuous authorization and authentication. This differs from castle-and-moat network security models, in that any user, whether external (outside the castle) or internal (inside the castle), is treated as a possible threat and must therefore be verified before and during every interaction with workloads. It requires all users to be authenticated, authorized, and continuously validated in advance of access and throughout their engagements with applications and data.
Key to Zero Trust is the Principle of Least Privilege, or “least privilege architecture,” which defines an environment where, depending on the user and their needs, access is verified and granted only for necessary and legitimate reasons. In addition to reducing risk and preventing the user from running unrecognized executables, this segmenting reduces scope creep, because a user cannot reach beyond their defined privileges or job function.
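The following is an added example written for this page, not Cerberus Sentinel's product or any NIST reference implementation. It shows what the per-request verification and least-privilege model described above looks like as a small policy decision point: every request is evaluated against the caller's identity (including how recently a second factor was completed), the device's posture, and a default-deny role table, with no notion of a trusted network location. All roles, resources, device identifiers, and freshness windows are constructed assumptions.

```python
"""Minimal Zero Trust policy decision point (constructed example).

Every call to evaluate() re-checks device posture, identity freshness and
least privilege; nothing is trusted because of where the request came from."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Least-privilege table (constructed): each role may perform only the listed
# actions on the listed resources. Anything not listed is denied by default.
ROLE_PERMISSIONS = {
    "payroll-clerk": {("payroll-db", "read"), ("payroll-db", "write")},
    "support-agent": {("ticketing", "read"), ("ticketing", "write"),
                      ("customer-db", "read")},
    "auditor": {("payroll-db", "read"), ("ticketing", "read")},
}

# Resources that always require a recent second factor (constructed).
MFA_REQUIRED = {"payroll-db", "customer-db"}

# How long a verification stays fresh before it must be repeated (assumed values).
MFA_MAX_AGE = timedelta(minutes=15)
POSTURE_MAX_AGE = timedelta(minutes=5)


@dataclass
class Subject:
    user: str
    roles: set
    mfa_verified_at: Optional[datetime]  # None: second factor never completed this session


@dataclass
class Device:
    device_id: str
    managed: bool               # enrolled in the organization's device inventory
    posture_ok: bool            # e.g. endpoint protection running, disk encrypted, patched
    posture_checked_at: datetime


@dataclass
class Decision:
    allow: bool
    reasons: list = field(default_factory=list)  # empty when allowed


def evaluate(subject: Subject, device: Device, resource: str, action: str,
             now: datetime) -> Decision:
    """Evaluate one request; call it on every access, not once per session."""
    reasons = []

    # 1. Device: only managed devices with a fresh, passing posture check.
    if not device.managed:
        reasons.append("device not managed")
    if not device.posture_ok:
        reasons.append("device failed posture check")
    if now - device.posture_checked_at > POSTURE_MAX_AGE:
        reasons.append("device posture check is stale")

    # 2. Identity: sensitive resources need a recent second factor.
    if resource in MFA_REQUIRED:
        if subject.mfa_verified_at is None:
            reasons.append("MFA required but not completed")
        elif now - subject.mfa_verified_at > MFA_MAX_AGE:
            reasons.append("MFA verification expired; re-authenticate")

    # 3. Least privilege: deny unless some role explicitly grants (resource, action).
    if not any((resource, action) in ROLE_PERMISSIONS.get(r, set())
               for r in subject.roles):
        reasons.append(f"no role grants {action} on {resource}")

    return Decision(allow=not reasons, reasons=reasons)


def demo() -> dict:
    """Run a handful of constructed requests and return the decisions."""
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    healthy = Device("lt-0142", managed=True, posture_ok=True,
                     posture_checked_at=now - timedelta(minutes=1))
    stale = Device("lt-0142", managed=True, posture_ok=True,
                   posture_checked_at=now - timedelta(minutes=30))
    clerk = Subject("alice", {"payroll-clerk"}, now - timedelta(minutes=2))
    clerk_old_mfa = Subject("alice", {"payroll-clerk"}, now - timedelta(hours=2))
    agent = Subject("bob", {"support-agent"}, now - timedelta(minutes=2))
    return {
        "clerk_reads_payroll": evaluate(clerk, healthy, "payroll-db", "read", now),
        "clerk_stale_mfa": evaluate(clerk_old_mfa, healthy, "payroll-db", "read", now),
        "clerk_stale_device": evaluate(clerk, stale, "payroll-db", "read", now),
        "agent_reads_payroll": evaluate(agent, healthy, "payroll-db", "read", now),
        "agent_writes_customer": evaluate(agent, healthy, "customer-db", "write", now),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {'ALLOW' if decision.allow else 'DENY'} {decision.reasons}")
```

The design choice worth noting is that the decision is computed from scratch on each call: a clerk who passed MFA two hours ago, or whose laptop has not reported posture in the last five minutes, is denied even though the same person on the same device was allowed earlier. The role table is also default-deny, so a support agent with read access to the customer database cannot write to it, and cannot touch payroll at all.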
The Changing Landscape of Cybersecurity
Transitions to remote and hybrid work environments and the rise of Managed Service Providers have created a challenging landscape for information and security professionals. With businesses now using some combination of apps, SaaS, and cloud infrastructure, a new approach to security is needed.
Zero Trust responds to this challenging landscape as a sustainable and directional effort to manage critical and often exponentially increasing security risks and has the potential to:
- Decrease widespread vulnerabilities by reducing attack surfaces
- Provide continuous protection for users, data, and assets
- Proactively manage identities and threats
- Enforce comprehensive security policies
- Detect and respond faster to threats
Why Now? The Tipping Point into Zero Trust
In 2020, the Covid-19 pandemic disrupted the way businesses operated in every sector around the world. As commercial office buildings shuttered and employees logged on to work in remote settings, nearly every business developed a strategy to push through business-as-usual when it was anything but.
Many organizations sent employees home with a laptop and a prayer, hoping for the best, while others relied on Virtual Private Networks (VPNs) to help mitigate the uneasy feeling that countless network security administrators felt as their IT environments – and endpoints – suddenly expanded exponentially.
Two years later, many of these employees still work from home. Zero Trust responds to enterprise network trends that account for a remote workforce and serves to accommodate employees who use their own devices. Cloud-based assets that do not reside on enterprise-owned devices can be protected under this model, provided policy covers assets, services, workflows, and network accounts rather than only the network perimeter.
The New Reality
More than a marketing phrase, Zero Trust takes account of the true cost of a data breach and aims to replace outdated security models by giving IT teams visibility across all endpoints within their network. Government and institutional support continues to drive interest in Zero Trust as the new standard in cybersecurity, with guidance issued by the National Institute of Standards and Technology (NIST) and the Cybersecurity and Infrastructure Security Agency (CISA).
NIST Special Publication 800-207 defines Zero Trust as “an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources,” and CISA identifies the Zero Trust Maturity Model as one of many possible paths to support transitioning to Zero Trust.
In support of the directional move toward Zero Trust, President Biden’s 2021 “Executive Order on Improving the Nation’s Cybersecurity” represents a significant effort “[t]o keep pace with today’s dynamic and increasingly sophisticated cyber threat environment.” Specifically, Biden’s mandate aims to push federal agencies to adopt a zero-trust cybersecurity strategy and calls for them to develop plans to migrate to a zero-trust architecture.
Room for Exemptions?
In Zero Trust, is there room for exemptions? Put simply, no.
For this concept to work, an organization needs full buy-in. Every CISO is tasked with making decisions that ‘feel right’ for their organization – everything from maintaining principles and consistencies across multiple devices or touchpoints to determining the complexity of these endpoints – as well as determining if and when users require two-factor authentication (2FA). They need to decide how to implement Zero Trust approaches related to least privilege, with its corresponding job-specific authentication and verification requirements.
Implementing a Zero Trust security model requires more than just a change in mindset. It requires a clear understanding of job functions within an organization, including a full accounting of currently deployed software, access levels, and devices.
At SC Media’s 2 Day Zero Trust ESummit, Jerald Dawkins, Ph.D., Chief Technology Officer of Cerberus Sentinel, remarked that “finding ways to operationalize Zero Trust represents more of a philosophy than a strategy.” As a result, Dawkins suggested that it’s more important to lean into an integrated approach to cybersecurity solutions. This means efforts that address the core challenges of Zero Trust should include:
- Continuous verification across all resources
- Ability to minimize impact if and when an external or insider breach occurs
- Automation of context collection and response
- Analysis of behavioral data pulled from the entire IT stack for a comprehensive picture of activity across an environment
Know Where You’re Going: Understand the Directional Strategy of Zero Trust
This security concept is a company-wide solution requiring everyone from HR to IT to C-suite executives to be involved, as it represents a cultural shift in security best practices that touches every aspect of how a business functions. If you really want to shrink the blast radius and dwell time of a breach, Zero Trust as a concept should be part of your organization’s core standard operating procedures. And because implementation requires all employees to be on the same page, it may require support from HR to provide additional backing for the fundamental partnership with IT.
Modernizing your security posture with this philosophy means creating a hostile environment for attackers by mitigating vulnerabilities in authentication, monitoring network activity to ensure devices are authorized, and ensuring these devices have not been compromised. These efforts help to make it less likely that your organization will experience the devastating effects of malware, a breach, or ransomware.
Although knowing what you are trying to protect is an essential first step when developing a cybersecurity culture, understanding how to protect your assets and workloads requires a nuanced understanding of component relationships, workflow planning, and access policies. Let the experts at Cerberus Sentinel take the guesswork out of cybersecurity to keep your data secure. Reach out to Cerberus Sentinel today to learn more about how Zero Trust can benefit your organization.