Security by Design: Are We at a Tipping Point?

Author: Rajiv Raghunarayan
Date Published: 20 November 2020

The much-publicized Target breach of 2013—where 70 million customers lost their personal data, 40 million credit and debit card details were stolen, more than US$250 million was spent to manage the breach and the chief executive officer (CEO) and chief information officer (CIO) were replaced—does not even place among the top 15 breaches of this century. But that likely is not a surprise. In the world of cybersecurity, this has become normal. But should it be? Can we afford the consequences?

I have the honor of speaking with security leaders and practitioners on a regular basis, and many of them express a common set of concerns: a constantly changing threat landscape, not enough people, too many alerts (some have even stopped looking at them), new compliance regulations to adhere to, and the need to adapt to changes in business, technology and the market (e.g., a worldwide pandemic). The staffing concern is not anecdotal: a recent (ISC)² study indicates that the global skills shortage surpassed 4 million professionals at the end of 2019, up more than 1 million from the end of 2018. In other words, we are running really hard, and yet breaches still occur. Can we keep up as business dependence on technology accelerates with more remote workers, cloud applications and connected devices, and as the business risk from a breach grows with it? Our success depends not just on security efficacy, but also on security efficiency and simplicity.

A big contributor to security flat-footedness is the traditional “trust but verify” approach, with bolt-on, reactive architectures (and solutions) that make security complex and expensive. Detecting a threat, separating true from false alerts, responding to incidents holistically and doing it all in a timely fashion demands a sizeable security workforce; a strong, well-practiced playbook; and an agile security model. As we have learned over the years, this has been hard to achieve in practice, and harder still for small or mid-size organizations and those with smaller budgets. Even though dwell time has come down in the last few years, attackers routinely spend days, weeks or months in a breached environment before being detected. Regulations like the EU General Data Protection Regulation (GDPR) mandate reporting of notifiable data breaches within 72 hours of the organization becoming aware of them; with a median dwell time of 56 days, rising to 141 days for breaches not detected internally, that 72-hour clock often starts only after an attacker has been inside for months.

Forrester analyst John Kindervag envisioned a new approach in 2009, called “zero trust.” It was founded on the belief that trust itself represents a vulnerability, and that security must be designed into the business with a “never trust, always verify” model.

The current end user computing model is not very different from the practice of mid-19th-century doctors who went from autopsies to deliveries without washing their hands, unknowingly spreading bacteria to their patients. We browse an Internet filled with potentially harmful content and then use the same endpoints to access sensitive assets and information. This unsanitized access is exactly what attackers exploit: they leverage the end user’s trust to infiltrate endpoints, steal credentials, exfiltrate sensitive assets and encrypt data, using operating system, application or policy vulnerabilities as their pathways for transmission.

Although most security professionals understand that zero trust is an architecture rather than a product, not everyone is clear whether zero trust can work for them. It is important to consider what adopting zero trust entails and what challenges exist. In addition, with marketing engines now starting to abuse the term, it is hard to know where to start. The simple answer is that zero trust covers several different technologies, ranging from well-known solutions such as identity and access management (IAM) to newer ones such as remote browser isolation. Your zero trust journey depends on your risk surface; there is no one specific path, and no vendor should tell you otherwise.
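To make the difference between “trust but verify” and “never trust, always verify” concrete, here is a small added example (not code from the original article or from any vendor) that evaluates the same access requests under both models. The corporate address range, the users, the resources, the entitlement table and the device-posture and MFA signals are all hypothetical; in a real deployment those signals would come from the identity provider and the endpoint management or EDR platform.

```python
"""Perimeter ("trust but verify") vs. zero trust ("never trust, always verify")
access decisions, evaluated per request.

Constructed example: the network range, users, resources and signals below
are hypothetical and stand in for an IdP, MDM/EDR and an entitlement store.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Tuple

CORP_NET = ip_network("10.0.0.0/8")  # assumed corporate address range


@dataclass(frozen=True)
class Request:
    user: str
    source_ip: str
    mfa_verified: bool       # strong identity proof for this session (assumed IdP signal)
    device_compliant: bool   # patched, EDR healthy, disk encrypted (assumed MDM/EDR signal)
    resource: str
    action: str


# Constructed least-privilege entitlements: user -> resource -> permitted actions
ENTITLEMENTS: Dict[str, Dict[str, set]] = {
    "alice": {"payroll-db": {"read"}, "wiki": {"read", "write"}},
    "bob":   {"wiki": {"read"}},
}


def perimeter_decision(req: Request) -> Tuple[bool, str]:
    """Trust is granted once, by network location: any valid account inside the
    corporate network is waved through, and what it then does is only
    'verified' afterwards, if an alert is ever triaged."""
    if ip_address(req.source_ip) not in CORP_NET:
        return False, "outside the perimeter"
    if req.user not in ENTITLEMENTS:
        return False, "unknown account"
    return True, "inside the perimeter with a valid account"


def zero_trust_decision(req: Request) -> Tuple[bool, str]:
    """Nothing is trusted by location. Every request must pass identity,
    device-posture and least-privilege checks; any single failure denies."""
    if not req.mfa_verified:
        return False, "identity not strongly verified"
    if not req.device_compliant:
        return False, "device posture check failed"
    permitted = ENTITLEMENTS.get(req.user, {}).get(req.resource, set())
    if req.action not in permitted:
        return False, f"{req.user} is not entitled to {req.action} on {req.resource}"
    return True, "identity, device and entitlement verified for this request"


# Constructed scenarios.
# 1. An attacker on an infiltrated corporate workstation replays Alice's stolen
#    password (no MFA; the endpoint fails posture) to reach data she may read.
STOLEN_CREDS_INSIDE = Request("alice", "10.20.30.40", False, False, "payroll-db", "read")
# 2. Alice working from home on a healthy managed laptop after completing MFA.
REMOTE_WORKER = Request("alice", "203.0.113.7", True, True, "payroll-db", "read")
# 3. Bob, inside the network, MFA'd and compliant, but overreaching his entitlement.
OVERREACH_INSIDE = Request("bob", "10.1.2.3", True, True, "payroll-db", "write")


def compare(req: Request) -> Dict[str, Tuple[bool, str]]:
    """Return both models' verdicts for one request."""
    return {"perimeter": perimeter_decision(req), "zero_trust": zero_trust_decision(req)}


if __name__ == "__main__":
    scenarios = [("stolen creds inside", STOLEN_CREDS_INSIDE),
                 ("remote worker", REMOTE_WORKER),
                 ("overreach inside", OVERREACH_INSIDE)]
    for name, req in scenarios:
        v = compare(req)
        print(f"{name:20} perimeter={v['perimeter'][0]!s:5} "
              f"zero_trust={v['zero_trust'][0]!s:5} ({v['zero_trust'][1]})")
```

The point of the comparison is the first scenario: the perimeter model admits the attacker because location and a valid account are all it checks, so detection (and the 72-hour clock) can only start after the fact, whereas the zero trust model denies at the moment of access because the request itself fails verification. The second scenario shows the flip side: a remote worker is not penalized for being off-network once identity, device and entitlement check out.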

We are all running hard, but at times it helps to take a step back and see what we are running toward. Sometimes it is a simple step like “washing your hands” that can save thousands of lives.

Editor’s note: For further insights on this topic, read Rajiv Raghunarayan’s recent Journal article, “Harnessing Zero Trust Security,” ISACA Journal, volume 6, 2020.