New guidance on Zero Trust Architecture (ZTA) is a fitting response to the current cybersecurity landscape. On August 11, 2020, the National Institute of Standards and Technology (NIST) released Special Publication 800-207, Zero Trust Architecture (SP 800-207).
SP 800-207 defines zero trust (ZT) as “the term for an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources”. SP 800-207 explains that ZT “assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location (i.e., local area networks versus the internet) or based on asset ownership (enterprise or personally owned).”
ZT is a philosophy or model and does not refer to specific hardware or software. In fact, many enterprises already use some of the technology, policies and procedures which are necessary elements of a ZTA.
ZT is apt in an operating environment (complicated by COVID-19) characterized by increasing reliance on remote work, bring your own device (BYOD), and cloud-based assets located outside the enterprise-owned network boundary.
The current landscape
In a publication on the COVID-19 data breach landscape, Verizon describes work environments grappling with reduced staffing because of illness, layoffs, or remote work limitations. This has created heavier workloads and a heavier reliance on new and unfamiliar remote working solutions, which IT teams may deploy rapidly. Add to this the distractions of sheltering in place with pets, kids and others. Increased errors, by both users and IT professionals, are a direct consequence. IT errors may include misconfigurations (for instance, forgetting to add data security controls) and publishing errors (for example, giving access to a larger or different audience than intended).
Verizon’s 2020 Data Breach Investigations Report (DBIR) concluded that brute-forced or stolen credentials accounted for over 80% of data breaches through hacking. Because it is so effective, hackers consistently rely on phishing scams and other social engineering to steal credentials. According to the DBIR, many users are more likely to click on malicious links when using a mobile device compared to a desktop or laptop. The increased use of mobile devices and the reusing of passwords across multiple portals create a perfect storm to expand the reach of a cyber attack to your enterprise.
By way of a simplified illustration, a traditional perimeter-based approach trusts the credentials stolen by the hacker, based on the implicit assumption that correctly entered credentials represent a bona fide access request. A ZT philosophy says there is no implicit trust in the fact that someone provides the correct login credentials. Instead, network monitoring may reveal that the login attempt is suspicious based on the user’s location, the time or date they seek access, deviations from baseline usage patterns, device characteristics (for example, the version of software installed) or other factors. Consequently, the access request would be denied or flagged as suspicious.
The tenets of a ZTA
- All data sources and computing services are resources. Networks consist of multiple classes of devices, including personally owned devices (for instance in a BYOD environment), if they can access the enterprise’s resources.
- Secure all communication regardless of network location. Network location alone does not imply trust. Access requests from network assets must meet the same security requirements as access requests and communication from non-enterprise-owned networks. There is no implicit trust in the fact that a device is on the network infrastructure.
- Grant access to individual enterprise resources on a per-session basis. Evaluate trust in the requester before granting access and grant the least privileges necessary for the task.
- Access to resources is determined by dynamic policy—including the observable state of client identity, application/service, and the requesting asset—and may include other behavioural and environmental attributes. In a ZT environment, client identity includes not just the user account, but also the attributes assigned to that account. The requesting asset state can include device characteristics such as software versions installed, network location, time/date of request, previously observed behaviour, and installed credentials. Behavioural attributes include automated subject analytics, device analytics, and measured deviations from observed usage patterns. Environmental attributes may include such factors as requestor network location, time, and reported active attacks. Take a risk-based approach, including an assessment of the sensitivity of the resource or data in question. Apply least privilege principles to restrict both visibility and accessibility.
- The enterprise monitors and measures the integrity and security posture of all owned and associated assets. No asset is inherently trusted. An enterprise implementing a ZTA should establish a continuous diagnostics and mitigation (CDM) or similar system to monitor the state of devices and applications and should apply patches/fixes as needed. Assets that are subverted, have known vulnerabilities, or are not managed by the enterprise may be treated differently (including denial of all access) from devices owned by or associated with the enterprise that are deemed to be in their most secure state. As an example, personally owned devices may be allowed to access some resources but not others. A robust monitoring and reporting system is essential to providing real-time actionable data about enterprise resources.
- All resource authentication and authorization are dynamic and strictly enforced before access is allowed. This is a constant cycle of obtaining access, scanning and assessing threats, adapting, and continually re-evaluating trust in ongoing communication. An enterprise implementing a ZTA should have Identity, Credential, and Access Management (ICAM) and asset management systems in place. This includes the use of multifactor authentication (MFA) for access to some or all enterprise resources. Continual monitoring, with possible reauthentication and reauthorization, occurs throughout user transactions, triggered for example by the length of the session, inactivity, the resources requested, or anomalous activity.
- The enterprise collects as much information as possible about the current state of assets, network infrastructure and communications, for example, data on network traffic and access requests, and analyses it to improve policies, procedures and security.
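To make the contrast in the simplified illustration above and the dynamic-policy tenets concrete, here is a small policy decision point written for this article. It is added example code, not NIST reference code and not part of SP 800-207; the attribute names, the "low"/"high" sensitivity scheme, the risk weights, thresholds and sample requests are all constructed for illustration. It evaluates a per-session access request against client identity (MFA), requesting-asset state (managed device, patch posture), environmental attributes (location, time, reported attacks) and resource sensitivity, and shows how the same valid-but-stolen credentials that a perimeter model would accept are denied under a zero-trust policy, and how a BYOD device can reach some resources but not others.

```python
"""Toy zero-trust policy decision point (illustrative; not NIST or vendor code)."""
from dataclasses import dataclass
from datetime import datetime, time

# Constructed baseline for the example enterprise (assumptions, not real data).
USUAL_GEOS = {"CA-ON", "CA-QC"}
WORK_HOURS = (time(7, 0), time(20, 0))


@dataclass
class AccessRequest:
    """Signals the policy engine considers, grouped by the tenets' attribute classes."""
    user: str
    credentials_valid: bool        # the only signal a perimeter model looks at
    mfa_passed: bool               # client identity
    resource: str
    resource_sensitivity: str      # assumed scheme: "low" or "high"
    device_managed: bool           # requesting asset state (enterprise-managed vs BYOD)
    os_patched: bool               # requesting asset state (CDM posture)
    geo: str                       # environmental attribute
    request_time: datetime         # environmental attribute
    active_attack_reported: bool = False  # environmental attribute


def perimeter_decision(req):
    """Traditional model: correct credentials are treated as a bona fide request."""
    return "allow" if req.credentials_valid else "deny"


def evaluate(req):
    """Zero-trust style decision: returns (decision, reasons, session_ttl_minutes).

    decision is "allow", "step_up" (re-authenticate before access) or "deny".
    Weights and thresholds are arbitrary illustration values.
    """
    if not req.credentials_valid:
        return "deny", ["invalid credentials"], 0

    # Assets not managed by the enterprise may be denied sensitive resources outright.
    if not req.device_managed and req.resource_sensitivity == "high":
        return "deny", ["unmanaged device requesting high-sensitivity resource"], 0

    risk, reasons = 0, []
    if not req.mfa_passed:
        risk += 3
        reasons.append("no MFA")
    if not req.device_managed:
        risk += 2
        reasons.append("unmanaged (BYOD) device")
    if not req.os_patched:
        risk += 2
        reasons.append("OS not patched")
    if req.geo not in USUAL_GEOS:
        risk += 2
        reasons.append(f"unusual location {req.geo}")
    start, end = WORK_HOURS
    if not (start <= req.request_time.time() <= end):
        risk += 1
        reasons.append("outside usual hours")
    if req.active_attack_reported:
        risk += 2
        reasons.append("active attack reported")

    # Risk-based: a more sensitive resource tolerates less accumulated risk.
    deny_at, step_up_at = (4, 2) if req.resource_sensitivity == "high" else (6, 3)
    if risk >= deny_at:
        return "deny", reasons, 0
    # Per-session grant whose lifetime shrinks as risk rises, forcing re-evaluation.
    ttl = max(5, 60 - 10 * risk)
    if risk >= step_up_at:
        return "step_up", reasons, ttl
    return "allow", reasons, ttl


# Constructed sample requests.
STOLEN_CREDENTIALS = AccessRequest("alice", True, False, "payroll-share", "low",
                                   False, False, "XX", datetime(2020, 9, 1, 3, 15))
NORMAL_WORKDAY = AccessRequest("alice", True, True, "payroll-share", "high",
                               True, True, "CA-ON", datetime(2020, 9, 1, 10, 0))
BYOD_LOW = AccessRequest("bob", True, True, "intranet-wiki", "low",
                         False, True, "CA-ON", datetime(2020, 9, 1, 10, 0))
BYOD_HIGH = AccessRequest("bob", True, True, "payroll-share", "high",
                          False, True, "CA-ON", datetime(2020, 9, 1, 10, 0))
UNUSUAL_LOCATION = AccessRequest("alice", True, True, "payroll-share", "high",
                                 True, True, "US-NY", datetime(2020, 9, 1, 10, 0))

if __name__ == "__main__":
    for name, req in [("stolen credentials", STOLEN_CREDENTIALS), ("normal workday", NORMAL_WORKDAY),
                      ("BYOD, low sensitivity", BYOD_LOW), ("BYOD, high sensitivity", BYOD_HIGH),
                      ("unusual location", UNUSUAL_LOCATION)]:
        print(f"{name}: perimeter={perimeter_decision(req)}, zero-trust={evaluate(req)}")
```

The stolen-credentials case is the one the article describes: the password is correct, so the perimeter model allows it, while the zero-trust evaluation denies it on the combination of missing MFA, an unmanaged unpatched device, an unknown location and an off-hours request. The two BYOD cases show the same device allowed onto a low-sensitivity resource and refused a high-sensitivity one, and the shrinking session TTL is one simple way to express the tenet that trust is re-evaluated rather than granted once.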
Meeting your duty of care
Review SP 800-207 and assess whether you can incrementally implement or improve upon the elements of a ZTA in your enterprise, through appropriate ZT principles, processes and technology solutions, to protect data and systems.
To create your policies, utilize the checklists, forms and other tools in Information Technology PolicyPro, all based on best practices including guidance from COBIT 2019 and NIST.
Policies and procedures are essential to cybersecurity and other internal controls, but the work required to create and maintain them can seem daunting. Information Technology PolicyPro, co-marketed by First Reference and Chartered Professional Accountants Canada (CPA Canada), contains sample policies, procedures and other documents, plus authoritative commentary in the areas of information technology governance and management, to save you time and effort in establishing and updating your internal controls and policies. Not a subscriber? Request a free 30-day trial of Information Technology PolicyPro here.