Back in the good old days, before the pandemic struck, security and risk professionals loved discussing the relative merits of zero trust methods versus broader Digital Risk Management strategies. But in a world grappling with the increased pace of digital transformation, what began as a philosophical debate has taken on greater urgency and clarity. In a time of rapidly evolving digital projects and initiatives – as well as unprecedented crisis, uncertainty, and acute change – now is the ideal time to adopt a zero trust mindset and adopt many of its key ingredients to advance a broader Digital Risk Management strategy.
How did we get here? Why did zero trust become the new security mantra? And what does it offer security teams? In a recent webinar, "The Rise of Zero Trust in the Digital Era", RSA Chief Digital Officer Dr. Zulfikar Ramzan offered his take on the academic origins, the practical evolution, and the promise of zero trust. I strongly recommend taking twenty minutes to review Dr. Ramzan's take on the zero trust mindset (note it isn't a product, framework, or strategy) and how adopting the key principles and tenets of zero trust can lead to greater trustworthiness in IT systems and the business operations they support.
The short answer to how zero trust became so widely accepted is that COVID-19 forced businesses to adapt their digital transformation agendas.
While many risk and security leaders entered the new decade with detailed execution plans supporting rather sophisticated Digital Risk Management strategies, 2020 had other plans. Suddenly budgets were suspended and projects cancelled. The focus shifted to triaging and mitigating the disruptions that operations, employees, partners, and customers were experiencing. Rapidly accelerating select digital solutions, securely, became the task of 2020. When confronted with the inevitable question, "How are we going to secure this?", zero trust has emerged as an expedient and seemingly irrefutable answer.
The key principles of zero trust, as defined by Forrester a decade ago, seem simple enough to understand and prescribe when rapidly adding digital inventory:
- All resources are accessed in a secure manner regardless of location (implies strong, multi-factor authentication, encryption)
- Access control is on a need-to-know basis and is strictly enforced (implies applying least-privilege access principles, identity governance, VLANs, software-defined infrastructure, micro-segmentation, etc.)
- Inspect and log all traffic (implies SIEMs scrutinizing logs and packets traversing endpoints, IoT, cloud, SaaS, PaaS, etc.)
But when the breadth of the enterprise digital ecosystem is fully considered, the challenges of scaling this approach in totality can become daunting. Is it really possible to "Never Trust" all devices? Is it really possible to "Always Verify" access to the entire infrastructure? In reality, probably not. This was the crux of the Digital Risk Management vs. zero trust argument of years past.
Let's accept that broad zero trust implementation may take some time. Let's also accept that, now more than ever, security teams will need to prioritize key projects to maintain business continuity and protect their operations. Even an immediate or piecemeal shift to zero trust can have major benefits: Dr. Ramzan argues that the better aim (or possible result) of the zero trust mindset may be a meaningful reduction in "The Trust Surface": that space inside the perimeter, behind the firewall and VPN, that is no longer the impregnable, vestal domain of decades past.
The first step in adopting zero trust is identifying the foundational elements necessary to make it real. Recently, the National Institute of Standards and Technology (NIST) of the U.S. Department of Commerce released SP 800-201: Zero Trust Architecture, which enumerates the logical components of a zero trust architecture. Notably, the requisite capabilities of the central components of NIST's architecture (policy engine, policy administration, and policy enforcement informed by identity management and data access policy) mirror functionality in Identity and Access Management (IAM) suites, such as RSA SecurID Suite. A mature and comprehensive IAM program is compulsory to be successful in the pursuit of zero trust.
NIST also enumerates critical contextual information such as threat intelligence and activity logs, and it prioritizes the collection, detection, and analytics capabilities found in Security Information and Event Management (SIEM) platforms, such as RSA NetWitness Platform.
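To make the three Forrester tenets listed earlier and the NIST logical components concrete, here is an added illustration (not code from RSA, NIST, or the webinar) of a per-request access decision: a policy engine that evaluates identity with MFA, device posture, need-to-know, and threat-intelligence context; a policy administrator that issues only a short-lived grant; and an enforcement point that records every decision, allowed or denied, in an audit log. All users, devices, resources, IP addresses, and blocklist entries are constructed sample data; the class and function names are the author's own, not an RSA SecurID or NetWitness API.

```python
"""Minimal zero trust policy-decision flow (added illustration, not RSA or NIST code).

Maps the NIST zero trust architecture's logical components onto plain Python:
  - policy engine: decides allow/deny per request from identity, device, and context
  - policy administrator: turns an allow decision into a short-lived session grant
  - policy enforcement point: gates the resource on that grant and logs everything
All identities, devices, resources and threat-intel entries below are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Set


@dataclass
class Subject:
    user: str
    roles: Set[str]
    mfa_verified: bool


@dataclass
class Device:
    device_id: str
    managed: bool
    compliant: bool          # e.g. disk encrypted, EDR running, patched


@dataclass
class Resource:
    name: str
    allowed_roles: Set[str]  # need-to-know: which roles may use it at all
    requires_managed_device: bool = True


@dataclass
class Context:
    source_ip: str
    threat_intel_blocklist: Set[str] = field(default_factory=set)


@dataclass
class Decision:
    allow: bool
    reasons: List[str]


@dataclass
class SessionGrant:
    user: str
    resource: str
    expires_at: datetime


AUDIT_LOG: List[dict] = []   # "inspect and log all traffic": every decision is recorded


def policy_engine(subject: Subject, device: Device, resource: Resource, context: Context) -> Decision:
    """Evaluate every request from scratch; being 'inside the perimeter' earns no trust."""
    reasons = []
    if not subject.mfa_verified:
        reasons.append("mfa_not_verified")
    if resource.requires_managed_device and not device.managed:
        reasons.append("unmanaged_device")
    if not device.compliant:
        reasons.append("device_noncompliant")
    if not (subject.roles & resource.allowed_roles):
        reasons.append("no_need_to_know")
    if context.source_ip in context.threat_intel_blocklist:
        reasons.append("source_ip_on_threat_intel_blocklist")
    return Decision(allow=not reasons, reasons=reasons)


def policy_administrator(subject: Subject, resource: Resource, decision: Decision,
                         now: datetime, ttl_minutes: int = 15) -> Optional[SessionGrant]:
    """Issue a short-lived grant only on allow, so access is re-evaluated at expiry."""
    if not decision.allow:
        return None
    return SessionGrant(subject.user, resource.name, now + timedelta(minutes=ttl_minutes))


def enforcement_point(subject: Subject, device: Device, resource: Resource,
                      context: Context, now: Optional[datetime] = None) -> Optional[SessionGrant]:
    """Gate the resource: ask the engine, obtain a grant, and log the outcome either way."""
    now = now or datetime.now(timezone.utc)
    decision = policy_engine(subject, device, resource, context)
    grant = policy_administrator(subject, resource, decision, now)
    AUDIT_LOG.append({"time": now.isoformat(), "user": subject.user, "device": device.device_id,
                      "resource": resource.name, "src": context.source_ip,
                      "allow": decision.allow, "reasons": decision.reasons})
    return grant


# Constructed sample data (hypothetical resources; 203.0.113.7 is a documentation address)
PAYROLL = Resource("payroll-db", allowed_roles={"finance"})
WIKI = Resource("internal-wiki", allowed_roles={"staff", "finance"}, requires_managed_device=False)
INTEL = {"203.0.113.7"}


def demo() -> dict:
    """Run five requests; a LAN source address is evaluated exactly like any other."""
    alice = Subject("alice", {"finance", "staff"}, mfa_verified=True)
    bob = Subject("bob", {"staff"}, mfa_verified=True)
    laptop = Device("lt-001", managed=True, compliant=True)
    byod = Device("phone-9", managed=False, compliant=True)
    office = Context("10.0.0.5", INTEL)
    bad_net = Context("203.0.113.7", INTEL)
    return {
        "alice_payroll_laptop": enforcement_point(alice, laptop, PAYROLL, office),
        "bob_payroll_laptop": enforcement_point(bob, laptop, PAYROLL, office),
        "alice_payroll_byod": enforcement_point(alice, byod, PAYROLL, office),
        "bob_wiki_byod": enforcement_point(bob, byod, WIKI, office),
        "alice_payroll_badnet": enforcement_point(alice, laptop, PAYROLL, bad_net),
    }


if __name__ == "__main__":
    for name, grant in demo().items():
        print(name, "ALLOW" if grant else "DENY")
    for entry in AUDIT_LOG:
        print(entry)
```

The design point is that the engine never consults network location as a trust signal: the office request from a non-finance user or an unmanaged device is denied exactly as the request from a blocklisted address is, and every denial carries its reasons into the log so a SIEM has something to correlate.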
Are IAM and SIEM the only requirements? Of course not. But reliable IAM, supporting both the existing infrastructure and the digital transformation project of the day, is clearly compulsory. So too is a SIEM that can ingest all the contextual information (wherever it may be and whatever form it may take), make sense of it, and facilitate expedient investigation and decision-making.
Deploying the logical componentry for zero trust shouldn't compel a fork-lift upgrade to the enterprise security infrastructure, providing of course that incumbent IAM and SIEM platforms offer the requisite capabilities. Fortunately for RSA's customers pursuing zero trust, RSA SecurID Suite and RSA NetWitness Platform more than measure up to the task.