
The Fundamental Shift to a Data-centric Security Posture Through Zero Trust Architecture

By Andrew Stockel, Principal

Up until the 15th century, castles were deemed impenetrable; as a result, siege warfare, a war fought through attrition, became the standard way to take one. Castles used a layered approach to deter adversaries, as the time, resources, and cost of an assault could be too great for an attacker to bear. This was an effective defense until the introduction of the cannon, which rendered the perimeter defenses, and specifically the castle walls, useless. Additionally, this defensive strategy assumed the enemy was external, while implicit trust was given to everyone already behind the castle's walls (consider the Trojan horse).

Today, when implementing a cybersecurity strategy, organizations adopt a similar method. This approach is widely known as defense-in-depth: specific security tools and solutions are layered to hinder adversaries from gaining access to the network. Under this approach, an organization relies on its internally deployed tools to slow or stop an attack when a preceding control fails, while providing implicit trust to individuals already inside the network. When implemented correctly, this has traditionally been effective, although the sophistication and new attack techniques of malicious actors have recently undermined it.

With malicious actors becoming more sophisticated in exploiting various attack avenues, along with organizations adopting new technology to meet business needs, the attack surface has become exponentially larger. This makes it much more difficult to defend organizational assets through a defense-in-depth approach alone. The SolarWinds breach, which is suspected to have begun in April of 2019, resulted in multiple organizations being exploited by a single attacker. The attackers compromised the SolarWinds supply chain, leaving any organization that installed the compromised version vulnerable, as the threat actors had direct access for months before being discovered. The traditional defense-in-depth mindset would not protect against an attack such as this because implicit trust was afforded to the supply chain: the user unknowingly gave the actors direct access to the network, allowing them to circumvent every security layer.

Because of the severity of this attack, President Biden signed EO 14028, Improving the Nation's Cybersecurity, which requires the federal government to modernize its approach to cybersecurity by adopting a zero-trust approach. The term Zero Trust was first introduced in April 1994 by Stephen Paul Marsh in his doctoral thesis on computer security. In 2010, the term Zero Trust Model was used by analyst John Kindervag to denote stricter cybersecurity programs and access control for organizations. However, it was not until 2018 that Zero Trust security started gaining prominence, as the National Institute of Standards and Technology (NIST) published Special Publication (SP) 800-207, Zero Trust Architecture. The Cybersecurity and Infrastructure Security Agency (CISA) describes Zero Trust "as a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per request access decisions in information systems and services in the face of a network viewed as compromised with the goal to prevent unauthorized access to data and services, while making access control enforcement as granular as possible."

Adopting this approach requires organizations to rely more on identity and data instead of just a layered set of security tools. It will most likely require an organization to invest in key technology to address the missing components of a Zero Trust Architecture, while also shifting the organizational philosophy and culture around security. To assist the federal government in reaching this adoption, the Office of Management and Budget (OMB) has released subsequent memorandums outlining how the federal government is to implement Zero Trust Architecture, the most important being OMB Memorandum M-21-31, Improving the Federal Government's Investigative and Remediation Capabilities Related to Cybersecurity Incidents.

This memorandum identifies key data sources that are to be collected, giving an organization full visibility into network and host activity. Additionally, it requires organizations to invest in automation technology, such as Behavioral Analytics and Security Orchestration, Automation, and Response (SOAR), that enhances an organization's ability to respond readily to anomalies on the network. When implemented correctly, together with the identified data sources, an organization can establish what normal behavior on its network looks like and act more readily through automation to reduce threats and risks.
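The contrast between the two models in the passages above (implicit trust for anyone inside the perimeter versus a per-request, least-privilege decision that draws on identity, device posture, and a behavioral baseline learned from collected data) can be made concrete in code. The following is an added illustration, not Kearney & Company's code or any product's API; the request fields, the entitlement table, the device-posture flags, and the historical access log are all constructed for the example, and the anomaly scoring is a deliberately simple stand-in for a real behavioral-analytics engine.

```python
"""Perimeter trust versus per-request, data-driven access decisions.

Constructed example. Network location is an input to the perimeter model
only; the zero-trust decision ignores it and instead checks identity
assurance, device posture, least-privilege entitlement, and how far the
request departs from the user's observed baseline.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    user: str
    device_id: str
    src_network: str       # "internal" or "external" (constructed label)
    resource: str
    action: str            # "read" or "write"
    hour: int              # hour of day, 0-23
    mfa_verified: bool     # identity assurance signal from the IdP
    device_compliant: bool # posture signal from endpoint management


# Constructed historical access log: (user, resource, hour). In practice this
# is the kind of data source the memorandum requires to be collected.
HISTORY = [
    ("alice", "finance-ledger", 9), ("alice", "finance-ledger", 10),
    ("alice", "finance-ledger", 14), ("alice", "hr-portal", 11),
    ("bob", "build-server", 8), ("bob", "build-server", 13),
    ("bob", "build-server", 17),
]

# Constructed least-privilege entitlements: user -> resource -> allowed actions.
ENTITLEMENTS = {
    "alice": {"finance-ledger": {"read", "write"}, "hr-portal": {"read"}},
    "bob": {"build-server": {"read", "write"}},
}


def build_baseline(history):
    """Learn, per user, which resources and hours of day are 'normal'."""
    baseline = defaultdict(lambda: {"resources": Counter(), "hours": Counter()})
    for user, resource, hour in history:
        baseline[user]["resources"][resource] += 1
        baseline[user]["hours"][hour] += 1
    return baseline


def anomaly_score(req, baseline):
    """0 = consistent with past behaviour; 1 = one unusual factor; 2 = two."""
    profile = baseline.get(req.user)
    if profile is None:
        return 2  # never-seen user: nothing to compare against
    score = 0
    if req.resource not in profile["resources"]:
        score += 1
    if not any(abs(req.hour - h) <= 2 for h in profile["hours"]):
        score += 1
    return score


def perimeter_decision(req):
    """Castle-wall model: whatever is already inside the network is trusted."""
    return "ALLOW" if req.src_network == "internal" else "DENY"


def zero_trust_decision(req, baseline):
    """Per-request decision; returns (verdict, reason). Network location is
    deliberately not consulted, since the network is assumed compromised."""
    if not req.mfa_verified:
        return "DENY", "identity not strongly verified"
    if not req.device_compliant:
        return "DENY", "device posture non-compliant"
    allowed = ENTITLEMENTS.get(req.user, {}).get(req.resource, set())
    if req.action not in allowed:
        return "DENY", "no entitlement for this action on this resource"
    score = anomaly_score(req, baseline)
    if score >= 2:
        return "DENY", "far outside baseline; open SOC case automatically"
    if score == 1:
        return "STEP_UP", "unusual for this user; require re-authentication"
    return "ALLOW", "consistent with identity, posture, entitlement, baseline"


BASELINE = build_baseline(HISTORY)

if __name__ == "__main__":
    samples = [
        # inside the network, but bob has no business on the finance ledger
        Request("bob", "dev-laptop-7", "internal", "finance-ledger", "read", 3, True, True),
        # outside the network, but a verified user on a compliant device doing normal work
        Request("alice", "fin-laptop-2", "external", "finance-ledger", "read", 10, True, True),
        # legitimate entitlement, but at an hour alice has never worked before
        Request("alice", "fin-laptop-2", "internal", "finance-ledger", "write", 2, True, True),
    ]
    for r in samples:
        print(f"{r.user:6} {r.resource:15} perimeter={perimeter_decision(r):5} "
              f"zero-trust={zero_trust_decision(r, BASELINE)}")
```

The first sample request is the Trojan-horse case: the perimeter model allows it purely because the source is inside the network, while the per-request model denies it on entitlement alone. The second is the inverse, a legitimate remote user the perimeter model would block. The third shows the baseline being used as a signal rather than a hard block: entitlement is satisfied, but the off-hours access triggers a step-up rather than an outright allow, which is the kind of automated response the memorandum's data sources make possible.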

Implementing this approach moves away from traditional defense-in-depth, which relies on layered security tools, and toward using data and automation to identify anomalies and respond to them effectively.