Although not new, Zero Trust information security model has been gaining popularity lately. Over the years, we have been taught a certain security model that protects our business network. I will refer to it as the Trusted Network model. This model is based on the theory that the external network is not secure, while the internal network within the corporate boundaries is considered secure. However, things have changed in recent years. Businesses are getting hacked at a record pace, vendors are pushing organizations to move to the cloud; hacking, ransomware, and data theft have cost billions of dollars to millions of companies, and the public is becoming used to hacking as a part of life. This means that the Trusted Network security model is not sufficient to protect our critical systems and business assets, at least that’s the conclusion made by Forrester. The proposed model by Forrester is called the Zero Trust Model of information security. It’s based on a philosophy to trust no one. That’s right! You must not trust any traffic, internal or external.
|According to the 2017 Annual Cybercrime Report by Cybersecurity Ventures, “cybercrime will cost the world $6 trillion annually by 2021, up from $3 trillion in 2015. This represents the greatest transfer of economic wealth in history, risks the incentives for innovation and investment, and will be more profitable than the global trade of all major illegal drugs combined.”|
What is Zero Trust Model?
A Zero Trust architecture changes access controls from the corporate network perimeter to individual devices and users, called endpoints. A business can have the best security measures to guard the network against outside intruders, but the attacker can enter the corporate network easily using many different techniques. A Zero Trust model definitely has its appeal because it focuses on protecting the network endpoints, rather than network security boundaries on the perimeter.
My Take on Zero Trust Model
We live in a connected world where we have to collaborate not just with other employees, but also customers, vendors, partners, etc. I think the Zero Trust model makes sense in today’s world, especially because of the large number of major data breaches that bypass the defined corporate perimeter. However, this model may not be practical for every organization. It may require replacing legacy applications, updating custom programs, or updating the network infrastructure, all of which come at a cost. In addition to the cost and complexity issues, monitoring endpoints closely also raises some serious privacy issues.
After a repeal of an existing privacy law, Internet Service Providers (ISPs) are now able to legally sell our personal data without our consent. According to the New York Times, “The change will allow broadband internet service suppliers, such as cable and telecommunications companies, to track and sell a customer’s online information with greater ease.”
Forrester claims that “There is no chance of violating Civil Liberties – Zero Trust focuses on keeping internal data safe and would not result in any foreseeable encroachment on Civil Liberties.” It’s hard to believe that monitoring and logging all network traffic going in and out of the endpoints doesn’t encroach on Civil Liberties.
Change takes time. Trying to convince businesses to move from the traditional “Trust but Verify” security model to the new Zero Trust model that has a philosophy “Verify and Don’t Trust” won’t happen overnight. Everyone knows the advantages of moving from IPv4 to IPv6, but we still haven’t made it a high priority to switch things over completely after all these years. As the cost of network breach continues to increase, corporations will eventually turn around and make Zero Trust a higher priority.
Over time, implementing a Zero Trust model would become more affordable and will hopefully also address the privacy concerns. Privacy and security go hand in hand and you can’t really have one without the other.
A Real World Example
Forrester developed the Zero Trust model in 2010 and envisioned the model to be a vendor-neutral design so it is not tied to a specific technology or vendor.
Google decided to incorporate Forrester’s Zero Trust model into its “BeyondCorp” initiative whose mission is “To have every Google employee work successfully from untrusted networks without use of a VPN.” BeyondCorp is now available as a GCP service called Identity-Aware Proxy (IAP). According to Google:
“BeyondCorp is an enterprise security model that builds upon 6 years of building zero trust networks at Google, combined with best-of-breed ideas and practices from the community. By shifting access controls from the network perimeter to individual devices and users, BeyondCorp allows employees to work more securely from any location without the need for a traditional VPN.”
The critics say that Google’s BeyondCorp initiative forces businesses to become a Google shop. According to CSO Magazine, “If you want to implement Zero Trust today, you can buy and implement Google’s Beyond Corp as a service, but they lock you in to using everything Google (Google Cloud, Google Identity, the entire G Suite, and all users must be on Chromebooks).” This violates one of the fundamental goals of Zero Trust model because Forrester envisioned this security model to be vendor-neutral. By trying to lock businesses into Google’s own proprietary technologies, it seems like what Google has done with BeyondCorp is the exact opposite of what Forrester had in mind. This is a matter of concern and hopefully other companies won’t follow this path.
What Will Not Change with Zero Trust Model
In the current Trusted Network model, the humans are the weakest link in cybersecurity. Cybersecurity awareness training is key to protecting a corporate network, because every single employee, from an intern to the CEO, is at risk of becoming a social engineering victim. When businesses implement a Zero Trust model, the need for cybersecurity awareness training won’t go away. Because the focus would be on endpoints, employees would have to become even more aware of cybersecurity threats because they won’t be inside a secure bubble that’s safe from the external attacks. The mobile device usage is only increasing, causing massive challenges for IT departments. The wireless devices are more prone to cyberattacks and the smartphones and Internet of Things (IoTs) are a good excuse for organizations to implement a Zero Trust model. Therefore, the need for cybersecurity awareness training would only increase in future and Zero Trust model will not eliminate or reduce such training.
As far as cybersecurity strategy is concerned, my recommendation to my clients is to implement Cybersecurity Awareness Training as part of the overall Cybersecurity Awareness & Training Program. Make sure that employees go through this training every year to keep up with the latest cybersecurity threats and changes in the industry. This will create a security culture that will continue to benefit the organization for years down the road.
|Thanks for reading my article. If you are interested in IT training & consulting services, please reach out to me. Visit ZubairAlexander.com for information on my professional background.|
Copyright © 2018 SeattlePro Enterprises, LLC. All rights reserved.