
Russians have a proverb, "Trust, but verify". It came to the world’s attention when President Reagan used it in nuclear disarmament talks with Gorbachev in the 1980s. Reagan had learned the saying from his advisor. The Russian leader laughed when he heard it, recognising not just a popular Russian saying but an attempt at détente between Cold War adversaries.

It has since been embraced in the West and is used widely in leadership and negotiation. The idea is that you trust people to do the right thing, to understand something or to convey the truth of what they think; it is just wise to double-check the facts, objectively, first.

For many years it was applied in security. When trying to access a network or a system, the assumption was that your intentions were good, but your identity should be checked first before access was granted.

Defences were therefore placed at the perimeter – a firewall on a network, or a log-in screen on a computer. In the case of the computer, the logic went like this: we need to check whether you are a legitimate user. First, computers asked for a password; now they are more likely to want a password plus a factor other than something you know. This could be something you have, like a token (a hardware device that generates a PIN), or something you are, like your fingerprint.

But here’s the rub. Trust is a human concept. Computers are binary and act only on inputs. If you inherently trust the intentions of the user, then you are inherently trusting everyone who tries to access a system. You put defences at the perimeter, sure, but if those defences are bypassed and your intentions are less than honourable, then once you’re in as a bad actor, you’re in clover.

Every defence is fallible

After decades of throwing good intentions, good practice and money at the problem, the cyber security industry has come to recognise that you simply can’t build a system that is impenetrable. No wall is thick or high enough. No amount of booby traps, weapons and walls, figuratively speaking, will ultimately stop a determined attacker. There is always a way around.

An employee can be duped into giving away their access credentials. A malicious insider is already in. Then there’s the digital equivalent of a Trojan horse – as happened with the SolarWinds attack. SolarWinds makes network management software in use across hundreds of thousands of businesses and government departments globally. Russian state-backed hackers known as Cozy Bear managed to infiltrate the software firm’s development team, creating a backdoor into every customer through a code update to a component of the product. The havoc they wreaked has sent reverberations through the industry and caused major US national security issues. SolarWinds executives are currently facing the prospect of serious jail time as a result.

If you accept that every system is ultimately vulnerable, you need to take a different approach. It’s not that you stop deploying defences. It’s just that you don’t rely upon them; you don’t fully trust that they’ll be effective.

When you accept that even the most secure organisations can be breached, and not for lack of effort, money or wanting to do the right thing, thinking shifts from ‘trust, but verify’ to ‘never trust, always verify’. In other words, design systems and architectures on the assumption that you have already been breached, and you will limit the damage.

It’s not really a new concept. As renowned American mathematician Claude Shannon, the ‘Father of Information Theory’, put it during WWII, "assume the enemy knows the system… one ought to design systems under the assumption that the enemy will immediately gain full familiarity with them".

What is Zero Trust?

If you assume breach, then you are looking at all the things an adversary needs to have in place to be successful. Look at security from the attacker’s perspective and you make it much harder for them to reach your crown jewels once inside an environment. Do this and your perimeter defences become less of a concern.

Think about castle walls. Build them as high or as thick as you like, but if the enemy has planes and their soldiers have parachutes, castle walls are no use. If, however, every area inside the castle is walled off, and every door requires a separate key issued to authorised personnel only, it is much less of an issue. That is what Zero Trust does.

Apply this principle to ransomware. With Zero Trust approaches in place, you might not stop the infection, but you would stop it spreading. That’s a win because the damage is limited. Infections usually happen at the user-device level, and most companies have the good sense not to store their most critical information and systems on a single endpoint.

In a Zero Trust model, trust is never implicitly granted to assets, users or processes, regardless of their location (inside or outside the network perimeter). Instead, access controls are continuously evaluated and enforced based on factors such as user identity, device health, location and other contextual information. Every request to access a resource is authenticated, authorised and encrypted, regardless of the user’s location or the network from which the request originates. And it extends well beyond access, to policies, continuous monitoring, threat detection and network design. See our article on detect and response.

Imagine that, instead of roads with one-way systems, no-entry signs and weight and height limits, there were just a vast swath of tarmac on which you could go anywhere you liked. Chaos would ensue. Yet for many organisations, that is what their internal networks look like. If you’re a hacker, you love to see a flat, unsegmented network once you’ve breached the perimeter. Flat networks allow lateral movement – the attacker gets in on a low-level machine and moves about until they can find and gain access to something more critical, like an administration account.

To prevent this from happening, companies need to deploy micro-segmentation on their networks and privileged access management software around their most critical accounts. If that’s the case, it begs the question: why aren’t all networks, access systems and permissions tied into a Zero Trust arrangement already?
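The two ideas above, per-request evaluation of identity, device health and context (described under "What is Zero Trust?") and segmentation plus privileged access management to block lateral movement (this section), can be shown together as a small policy decision point. The following is an added example, not code from the article or from any vendor product; the segment policy, the role names, the allowed countries and the sample requests are all constructed for illustration.

```python
"""Hypothetical Zero Trust policy decision point (added example).

Every request is judged on its own merits: who is asking and how strongly
they authenticated, what device they are on, where they are, and whether the
segmentation policy allows the source segment to reach the destination at all.
Nothing is trusted merely for being "inside" the perimeter.
"""
from dataclasses import dataclass, field

# Constructed segmentation policy: (source segment, destination segment) -> services.
# Anything not listed is denied, which is what stops lateral movement across an
# otherwise flat network.
SEGMENT_POLICY = {
    ("workstations", "file-servers"): {"smb"},
    ("workstations", "web-apps"): {"https"},
    ("bastion", "domain-controllers"): {"ldaps", "rdp"},
}

# Constructed list of "crown jewel" segments that additionally require an
# admin role and a session brokered by privileged access management (PAM).
PRIVILEGED_SEGMENTS = {"domain-controllers"}

# Constructed location policy.
ALLOWED_COUNTRIES = {"GB", "IE"}


@dataclass
class Request:
    user: str
    roles: set
    mfa_verified: bool      # identity: second factor checked on this request
    device_managed: bool    # device health: enrolled in endpoint management
    device_patched: bool    # device health: no missing critical patches
    disk_encrypted: bool    # device health: full-disk encryption on
    country: str            # context: geolocation of the request
    source_segment: str
    dest_segment: str
    service: str
    pam_session: bool = False  # privilege: session issued by the PAM broker


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)


def evaluate(req: Request) -> Decision:
    """Return an allow/deny decision with one reason per failed check."""
    reasons = []
    # 1. Identity: authenticated on every request, never inferred from location.
    if not req.mfa_verified:
        reasons.append("identity: MFA not verified")
    # 2. Device health: a valid user on an unhealthy endpoint is still denied.
    if not req.device_managed:
        reasons.append("device: unmanaged endpoint")
    if not req.device_patched:
        reasons.append("device: missing patches")
    if not req.disk_encrypted:
        reasons.append("device: disk not encrypted")
    # 3. Context: location.
    if req.country not in ALLOWED_COUNTRIES:
        reasons.append(f"context: country {req.country} not permitted")
    # 4. Micro-segmentation: default deny between segments.
    allowed_services = SEGMENT_POLICY.get((req.source_segment, req.dest_segment), set())
    if req.service not in allowed_services:
        reasons.append(
            f"segmentation: {req.source_segment} -> {req.dest_segment}/{req.service} not permitted"
        )
    # 5. Privileged access: crown jewels need the role and a PAM-brokered session.
    if req.dest_segment in PRIVILEGED_SEGMENTS:
        if "admin" not in req.roles:
            reasons.append("privilege: admin role required")
        if not req.pam_session:
            reasons.append("privilege: PAM-brokered session required")
    return Decision(allowed=not reasons, reasons=reasons)


# Constructed sample requests: a healthy workstation doing normal work, the
# same workstation attempting to reach a domain controller directly, and an
# admin going through the bastion with a PAM session.
SAMPLE_REQUESTS = {
    "staff-to-fileserver": Request("alice", {"staff"}, True, True, True, True, "GB",
                                   "workstations", "file-servers", "smb"),
    "staff-to-dc": Request("alice", {"staff"}, True, True, True, True, "GB",
                           "workstations", "domain-controllers", "rdp"),
    "admin-via-bastion": Request("bob", {"staff", "admin"}, True, True, True, True, "IE",
                                 "bastion", "domain-controllers", "rdp", pam_session=True),
    "admin-unpatched": Request("bob", {"staff", "admin"}, True, True, False, True, "IE",
                               "bastion", "domain-controllers", "rdp", pam_session=True),
}

if __name__ == "__main__":
    for name, req in SAMPLE_REQUESTS.items():
        d = evaluate(req)
        print(f"{name}: {'ALLOW' if d.allowed else 'DENY'} {d.reasons}")
```

The point of the structure is that a denial lists every failed check rather than the first one, which is what a reviewer needs when tuning policy, and that the segmentation table is default-deny: the workstation-to-domain-controller request fails even for a fully healthy, MFA-verified user because that path simply does not exist in the policy.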

The time is now

The difference between Zero Trust in the past and Zero Trust today is that the technologies finally exist to make it happen. Combine this with the motivation to act, driven by the increased level of threat and the ever more damaging consequences of a breach – be it financial and reputational damage or punitive fines – and you have a perfect storm.

What’s more, education and knowledge are slowly catching up. That is not to say that all executive decision-makers understand the principles of Zero Trust, nor do all IT staff, but it is quickly gathering momentum, even if it is not always framed as a Zero Trust concept.

Many cyber insurance policies now ask about network segmentation and Privileged Access Management (PAM), two of the key technologies that enable Zero Trust. For some insurers, the presence of this technology is a prerequisite for obtaining cover. Few insurance companies will use the term Zero Trust in their questions, however.

So, it’s another new thing. Now I need to spend more on security?

In short, no. You don’t. Many companies have bought dozens, if not hundreds, of security tools and services to try to deal with the latest threat. Zero Trust approaches should greatly simplify things. As Deloitte points out, Zero Trust “reduces security costs by minimizing IT complexity through automating, simplifying and standardising the way we do cyber.” With Zero Trust approaches you can cut down on security application sprawl and the associated management overhead by obsessing less over perimeter defence. Instead, focus your efforts and spend on locking down internal environments to protect your most critical assets and limit the blast radius of a breach.

What’s more, standardising should simplify the user experience. In a perfect world security just happens and people are not aware of it. We used to have separate sat navs, a phone in a cradle and cameras stuck to car windscreens. In modern vehicles it is all integrated, typically through an app on your phone. It works without you having to understand the tech or make it work each time you get into the car. Over time this should happen with security, and Zero Trust approaches are a potential stepping stone. Keeping things simple and integrated makes security less visible. You want it there, but with minimal impact on people’s working lives.

I’m convinced. How do I go about it?

Given it’s the latest thing, there are many vendors touting themselves as a Zero Trust something… It’s true that some products enable aspects of Zero Trust, as we have noted, but making it happen will still require multiple vendors. There is no ‘One Ring’ to rule them all. Yet.

So, how can you sift through the noise and embrace Zero Trust if it’s not an off-the-shelf solution?

It’s a strategy. It’s a change in how you approach security. It will require investment in time, expert guidance, some technology and, hopefully, some simplification, which will save you money over time.