Demystifying Zero Trust
When we are little, our parents and grandparents remind us over and over again never to trust strangers. We should never talk to people we don’t know, and certainly, never get into other people’s cars. As we grow up, life teaches us that sometimes we also have to be careful with the people we trust. This vital lesson is transferred to the field of cybersecurity through a concept that has been all the rage in recent months: Zero Trust. But what is zero trust and is it the ultimate solution to all risks and vulnerabilities?
According to the US National Institute of Standards and Technology (NIST), a methodological reference in the field of security, the definition is as follows:
«Zero Trust provides a collection of concepts and ideas designed to minimize uncertainty in applying accurate access decisions with least privilege per request, on information systems and services in the face of a network that is considered compromised»
By referring to “a collection of concepts and ideas,” NIST gives a good account of the breadth of notions that go into Zero Trust.
However, more and more products, models, and even software are emerging that claim to implement Zero Trust in their operations. The question, given the above, is obvious: Is this even possible? Can such a general and intangible concept be contained in a technological tool or solution?
In the following, we will unravel the core elements of zero trust and analyze how this concept can serve as inspiration for implementing cybersecurity strategies.
1. «Zero Trust is not a state, it is a philosophy»
José Antonio Lancharro Bervel, director of BlackArrow, the offensive and defensive security division of Tarlogic Security, resituates the framework of debate around Zero Trust. He argues that Zero Trust is not something that can be implemented, but a philosophy that inspires the strategies and actions that an organization puts in place.
1.1. The path of zero trust
As a philosophy, Zero Trust holds, for example, that companies and institutions should distrust connections coming from outside, on the assumption that any of them may be malicious, and should treat internal connections in exactly the same way, so that every connection is handled as a potential intrusion.
Thus, we could say that a company cannot contract a Zero Trust package, install it on its systems and be fully confident that it is protected against external and internal malicious attacks. Rather, distrust must be present in the way it acts when faced with requests for access to resources.
On the other hand, it is possible to walk the path of zero trust. This can be done with measures that many companies have already implemented: multi-factor authentication, identity management, network segmentation, encryption… There is no single solution for moving towards Zero Trust in an organization; the catalog of measures that can be adopted is practically unlimited.
Zero Trust is, therefore, more useful as a concept that inspires a firm commitment to more secure systems than as a direct solution to security challenges. After all, the idea itself is simple: no request to access information is trusted on its face; the identity and the permissions of whoever is asking must be verified every time. It is hard to implement only because there are so many possible ways of advancing along the Zero Trust path.
1.2. AI, metaverse and future scenarios
Zero Trust is not the definitive answer to vulnerabilities and risks. As Jessica Cohen Villaverde, Director of Cyber Intelligence at Tarlogic, says, «It has its lights and shadows. It is not a panacea for future security». The spread of Artificial Intelligence into many areas of business, cybersecurity among them, and into the practices of malicious actors directly affects Zero Trust security strategies.
The same goes for the leap into the metaverse. Connecting virtual environments, people, devices, and apps securely and in real-time is a huge challenge. Thus, these leading-edge innovations open up new scenarios and, with them, new questions.
As we said before, Zero Trust is not a state that will be altered by these transformations. Rather, its principles, most of which are common sense and have always been applied in the field of cybersecurity, are guidelines for developing, implementing, and analyzing strategies to ensure the security of a company’s systems, software, and hardware. Also (or especially) in a scenario of technological revolution and constant innovation such as the current one.
2. A concept that packages the classical law of least privilege
Jessica Cohen points out that the overwhelming majority of cybersecurity and cyber intelligence techniques are translations to the digital world of strategies that already existed in the physical world. This is logical given the centuries of evolution that the latter has undergone. The strategy of concentric security rings (defense in depth), for instance, is a timeless classic that minimizes both the likelihood and the impact of a breach of the most critical assets.
2.1. Authenticate and authorize
Each user must have permission to perform only the tasks assigned to them and to access only the information they need. Not a single privilege more.
Accumulating privileges blatantly contradicts the law of least privilege, yet it is a common occurrence. For example, a user needed an application at some point, stopped using it long ago, and still retains the privileges acquired. Such stale privileges enlarge the attack surface: if that account is compromised, the attacker inherits every permission it has accumulated.
To a large extent, Zero Trust is nothing more than an update of the guiding principles of the classic law of least privilege.
What this philosophy tells us is that we should not trust people, internal or external, who want to access our resources. It is therefore essential to authenticate them so that they can enter the system and authorize them, stipulating what privileges they have to access, view, or even modify information.
2.2. Zero Trust principles
These ideas have been implemented in the field of cybersecurity for years. They are not recent innovations. Rather, the emergence of the Zero Trust concept has served to bring them together.
So much so that there has been a clear tendency to package basic security principles in services and models that claim to guarantee the implementation of an unmanageable concept such as zero trust.
This rebranding has sought to capture the attention of companies whose need for cybersecurity services grows as they undergo digital transformation. However, it creates the misleading impression that Zero Trust is an achievable goal, a state or an end that, once implemented, delivers total security. As Lancharro warned, it is nothing of the sort: it is a continuously evolving process.
The following are the most common principles that fall under the Zero Trust umbrella. These principles can be implemented, through strategies and techniques, to a greater or lesser extent, depending on the security needs of organizations and their characteristics, resources, and contexts.
2.2.1. Authenticating the identity of all users
Not only should we systematically distrust external users, but also internal users. To this end, the identity of all users must be authenticated.
In this regard, two-factor and multi-factor authentication (MFA) have become established techniques for verifying that the person seeking access is who they claim to be, and that their password has not been stolen or their identity impersonated.
The identity governance and management system is key to the successful implementation of this security principle.
2.2.2. Privilege restriction
This principle is the law of least privilege itself. It is therefore essential for organizations to have a robust permissions system that reflects both the risks faced by the organization and the genuine access needs of its professionals.
This can be done by micro-segmenting data and compartmentalizing it according to the characteristics of the company and the way it operates. And then establishing security controls to monitor access to them.
In addition to the compartmentalization of information, it is also essential that the administration of the different roles and permissions be agile and efficient.
2.2.3. Permanent supervision of user behavior
It is not enough to control the authentication and authorization processes; it is also necessary to have tools to automate the verification and evaluation of user actions within the system. How does the user behave? What data does he/she consult? What information does he/she modify? Have there been any alterations? Which ones?
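The three principles just listed (authenticate every caller, authorize with least privilege, and keep watching what accounts do) are usually implemented as one per-request access decision, which is also where the privilege accumulation problem from section 2.1 can be caught. The following is an added example, not code from the original article or from Tarlogic: a minimal policy check that evaluates every request against those principles. The users, resources, grants and timestamps are constructed sample data, and the 90-day staleness window and the set of resources that require MFA are assumptions chosen for the example.

```python
"""Added example, not code from the original article or from Tarlogic.

A minimal per-request access decision that applies the three Zero Trust
principles above to every request, internal or external:
  1. authenticate the caller (stepping up to MFA for sensitive resources),
  2. authorize with least privilege, refusing grants that have not been
     exercised recently (the privilege accumulation problem), and
  3. record every decision so user behaviour can be reviewed afterwards.
Users, resources, grants and timestamps are constructed sample data;
the 90-day staleness window and the set of sensitive resources are
assumptions chosen for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, FrozenSet, List, Tuple

STALE_AFTER = timedelta(days=90)                     # assumption: unused grants lapse after 90 days
SENSITIVE = frozenset({"payroll", "customer_pii"})   # assumption: these resources require MFA
SAMPLE_NOW = datetime(2024, 1, 1)                    # constructed "current time" for the sample data


@dataclass
class Session:
    """What the system has actually verified about the caller so far."""
    user: str
    authenticated: bool
    mfa_verified: bool


@dataclass
class Grant:
    """One explicit entitlement: allowed actions on one resource, and when it was last exercised."""
    resource: str
    actions: FrozenSet[str]
    last_used: datetime


@dataclass
class Decision:
    allowed: bool
    reason: str


AUDIT_LOG: List[dict] = []   # principle 3: every decision is recorded here


def sample_grants(now: datetime) -> Dict[str, List[Grant]]:
    """Constructed entitlements. bob's customer_pii grant has not been used for 200 days."""
    return {
        "alice": [Grant("catalog", frozenset({"read"}), now - timedelta(days=1)),
                  Grant("payroll", frozenset({"read"}), now - timedelta(days=3))],
        "bob": [Grant("catalog", frozenset({"read", "write"}), now - timedelta(days=2)),
                Grant("customer_pii", frozenset({"read"}), now - timedelta(days=200))],
    }


def _decide(session: Session, resource: str, action: str,
            grants: Dict[str, List[Grant]], now: datetime) -> Decision:
    # Principle 1: never trust an unauthenticated caller, wherever the request
    # comes from, and demand a second factor only where the resource warrants it.
    if not session.authenticated:
        return Decision(False, "caller not authenticated")
    if resource in SENSITIVE and not session.mfa_verified:
        return Decision(False, "MFA required for sensitive resource")
    # Principle 2: least privilege. Only an explicit, current grant for exactly
    # this action allows the request; everything else is denied by default.
    for grant in grants.get(session.user, []):
        if grant.resource != resource:
            continue
        if now - grant.last_used > STALE_AFTER:
            return Decision(False, "grant unused for too long; re-approval required")
        if action not in grant.actions:
            return Decision(False, f"action {action!r} not granted on {resource!r}")
        grant.last_used = now   # exercising the grant keeps it fresh
        return Decision(True, "explicit, current grant")
    return Decision(False, f"no grant for {resource!r}")


def evaluate(session: Session, resource: str, action: str,
             grants: Dict[str, List[Grant]], now: datetime) -> Decision:
    """Decide one request and log the outcome, allowed or not."""
    decision = _decide(session, resource, action, grants, now)
    AUDIT_LOG.append({"at": now.isoformat(), "user": session.user, "resource": resource,
                      "action": action, "allowed": decision.allowed, "reason": decision.reason})
    return decision


def stale_grants(grants: Dict[str, List[Grant]], now: datetime) -> List[Tuple[str, str]]:
    """Entitlement review: (user, resource) pairs whose grant should be revoked."""
    return [(user, g.resource) for user, gs in grants.items()
            for g in gs if now - g.last_used > STALE_AFTER]


if __name__ == "__main__":
    grants = sample_grants(SAMPLE_NOW)
    print(evaluate(Session("alice", True, False), "payroll", "read", grants, SAMPLE_NOW))
    print(evaluate(Session("alice", True, True), "payroll", "read", grants, SAMPLE_NOW))
    print(evaluate(Session("bob", True, True), "customer_pii", "read", grants, SAMPLE_NOW))
    print("grants to revoke:", stale_grants(grants, SAMPLE_NOW))
```

Two design choices are worth noting. The second factor is demanded only for resources marked as sensitive rather than on every request, which is the kind of trade-off between friction and assurance that the next section discusses. And a grant that has not been exercised within the window is refused at decision time and listed for revocation by the entitlement review, so an account that quietly accumulated permissions years ago does not hand them to whoever compromises it.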
3. Impact and actionability of Zero Trust actions
Beyond these principles, it is important to point out that, in reality, all measures that contribute to increasing the security of a company’s software and hardware are Zero Trust. The catalog of strategies and techniques that can be implemented is endless, so companies must decide which ones fit their needs and resources and which ones do not.
We can see this with a simple example. An e-commerce company wants to require a second authentication factor from customers who log in to its platform to make a purchase. That would strengthen its security posture and give its customers greater guarantees. However, an impact analysis concludes that mandatory two-factor authentication would drive away many customers who do not want to authenticate every time they visit the platform.
The economic damage would be so great that the security gained would not compensate for it. In practice the middle ground is often step-up authentication: the second factor is requested only for risky actions, such as a login from a new device or a change of delivery address, rather than on every visit.
This hypothetical case allows us to continue to discard the idea of Zero Trust as a totalizing concept and a single, global solution. Each company is different and good cybersecurity practices must be reconciled with business strategy and business reality.
3.1. Actionable strategies
A fundamental issue when talking about Zero Trust is therefore actionability. If a company tries to implement every Zero Trust principle, strategy, and methodology at its maximum level of complexity and sophistication, it will find that it is impossible. Strictly speaking, Zero Trust is not actionable as a whole: first, because the measures that could be implemented are practically unlimited; second, because corporate resources are finite and cybersecurity must be aligned with the other areas of the business.
Therefore, when a company decides to commit to Zero Trust, it must first be aware of what this means for the organization, what results it expects to obtain and what costs it will have to assume. This is the only way to design and implement a security structure that helps the company move forward on the road to Zero Trust.
3.2. Risk analysis
First of all, it is necessary to identify the risks and vulnerabilities faced by the business systems.
Once the risks have been identified, it is necessary to determine what measures can be implemented to eliminate or reduce them, how much money, time, and human resources those measures consume, and what mechanisms will be used to verify the level of improvement obtained.
As we have pointed out throughout this article, it is impossible to achieve a perfect level of security. Rather, security structures must limit the risks, taking into account the resources available.
The techniques and strategies implemented to secure systems must be measurable. A large outlay of money and time is hard to justify unless the resulting improvement in security can actually be shown.
3.3. Counterproductive measures
At some point in our lives, we have all taken a decision with a goal in mind, only to have it backfire.
Jessica Cohen warns that, if a company opts for security strategies that are extremely complex and difficult to implement, including too much bureaucracy, users will skip them. This would make them ineffective and ultimately increase security risks.
For this reason, any measure must be analyzed beforehand, to study its feasibility, both economically and in terms of implementation and usability.
There is no point in designing and implementing advanced security measures if their operation hinders the work of professionals.
3.4. How does it affect productivity?
Precisely, it is essential to take into account the people who are going to live with the security structure. The Zero Trust concept and its principles must be combined with the day-to-day reality of organizations.
If a measure put in place, such as the demand for constant authentication of workers, means that they waste many minutes of their working day on purely bureaucratic actions, productivity will suffer.
The same will happen if access restrictions are so tight that workers are repeatedly unable to reach information they need and must ask a colleague with broader permissions to provide it.
In the context of the digitized and globalized economy, productivity has been positioned as a crucial issue for the success of companies. If companies are not productive, their ability to compete suffers. It is, therefore, not a minor issue.
Hence, the implementation of Zero Trust strategies must be preceded by an analysis of its usability and how it will affect the productivity of professionals.
3.5. Taking care of the user experience
If workers are important, customers are no less important. Every digital business must successfully combine security needs to reduce risks and vulnerabilities with the user experience.
A consumer who feels they have wasted a lot of time making a purchase or checking out a service or product is less likely to trust the business again.
Protection against malicious and fraudulent attacks is an issue of growing concern to companies and citizens alike. However, security measures cannot be a burden on the use of systems. For this reason, opting for the Zero Trust philosophy must be accompanied by a thorough analysis of the consequences of the actions to be taken.
And, once such measures are implemented, mechanisms must be in place to evaluate their success, both in terms of security and of their impact on the business.
3.6. Decision-making advice
From the issues we have just addressed, it can be inferred that it is essential for companies to have professional advice at all stages of decision-making. From the moment the idea of implementing Zero Trust strategies arises, to the evaluation of the results generated by them.
This is precisely because Zero Trust is not a closed solution consisting of a catalog of actions to be implemented. Rather, its principles, approaches, and points of view can be put into practice in many different ways.
This is where the characteristics and specificities of each company come into play. The optimal security structure for one company may not be optimal for another. Only through an ongoing advisory and a thorough analysis of all assets, resources, and needs, can the Zero Trust path be successfully embarked upon.
4. Tarlogic’s Zero Trust equation
Against the myth of Zero Trust as a service that can be bought and implemented, at Tarlogic we advocate fully customizable solutions that address the fight against risks and vulnerabilities of an organization from three key areas: cybersecurity, offensive security, and cyber intelligence.
4.1. Out of the Box. Taking the Zero Trust philosophy further
Taking the Zero Trust philosophy as one’s own must involve a holistic approach to the security structures of companies. It is not enough to implement actions linked to the classic Zero Trust principles. It is essential to develop disruptive strategies, in which offensive security techniques and cyber intelligence capabilities also come into play.
The fact that the concept of Zero Trust is so broad allows us to take it beyond its classic coordinates: user authentication and authorization. If Zero Trust is assumed as a driving principle, it can manifest itself through all the actions that are put in place to secure an organization.
And since Zero Trust is not a state that can be achieved, it is essential to analyze whether security structures are consistent with its principles. As Alejandro Gonzalez Hernando, Cybersecurity Director at Tarlogic, argues, this analysis may raise a fundamental question: To what extent is the organization taking Zero Trust into account?
4.2. Fully personalized services. From ideal to reality
In an ideal Zero Trust scenario, companies have very advanced cybersecurity services. They test their systems regularly and exercise their defenses. In addition, their cyber intelligence services are extraordinarily comprehensive and allow the company to anticipate risks before they materialize.
This would imply having advanced and sophisticated security structures and strategies, which would therefore consume a large number of resources. It is therefore essential to think about Zero Trust strategies based on the characteristics and needs of the business, adapting and customizing services.
4.3. Cybersecurity: review and testing of systems
It is necessary to provide an efficient and agile answer to the needs of organizations: from periodic reviews of the exposed attack surface to advanced penetration tests that uncover weaknesses so they can be corrected before they are exploited.
In addition, security reviews make it possible to detect vulnerabilities and assess the impact on the business. What is the risk of a vulnerability being exploited? What are the consequences of a successful attack?
Zero Trust is not only based on the strong idea of systemic distrust, but also on the need to prioritize risks and to constantly check that measures are successful. There is no point in implementing actions to guarantee the security of enterprise software and hardware if they are not tested to ensure that they continue to function optimally.
4.4. Offensive security: moving from distrust to action
It is not enough to embrace the principle of distrust when building security structures. Rather, it is extremely valuable to opt for proactive solutions.
A strong advanced security team can provide Threat Hunting services based on compromise scenarios to detect unknown threats and attacks.
Similarly, cyber exercises could be conducted to move the Zero Trust philosophy from the realm of defense to attack.
As the famous saying goes: the best defense is a good offense.
The Red Team services play a key role in this process. This team simulates real attack scenarios, pretending to be malicious agents. Through their actions, it is possible to check how the defensive security team responds and to test whether the security structures comply with the Zero Trust principles or, on the other hand, weaknesses are detected.
What if a malicious actor has already got past the defenses, compromised user identities and is inside the system? With trust already broken, what can be done? Compromise Assessment services identify the intruders who have slipped past the controls, monitor the actions they take, evaluate the level of compromise achieved, and design a strategy to expel them from the affected organization.
4.5. Cyber intelligence: research to make decisions
Intelligence is as old as civilization itself. Since ancient times, human beings have striven to accumulate knowledge about their enemies to strengthen their strategies and tactics.
Today, more than ever before in history, information is power. That is why it is essential to have cyber intelligence services capable of gathering all the necessary data on attackers and aggressions. Whether analyzing web resources, social networks, wireless signals, or mobile messages.
Cyberintelligence professionals not only collect the information but also use structured methodologies to analyze and objectify it to compose a comprehensive overview of the malicious techniques that can be used against an organization.
When we talk about Zero Trust, we cannot limit ourselves to applying distrust to the systems themselves and attempts to access them, but must extend it to the entire digital ecosystem. In The X-Files, they said that the truth was out there… cyber threats too. But not only.
Within the organization itself, there may also be malicious actors seeking to undermine its functioning, hence cyber intelligence also has among its objectives the detection of internal threats.
As if this were not enough, information is also key when it comes to training and raising awareness among a company’s staff. Especially concerning Zero Trust. If its principles and the need to value security are not assumed by all the teams that make up an organization, the successful implementation of Zero Trust strategies will be impossible.
4.6. Advisory 360: Are we going in the right direction?
If Zero Trust is a path, it is crucial to know whether we are going in the right direction or the opposite direction. Walking for the sake of walking makes no sense. That is why it is so important to have an integral and permanent advisory.
Rationally advancing the Zero Trust philosophy involves accurately detecting needs, matching them with resources, and setting realistic and measurable objectives.
In this sense, all the services mentioned above allow companies not only to implement comprehensive security strategies but also to test them to guarantee their optimal performance and the fulfillment of objectives.
5. Comprehensive solutions that do generate trust
In conclusion, it is important to point out that Zero Trust is not a magic solution that solves all the security problems an organization may have. It is not software that can be installed and at the push of a button implements an insurmountable security structure. The fight against cyber risks involves a great deal of effort, which, moreover, must be carried out on an ongoing basis. Criminals do not rest.
Zero Trust is a philosophy, a set of ideas that have always been present in the field of cybersecurity and that, in essence, are common sense. Zero Trust should, therefore, above all, inspire us when designing and implementing security measures against malicious attackers, both internal and external.
To be successful, these measures should not be limited only to classic Zero Trust aspects such as security permissions management, but it is key to opt for holistic and disruptive approaches. Cybersecurity, offensive security, and cyber intelligence services complement and enrich each other. A comprehensive solution must put the knowledge of these three major areas at the service of the client’s needs.