Zero Trust and why organisations need it
Many often say they have a Zero Trust network. But what does that mean? ‘Oh, we've implemented some of authentication’. That's not what Zero Trust is about. It's about the entire architecture, making sure that every aspect of your network is secure.
– Gary Gardiner, Head of Security Engineering, Check Point Software Technologies
Why do security problems seem to be getting worse despite years of increasing spending on cyber security solutions? Can a Zero Trust approach help organisations deliver better outcomes? While the concept is generally well understood by cyber security practitioners, misconceptions about Zero Trust abound in the broader IT community.
Speaking at a Tech Talk session at GovWare, Gary Gardiner, Head of Security Engineering at Check Point Software Technologies, attempted to shed some light on this security concept by casting it in terms of everyone’s favourite topic: travel.
Deciphering Zero Trust
The typical airport is built around the concept of Zero Trust, observes Gardiner. “Anyone can go to the concourse in an airport to meet someone or drop someone off. This is the equivalent of your company website. Everyone can access it.”
“But to get inside, you must have a ticket. And you will have your identity checked against your passport. You check in your luggage, and the next stage is immigration. There, your passport and boarding pass are again checked by an official,” he said.
“Even once you are airside, that doesn't mean you can just hop on any plane. You head to your assigned gate, and there you are checked once more. You walk towards the plane and right at the door, they ask for your boarding pass and passport where they go through the entire process one more time.”
“They check. They ask, and they keep checking,” said Gardiner. And even aboard the plane, he noted, there are parts of the aircraft that passengers are not allowed to access. “Even on the plane, they apply a least privileged model.”
Making it work
In practice, a Zero Trust implementation means that no one is trusted by default either inside or outside the network, and verification is required from everyone requesting a resource. But getting it right requires a redesign of the entire architecture and does not happen simply by deploying a new system or two, says Gardiner.
“When I speak to organizations, many often say they have a Zero Trust network. But what does that mean? ‘Oh, we've implemented some of authentication’. That's not what Zero Trust is about. It's about the entire architecture, making sure that every aspect of your network is secure,” he said.
Organisations want to achieve zero false negatives with their Zero Trust deployment, says Gardiner. But even more important is ensuring that users are not inconvenienced and can access the services they need. He explained: “If the experience is not seamless, users are going to find ways around your technology. Avoid implementing a complex solution, especially around remote access.”
Finally, Zero Trust isn’t meant to work alone. Going back to his travel analogy, Gardiner shared an anecdote: “At a U.S. airport recently, the immigration officer asked to see my Australian passport even though I presented my U.S. passport. Somehow, they knew that I had two passports,” he said. “There's that level of integration that we have in the immigration system. Similarly, we need that visibility across all aspects of what we're doing in cyber security.”
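To make the definition in this section concrete, here is an added example of a policy decision point that evaluates every request in the stages Gardiner's airport analogy describes: an open concourse, an identity and device check, a repeated check for sessions that have gone stale, and a least-privilege gate check per resource and action. It is illustrative code written for this article, not code from the talk or from Check Point; the role table, the 30-minute re-verification window, the sample scenarios and the clock are all constructed assumptions. The perimeter model it is contrasted with grants access to anything already on the internal network, which is exactly the assumption Zero Trust removes.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample entitlements (role -> allowed (resource, action) pairs).
# A real deployment would pull these from its identity provider or policy store.
ROLE_PERMISSIONS = {
    "medical-admin": {("patient-records", "read")},
    "vendor": {("hvac-telemetry", "read")},
}
PUBLIC_RESOURCES = {("website", "read")}          # the "concourse": open to all
MAX_SESSION_AGE = timedelta(minutes=30)           # assumed re-verification window


@dataclass(frozen=True)
class Request:
    user: str
    roles: frozenset
    mfa_verified: bool          # identity proven for this session ("passport")
    device_compliant: bool      # endpoint posture check passed
    last_verified: datetime     # when identity and device were last confirmed
    source_ip: str              # recorded for audit only; never grants trust
    resource: str
    action: str


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str


def perimeter_decide(req: Request) -> Decision:
    """Legacy model: anything already on the corporate network is trusted."""
    if req.source_ip.startswith("10."):
        return Decision(True, "request originates inside the perimeter")
    return Decision(False, "request originates outside the perimeter")


def zero_trust_decide(req: Request, now: datetime) -> Decision:
    """Evaluate each request on its own merits; network location counts for nothing."""
    # Concourse: public resources need no credentials at all.
    if (req.resource, req.action) in PUBLIC_RESOURCES:
        return Decision(True, "public resource")
    # Ticket and passport: who is asking, and from what kind of device?
    if not req.mfa_verified:
        return Decision(False, "identity not verified")
    if not req.device_compliant:
        return Decision(False, "device posture not compliant")
    # "They keep checking": a session verified long ago must prove itself again.
    if now - req.last_verified > MAX_SESSION_AGE:
        return Decision(False, "session stale; re-verification required")
    # Gate check: least privilege, per resource and per action.
    permitted = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in req.roles))
    if (req.resource, req.action) not in permitted:
        return Decision(False, f"no entitlement to {req.action} {req.resource}")
    return Decision(True, "identity, device, session freshness and entitlement verified")


NOW = datetime(2023, 10, 18, 9, 0, tzinfo=timezone.utc)   # constructed clock


def _req(**overrides) -> Request:
    """Build a request from a verified-clinician baseline, overriding selected fields."""
    base = dict(user="alice", roles=frozenset({"medical-admin"}), mfa_verified=True,
                device_compliant=True, last_verified=NOW, source_ip="10.1.2.3",
                resource="patient-records", action="read")
    base.update(overrides)
    return Request(**base)


# Constructed scenarios: a vendor credential used from inside the network,
# a verified clinician, a stale session, an out-of-role action, and a public page.
SAMPLE_REQUESTS = {
    "vendor_inside_no_mfa": _req(user="vendor-acct", roles=frozenset({"vendor"}),
                                 mfa_verified=False),
    "clinician_verified": _req(),
    "clinician_stale_session": _req(last_verified=NOW - timedelta(hours=2)),
    "clinician_out_of_role": _req(action="update"),
    "anonymous_public_site": _req(user="anon", roles=frozenset(), mfa_verified=False,
                                  device_compliant=False, source_ip="203.0.113.7",
                                  resource="website"),
}


def run_samples() -> dict:
    """Return {scenario: (perimeter_allow, zero_trust_allow, zero_trust_reason)}."""
    results = {}
    for name, req in SAMPLE_REQUESTS.items():
        p, z = perimeter_decide(req), zero_trust_decide(req, NOW)
        results[name] = (p.allow, z.allow, z.reason)
    return results


if __name__ == "__main__":
    for name, (p, z, why) in run_samples().items():
        print(f"{name:26s} perimeter={'ALLOW' if p else 'DENY '}  "
              f"zero-trust={'ALLOW' if z else 'DENY '}  ({why})")
```

Running it shows the two models diverging in both directions: the perimeter model waves through the unverified vendor account, the stale session and the out-of-role update simply because they come from a 10.x address, and blocks the public website for an outside visitor, while the Zero Trust evaluator denies each of the first three with a specific reason and opens the concourse to everyone. The denial reasons matter for the user-experience point Gardiner makes: a stale session should prompt a re-authentication, not a silent failure that drives users to work around the control.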
The case for Zero Trust
One may be forgiven at this point for thinking that Zero Trust might take more work than it’s worth to implement. But Gardiner asserts that achieving a heightened level of cyber security is essential in the face of today’s hybrid work environments and evolving threats.
Tongue-in-cheek, he noted that all of us have “threat actors” in our homes that often cause problems either by running through the room during Zoom calls or by excessively taxing the home network with frivolous downloads. But the repercussions of attackers gaining access to the network through a family member’s compromised device are very real and cannot be ignored.
“There are medical administrators working from home accessing patients’ medical records on their PCs. Their family are not allowed to see that medical data, but if they leave the PC and their kid comes in and has a look at it – that is a HIPAA violation right there. So, we need to think deeper about this.”
He pointed to the infamous Target hack of 2013, in which attackers broke into the U.S. retailer’s network using the stolen network credentials of a vendor. A Zero Trust implementation would presumably have kept the attackers out.
“It doesn’t matter where we are, the problems remain the same. We must still secure our networks, we must still secure our users, and we must still do building access security. And we need to make sure that the data, whatever that is, stays confidential.”
Securing a tumultuous world
With 25 years of experience in cyber security and a background in penetration testing, ethical hacking, and digital forensics for law enforcement, Gardiner was a veritable treasure trove of the latest cyber security developments. He pointed to the multiple hacking incidents that followed the Russian invasion of Ukraine and hacktivism in general as reasons to set the security bar higher.
“You have organisations attacking multiple targets based on their political ideologies. Any time a government makes a decision, decides on a foreign policy, or even if someone is annoyed about your company’s policies, you could be subjected to a devastating cyber-attack,” he said.
In a nutshell, Zero Trust, combined with better security intelligence and tools, can help organisations deliver better outcomes for their users. And with the tumultuous world out there, organisations should seriously consider implementing it if they have not already done so.
“Zero Trust is an essential strategy that you must consider; something that your organization should take very seriously. Its implementation should be very practical, and it should be easy for your users to use,” Gardiner summed up.