CISO Forum Summary – Implementing Zero Trust

Since the SolarWinds breach was discovered in December 2020, the security industry has been hyper-focused on how much exposure an organization may have – even when there is perceived to have a trusted and secure relationship.  

“Are we trusting our vendors too much?”

The question being asked is, “Are we trusting our vendors too much?”  One CISO said, “Vendors want us to accept them as blind trust.“  If SolarWinds was using a Zero Trust model with Multi-Factor Authentication (MFA) or another authentication method, they would not have likely been breached.

In our CISO Forum, we discussed how security programs need to thoroughly evaluate their 3rd party vendors through better assessments and more robust contracts. One recommendation was to ensure the vendor agreements have policies that bind them with indemnification clauses and hold them accountable to protect your data. If there are financial consequences, they will be more motivated to provide you with a secure environment.

So who can you trust?  The answer is quickly moving toward – No one.  No 3rd party, no person, no machine, no connection, and no application.  Hence, the reason Zero Trust is now the newest security buzzword.

In February 2021, the NSA published a succinct paper called Embracing A Zero Trust Model which defines Zero Trust as: 

Zero Trust is a security model, a set of system design principles, and a coordinated cybersecurity and system management strategy based on an acknowledgment that threats exist both inside and outside traditional network boundaries. 

It is a data-centric security model that allows the concept of least privileged access to be applied for every access decision, where the answers to the questions of who, what, when, where, and how are critical for appropriately allowing or denying access to resources.

Zero trust is a state of mind.”

  • Zero Trust is not just another security technique or tool.  “Zero trust is a state of mind.”
  • You have to completely change the way you think about access. 
  • Another leader said it is more about, “Who you are and how you are, not what you do.”  There will be plenty to do after everyone is on-board with this new mindset. 
  • “Don’t trust anybody, treat everybody as the enemy.” another leader described it.  
  • “Trust nothing – everything is hostile.  Treat everything as if you are on a Starbucks network.”

Traditionally, data centers were protected, walled off mainframes, and those accessing the data were within the walls of the same building or at least on a dedicated secure connection to the mainframe. 

Now, we are moving critical and confidential data out of those buildings as fast as we can to the cloud which is owned by someone else.  However, many businesses still have the old mindset that their traditional identity and role-based access management should still be adequate. 

“We have always done it that way” is no longer a valid argument when you move to the cloud and now you are exposing your source code, build pipeline, critical customer data, and much more.  Development teams who have worked behind the firewall and have always assumed they were protected will now have their code exposed to the best hackers in the world.  

Zero Trust must be designed into everything …

Zero Trust must be designed into everything and may not even be achievable for many firms. It really needs to be designed holistically to evaluate the entire enterprise application architecture, the identity access systems, and all the assets.  

A risk framework should be used to understand where the highest risks are and where the initial focus and investment should take place. For most organizations, this is a true paradigm shift that impacts their entire approach if it is done correctly.  

In planning for Zero Trust, leaders need to project three years out to predict where Zero Trust needs to be then.  It is a long initiative, that frankly, many CISOs won’t be around to see the full lifecycle of the implementation.

The NSA recommends a Zero Trust Mindset should take into consideration:

  1. Coordinated and aggressive system monitoring, system management, and defensive operations capabilities.  
  2. Assuming all requests for critical resources and all network traffic may be malicious.  
  3. Assuming all devices and infrastructure may be compromised.  
  4. Accepting that all access approvals to critical resources incur risk, and being prepared to perform rapid damage assessment, control, and recovery operations.

Several leaders described executive resistance to supporting another large security initiative. However, leaders said developing organizational awareness and educating executives was critical to gaining support. The NSA Zero Trust Model may help evangelize this as they strongly recommend Zero Trust be considered for all critical networks.

5 Step Model for how to get to Zero Trust:

  1. Establish trust in user identities and permissions and reconcile those
  2. Evaluate the trustworthiness of the device
  3. Enforce access policies on devices
  4. Enable secure connections (MFA) to applications
  5. Once the above are in place, look for anomalies

In the design phase, it was recommended to use a tool like Ardoq (a Visio alternative) for Enterprise Architecture (EA) to map all asset inventory, communication ports, and access points to thoroughly understand those interrelationships.

With an EA map, the security team can begin working with the business teams to understand and define:

  • How much can be restricted? 
  • What is the least amount of access required?
  • What will be the process for temporarily expanding access?
  • What criteria will be used to validate access?  

Design Advice from leaders: 

  • Must prioritize and get small wins to show progress to maintain executive support.  
  • Find ways to make it easier on the user.  A suggestion offered was to go back to Certification-based authentication where you identify and match both the machine certification and the user.
  • Risk Tier all applications.  You have to know what you need to trust. Move toward software-defined perimeter.  Can’t access servers unless every connection & MAC address is validated. 
  • Eliminate VPNs and use MFA. 
  • Containerize applications, Use Software Defined Networks, & Device Trust. 
  • Move away from Passwords as they are flawed. 
  • Validate credentials by using a jump server with MFA then, track IP, ISP, and MAC addresses to ensure all are recognized. If not, all exception messages are sent to a 24-hour monitored SOC and must be approved if location, device or user is not recognized. 
  • Build in Adaptive MFA, Factor Resequencing, Impossible Travel & Unknown location, and use SOAR to reset accounts when an anomaly comes up.  
  • One firm built its own SOAR platform to save costs and has a goal of achieving 80% automation.

Advice on Vendor Selection:

Achieving a robust Zero Trust program will require the use of multiple technologies.  Here are some words of advice from leaders when evaluating and selecting Zero Trust vendors.

  • Zero Trust enabling cloud tools are coming online rapidly, therefore, it may not be best to sign long-term contracts even if they offer deep discounts. Technology is changing too rapidly.
  • It is better to go with a single 80% solution, than trying to boil the ocean with many different tools to get to a 100% solution.  Also, don’t be afraid to throw solutions out of the boat if they are no longer delivering value.
  • Develop a formal RFP process for adding tools.  Define the necessary functionality then bring in all the stakeholders into the buying process. This will slow the propagation of tools and provide a better ROI for evaluation later.  

What tools are advancing Zero Trust? 

Here are solutions that were mentioned in our CISO Forum as ones to consider when planning and evaluating Zero Trust technologies.

Conclusion:

Deploying a Zero Trust framework is not easy.  While it may not seem as difficult to achieve with new cloud-based applications, it can be a huge challenge when you consider the entire enterprise including all data, legacy applications, vendors, users, and devices.  

Focusing on education, using a risk-based methodical approach, and showing wins along the way will increase the level of support and success for achieving Zero-Trust within your organization.

One leader proclaimed, “This just shows we will never be done with security.”

Thanks to the input of the security leaders who joined our CISO Forum which provided such insightful advice to on how to improve your security program.

If you are a security leader and would like to participate in our monthly CISO Forums where we discuss valuable and actionable information as well as best practices and challenges, please register here.

About Tim Howard

Tim Howard is the founder of 4 technology firms including Fortify Experts which helps companies hire the Best Cyber Talent on the Planet as well as provides expert consulting and NIST based security assessments

In addition, he has a passion for helping CISO’s develop Higher Performing Teams through coaching, by creating interactive CISO Forums and by helping them create highly-effective team cultures.

With each new hire, his firm produces an Employee Operating Manual to help clients understand how to motivate and maximize productivity while meeting the needs of each employee.

He also teamed up with Lyndrel Downs to launch Cybersecurity DIVAS to help promote the most influential women in cybersecurity and provide a mentoring program to help encourage and support more diversity within the industry.

Tim is married with 3 kids. He is an avid runner and has completed two IRONMAN Texas events. He is also a graduate of Texas A&M University. 

Invite Tim to connect:  www.linkedin.com/in/timhoward