Nothing personal: Zero Trust meant to stop cyber breaches before they start

Zero Trust can put a bad taste in people’s mouths if they think the cybersecurity framework pushes the notion of guilty until proven innocent. But the firm that helped coin the phrase said it’s far less accusatory.

According to Chase Cunningham, principal analyst at Forrester Research, which coined the now-popular term, Zero Trust means a combination of concept, theory and technology to “achieve an outcome.” He said it refers to removing the inherent trust built into networks which causes cybersecurity problems.

“It’s really a given that organizations are going to get breached or are already breached, and when we talk about Zero Trust we talk about making sure that people understand you fight from the inside and you control what you can control,” he said on Federal Monthly Insights — Zero Trust. “And you remove all those default configurations and excessive trust relationships that go on in networks. So that isn’t the problem in the future.”

This means removing the potential for someone to be the person who causes a cybersecurity failure. Mandating two-factor password authentication, or making sure mobile apps do not improperly interact are examples. But Cunningham said this is easier said than done because it’s difficult to force a person to separate their device between personal and business.

“If your device is going to access my corporate network, when you reach out to touch my network I’m going to mandate that that device is checked for its patch level. And I’m going to mandate that that device is pushed through a multi-factor authentication protocol. And lastly, I’m going to make sure that when that device gets into my network that it’s living and existing within a segment of a network that I have really good visibility on and really good response capabilities on,” he said on Federal Drive with Tom Temin. “I’m not going to let that device just sort of jump onto the network and do whatever it needs to do and then roll out — that’s not the way that this should work.”

Zero Trust can also hamper phishing attacks, Cunningham said. Implementing role-based access rather than giving people unneeded credentials can “carve up” a network so that the affected party can only accomplish tasks they need to do. This can seem abnormal for organizations trying to consolidate their employee sign-on capabilities, but Cunningham said he ultimately wants to make security as easy as possible.

“If I can enable something like single sign-on that only allows access to applications that that user should have access to, and I mandate things like good application security, good patching, multifactor, etc., my single sign-on actually becomes a benefit to Zero Trust,” he said.

A whole new set of challenges come with cloud technology, as with great capability comes great vulnerability. In this sphere, Cunningham said it’s important to leverage virtualization for its intended purpose. Merely forcing old practices into a new virtual architecture is not the answer, he said. Rather, virtualization is useful for rolling back to an uncorrupted version if something is compromised down the road.

“You’re supposed to be able to carve stuff up, move it around, manipulate, reconfigure, redeploy, test, train, whatever, and do it that way,” he said. “You don’t take something that was flawed for 20 years, think that it’s going to be virtualized and safe and move to the cloud and call it a day.”

Cunningham said good cybersecurity is not as elusive as it seems. The Department of Homeland Security’s continuous diagnostics and mitigation program for all federal agencies can also monitor flaws in Zero Trust. He said good cybersecurity is not as elusive as it may seem; it mostly comes down to “good blocking and tackling.”

“If you look at the history of where problems have actually occurred in cyberspace, almost entirely, never do you find some crazy [National Security Agency] logic bomb-thing that just, you know, activated by itself and AI its way out of a network and blah, blah, blah,” he said. “It’s always bad practices, bad management, patching, and usernames and passwords that cause compromise. So if you solve those really simple things, and especially in something like CDM, and you can measure it and make sure you know what’s going on, you dramatically improve your overall posture.”