Zero trust relies on ‘monumental shift’ of securing user, not network
June 13, 2022 9:45 am
This content is sponsored by Zscaler.
There’s a reason why data flowing through a network is called “traffic.” Networks are the highways that connect computers to one another. And like the highways, they weren’t built to optimize the user’s benefit. Highways were built to facilitate the movement of missiles and other military materiel, not individual commutes. Likewise, networks were built to facilitate the bulk movement of data, not the individual habits of a user. Networks, like highways, are built for the benefit of the infrastructure itself.
And because traffic is confined to these digital highways, security followed the pattern of toll booths: Set up at strategic areas, and check everyone going through. And much like toll booths, security checkpoints became chokepoints.
“When you have a limited subset of security appliances and choke points — security stacks, as they’re usually called — what ends up happening is traffic builds up. This is what happens with all traffic,” said Hansang Bae, public sector chief technologist at Zscaler. “And so people started to hate security because they knew that it would slow them down. Then when the traffic built up too much, you buy more appliances, you buy faster appliances. And this is being played out today, where human tollbooth operators are being replaced by EZ Pass. So at least you can remove some of that choke point, the processing time. That’s equivalent to buying faster processing proxies, or faster firewalls.”
So what happens when suddenly all your employees are working from home, and the network surface area becomes much bigger? Suddenly all of your traffic is off the highways, and on secondary, tertiary or even dirt roads. The tollbooths aren’t chokepoints anymore; they’re barely relevant at all, due to the tectonic shift in traffic pattern. So how does the model shift?
Zero trust says to stop worrying about the network. The infrastructure is solid; it moves data from point A to point B incredibly fast. In fact, now that the tollbooths aren’t accomplishing their jobs anymore, tear them down and stop impeding that traffic. Instead, it’s time to shift focus to the driver.
“What I care about is: are you the authorized user? And we’re not going to depend on the road — the network — to make that determination. So zero trust starts by saying, let’s separate the transport from security. And that’s easy to say, but it’s a monumental shift in both technology and our way of thinking about security,” Bae said.
Even the computer itself is not important, Bae stressed.
“As long as I can keep tabs on the driver and the passenger, I don’t care if you’re driving a jeep, or Mercedes or Ferrari or Lamborghini or Tesla, or whatever. I don’t care; it’s just a buggy at this point. In other words, they’re just packets, they’re just shuttling things back and forth,” he said.
So then the question becomes: who authorizes all of these drivers to be on the road, ensures they are who they say they are, and connects them with their destinations? That central authority has to be cloud-based; it’s the only way to scale to meet the demands of the zero trust model. That’s why the first thing agencies need to consider as they modernize to the cloud and adopt zero trust is who their users are.
“Know your enemy. Who’s using what application?” Bae said. “And this will be an eye opening exercise, because before you can say ‘this user can use that app and create those policies’ you need to know who it is because otherwise, you’re going to have outage after outage. There’s precedent for this.”
For example, there used to be something called Network Access Control (NAC), which required users to authenticate with passwords before they could get on the network. But between its draconian nature, the prevalence of bugs, and the lack of standardization or compatibility, it became too burdensome for users and helpdesks, and so an impediment to work.
With zero trust, by contrast, the network itself can tell you, via IP addresses, how many users you have and what applications they’re using. That information can be collected passively from traffic already flowing, and it’s where agencies need to start to best secure their networks, because insider threat should be their primary concern. Keep in mind that this is the data-gathering portion: using IP addresses and port numbers is a fast and easy way to build the baseline of who talks to which application, before any allow-or-deny policy is written against it.
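As an added illustration that is not from the article or from Zscaler, here is the passive baseline the text describes, built from nothing but source IP, destination IP and port: who uses which application, which ports nobody has inventoried yet, and which flows fall outside the baseline and deserve review before it is turned into policy. The flow records, the port-to-application table and the internal address range are constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample flow records (src_ip, dst_ip, dst_port, proto) standing in
# for passively captured NetFlow/VPC-flow data; not real traffic.
SAMPLE_FLOWS = [
    ("10.1.1.10", "10.9.0.5", 443, "tcp"),
    ("10.1.1.11", "10.9.0.5", 443, "tcp"),
    ("10.1.1.10", "10.9.0.7", 1433, "tcp"),
    ("10.1.1.12", "10.9.0.8", 22, "tcp"),
    ("10.1.1.12", "10.9.0.8", 22, "tcp"),       # same user again: counted once
    ("203.0.113.9", "10.9.0.5", 443, "tcp"),    # external source: not an internal user
    ("10.1.1.10", "10.9.0.5", 53, "udp"),       # port not in the inventory: surfaces as unknown
]

# Hypothetical (proto, port) -> application inventory; an agency substitutes its own.
PORT_APPS = {("tcp", 443): "https-web", ("tcp", 22): "ssh", ("tcp", 1433): "mssql"}

def app_label(proto, port):
    """Name the application by port, or fall back to a raw proto/port label."""
    return PORT_APPS.get((proto, port), f"{proto}/{port}")

def build_baseline(flows, internal=ip_network("10.0.0.0/8")):
    """Map each (dst_host, app) to the set of internal source IPs observed using it."""
    baseline = defaultdict(set)
    for src, dst, port, proto in flows:
        if ip_address(src) not in internal:     # only internal users go in the baseline
            continue
        baseline[(dst, app_label(proto, port))].add(src)
    return baseline

def users_per_app(baseline):
    """Collapse the baseline to {app: distinct user count}: the 'who uses what' answer."""
    users = defaultdict(set)
    for (_dst, app), srcs in baseline.items():
        users[app] |= srcs
    return {app: len(srcs) for app, srcs in users.items()}

def unknown_apps(baseline):
    """Apps that fell back to a raw proto/port label: ports nobody has inventoried yet."""
    return sorted({app for (_dst, app) in baseline if app not in PORT_APPS.values()})

def unseen_flows(baseline, flows):
    """Flows whose (src, dst, app) triple is absent from the baseline: review these
    before the baseline becomes allow-policy, so the policy does not cause an outage."""
    return [(s, d, app_label(pr, p)) for s, d, p, pr in flows
            if s not in baseline.get((d, app_label(pr, p)), set())]
```

Run against a day of real flow data, `unknown_apps` is the list that makes the exercise eye-opening, and `unseen_flows` is what a new policy would have blocked.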
“The biggest threat is on the inside; it’s no longer on the internet,” Bae said. “Because the usual suspects of malware can be stopped. There are companies that do this, that can stop that malware. And with a proper zero trust solution, even the entry points from the internet can be hidden from the world. What the existing security stack can’t stop is an authorized user with evil intentions. This is what separates the zero trust concept from all previous incarnations of security practice.”