Did Zero Trust Kill Defense in Depth or Has Defense in Depth Improved Zero Trust?

Dec 27, 2022 / Kron

Zero Trust (ZT) continues to make waves, as US federal agencies are now publishing guidance for effective implementations, such as the OMB's M-22-09 or the DoD's ZT strategy (no pun intended). While ZT is still wrapped in myths, which could be sorted out with some effort, this guidance lets the state be considered a source of trust in cybersecurity.

At this point, I would like to address a common confusion: has ZT replaced Defense in Depth (DiD) and the other established cybersecurity principles? If not, how do they relate to ZT? What about the others, such as the principle of least privilege or segregation of duties? Well, ZT has not replaced these principles at all. Let's try to understand how they continue to relate to ZT, so that security specialists can rely on them while applying these principles effectively and efficiently.


Zero Trust is Based on Settled Security Principles...

As in any house construction, everything starts with a safe and sound foundation, so that nothing collapses or falls onto your neighbor's property. For ZT, this foundation consists of common industry practices. Here I would like to highlight three basic principles that are usually ranked as important for ZT, yet are mostly misaligned.

  1. Least Privilege
  2. Segregation of Duties
  3. Defense in Depth – DiD

As you apply these principles, you will see that you and your organization are on the right path when it is time to assess your ZT maturity.

... Yet, You Should Use These Right in Order to Successfully Implement Zero Trust.

Do you realize how convenient life has become? We have manuals and guides for almost anything to show us how to do things right. Yet all too often you skip the guide and rely on a rule of thumb to assemble the bike for your vacation, or use the wrong tool to tighten a screw. Assembling a bike wrong may not cause big trouble, but faults in cybersecurity can cause far costlier and larger-scale trouble when it comes to implementing security principles. Focusing on the three principles above will help you grasp the following:

  1. The principle of least privilege can be impractical when used alone.

    We all know that agencies intend to improve their security posture by applying this principle and ensuring that the workforce has just enough access to perform its duties. While that is sound, it becomes troublesome when a task is too broad. When someone's role covers too many things, your security team has to spend extra time creating many permissions for a single role. With so many duties, it is highly probable that the person holding them will make a poor decision that adversely affects the security of your enterprise.
  2. Segregation of duties helps realize the principle of least privilege, yet it does not cover prevention of access.

    Fortunately, segregation of duties supports implementation of the principle of least privilege. According to this principle, no individual should hold broad access rights on their own. For instance, a sales representative of an agency cannot change the price of a product or a solution; instead, the price change is made by an approving authority such as a director. While these two principles primarily focus on permissions, they do not address prevention of access.
  3. Defense in Depth (DiD) settles the issue.

    With DiD, organizations focus on controls that prevent unauthorized access to systems: administrative, technical and physical controls. Unfortunately, DiD has fallen victim to misuse, leading to "expense in depth", where problems were addressed by spending more on technologies and security controls in the hope of preventing threats without trying to understand the underlying issue. Zero Trust has brought DiD concepts back onto the agenda, this time with a strategic focus that helps security specialists to:
    • Blend different controls by making use of technological advancements that unite individual security functions on a single platform, reducing the complexity of a distributed deployment.
    • Reduce the cost of management by centralizing security tool management and cutting down the number and types of controls with overlapping capabilities.
    • Prevent unauthorized access through strategic access controls that can be applied logically and physically as close as possible to high-value assets, reducing potential insider threats while discouraging would-be intruders' attempts at unauthorized access.
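The three principles above, worked together in a single access-control decision, as an added example that is not code from the post or from Kron. The roles, actions, network zones and the price-change workflow (a sales representative proposes, a director approves) are constructed assumptions used only to show how each layer denies something the previous layer would have let through:

```python
"""Added example (not from the original post): least privilege, segregation of
duties and defense in depth evaluated as three ordered layers of one decision.
All role names, actions, users and zone names below are constructed."""
from dataclasses import dataclass
from typing import Optional, Set, Tuple

# Least privilege: each role carries only the actions it needs (constructed roles).
ROLE_PERMISSIONS = {
    "sales_rep": {"quote:read", "quote:create", "price:propose"},
    "director": {"quote:read", "price:approve"},
}

# Segregation of duties: these action pairs must never sit with one person.
CONFLICTING_ACTIONS = {("price:propose", "price:approve")}

# Defense in depth: actions on high-value assets get extra controls applied at
# the asset itself, independent of what any role grants.
HIGH_VALUE_ACTIONS = {"price:approve"}


@dataclass
class User:
    name: str
    roles: Set[str]
    mfa_verified: bool = False
    network_zone: str = "internet"  # assumed zones: "internet" or "corp"


@dataclass
class PriceChange:
    product: str
    new_price: float
    proposed_by: Optional[str] = None
    approved_by: Optional[str] = None


def permitted_actions(user: User) -> Set[str]:
    """Union of the permissions of every role the user holds."""
    perms: Set[str] = set()
    for role in user.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def check_least_privilege(user: User, action: str) -> Optional[str]:
    """Layer 1: the role must grant the action. Returns a denial reason or None."""
    if action not in permitted_actions(user):
        return f"least_privilege: {user.name} lacks {action}"
    return None


def check_segregation_of_duties(user: User, action: str,
                                change: Optional[PriceChange]) -> Optional[str]:
    """Layer 2: no one may hold both halves of a conflicting pair, and the
    approver of a change must not be the person who proposed it."""
    perms = permitted_actions(user)
    for a, b in CONFLICTING_ACTIONS:
        if a in perms and b in perms:
            return f"segregation_of_duties: {user.name} holds both {a} and {b}"
    if action == "price:approve" and change is not None and change.proposed_by == user.name:
        return f"segregation_of_duties: {user.name} cannot approve their own proposal"
    return None


def check_defense_in_depth(user: User, action: str) -> Optional[str]:
    """Layer 3: controls placed closest to the high-value asset (MFA and
    network zone here) apply even when the role and SoD checks pass."""
    if action in HIGH_VALUE_ACTIONS:
        if not user.mfa_verified:
            return f"defense_in_depth: MFA required for {action}"
        if user.network_zone != "corp":
            return f"defense_in_depth: {action} only allowed from the corporate zone"
    return None


def authorize(user: User, action: str,
              change: Optional[PriceChange] = None) -> Tuple[bool, str]:
    """Evaluate the layers in order; the first layer that objects decides."""
    for reason in (check_least_privilege(user, action),
                   check_segregation_of_duties(user, action, change),
                   check_defense_in_depth(user, action)):
        if reason:
            return False, reason
    return True, "allowed"


def propose_and_approve(proposer: User, approver: User,
                        change: PriceChange) -> PriceChange:
    """Two-person workflow: records who proposed and who approved, or raises
    PermissionError carrying the name of the layer that denied."""
    ok, reason = authorize(proposer, "price:propose", change)
    if not ok:
        raise PermissionError(reason)
    change.proposed_by = proposer.name
    ok, reason = authorize(approver, "price:approve", change)
    if not ok:
        raise PermissionError(reason)
    change.approved_by = approver.name
    return change


if __name__ == "__main__":
    alice = User("alice", {"sales_rep"})
    bob = User("bob", {"director"}, mfa_verified=True, network_zone="corp")
    print(propose_and_approve(alice, bob, PriceChange("widget", 99.0)))
```

The order of the layers is the point of the example: a user holding both the sales and director roles passes least privilege for every action but is stopped by segregation of duties, and a director who passes both of the permission-oriented checks is still stopped by the defense-in-depth controls when approving without MFA or from outside the corporate zone.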


Time to Think in Depth

Zero Trust has come a long way as an information security model. Along the way, it has often been a matter of debate and doubt. But one thing is certain: if we focus on what ZT has been built on, we can see that it provides a common target for most (if not all) of these basic principles to become effective in practice.

Reference: Forrester
