Zero Trust (ZT) continues to make waves, as US federal agencies are now publishing guidance, such as the OMB’s M-22-09 or DoD’s ZT strategy for effective implementations. While still jammed in myths, which could only be sorted out with some effort, it enables the goverment to be considered a source of trust in cybersecurity.
At this point, I would like to address a confusion, which is whether ZT has replaced Defense in Depth (DiD) and other acknowledged cybersecurity principles or not. If ZT has not replaced these principles, how do they relate to ZT? What about the others, such as the principle of least privilege or segregation of duties? Well, ZT has not replaced these principles at all. Now let's try to understand how they continue their relation with ZT as security specialists ensure their reliability while using these principles in an effective and efficient manner.
Zero Trust is Based on Settled Security Principles...
Like in any house construction, everything starts with a safe and sound foundation to prevent certain things to collapse or fall on your neighbor's property. This foundation involves common industry practices for ZT. We can highlight three basic principles that are ranked high important for ZT, yet are mostly misaligned.
Segregation of Duties
Defense in Depth – DiD
As you apply these principles, you will see that you and your organization are on the right path when it is time to assess your ZT maturity.
... Yet, You Should Use These Accurately in Order to Successfully Implement Zero Trust.
Do you realize how convenient life has become? We have manuals and guides for almost anything to show us how to do things. These will guide you in understanding how to do something accurately. Unfortunately, you tend to skip the guide and just proceed to assemble the bike for your vacation or use the wrong tool to tighten a screw. It may not be a big issue to assemble the bike incorrectly, yet faults in cybersecurity may cause highlyh costly and largeg-scaled issues when it comes to the implementation of security principles. Focusing on these three highlights will help you to comprehend the following:
The principle of least privilege may be rather impractical when used alone.
We all know that agencies intend to improve their security position by using this principle and ensure that work force has the kind of access that will be just enough to perform their duties. While these may all be great, it may be troublesome if the task is too big. When someone's role covers too many things, your security team will need to extra time to create a large number of permissions for a single role. With so many duties, it is highly probable that the relevant person might make an inadeguate decision that will have an adverse effect on the security of your enterprise.
Segregation of duties helps implement the principle of least privilege, yet it does not consider prevention of access.
Fortunately, segregation of duties supports the implementation of the principle of least privilege. According to this principle, an individual should not have broad access. For instance, this means that the sales representative of an agency cannot change the price of a product or a solution; instead, the price change is done by an approving authority such as the director. While these two primarily focus on permissions, they do not handle prevention of access. This is where Defense in Depth plays an importnat part.
Defense in Depth (DiD) settles the issue.
With DiD, organizations focus on controls preventing unauthorized access to systems. These are administrative, technical and physical controls. It's unfortunate that DiD has fallen victim to misuse, leading to "expense in depth", causing issues to be resolved by spending more on technologies and security control hoping prevent security threats in their aftermath without trying to prevent them. Zero trust has brought DiD concepts back on the agenda, this time with a strategic focus to help security specialists to better perform in the following areas:
Blending different audits by making use of the technological advancements that unite individual security functions on a single platform to reduce complexity of distribution.
Reducing cost of management by centralizing security tool management through reduction of the number and types of audits with overlapping abilities.
Preventing unauthorized access by taking advantage of strategic access control that could logically and physically be applied closest to high value assets, reducing potential internal threats while discouraging the potential threateners' intention for unauthorized access.
Time to Think in Depth
Zero Trust has come a long way as an information security model. While often becoming a matter of debate and doubt. But there is one thing that is certain: If we focus on what ZT has been built on, we can see that it provides a common target for most (if not all) of these basic principles to be effective when implemented.