Zero Trust is the latest super cool buzzword on the market, sadly. In reality, however, the Zero Trust concept has been around and under development since 2004. What Zero Trust is really about is requiring strict verification for every person, device, and ultimately every packet that tries to access any resource on a network, at all times, continuously. Zero Trust is not a single technology that you can “buy”; enabling it requires well-vectored technologies implemented in the correct manner to support this strategy. To be blunt, no single technology is associated solely with any Zero Trust architecture; it is a holistic approach to network security that incorporates several different principles and technologies.
The old IT security strategy is based on the castle-and-moat concept, much like the walls of the city of Troy. The goal of that old model was to keep the adversary out and take the position that they, the bad guys, “won’t get in” if the walls are high enough. It didn’t work out well for the Trojans (ever hear of the Trojan horse?) and it doesn’t work in today’s business operating model. In that old model everyone and “everything” inside the network is granted access and trusted almost by default. That means that once an attacker, a bad packet, or a piece of ransomware gains access to the network, it can see and “touch” everything inside. This is why ransomware keeps winning once it is successfully activated: it is operating on a relatively flat surface and is literally enabled by the lack of segmentation and controls that should be present on a well-structured, segmented enterprise.
That archaic approach to network control and isolation is also no longer viable, as no enterprise has its data in just one place, which also helps ransomware succeed because it has a broader avenue of attack than if the data were truly isolated. It essentially guarantees that any ransomware infection will eventually find some data to lock down and cause disruption for the victim. Today, thanks to the cloud and the remote workforce revolution that COVID-19 launched, information and data are often spread across cloud vendors, mobile devices, and a variety of other locations, which makes it very difficult to have a single security control for an entire network. The more movement and the more time ransomware has to “poke” around and find a data store in a connected segment, the more likely it is that the attack will succeed. It’s honestly just a matter of time once the electrons start moving.
Zero trust security means that nothing is trusted by default from inside or outside the network, and verification is required from anything trying to gain access to any resources on the network.
This means that any Zero Trust network must be correctly segmented down to a granular level, often known as microsegmentation. To reduce the threat that a laterally moving attack such as a ransomware infection presents, an organization must be able to carve its infrastructure into small zones, each able to maintain its own integrity and kept from having access to other parts of the network, and this must be done at scale. That is obviously difficult without solid technology to enable the approach.
As an example, a network with data living in a single data center that uses microsegmentation should contain dozens, or more, separate, secure segmented zones, and each of those zones should function independently and operationally as its own enclave within that infrastructure. Think of that infrastructure like a submarine. If the submarine has only 3 big doors internal to its hull, then if a weld fails or a torpedo succeeds in an attack, the entire ship floods and sinks. Conversely, if the submarine is constructed to be watertight with many isolation points and constant vigilance about closing each bulkhead as it is transited, then when something goes wrong, not if, the ship will suffer but it will stay afloat. That is obviously critical in submarine terms and is equally applicable in the digital space.
A Zero Trust architecture requires organizations to continuously monitor and validate each and every transaction and interaction within those segments. It also requires that the organization have a capability to “slam the doors shut” on those infrastructure components when a compromise or lateral movement action is noted. If this is done correctly ransomware remains a threat, just as a faulty weld or torpedo would, but it is not the single factor that brings down the entire vessel with all aboard.
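The containment argument above, as an added example that is not part of the original article: a small reachability simulation comparing the hosts a laterally moving process can touch on a flat castle-and-moat network versus a microsegmented one with default-deny zone policy, with every hop re-verified and a quarantine set standing in for “slamming the doors shut” after detection. Host names, zones, identities, and the policy table are constructed for illustration.

```python
from collections import deque

# Constructed inventory (hypothetical names): host -> zone it lives in.
HOSTS = {
    "laptop-1": "users", "laptop-2": "users",
    "web-1": "dmz", "app-1": "app",
    "db-1": "data", "backup-1": "backup",
}

# Flat (castle-and-moat) model: everything inside the wall is trusted, no policy at all.
FLAT_POLICY = None

# Microsegmented model: explicit allow list of (src_zone, dst_zone) -> identities
# permitted to cross that bulkhead. Any pair not listed is denied by default,
# including traffic between peers in the same zone.
SEGMENT_POLICY = {
    ("users", "dmz"): {"user-alice"},
    ("dmz", "app"): {"svc-web"},
    ("app", "data"): {"svc-app"},
    ("backup", "data"): {"svc-backup"},
}

def verify(policy, src, dst, identity, quarantined):
    """Re-verify a single connection attempt: health of both ends, then zone policy."""
    if src in quarantined or dst in quarantined:
        return False            # doors slammed shut once a compromise is noted
    if policy is None:
        return True             # flat network: implicit trust for anything inside
    zones = (HOSTS[src], HOSTS[dst])
    return identity in policy.get(zones, set())

def blast_radius(policy, start, identity, quarantined=frozenset()):
    """Hosts a laterally moving process (running as `identity`) can reach from `start`."""
    seen, queue = {start}, deque([start])
    while queue:
        src = queue.popleft()
        for dst in HOSTS:
            if dst not in seen and verify(policy, src, dst, identity, quarantined):
                seen.add(dst)
                queue.append(dst)
    seen.discard(start)
    return sorted(seen)

if __name__ == "__main__":
    # Ransomware detonates on laptop-1 using the stolen session of user-alice.
    print("flat:       ", blast_radius(FLAT_POLICY, "laptop-1", "user-alice"))
    print("segmented:  ", blast_radius(SEGMENT_POLICY, "laptop-1", "user-alice"))
    print("quarantined:", blast_radius(SEGMENT_POLICY, "laptop-1", "user-alice", {"laptop-1"}))
```

On the flat network the infected laptop reaches every host including the database and backups; on the segmented network the stolen user session only reaches the one zone that identity is permitted to cross into, and quarantining the source host at detection time stops further movement entirely.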