Zero Trust Networking (ZTN) is more of a concept of security, an approach, an ideology if you will, than a detailed specification. There are many ways of implementing ZTN, but the common thread is that every user, device and workload must prove that it is legitimate on every request. No “well, you’re here in a secure area so something must have approved you” thinking. As a Unix admin would say, no trusted hosts anymore.
Historically, though, ZTN has proven difficult in many enterprises because security didn’t get along well with networking. (Ok, yes, Security often doesn’t get along with anybody, but I digress.) Networking saw itself as the master of productivity whereas Security focused only on security. Networking owned the data center, and Security had a massive list of to-dos that required access to, and changes in, that data center.
Security believed that the networking teams didn’t implement good security. In the old days, the security team depended on the networking team to put an appliance in their rack and get it deployed.
Security would want to add a firewall, the networking team had to deploy it in the data center, and the two kept getting in each other’s way. Hence, rock against rock.
But the cloud has slowly changed all of that. Security found itself no longer so dependent on networking. As enterprises have sharply accelerated moving almost everything—including, for some, much of what had been on-prem—to the cloud, Security had direct access to more of what they needed. This opens the door for a ZTN approach.
The philosophical problem with properly implementing ZTN is that many enterprises have gotten themselves into very bad habits. The industry has agreed for a decade that passwords/PINs need to be replaced with much more secure means. But even when some enterprises try to do that, they pick the least secure way to do it, which pretty much misses the point.
Consider multi-factor authentication (MFA), of which two-factor authentication (2FA) is the common case. MFA meaningfully adds security when the second factor is an authenticator app (time-based one-time codes computed locally from a shared secret) or, better still, a phishing-resistant hardware-backed method such as FIDO2/WebAuthn. And yet so many still use SMS codes, which travel in the clear over the carrier network and are routinely defeated by SIM-swap fraud, SS7 interception, and real-time phishing relays. CISOs shouldn’t ever say that MFA is good, but need to say that robust MFA (which excludes SMS) is good.
Or think about access management. Enterprises have gotten much better at disabling the accounts and revoking the credentials of employees/contractors who have left the company. Not perfect, but they are getting much better. But when an employee gets promoted and no longer needs access to XYZ systems, enterprises often don’t remove that access, creating dangerous orphaned entitlements (privilege creep). IT has internalized the threat that a fired employee poses, but it tends not to see the danger of someone promoted—or even given a lateral shift—who quietly accumulates the union of every role they have ever held.
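An access review that catches the promoted-or-transferred case has to compare what each person currently holds against what their current role should grant, not just check whether they still work here. The following is an added example (not the article's code): a role-to-entitlement baseline, an HR roster and a list of current assignments are all constructed sample data, and `find_excess_access` is a hypothetical helper name.

```python
from typing import Dict, List, Set, Tuple

# Constructed sample data. In practice these come from the IdP / IGA system
# and the HR feed; the role names and entitlements here are illustrative.
ROLE_BASELINE: Dict[str, Set[str]] = {
    "helpdesk":      {"ticket_system", "vpn"},
    "helpdesk_lead": {"ticket_system", "vpn", "ticket_reports"},
    "sre":           {"vpn", "prod_ssh", "prod_db_admin"},
    "finance":       {"erp", "vpn"},
}

# user -> (current role, employment status) from the HR feed
ROSTER: Dict[str, Tuple[str, str]] = {
    "alice": ("helpdesk_lead", "active"),   # lateral move from SRE last year
    "bob":   ("finance", "active"),
    "carol": ("sre", "terminated"),
    "dave":  ("finance", "active"),        # promoted out of helpdesk_lead
}

# (user, entitlement) pairs as currently granted
ASSIGNMENTS: List[Tuple[str, str]] = [
    ("alice", "ticket_system"), ("alice", "vpn"), ("alice", "prod_ssh"),
    ("bob", "erp"), ("bob", "vpn"),
    ("carol", "prod_db_admin"),
    ("dave", "erp"), ("dave", "vpn"), ("dave", "ticket_reports"),
    ("svc_legacy", "prod_db_admin"),       # account with no HR record at all
]


def find_excess_access(roster: Dict[str, Tuple[str, str]],
                       baseline: Dict[str, Set[str]],
                       assignments: List[Tuple[str, str]]
                       ) -> List[Tuple[str, str, str]]:
    """Return (user, entitlement, reason) for every grant that the current
    roster does not justify. Three cases are distinguished so the findings
    can be routed differently: departed users, unknown/orphan accounts, and
    active users holding entitlements outside their current role."""
    findings = []
    for user, entitlement in assignments:
        if user not in roster:
            findings.append((user, entitlement, "no roster record (orphan account)"))
            continue
        role, status = roster[user]
        if status != "active":
            findings.append((user, entitlement, f"user status is {status}"))
            continue
        allowed = baseline.get(role, set())
        if entitlement not in allowed:
            findings.append((user, entitlement,
                             f"not in baseline for current role {role}"))
    return sorted(findings)


if __name__ == "__main__":
    for user, ent, why in find_excess_access(ROSTER, ROLE_BASELINE, ASSIGNMENTS):
        print(f"{user:10s} {ent:16s} {why}")
```

The leaver case (carol) is the one most programs already catch; the two findings that the text says get missed are alice's lingering `prod_ssh` from a previous role and dave's `ticket_reports` after promotion. Running this diff on every HR role change, not only on termination, is what closes the gap.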
ZTN requires a complete shift in Security and IT attitude. By the way, this goes beyond the convenience versus security argument. Some approaches, such as continuous authentication leveraging behavioral analytics and machine learning, can deliver excellent security and can do it entirely in the background. In short, as long as that user isn’t flagged for pattern deviation, that user will never notice the security.
Any user, device, or application that wants to connect or perform an activity needs to be validated and verified. This means a lot of user training and/or handholding. In the initial stage, testing can be done solely with Security or IT staff so that they are the ones who will be inundated with false positives.
Eventually, though, the verification must be unleashed into the wild and employees will initially see added friction or, at the very least, what those users will perceive as added friction. They must be trained to expect it and to know that it will soon decrease as the system starts to understand the population.
IT and Security need to have no fiefdoms. This has to be enterprise-wide.
Behavioral analytics backed by machine learning performs poorly at first and improves as it learns the population’s baseline. Behavior that’s normal for one group is anomalous for another. For example, an IT security staffer downloading penetration-testing software is expected, but the same download by someone in finance should be flagged.
A device that was approved to be on the network may not have received the latest patches and could now be a vulnerable device. Onboarding approval is therefore not permanent: device posture (patch level, endpoint protection status, management state) must be re-evaluated at each access request, which means a great deal of continuous vulnerability scanning and posture checking rather than a one-time enrollment.
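The preceding paragraphs describe three inputs to every access decision: is the identity verified with robust MFA, is the device still within posture policy, and is the requested action normal for this user's group. Here is an added example (not from the original article) of a per-request policy evaluator that combines them. The device inventory, group baselines, 30-day patch-age limit and the `allow`/`step_up`/`deny` verdicts are all constructed assumptions for illustration; a real deployment would pull them from the MDM, the analytics platform and the organization's own policy.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Set

# Constructed policy inputs. Replace with feeds from your IdP, MDM and analytics.
STRONG_MFA: Set[str] = {"fido2", "totp"}          # SMS deliberately excluded
MAX_PATCH_AGE = timedelta(days=30)                 # assumed posture threshold

DEVICE_INVENTORY: Dict[str, Dict] = {
    "lap-0042": {"managed": True,  "last_patched": datetime(2024, 5, 20)},
    "lap-0077": {"managed": True,  "last_patched": datetime(2024, 1, 3)},   # stale
    "byod-019": {"managed": False, "last_patched": datetime(2024, 5, 25)},
}

# Per-group baseline of "action:resource" pairs learned as normal.
GROUP_BASELINE: Dict[str, Set[str]] = {
    "it_security": {"login:sso", "download:pentest_tools", "read:tickets"},
    "finance":     {"login:sso", "read:erp", "write:erp"},
}


@dataclass
class Request:
    user: str
    group: str
    mfa_method: str     # "fido2", "totp", "sms", "none"
    device_id: str
    action: str         # e.g. "download"
    resource: str       # e.g. "pentest_tools"


@dataclass
class Decision:
    verdict: str        # "allow" | "step_up" | "deny"
    reasons: List[str] = field(default_factory=list)


def decide(req: Request, now: datetime,
           inventory: Dict[str, Dict] = DEVICE_INVENTORY,
           baseline: Dict[str, Set[str]] = GROUP_BASELINE) -> Decision:
    """Evaluate one request. Hard identity/device failures deny outright;
    a behavioral deviation alone triggers step-up (re-auth plus analyst
    review) so that a new-but-legitimate workflow is friction, not a block."""
    hard_failures: List[str] = []
    soft_flags: List[str] = []

    # 1. Identity: the factor must be robust, not merely present.
    if req.mfa_method not in STRONG_MFA:
        hard_failures.append(f"mfa method '{req.mfa_method}' is not robust")

    # 2. Device posture: re-checked on every request, not just at enrollment.
    dev = inventory.get(req.device_id)
    if dev is None or not dev["managed"]:
        hard_failures.append(f"device '{req.device_id}' unknown or unmanaged")
    elif now - dev["last_patched"] > MAX_PATCH_AGE:
        age = (now - dev["last_patched"]).days
        hard_failures.append(f"device '{req.device_id}' patched {age} days ago")

    # 3. Behavior: compare against the requester's group, not a global norm.
    key = f"{req.action}:{req.resource}"
    if key not in baseline.get(req.group, set()):
        soft_flags.append(f"'{key}' is outside baseline for group '{req.group}'")

    if hard_failures:
        return Decision("deny", hard_failures + soft_flags)
    if soft_flags:
        return Decision("step_up", soft_flags)
    return Decision("allow")


if __name__ == "__main__":
    now = datetime(2024, 6, 1)
    print(decide(Request("ann", "it_security", "fido2", "lap-0042",
                         "download", "pentest_tools"), now))
    print(decide(Request("bob", "finance", "totp", "lap-0042",
                         "download", "pentest_tools"), now))
```

Two design choices reflect the article's rollout advice: a weak factor or out-of-policy device is a hard deny regardless of behavior, because those are verifiable facts rather than statistical guesses, while a behavioral deviation only adds friction (`step_up`) so the inevitable early false positives cost the user a re-authentication, not a lost afternoon.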
Not dissimilar from launching any new enterprise application, ZTN is difficult in the beginning. Users–and that absolutely includes line-of-business (LOB) chiefs–must understand that the process not only gets a lot easier over time, but the benefits to the enterprise are massive.
Any network behavior anomaly detection (NBAD) approach has this perception problem. It’s also critical to internalize that all germane applications need to work together using open APIs (application programming interfaces). All of these applications need to be fully integrated, and workflows need to share data and enforce security at every stage. Letting various apps run independently is just asking for conflicts and a lack of internal communication. Rather than making the enterprise more secure, it just creates more holes for attackers to leverage.