Everybody’s talking about Zero Trust these days. In particular, Microsoft recently announced that it is adopting a Zero Trust model, and the NSA has issued guidance to help other organizations implement it, too.
But exactly what is it? Should your organization be considering it? Are there are any downsides to keep in mind? What are the steps for getting started? Today, I’ll answer all of those questions.
What is Zero Trust?
Let’s start with what Zero Trust is not. It’s not a whiz-bang new technology or a set of technologies. It’s definitely not a magic-bullet product that you can purchase from Microsoft or some other vendor. It’s not a defined checklist of actions to take, or a specific procedure you can copy from a website and follow step by step.
Rather, Zero Trust is a security model for IT environments. What does that mean? Well, let’s step back and consider the makeup and purpose of an IT ecosystem in the first place. An IT environment has many different components: user workstations, servers, applications, databases, network devices and more. Did you notice the most important component I left out? Users. All that technology and data is no good to anyone if it’s completely walled off from the people who need it. So, one of the central challenges facing any IT team is ensuring that each person can see and use the data, applications and other resources that they require to do their job, without allowing anyone more access than they need and without making it too onerous to actually get work done.
That’s the purpose of a good security model — it lays out a set of system design principles, controls and processes for ensuring the so-called CIA Triad, which means the confidentiality, integrity and availability of your IT assets. With a security model in place, you can design an IT architecture that delivers on your security goals while maintaining user productivity.
Why do organizations need a new security model?
Zero Trust isn’t the first or only security model; it builds upon a long history of IT security models. So, why are security expert recommending that organizations adopt it?
Simply put, securing an IT environment has gotten harder and harder over the years. Once upon a time, “workstation” meant a corporate-owned PC with a specific set of applications installed, and connecting to the corporate network required getting through not just the front door of the business but then the door to an office with a suitable PC and a physical connection to the network. Therefore, security models were built around fortifying the perimeter to keep attackers out.
The advent of laptops and then full-on BYOD and the explosion of remote work has changed everything. Now, users routinely connect to corporate networks remotely using devices that IT has little control over — increasing the chances that attackers will be able to get into the network. Moreover, perimeter-based security ignores the reality of malicious insiders eager to access data, applications and other resources they shouldn’t, as well as poorly trained or fat-fingered admins, who can cause just as much damage.
Examples are all too easy to come by. For instance, in September 2020, Yevgeniy Nikulin was sentenced to 88 months in prison for hacking into LinkedIn and other companies. From his location in Moscow, Nikulin hacked into a computer belonging to a LinkedIn employee in the Bay Area and installed software that enabled him to control the machine remotely and use the employee’s credentials to access LinkedIn’s corporate VPN. Once inside the network, he was able to steal a database containing the credentials of nearly 170 million LinkedIn users — at least 6.5 million of which were published on an underground password forum. The breach was costly for LinkedIn: In addition to the bill for the services of some 100 engineers who worked for at least six weeks to remedy the problem, it suffered damage to its reputation for failing to even salt users’ passwords, and is facing ongoing legal expenses to get the password dump taken down.
What about Red Forest?
As incidents like the LinkedIn attack multiplied, organizations were forced to expand their security focus to include the threat of compromised credentials. After all, once an attacker steals a user’s credentials, through phishing or other techniques, they have access to the user’s workstation and often run software that captures the credentials of other accounts. Especially valuable credentials are those of service and administrator accounts, which enable the attacker to traverse the infrastructure horizontally and vertically and access sensitive data and applications.
To help thwart these types of attacks, Microsoft introduced a reference architecture and best practices called the Enhanced Security Admin Environment (ESAE) — better known by its nickname, Red Forest. An ESAE architecture reduces the risk of highly privileged accounts being compromised by separating accounts into three tiers, each with appropriate levels of security protocols. Tier 0 includes all accounts that have direct or indirect administrative control over the Active Directory forest, domains or domain controllers and the assets therein. Those accounts are protected by multifactor authentication, as well as best practices like training admins to use privileged accounts only for tasks that require them (and not for things like checking social media or even Microsoft TechNet).
Adopting ESAE does helps organizations reduce risk — but this architecture can be very complex and costly to implement. Moreover, it is not a security model; it is just an architecture for protecting on-prem Windows Server Active Directory administrative accounts.
With organizations around the world eagerly embracing the cloud and moving to hybrid IT infrastructures, Microsoft now recommends Red Forest for a limited set of scenarios, such as offline research labs, industrial control systems, and other situations where the need for strong security outweighs the increased complexity and operational cost of the ESAE solution. For everyone else, Microsoft recommends a modern privileged access strategy as part of a broader Zero Trust approach.
What are the benefits of the Zero Trust model?
It takes only a glance at the headlines on just about any day to realize it’s not wise to assume that anyone who has gotten past your gates is trustworthy and allow them wander through your IT ecosystem as they please. In a Zero Trust network, no user, service or other element gets a free pass. Instead, continuous verification is required: Real-time information from multiple sources is used to make access decisions and other system responses.
The model does not deny the importance of a strong perimeter. However, it assumes that breaches are inevitable and malicious forces might well be inside your network already. No user or service should be trusted implicitly, and you should be actively looking for anomalous or malicious activity. Implementing a Zero Trust model can be the difference between suffering a limited hack with insignificant damage — or a major incident in which you lose terabytes of critical and regulated data.
One way to see whether this model will add value for your organization is to conduct a thorough audit of your identities, permissions, networks, devices and applications. Make a list of all the vulnerabilities you find, including overprivileged users, zombie accounts, unpatched devices and instances of shadow IT. Adopting a Zero Trust mindset can help you develop a comprehensive plan for closing those security gaps and build a solid security strategy for the future.
How can I implement the Zero Trust model?
It’s essential to understand that Zero Trust, like any security model, isn’t something you implement and check off your list, like painting your kitchen. It’s more like maintaining and improving your home — an ongoing process that involves a wide range of processes and technologies.
That being said, there are proven frameworks that will help you on your journey. In particular, Microsoft’s rapid modernization plan (RAMP) is designed to help you quickly adopt its recommended privileged access strategy. The goal is to apply the principle of least-privilege to every access decision, allowing or denying access to resources based on the combination of multiple contextual factors, and not just a single earlier authentication. To provide maximum benefit, Zero Trust principles must permeate most aspects of the IT ecosystem.
Implementing a Zero Trust model is not an iron-clad guarantee that you’ll never suffer a serious security incident. Plus, the process involves not just effort and expense but risk, since it puts guardrails and speed bumps in place that could slow down business processes and otherwise cut into user productivity.
However, the increased security is, as they say, priceless. While continuing with your existing security measures is the easiest path, it’s not the wise option. You don’t have to plan and budget for an entire home renovation in order to fix that leaky faucet or put a better lock on the front door. Similarly, every step you take in your Zero Trust journey reduces your risk of downtime, data breaches and compliance failures, so get started with whatever pieces you can, as soon as you can.