Gary McAlum says a fundamental problem in understanding the true concepts of Zero Trust is that there is a plethora of different explanations of this cybersecurity strategy.
Speaking last week at a webinar organized by IGI CyberLabs, the creator of Nodeware, a SaaS platform that scans networks to identify critical vulnerabilities, he said that, for example, many security companies talk about Zero Trust, but only from the perspective of a product or an offering they have.
“It’s not incorrect,” said McAlum, a board member of The National Cybersecurity Center, an organization that serves both public and private organizations and individuals through training, education and research. “It’s just not complete.”
“Depending on the type of company that you are – big, small, large – whether you are in a regulated industry vertical or not – you’re going to have a different view of it.”
The title of the thought leadership webinar was “Zero Trust: The Cybersecurity Mindset All Organizations Need to Adopt,” which is also the title of a white paper released by the NCC in March.
The white paper defines Zero Trust as a security model based on the assumption that a breach is inevitable or has even already occurred in any given network. Zero Trust verifies and validates every single user attempting access to resources on a network, limits access only to specific resources to which each user has valid access, and looks for anomalous or malicious activity in real time.
“At the highest level, a Zero Trust network performs three key functions: Logs and inspects all corporate network traffic, limits and controls access to the network, and verifies and secures network resources,” the paper says.
It notes that while a “Zero Trust model is largely preventative in nature, it also incorporates real-time monitoring capabilities to shorten the gap between when an intruder compromises the first resource and when they can move laterally to other resources on the network.
“Clearly, the extent of deploying Zero Trust is dependent on the digital assets being protected, the degree of critical dependence on their availability and quality of their functioning and content. Hence each digital asset should be evaluated from the perspective of the probability of being penetrated and the impact on the dependent people and organizations.”
McAlum, the former chief security officer of the United Services Automobile Association (USAA), a financial services firm that serves past and current members of the U.S. military, noted that when it comes to Zero Trust, nobody disagrees with it: “The majority of the time that I hear conversations, discussions or marketing pitches, they are really talking about the philosophy behind it, which nobody can argue with.”
That philosophy, he said, revolves around the following: be skeptical about who is on the network, do not trust, always verify and continuously monitor. That is fine, he said, but there is far more involved.
“There are many technologies involved in implementing a Zero Trust environment and that is going to impact business processes as well as operational processes,” he observed. “Zero Trust is a lot more than a philosophy. It’s a security model based on architecture, technologies, policies, operational and business processes and governance.”
Describing the implementation phase as a “huge lift,” he said it is important not to view it as a destination, but as a journey.
Meanwhile, Stuart Cohen, president of IGI CyberLabs and Nodeware, wrote in an invitation to the webinar that as technology “plays an increasingly large role in our lives, almost everyone is an Internet user in some form, and enterprise networks are becoming more complex. Traditional methods of securing networks and assets, such as one password protection, present a weakness in that, once authenticated, users typically have access to everything.
“Imagine a scenario where a malicious actor gains access to your network: What is preventing them from moving laterally and accessing whatever is in your network? Enter Zero Trust, a strategic approach to cybersecurity that is increasingly taking the spotlight.”
Authors of the NCC white paper contend that the “good aspect of Zero Trust is that a malicious hack of a network doesn’t give a bad actor access to anything. If the bad actor does penetrate a resource in that network, it doesn’t automatically give access to the other resources on the network, which reduces what the bad actor gets and slows down a broad-scale attack.”