The Business Benefits of Zero Trust
There is a lot of talk about Zero Trust and how the approach adds to the security of the organisation. But what about the business? Can a Zero Trust methodology be good for business? Senior Information Security Consultant, Debra Buchanan, takes a closer look.
Let us pick up from my last article where I mentioned implementing Zero Trust (ZT) within your digital environment.
You are probably thinking I am going to write about it because it is the “buzz” word de jour. It is a “buzz” word today because IT and Security professionals have been talking about the business and technical benefits of adopting this methodology for almost 3 decades.
Yes, almost 30 years ago Zero Trust (ZT) was created to alter the logic used to design and configure digital environments to more efficiently protect the information stored, processed, and transmitted by them. ZT logic assumes that your digital environment has been compromised.
By following this assumption, controls are designed to keep the compromise from spreading throughout your environment and to keep the exportation of information from your digital environment.
The Business Benefits of Zero Trust
The change in logic, to Zero Trust, adjusts the focus to what is important to the organization:
- Successful completion of business processes,
- Effective use of the organization’s resources,
- Assurance for products and services,
- Customer satisfaction,
- Profits, and
- Compliance costs,
- Disruption costs,
- Contract damages, and
The push and pull for Zero Trust
Security incidents (a.k.a. data breaches) are occurring at an alarming rate, costing an average of 45.2MNOK per breach. Therefore, it is not surprising that there has been an increase in the implementation of ZT since 2018. And more organizations are starting the journey.
This global view may still not persuade management in the Nordic region, however, these changes in legislation and regulations may:
- General Data Protection Regulation
- Radio Equipment Directive
- Digital Operational Resilience Act
- Network and Information System (NIS) Directive
- Nasjonal sikkerhetsmyndighet (NSM) ICT Security
Your organization probably consumes cloud-based services from Amazon, Google, and/or Microsoft. As they already have implemented ZT, your organization’s implementation will mesh well with theirs to make a stronger environment.
Also, with regards to supply chain risks, do you really want to be the “weakest link” in the chain? For example, Latitude Financial Services’ recent data breach put millions of individuals at risk through the theft of drivers´ licenses, passports, financial statements, photos, and other personal data. Allegedly, it occurred through a service provider, who is denying that there was a breach of their systems. Additionally, the compromise pivoted to two other organizations in the supply chain to steal even more data. According to the article, they are the organizations that do credit checks.
According to Latitude Financial Services’ webpage, that is Experian, Equifax or Illion, and none of them have posted being compromised. Latitude Financial Services is part of Latitude Group Holdings whose stock price has continued to fall since the breach. However, the real benefit in getting rid of legacy systems is the reduction of technical debt and the big cost.
Understanding Zero Trust
To understand how ZT methodology works, we will use TechTarget’s description and Forrester’s illustration, to explain the key components of ZT implements the organization’s business rules for:
- (1) Authorizing access to information and digital resources based on job description, roles, and delegations for individuals,
- (2) Authorizing devices’ access to information and digital resources,
- (3) Controlling processes, applications, and resources,
- (4) Implementing microsegmentation within the environment,
- (5) Grouping information into protection profiles based on its value to the delivery of the organization’s outcomes or its classification, and placing them in different segments from #4 so the right controls can be applied,
- (6) Recording of, and reporting on, all digital activity, analyzing it against #1 and #2, and alerting on suspicious behavior to trigger incident management processes, and
- (7) Reducing costs, time, and error rates by moving manual processes to automated ones.
As stated above, ZT is tailored using business rules which are the decisions made by management about what is and is not authorized behavior. These decisions are documented in policies, procedures, and instructions to not only ensure that processes complete successfully, but to ensure that the organization complies with applicable legislation, regulations, as well as the organization’s policies.
The end goal is to reduce risks to people, processes, information, and technology.
The application of these decisions to the ZT methodology ensures it is customized to meet the risk profile and tolerances of the organization. Thus, ensuring the organization can accomplish business processes while efficiently protecting information required to accomplish those processes.
Such tailoring ensures that information and information systems receive protection based on their importance to the completion of processes. This includes separating critical processing from other, less risky, processing and triggering incident management activities when suspicious behavior is identified. It is an efficient application of the Defense in Depth methodology, to protect what is most important to the organization - employees, customers, partners, and suppliers.
Applying security measures to mitigate risk
Management today should be concerned about critical information systems and/or information (i.e., business strategies, research, development, financial, and/or sensitive personal data), as the risk of unauthorized access, modification, deletion, or disclosure will incur extreme impacts.
Therefore, it is recommended that e.g. remote connections are only allowed under the following conditions:
- At certain times of the day, and/or
- From certain locations, and/or
- From certain devices, and/or
- By a very small set of job descriptions with relevant roles.
All of the above should also use a combination of authentication methods (Multi-factor Authentication (MFA)):
- 16+ character password/passphrase,
- Authenticator applications,
- FIDO2 security key,
- OATH tokens (hardware or software),
- SMS codes,
- Digital certificate, or
- Voice verification,
- Fingerprint verification.
The selection of MFA solutions may be based on:
- Strength - The amount of effort a malicious actor will have to apply to break the authentication mechanism,
- Useability – The amount of training required to use the authentication mechanism,
- Buy-in – The amount of effort required to get people to use it,
- Manageability – Availability and competencies of resources (inhouse or outsourced) to manage it over time, and
- Life Cycle Cost – One-off and annual costs to manage it until it is retired.
With the addition of other controls, the risks to the information systems and information from remote locations are reduced to acceptable levels.
- High availability (dual sited, clustered, or follow-the-sun),
- Logging, monitoring, alerting, and
- Incident management
Implementing Zero Trust in legacy systems
If your environment has legacy systems (End of Life and End of Support hardware and/or software), then there will be challenges implementing ZT, as older technology does not have configuration choices that are required to implement ZT. However, that does not mean ZT is not achievable.
There are still the options of placing legacy systems in a microsegment, upgrading to a new version, or ceasing to use that system in lieu of a more modern solution. The decision should be based on what is available, time to implement, costs, etc. Each legacy system should be analyzed, and the decision prioritized to ensure your project managers know what to do and when.
Zero Trust as catalyst for certifications
Documenting compliance and secure processes is important, and “trust” adds value to the overall business of any organization. With Zero Trust, certifications and reports (i.e., ISO, SOC, CSA STAR, etc.) will be easier to achieve and maintain. This is true as many documents required for passing audit criterion will be created as part of the ZT implementation. Reusing these documents will reduce the cost of certification. Also, changing the logic of what and how controls are applied increases the assurance of the overall environment and the supply chain.
If you are thinking about implementing Zero Trust but are not sure where to start or if your organization has begun its journey to implement ZT but has lost its way or hit a roadblock, we can help.
Watchcom professionals understand ZT and can assess your organization’s current state and help plan and prioritize your next steps. We can also provide advice on each component of ZT to ensure it is correctly implemented. Lastly, we can assess your implementation of ZT and provide you a letter of assurance.
Contact us today to begin the conversation on how we can help.