What is (and isn't) zero trust? IBM Security Evangelist Westley McDuffie explores common myths and how to implement this security strategy.
By Neil Tardy
Westley McDuffie believes that zero trust, in both concept and practice, is often made out to be more complicated than it actually is. “You can make it hard or complex,” he says. “But it doesn't have to be.”
As an IBM security evangelist responsible for educating IBM clients in the federal government, including the U.S. Department of Defense and the intelligence community, McDuffie understands that zero trust is, to put it mildly, a trendy topic. He sees the millions of Google hits and understands how all this noise can muddy the waters.
“It's everywhere. There are hundreds of articles, and hundreds of companies that are begging to do zero trust with anybody they can get their hands on. They're saying, ‘Hey, if you need to start somewhere, start here,’” he says. “There are organizations out there that actually say that this is complex, and you can't do it without us. That is absolutely wrong, and anybody who pushes that is a charlatan. They don't do security.”
Implementing a zero trust strategy, and ultimately making your enterprise as secure as it can be, starts with an understanding of your IT environment and networks. It requires an understanding of what zero trust involves, and what it does not. This article focuses on those things that zero trust is not. So, let's examine, and break down, those misconceptions.
That's merely a quick history of zero trust, the term. Even at that point, the elements or individual components of zero trust had been in place for some time. Multifactor authentication (MFA), RSA tokens and biometrics, for instance, don't assure zero trust by themselves, but these and other commonly deployed security measures provide pieces of that puzzle.
McDuffie likes to cite using a banking app as an everyday example. If you open your app to access your account, but then don't touch your screen for a period of time—2, 3, maybe 5 minutes—you're automatically logged out due to inactivity. Again, that's not zero trust by itself, but it's part of it.
“Zero trust is part of everyday practices. If we're talking about the way security should have been done in the beginning, it's always been here," McDuffie says. "The difference with what we're seeing with zero trust now is we're talking about enforcing those policies.”
Put simply, zero trust is a strategy, not a tactic. The strategy is the action plan; tactics are the individual steps that help you carry out the plan. There is no single action that can assure zero trust.
McDuffie devotes ample time to speaking at conferences and explaining to individual clients how to implement a zero trust strategy. In his view, it starts with the network.
“You need to know your network, because if you don't, it doesn't matter what model you choose,” he says. “You may have Linux appliances, but if you're not doing any kind of logging because you don't know they're there, you can't protect your network. And yes, that does happen. So, you need to know what's on your network, what is allowed and what is not to be allowed. You need to know your network inside and out.”
From there, it's critical to enable MFA. This protects end users as well as the network itself. Strategies must also be put in place to encrypt/decrypt data, whether at rest or in transit. Establishing and maintaining sound coding practices is also important.
Finally, there's logging. Logs themselves present snapshots in time, but as McDuffie explains, the most critical logging information is found elsewhere.
“Nobody really overlooks logging, but most companies fail to watch the flows,” he says. “You should collect and inspect those snippets. The difference between taking an event and taking the flow is that, as an intruder, I can manipulate the logging of an event. Flows don’t lie. I cannot do that in a flow—at least nobody's been able to do it yet.”
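The two points above, know what is on your network and trust the flows over what an endpoint reports about itself, can be turned into a simple reconciliation check. This is an added example, not code from the article or from IBM: it reads constructed flow records, compares every internal address seen on the wire against a constructed asset inventory and a roster of hosts that actually shipped logs, and flags hosts nobody knew about, hosts that are talking but logging nothing, and services outside what the inventory says is allowed. The record fields, the inventory shape and the "10." internal prefix are all assumptions for the example.

```python
# Added example: reconcile network flow records against an asset inventory
# and a log-source roster. Flow records, inventory and log sources below are
# constructed for this example; field names are assumptions, not any product's.
import csv
from io import StringIO

FLOWS = """src,dst,dport,bytes
10.0.1.5,10.0.2.20,443,5120
10.0.1.5,10.0.2.20,22,830
10.0.3.77,10.0.2.20,445,20480
10.0.2.20,198.51.100.9,443,1200
"""

INTERNAL_PREFIX = "10."  # assumption: which addresses count as "our network"

# Inventory: what is on the network and which destination ports it may use.
INVENTORY = {
    "10.0.1.5": {"allowed_dports": {443}},
    "10.0.2.20": {"allowed_dports": {443}},
}
# Hosts that shipped at least one event to the log platform in this window.
LOG_SOURCES = {"10.0.1.5"}

def parse_flows(text):
    """Parse CSV flow records into dicts with integer dport and bytes."""
    rows = list(csv.DictReader(StringIO(text)))
    for r in rows:
        r["dport"] = int(r["dport"])
        r["bytes"] = int(r["bytes"])
    return rows

def reconcile(flows, inventory, log_sources):
    """Flows are observed on the wire, so an internal host that appears here
    but is missing from the inventory or the log roster is a blind spot no
    matter what the endpoint itself reports (or fails to report)."""
    unknown, silent, unexpected = set(), set(), []
    for f in flows:
        for ip in (f["src"], f["dst"]):
            if not ip.startswith(INTERNAL_PREFIX):
                continue  # external peers are not inventory candidates
            if ip not in inventory:
                unknown.add(ip)       # talking on our network, never inventoried
            elif ip not in log_sources:
                silent.add(ip)        # inventoried, but emitting no logs
        src = inventory.get(f["src"])
        if src and f["dport"] not in src["allowed_dports"]:
            unexpected.append((f["src"], f["dst"], f["dport"]))
    return {"unknown_hosts": sorted(unknown), "silent_hosts": sorted(silent),
            "unexpected_services": unexpected}
```

Running it on the constructed records reports 10.0.3.77 as an unknown host, 10.0.2.20 as inventoried but silent, and the SSH flow from 10.0.1.5 as outside its allowed services.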
McDuffie also likes to say that while there is no single, right way to achieve zero trust, there are many, many wrong ways to go about it. With this in mind, McDuffie offers additional advice. First, understand that while there are products that help in your efforts, there is no one thing you can buy, no solution that will do the job start to finish. Also recognize that zero trust is attainable for enterprises and organizations of any size and structure.
McDuffie’s other recommendations include: assume the worst, enforce least privilege, asset management, multifactor authentication and data encryption.
McDuffie chuckles at the irony, but his final piece of advice about zero trust amounts to: have a little faith.
"It sounds so counterintuitive, but call someone you can trust," he says. "Reach out to an engineer of one of your product vendors. If there's a company that treats you well, ask them about zero trust. If that company has a partner, ask them. Because zero trust isn't free. It doesn't have to be expensive, but it isn’t zero cost. So having somebody where you have a relationship is important if you have nowhere else to turn."