There was a time when enterprises defined security by the perimeter. It was believed then that adopting defence-in-depth behind that perimeter was sufficient to protect the enterprise. For a moment, all was good.
Then the internet came along, followed quickly by the bring-your-own-device (BYOD) phenomenon, mobility and, more recently, the work-from-anywhere culture.
Looking back, John Kindervag, Illumio's chief evangelist and credited with coining the term ‘zero trust’, said what existed then was a broken trust model – where internal networks were trusted while external networks were not. “If you were moving packets from a trusted network to an untrusted network, you didn't need to have a policy in place,” he recalled. “You didn't need outbound policy.”
He laments that to this day, trust remains broken. “Trust doesn't exist in digital systems, and we should have the same trust level for all interfaces, and that trust level should be zero.”
This is where the “zero trust” security model came from. “It's about how you apply security policy to packets and has nothing to do with human beings,” said Kindervag.
Today, a security stack comprises the tools, technologies and procedures that safeguard systems, networks and data against threats. It is a complex weave of multiple defence layers meant to guard against attacks, weaknesses and vulnerabilities, and it is this complexity that has made defending against threats, both internal and external, a full-time preoccupation for CISOs and security professionals.
Challenges to implementing zero trust
The simple definition of zero trust, that nothing is trusted by default, understates the enormity of the challenge facing any organisation looking to keep its security posture up to date against the latest threats. For Kindervag, however, the biggest challenge is not technology but getting people to be willing to change.
“If they’ve never been hacked, they think they never will be – but that’s not true. Many businesses who claim they’ve never been hacked don't know because they don't have enough visibility to make that statement.
“Often attackers go to great efforts to ensure that they don't do anything to disrupt traffic. Attackers have even gone in and reconfigured networks to make it function better, so their attack was easier. We can't just assume that because the network is working, it is secure - that is a false premise.”
Kindervag outlines five steps to building a zero trust environment. “If you follow this, you will always be successful. If you don't follow that model, your success is not guaranteed,” he said matter-of-factly.
- Define the Protect Surface, or what we need to protect. This inverts the problem of the too-wide ‘attack surface’ by shrinking the scope to what actually matters.
- Map the transaction flows across the system, to apply the correct architecture.
- Segment the system, and all of its components away from everything else.
- Apply a policy, so that only approved traffic can reach the Protect Surface; in the OT example Kindervag uses, only approved traffic has access to the PLC (programmable logic controller).
- Monitor and maintain, constantly making it better over time.
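As an added worked illustration of those five steps (example code written for this article, not Kindervag's or Illumio's), the following Python models a PLC segment as the Protect Surface, derives an allow-list from mapped transaction flows, denies everything else to that segment by default, and runs later traffic through the policy to surface what needs review. Every address, host role and flow record is constructed for the example.

```python
"""Worked model of the five steps: protect surface, mapped flows, segment,
policy, monitor. All addresses, hosts and flows below are constructed for
illustration; the PLC segment and host roles are assumptions, not data
from the article."""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network

# Step 1: define the protect surface. Assumed: a single PLC segment.
PROTECT_SURFACE = ip_network("10.20.0.0/28")


@dataclass(frozen=True)
class Flow:
    """One observed or proposed connection (source, destination, port, protocol)."""
    src: str
    dst: str
    dport: int
    proto: str


# Step 2: map transaction flows. Constructed records from a discovery period
# showing who actually talks to the PLC segment and on which ports.
MAPPED_FLOWS = [
    Flow("10.10.5.4", "10.20.0.5", 502, "tcp"),    # HMI polling the PLC (Modbus/TCP)
    Flow("10.10.5.9", "10.20.0.5", 44818, "tcp"),  # engineering workstation (EtherNet/IP)
    Flow("10.10.5.9", "10.20.0.6", 44818, "tcp"),
    Flow("10.30.1.7", "10.20.0.5", 502, "tcp"),    # corporate laptop: observed, never approved
]

# Sources whose access to the protect surface an owner has signed off on.
APPROVED_SOURCES = {ip_address("10.10.5.4"), ip_address("10.10.5.9")}


@dataclass(frozen=True)
class Rule:
    src: IPv4Address
    dst: IPv4Address
    dport: int
    proto: str


def build_policy(flows, approved_sources):
    """Steps 3 and 4: segment the protect surface and derive its allow-list.

    A mapped flow becomes a rule only if its destination is inside the
    protect surface and its source is on the approved list. Nothing else
    is written down, so everything else is denied by default."""
    rules = set()
    for f in flows:
        src, dst = ip_address(f.src), ip_address(f.dst)
        if dst in PROTECT_SURFACE and src in approved_sources:
            rules.add(Rule(src, dst, f.dport, f.proto))
    return rules


def evaluate(policy, flow):
    """Decide one flow: 'allow' if a rule matches it exactly, 'deny' for any
    other traffic into the protect surface, 'out-of-scope' for traffic that
    never touches it (that belongs to some other protect surface's policy)."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    if dst not in PROTECT_SURFACE:
        return "out-of-scope"
    return "allow" if Rule(src, dst, flow.dport, flow.proto) in policy else "deny"


def monitor(policy, traffic):
    """Step 5: run traffic through the policy and return the denied flows,
    which are the candidates for review (either a new legitimate dependency
    to add, or something that should not be talking to the PLCs at all)."""
    return [f for f in traffic if evaluate(policy, f) == "deny"]


# Constructed sample of later traffic against the protect surface.
LIVE_TRAFFIC = [
    Flow("10.10.5.4", "10.20.0.5", 502, "tcp"),   # approved HMI flow
    Flow("10.30.1.7", "10.20.0.5", 502, "tcp"),   # laptop trying Modbus: denied
    Flow("10.10.5.4", "10.20.0.5", 22, "tcp"),    # approved host, unapproved port: denied
    Flow("10.10.5.4", "10.10.5.9", 22, "tcp"),    # HMI to workstation: not this protect surface
]


def run_example():
    """Build the policy from the mapped flows and return the denied live flows."""
    policy = build_policy(MAPPED_FLOWS, APPROVED_SOURCES)
    return monitor(policy, LIVE_TRAFFIC)


if __name__ == "__main__":
    for f in run_example():
        print(f"DENY {f.proto} {f.src} -> {f.dst}:{f.dport}")
```

The point of the model is the shape of the policy rather than the enforcement mechanism: the allow-list is small because it is derived from what the Protect Surface actually needs, an approved host on an unmapped port is still denied, and traffic that never touches the segment is not this policy's concern, which is what keeps the segment from being chopped up further than the protected asset requires. In a real deployment the same rules would be pushed to a firewall or host-based enforcement point and the denied-flow list would feed the monitoring step.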
The budget conundrum
FutureCIO and FutureCISO discussions with both IT and security leaders tend to skirt around the issue of budgets, largely because it is a recurring pain point for those charged with securing an organisation’s infrastructure. One can argue that the approved security budget is never enough, and that when asked how much budget is needed to secure an organisation, one response is “How long is a piece of string?”
In a 2023 Gartner survey of 303 security leaders, 78% of the organisations implementing zero trust reported that the investment accounts for under 25% of their overall cybersecurity budget.
Kindervag argues that any discussion around zero trust spending must weigh the investment against the effects of a data breach or downtime that could happen because of a cyberattack. “Companies can spend a lot of money on things that don't matter, and not enough on the things that do matter,” he opined.
Gartner VP analyst for infrastructure protection, John Watts, cautions that “for most organisations, a zero-trust strategy typically addresses half or less of an organisation’s environment and mitigates one-quarter or less of overall enterprise risk.”
Zero trust segmentation
Organisations are motivated to adopt zero trust primarily to improve overall security, enhance user experience, and foster cooperation among security teams.
Zero trust segmentation emerges as a viable option for enhancing cybersecurity postures, as it addresses the challenges posed by dissolving network perimeters and the increasing complexity of IT environments.
“In the case of zero trust, the size of the segment and the amount of segmentation must be based upon the thing you're protecting,” began Kindervag.
By implementing granular access controls and isolating network segments, organisations can better protect critical assets, improve threat detection and mitigation, and contain potential breaches more effectively.
“That's why we always start with the Protect Surface. If you do that, you're not going to over-segment. I have seen companies who just chopped the network up into little pieces, and they didn't know why they were doing it.”
“If you just buy a technology that's designed to segment but you don't know why you're doing it, the outcome is unknown. You must have a mindset where you always start with, ‘What do I need to protect?’, and then deconstruct the process,” he elaborated.
Integrating ZT into the bigger picture
Kindervag says zero trust segmentation (ZTS) is key to many cybersecurity frameworks, including the NIST CSF. “At each stage ZTS has a vital part to play. For example, in the Identify stage, being able to map how each system connects and communicates with every other system helps determine risk.
“In the protection stage, high-value assets can be ring-fenced and secured. This is true for each stage and all the frameworks around the world that are based on the CSF,” he explained.
Where we are today
In a Forrester 2024 Priorities Survey of 2694 business and technology professionals across Asia-Pacific, 71% say that implementing zero trust in the next 12 months is a high or critical priority.
Jinan Budge, VP and principal analyst at Forrester, says zero trust is no longer just a concept; it is a reality for many APAC firms. “ZT is the de facto security model for a growing number of organisations both in APAC and globally,” she declared.
She cites the launch of Singapore’s Government Zero Trust Architecture in 2021 and the 2023–2030 Australian Cyber Security Strategy (released in November 2023) in which the Australian government announced it will develop a whole-of-government Zero Trust culture.
In the accompanying PodChat, Kindervag elaborates on zero trust and zero trust segmentation, answering the following questions:
- You are credited with creating the concept of “zero trust”. What was the inspiration for this?
- 14 years on, where do you think organisations, regulators and security vendors are as it relates to zero trust?
- Let’s go into zero-trust segmentation. What is zero trust segmentation?
- How does zero trust segmentation differ from traditional network segmentation?
- What are the key challenges CISOs and CIOs face when implementing zero-trust segmentation?
- How can zero trust segmentation enhance the security of OT/IT environments?
- What are the potential downsides of over-segmenting a network?
- How can zero trust segmentation be integrated with existing cybersecurity frameworks?
- Are all network segmentation technologies equal, and what questions should CISOs, CIOs and network security teams ask to ensure that whatever solution they choose is right for their environment?
- What is your advice for CISOs/CIOs about zero trust and network segmentation?