ISJ Exclusive: Zero trust – Fruit of the poisonous tree

Security and legal professionals are well versed in “Fruit of the Poisonous Tree” doctrine. The doctrine is a legal metaphor used to describe evidence that has been tainted due to a human decision and the subsequent action rendering it unusable at trial. This is our analogy applied to the zero trust model. The logic is that if the source of the evidence is illegal, so is the evidence that came from the source. Following, if any part of the network access chain is compromised, all other points of the chain are compromised.  

Under the umbrella of Cybersecurity ERM aligning with zero trust, how do you get buy in from the business areas?  

• Speak to the business objective via a pragmatic visual approach that clearly denotes your understanding of their business objectives.
• Demonstrate how the business processes aligned with the asset always have a potential to create risk. Next align security with protecting brand and potential monetary impact.
• Work with the business subject matter experts walking through risk scenarios that incorporate threat intelligence to depict relevant real-world threats and vulnerabilities.
• Finally, include the subjective aspects of the organisation aligning the culture and skill sets to discern the degree of effort required to reap the expected benefits.

While the strategic objectives in the field of Cybersecurity Enterprise Risk Management (ERM) are more likely to be publicised, the tactical and operational objectives provide the measurement for success or failure. Once these objectives gain acceptance from the business areas, Cybersecurity and IT are better positioned to gain long term support for zero trust as the overall strategy.

People, process, technology (PPT) & business intelligence

The business goal remains the constant. Real time systems and critical data are protected without diminishing the consumer experience. A key success point is to engage experts who can bridge cyber, business and the technology.

Historically how has this been accomplished?

• Experts who understand the nuances of people, processes and technology
  • Sees the world through scenarios – understands the likelihood of an adverse event
  • Understand the business and technology context e.g., proper blend of forest and trees
  • Understand the impact when things go wrong
  • Assume that internal threats have equal potential negative impact as external threats
  • Experts part of decision-making process from design through execution
  • Checklists are a component of risk reduction, but not the driver
  • Engage continuous monitoring against Key Risk Indicators as well as Performance Risk Indicators

In 2019 Gartner projected zero trust network access (ZTNA) would provide precision access control due to the precept that the core of ZTNA is identity. 

Infrastructure high-level overview

Challenge: In a mature albeit zero trust model emulating a user centric position what is the best use of technology and resources to address users that are cloud based, mobile, global and dynamic? 

The call is to adopt optimal technologies to achieve zero trust to the state of intention. Zero trust Principles focus on preventative techniques including least- privileged access with continuous network and internal monitoring, or in the ZTNA model vocabulary, “trust verification and security inspection,” to protect all users, devices, apps and data everywhere all the time. Common elements of zero trust are the software-based security solutions, Secure Access Service Edge or (SASE) that monitors activity between users and applications governed by strict access control policies.

In a hybrid environment the addition of a software defined wide-area network or (SD-WAN) is implemented to manage, control and monitor connectivity between data centres, branches and edges. These technologies promise to align with the cloud community (SaaS, IaaS providers, IAM providers.) So how do we as a security community make that go faster without sacrificing visibility, maintaining control and blowing the budget? The foundation of the business case is the improved visibility and control by acquiring data on who, what, where, when and how people, data and devices are interacting.

When all is said and done this zero trust model promotes the stack beginning with the people (entities) at the top. As a concept it is practical, as applying technology that lends itself to a far greater challenge. The top of the stack should manage email protection, security awareness training and remediation. The bottom of the stack should address secure email gateway, targeted threat protection and data loss prevention.

The solution must:

• Align with the Cybersecurity Risk Management and Governance program. 
  Limit access across the network based on policy performance points.

This resolves to Identity Based Perimeter, limited access to specific resources controlled by IAM and RBAC supported by continuous monitoring and authentication.

• People are everywhere and always clicking – Web traffic and Office 365 protection through context and content aware defenses, coupled with integrated Cloud Access Security Broker (CASB) functionality.  
• Integrate threat intelligenceinto security solutions to improve defensive and reactive capabilities rather than passive solutions.
• Maintain clear communication channels.
• Acknowledging the reality of legacy applications as regards the cloud. “You cannot take the legacy boxes and stick them in a cloud and say it’s cloud security,” an expert chided. “That would be like taking DVD players and putting them in a Data Centre and calling it a Netflix service.”

Conclusion

While the innovative technology within a zero trust model reflects modernisation of the Information Technology world, the foundational mantra people, processes and technology has not changed. A contributing factor to any conversation around zero trust acknowledges the need for continuous identity management, risk identification and monitoring supported by the ideal mix of technology to protect against zero-day attack, malware or ransomware campaigns, phishing, smishing and the extensive range of attacks we face to curtail Fruit of the Poisonous Tree.

By Kathy Braun, MBA, CCE