Larry Slusser, the Senior Director of Cybersecurity Operations at SecurityScorecard, says the nice thing about Zero Trust is there is no grey area

How has the Zero Trust Network Architecture evolved since it was first coined in 2010?
Since analyst John Kindervag first implemented the term Zero Trust the evolution hasn’t come in the model itself as much as the technology that goes into implementing it. The model is clear and has been since the beginning. Having a broker or system in place to determine the least level of access needed to an application, service, or device. Then implementing that at every tier of access along the way of said applications, services, and devices in the infrastructure that a user or application would need to interact with.

The evolution of Zero Trust really comes in the form of the level of granularity that the model has achieved. Zero Trust has made it from perimeter-less networking for Google all the way down to kernel-level separation to isolate certain applications that only have pre-approved information flow to other kernel partitions in embedded systems. Zero Trust has made its way into every aspect of the computing world and will continue to follow as technology advances.

Do you believe that technologies that support zero trust are moving into the mainstream?
Zero Trust is already mainstream. We see it in every level of access modeling. Most major companies are offering Zero Trust applications as a part of their services such as Microsoft’s Zero Trust Business Plan, Google’s BeyondCorp, AWS ZCenter and within the integration to Fortinet firewalls. There are standalone Access Management brokers that provide Zero Trust model applications like Okta, Ping Identity, Symantec, and RSA. We also see file and service level management applications on both Active Directory and Linux LDAP environments embracing and following the Zero Trust model.

Do you believe that enterprise IT departments today require a new way of thinking because the castle itself no longer exists in isolation as it once did?
For sure, data supporting the thinking that the original castle and moat system is highly vulnerable to privilege escalation and lateral movement attacks is prolific. IT departments should have full visibility to the privilege level of certain services within the kernel and all the way up to how users access their everyday apps, including on which devices and in what regions users are operating.

How can companies get started with zero trust?
Obviously, new businesses have a significant advantage in this regard. It’s much easier to build an environment from scratch which incorporates the Zero Trust model. Especially now that most companies have a Zero Trust service offered on their platforms. Established businesses migrating to a Zero Trust model have a more challenging process ahead of them due to the migration of legacy services and applications. But for each, the logical process is the same.

First, the business will have to inventory every service, application, and device in their environment which is required for ongoing operations. This might require them to use external tools to determine their cyber rating, threat intelligence, and third-party supplier risks. Then they have to determine which Zero Trust platforms are available and fit their business model. Then the implementation and/or migration phase begins.

The nice thing about Zero Trust is there is no grey area. You are either on a Zero Trust model or not. The migration pain from an established business can be somewhat mitigated if these phases can be done in parallel. For example, re-creating the company’s network and required services in a cloud platform. In this way, they are essentially starting from scratch. Then they can migrate operations from the legacy environment to the cloud platform once sufficient compatibility and operational testing have been completed.

Industry experts have warned that cyber-attacks will be focused on techniques that zero trust controls can’t mitigate. What according to you can be done to address this?
With any new implementation of a security best practice, there will always be those that are going to devise methods to exploit weaknesses. The key to countering this is by actively monitoring each level. Early detection is essential in the prevention of critical data loss and service interruption.

That is where solutions such as cybersecurity monitoring and rating tools need to come in. Applications like SecurityScorecard analyze data from Identity and Access Management (IAM), End Point Detection and Response (EDR) applications, network devices, services, and file permissions on servers and devices in the network. There are services out there for each tier depending on your environment.

This along with implementing other security best practices such as strict password policies, MFA, geo-blocking, etc will go a long way to making things difficult for Threat Actors. Ultimately, the biggest security risk is human nature and with it the threat of social engineering by threat actors. Only continuous and consistent training can aid in mitigating this risk but, unfortunately, it will always be there.

What according to you are the limitations of zero trust?
The largest limitation, from a business perspective, is the impact zero trust can have on workflow. Users can get frustrated and become complacent because of this. It requires a complete mindset change at every level within the organization and total support from the highest management levels.

If your business offers any sort of application to provide services to your clients or customers, it can easily inadvertently introduce more complexity and consequently slower application speeds. With the ever-growing threat landscape, it is a delicate balancing act to justify these limitations or inconveniences against the security of businesses, employees, and customers.