The day offices went remote in the U.S. effectively became a monument to zero trust.
Though the concept has been around for at least two decades, the pandemic paved the way for mass zero trust adoption in the last eight months — especially in unforeseen places.
Prior to remote work, State Department employees believed "you'll never access that thing off-prem," said Gerald Caron, director of Enterprise Network Management within the State Department, during FedScoop's Security Transformation Summit Thursday. "We have a risk tolerance now."
"We're getting away from that culture of, what I like to call, the peanut butter spread approach where we protect everything equally," said Caron. This year emphasized what needs protection now and what can wait.
The Department of State gained a deeper understanding of its risk appetite throughout the pandemic. "We learn what our risk tolerance really is, by allowing for these things to happen," said Caron.
When Delaware state employees were sent home, "our network was obstructed, there was no internal network. So now you can deliver your system securely to your users without having to give them that entire network," said Solomon Adote, CSO of the State of Delaware, on the panel.
As remote work is extended, zero trust is a longer-term solution than security Band-Aids implemented in March. As implementation grows, organizations are realizing that implementing zero trust can be done systematically.
One of the first challenges of remote work was becoming untethered from on-premises infrastructure, something VPNs did not address. It's "getting away from that boomerang effect of relying on an on-premises network, just the boomerang back out to the cloud," said Caron.
With remote workers using VPNs to connect to an organization's main network, the need for split tunneling arises. Split tunneling is "the process of allowing a remote VPN user to access a public network, most commonly the internet, at the same time that the user is allowed to access resources on the VPN," according to NIST.
Typically, systems and computers within a headquarters are protected by firewalls or cloud access security broker (CASB) capabilities. With an inundation of remote workers, "it doesn't make a whole lot of sense for the remote workforce to overwhelm all the bandwidth and consume that entire security stack in a perimeter," said David Holmes, senior analyst at Forrester, while speaking at a virtual Forrester event in October. The perimeter security stack is likely in another location, and users would access it just to connect to internet-based SaaS applications.
Split tunneling could reduce latency and bandwidth consumption, but it lacks the safety zero trust strategies provide. Furthermore, NIST says split tunneling also "creates a potential security vulnerability." A malware-infected computer, through split tunneling, would still have a gateway to the enterprise.
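The split-tunnel condition NIST describes can be read straight off a client's routing table: if only the enterprise prefixes point at the VPN interface while the default route still leaves via the local network, the host has a path to the enterprise and to the public internet at the same time. The following is an added example, not code from the article or from any of the organizations it quotes; it parses constructed `ip route` output (the interface name tun0, the addresses and the prefixes are all assumptions) and reports whether the table is full-tunnel or split-tunnel.

```python
"""Classify a VPN client's routing table as full-tunnel or split-tunnel.

Both route tables below are constructed samples in `ip route` format, not
captured from a real host. Assumptions: the VPN interface is tun0, and the
enterprise networks are RFC 1918 ranges routed over it.
"""
import ipaddress

VPN_IFACE = "tun0"

# Split tunnel: only enterprise prefixes go over tun0; default route stays on wlan0.
SPLIT_TUNNEL_ROUTES = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.0.0.0/8 via 10.8.0.1 dev tun0
172.16.0.0/12 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.5
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.20
"""

# Full tunnel: the two /1 routes override the default route, so all traffic
# egresses over tun0 except the /32 exception for the VPN server itself.
FULL_TUNNEL_ROUTES = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.5
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.20
203.0.113.10 via 192.168.1.1 dev wlan0
"""


def parse_routes(text):
    """Return a list of (network, interface) tuples from `ip route` lines."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dest = fields[0]
        if dest == "default":
            net = ipaddress.ip_network("0.0.0.0/0")
        else:
            net = ipaddress.ip_network(dest, strict=False)
        iface = fields[fields.index("dev") + 1] if "dev" in fields else None
        routes.append((net, iface))
    return routes


def egress_interface(routes, dst):
    """Longest-prefix match: which interface carries traffic to dst?"""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def tunnel_mode(routes):
    """'full' if internet-bound traffic egresses over the VPN, otherwise 'split'."""
    # 198.51.100.1 (TEST-NET-2) stands in for an arbitrary public internet host.
    return "full" if egress_interface(routes, "198.51.100.1") == VPN_IFACE else "split"


def has_simultaneous_paths(routes):
    """The NIST concern: enterprise and public internet reachable at once on different interfaces."""
    enterprise = egress_interface(routes, "10.1.2.3")   # assumed internal host
    internet = egress_interface(routes, "198.51.100.1")
    return enterprise == VPN_IFACE and internet is not None and internet != VPN_IFACE


if __name__ == "__main__":
    for name, table in (("split", SPLIT_TUNNEL_ROUTES), ("full", FULL_TUNNEL_ROUTES)):
        routes = parse_routes(table)
        print(name, tunnel_mode(routes), "simultaneous paths:", has_simultaneous_paths(routes))
```

The same check can be run on a live Linux client by feeding it the real output of `ip route`; an endpoint that reports `split` with simultaneous paths is exactly the host the NIST caveat is about.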
Use it or lose it
The zero trust edge, often referred to as a secure access service edge (SASE), authenticates users, has inspection zones, replaces VPNs and firewalls entirely by filtering traffic, and connects users to their applications, according to Forrester.
"Before I go in and out of the internet. If I need to connect to a resource that's inside the perimeter, I connect to the edge, it recognizes me as David Holmes at Forrester. And then it points me directly at the resource that I need to get to," said Holmes.
The zero trust edge increases connectivity while reducing latency and users' proximity to threats. Network attacks "simply just fall away because nobody from the outside can access that particular location," said Holmes.
But there are challenges. "This is a new way of connecting to the internet. And I have not seen anything as transformative in my career in probably 10 years, since maybe cloud," said Holmes.
Mass remote work tested the concept of trust and the task of enacting zero trust without infringing on how users access the applications they need to do their work.
Prior to the pandemic, "we felt that everything had to talk to [Azure] Active Directory all the time," he said. Now those remote employees access AD in conjunction with identity management.
NIST describes zero trust as a method for verifying computing resources, or data, as opposed to user identities. This is important to remember because "I will guarantee you, your users will find a way around you. If they can't access their data to remote access, they will put it on a USB stick. They will find really ways that will complicate your life," said Adote. Zero trust plays into the user experience as much as it does into security.
But many of the components that factor into a zero trust architecture might already be within an organization.
"Know where you are, know what you've got, know what you're doing, so that you know that you're doing the right things, and you're not going to wind up double, and in some cases, triple or quadruple dipping on solutions," said Chase Cunningham, principal analyst at Forrester, during the panel.
Progress already made in zero trust could be upcycled into different zero trust projects. "I kind of segmented into little boxes data categorization, that's something that has to be done," said Caron.
Caron follows the inside-out concept, moving from the data back to the user, because "at the end of the day, that's what I'm trying to protect."
Adote first recommends getting visibility before implementing new controls or technologies. Visibility includes understanding how applications work. "You might think that legacy application cannot be segmented, but you realize that it actually can be segmented," he said.
AD isn't an identity management solution, according to Adote. Organizations need a solution underpinned by "conditional access" to create trust, he said. Authorization to an application doesn't automatically mean a user can use it. Before zero trust can build up to authenticating even a single task, ensure the basics, including multifactor authentication or firewalls, are sufficient.
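The distinction Adote draws, that being authorized for an application is not the same as being allowed to use it on a given request, is what a conditional access policy encodes. The following is an added example, not code from the article or from any product it mentions: a toy policy decision function in which group membership (the AD-style entitlement) is necessary but each request is also checked against MFA, device state and an assumed sign-in risk score. All application names, groups and policy values are constructed for illustration.

```python
"""Per-request conditional access decision, as a toy policy decision point.

Entitlement (the user is in the application's group) is necessary but not
sufficient: every request is also evaluated against authentication, device
and risk conditions. Names, groups and thresholds below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RequestContext:
    user: str
    groups: frozenset          # directory groups the user belongs to
    app: str
    mfa_satisfied: bool        # did this session complete MFA?
    device_managed: bool       # enrolled in the organization's device management
    device_compliant: bool     # passes the current compliance policy
    risk_level: str            # "low", "medium" or "high" from an assumed risk engine


@dataclass(frozen=True)
class AppPolicy:
    entitled_group: str
    require_mfa: bool = True
    require_compliant_device: bool = False
    max_risk: str = "medium"   # highest sign-in risk still permitted


RISK_ORDER = {"low": 0, "medium": 1, "high": 2}

# Constructed policies: the HR portal is stricter than the internal wiki.
POLICIES = {
    "hr-portal": AppPolicy("hr-users", require_mfa=True,
                           require_compliant_device=True, max_risk="low"),
    "wiki": AppPolicy("all-staff", require_mfa=True),
}


def decide(ctx, policies=POLICIES):
    """Return (decision, reason). Decisions: 'allow', 'step_up_mfa' or 'deny'.

    Checks are ordered so that hard failures (no entitlement, excessive risk,
    non-compliant device) deny outright; only a missing MFA step is recoverable
    by prompting the user, so it is evaluated last.
    """
    policy = policies.get(ctx.app)
    if policy is None:
        return ("deny", "no policy for application")          # default deny
    if policy.entitled_group not in ctx.groups:
        return ("deny", "user not entitled to application")
    if RISK_ORDER[ctx.risk_level] > RISK_ORDER[policy.max_risk]:
        return ("deny", f"sign-in risk '{ctx.risk_level}' exceeds policy")
    if policy.require_compliant_device and not (ctx.device_managed and ctx.device_compliant):
        return ("deny", "device not managed and compliant")
    if policy.require_mfa and not ctx.mfa_satisfied:
        return ("step_up_mfa", "MFA required for this application")
    return ("allow", "all conditions satisfied")


def hr_from_unmanaged_device():
    """Entitled user, MFA done, but on a personal laptop: entitlement alone is not enough."""
    return decide(RequestContext("alice", frozenset({"hr-users", "all-staff"}), "hr-portal",
                                 mfa_satisfied=True, device_managed=False,
                                 device_compliant=False, risk_level="low"))


def wiki_without_mfa():
    """Entitled user on a personal device without MFA: recoverable by a step-up prompt."""
    return decide(RequestContext("bob", frozenset({"all-staff"}), "wiki",
                                 mfa_satisfied=False, device_managed=False,
                                 device_compliant=False, risk_level="low"))


def wiki_with_mfa():
    return decide(RequestContext("bob", frozenset({"all-staff"}), "wiki",
                                 mfa_satisfied=True, device_managed=False,
                                 device_compliant=False, risk_level="medium"))


def hr_not_entitled():
    return decide(RequestContext("bob", frozenset({"all-staff"}), "hr-portal",
                                 mfa_satisfied=True, device_managed=True,
                                 device_compliant=True, risk_level="low"))


if __name__ == "__main__":
    for case in (hr_from_unmanaged_device, wiki_without_mfa, wiki_with_mfa, hr_not_entitled):
        print(case.__name__, "->", case())
```

The point of the ordering is that the decision is recomputed on every request from live signals, which is what separates conditional access from a static group check in AD that is evaluated once at logon.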
"There are certain things that are table stakes for even talking about doing this," said Jim Richberg, field CISO at Fortinet, on the panel. Organizations have to know if they already segment networks or if they assign privileged access.
If they are, the organizations "are doing a static type of zero trust operation already," said Richberg.