Controls without enforcement: Is Zero Trust possible?
Written by: Black Kite
On January 26, 2022, the White House issued a memorandum titled M-22-09, an effort to move the United States Government towards a full Zero Trust architecture strategy. Three pages of the document focus on multi-factor authentication, which is just a refresh of methods used in the past that, surprisingly, many companies have yet to implement. Of course, at face value, Zero Trust is a great concept to enact.
According to the Department of Defense Zero Trust Architecture, “The foundational tenet of the Zero Trust Model is that no actor, system, network, or service operating outside or within the security perimeter is trusted. Instead, we must verify anything and everything attempting to establish access. It is a dramatic paradigm shift in philosophy of how we secure our infrastructure, networks, and data, from verify once at the perimeter to continual verification of each user, device, application, and transaction.”
However, without proper enforcement, standards held this high are very rarely met perfectly. In fact, until something drastic happens, companies can often look at themselves, or their vendors, and say “seems good enough.” Hear from Tom Garrubba and Bob Maley as they dive into their thoughts on a Zero Trust approach, and whether it’s worth it.
Doing enough just to get by
“Seems good enough” is the phrase that might get us all into trouble. Let’s think about the Colonial Pipeline incident. There was an audit two years prior to the incident that indicated that the controls set in place were not up to the standards needed to be secure. In fact, it was even brought all the way to the board. The board, when presented with the findings, took no action to change or mend the outdated controls.
This brings us to the idea of critical infrastructure. If those in charge of a critical infrastructure company or organization fail to take action or educate themselves, catastrophic community risk becomes a side effect.
Any member of critical infrastructure should be informed enough to understand the implications of moving forward without the proper cyber security standards in place — and take immediate action.
What is considered critical infrastructure?
The board of the Colonial Pipeline is, for one. Even CVS, a local pharmacy brand, is considered critical infrastructure. That is striking, because critical infrastructure is everything that brings the country together: pipelines, gas, energy, telecom, and you also have to consider a company that does prescriptions. 25% of the US population in some way, shape, or form relies on someone like CVS to provide a healthcare service and, without it, would be in a very tough place.
So if you look at Colonial Pipeline, the board had the opportunity to get on the front edge of this, and failed to do so by inaction. In fact, at the time they did not even have a CISO in place designated to focus on these issues.
Part of building and implementing a Zero Trust network is TRUSTING people to do what they need to do, and to take the proper action. What controls are going to be followed? For proper action to happen, standards must be implemented across the board. Therefore, the first problem that should be tackled instead is the lack of standards. What standards are going to be followed? How are they going to be enforced?
If you take a look at the standards Black Kite uses right now, there is NIST 800-53 — a polarizing standard that Black Kite follows but other organizations won’t touch. Standards should not be pick-and-choose — that negates the definition of a standard itself. If everyone plays by their own rules, Zero Trust is unattainable; maybe even impossible.
Therefore, what standard should we follow? If we don’t have collective standards, we must find something. Every organization must do this.
Black Kite maps to 14 well-known industry standards, including NIST 800-53, NIST CSF and ISO 27001, each with its own controls. Each one addresses gaps that the others have.
Strategic vs. Tactical Problem
The frameworks themselves include tactical things that you should do. But without strategic action on the framework, points of failure become more obvious. The people, the strategy of implementation, the actionable steps all make a big difference in the success of the standards in place.
More often than not, if a company has to make cuts in departments or budget, the cuts fall on IT. This is a strategy failure: it leaves the company with a security shortage, saving money in the moment but losing much more in the event of an attack.
Controls don’t individually tell the full story
Often, adding controls and updating them in an organization can cost a lot of money — and how do we even know if it is improving the risk posture? I heard an analogy from Jack Jones of FAIR Institute that stuck with me. Individual controls can’t tell the full story — and here’s why.
Imagine you have a daughter with a new bicycle, and you want her to be safe riding it. You buy her a helmet that is guaranteed to be 100% effective. This is the first control. The second control is: she has to put the helmet on. But here is the catch – the helmet is ugly. So she never wears it.
However, if you combine two controls, a helmet that she really loves and the fact that she always wears it, then even if that helmet isn’t 100% effective, the combination becomes stronger than a single perfect control could ever be on its own. And then consider the bike itself: there are many more controls working together to consider (tires, balance, chain, brakes). Keeping these controls up to speed means constant maintenance and monitoring of their condition (very similar to risk).
Security controls must work together
Therefore, many strong, even imperfect, connecting controls working together successfully reduce risk. This is why the memorandum and Zero Trust security are a bit frightening. The lists of controls go on and on, and without perfect implementation, you don’t get the check mark of compliance. The fear is that many organizations will see the list, think “well I could never get all of them”, and then proceed not to implement any. “Let them find me and then I will deal with it.”
The better methodology would be to let companies build up to the state of full compliance, moving from one level to the next, gaining more controls and building stronger infrastructure along the way. Consider what it takes to run a marathon or complete a triathlon: running a little bit each day, growing stronger as time moves on, to eventually reach full ability. It is never something you go straight into without long-term training.
What will it take for security implementation to be taken seriously?
There is a chance that a very serious catastrophe will be required to launch organizations into finally taking this seriously. Otherwise, it is simple for companies to see smaller events happening yet assume that those events don’t affect them, and that it could never happen to them.
Security professionals are quickly seeing how big a risk ransomware poses to the world at large, and “not trusting anyone” sounds like a great place to live. The problem is that unless there is full control over the third parties, professionals cannot see transparently into the complete inner workings of their third parties. Someone in a process is going to do something and not tell you – then suddenly it will be too late.
Strong controls are usually difficult for employees to keep up with from a usability standpoint — and loopholes made for higher-ups end up opening loopholes for adversaries.
5 next steps to get started on implementing strong controls
- Implement MFA
- Use Password Vaults (and don’t reuse your passwords!)
- Ditch Outdated Equipment and Software
- Apply all rules to the admin level, not just the user level.
- Prioritize third-party risk management