Simple Points on Zero Trust and ZTNA Versus the VPN.
As I read the cyber news and the Zero Trust market analysis that is published everywhere, I note that there seem to be some misconceptions about the value proposition of a strategy like Zero Trust. I see many posts and analyses talking almost exclusively about the specific technical benefits of a Zero Trust strategic approach. Sure, that makes sense. Technology helps us achieve the end state we are working to reach, but technology is the "how"; it is not the "why" for ZT. The "why" for a Zero Trust approach, and for deciding which technology an organization might choose to use, is ultimately about business outcomes. Yup, this is a business decision as much as or more than a security technology selection decision. At least it should be, in my opinion.
Let's discuss this. What are the real benefits of changing your security strategy, and why would a business benefit from such an undertaking? Isn't the way that we have been doing security "good enough"? And are the technical pieces of the Zero Trust approach requirements for the move to a better strategic position?
According to IBM's 2021 report estimating the cost of a data breach, a business can expect roughly a 4 million dollar hit when a breach occurs, and the data indicate that the cost of the response and fallout of a breach is up by about 10% year over year. But there is another, not so well noted "cost" of a breach that seems to slide by most market posts: the cost of that response and the after-action gets passed on to the breached company's customers, to the tune of about a 60% increase in the prices of goods and services because of that compromise. Why does that matter? Well, think about it. If your business is breached, you will have the immediate issues and costs of a breach to deal with; additionally, you will pass the costs of that response onward to your customers. Customers don't like to know that they are the ones who are paying for a company's failure to secure its systems.
Research shows that up to 30% of customers in the retail, finance and healthcare industries will stop doing business with companies that have been breached. Similar research shows that 85% of customers will tell others about their experience, damaging the brand value and positioning of a breached organization. Lastly, roughly 34% of customers will vent their feelings about their experience on social media. The Ponemon Institute's Cost of a Data Breach Report states that lost business was the greatest expense associated with a data breach: nearly 40% of the cost of a data breach is attributed directly to customer attrition and to the added cost of acquiring new customers, because diminished reputation drives increased customer turnover. To be blunt, the business suffers in all aspects after a security failure. Most notable, though, are the often-forgotten costs of returning to business and re-engaging and acquiring customers who will now have a sour taste and a lack of faith in the business.
Now for the question: isn't what we have been doing "good enough"? The answer to that is a resounding "NO". Think about it this way. In any other market, would you still engage in the same failed practice if you had thousands of evidence-based proofs that the method has categorically failed? To be honest about it, we have known since 1260 B.C. that a perimeter-based model of security was destined to fail. That was when the city of Troy fell. What happened there? Well, there was a big high perimeter (a wall) that surrounded the most valuable assets (the city and its people). Then something interesting was seen "outside of the wall," and the trusted interior operators (the soldiers) went out, quickly inspected that item and brought it past the wall. Then the malicious internal threats dropped from the belly of the beast, moved laterally and burned the city to the ground, ultimately taking the city. Seriously, that was the first instance of this failed model. Then we collectively took that failure, digitized it, sped it up, and dispersed it with billions of unknown assets in a threatening battle space (cyberspace) and expected that system to work. It sounds dumb when you think about it that way.
Most of us work in some form of sales-related work; we sell things. What would any organization do if it looked across the market in which it sells and saw that the dominant approach to sales therein was failing writ large? It would change its approach, or the business would fail just like the others. Security is no different from any other market. If we ignore the realities of the space and think that we are somehow different, even though we are doing the same thing that others who failed did, then aren't we delusional? This is pretty simple: choose to take a different approach or expect the same outcome.
Now for that last question. Are there technologies that can help us get to the desired end state faster? Sure. Absolutely. Just as in any other market space, some technologies can help us reach an end state if we use them intelligently and in line with our overarching strategic goals. Much as accounting software has revolutionized small business operations, or Salesforce has changed the game globally by streamlining the sales process, a few key technologies are critical to a Zero Trust approach.
The Zero Trust approach requires an organization to continuously verify an entity's identity and treat all access requests as if they originate from a compromised, unprotected network. To do this, a few things must technically happen. The technologies employed must be able to do the following at a minimum (you can always add other capabilities, but this is what makes sense to me at the baseline level; don't send me hate mail about "what I missed". This is a super short list, folks.):
- Continuously validate access and requests to resources: there must be an ability to process authorization dynamically rather than basing access solely on a single input to a policy engine. Those grants must be bound to a time horizon. In other words, there is no unfettered access, and there is no access without a dynamic set of criteria being met before any asset is made available.
- Least-privileged access: access is restricted based on identity and a variety of telemetry that powers contextual decision-making in the policy engine. The technology does not take any single input and then allow access. Multiple steps are necessary for access to be granted, and intelligent telemetry is leveraged across requests in real time.
- Network-level vs application-level access: VPNs use network-level access and take a blanket approach to that network. Once authenticated, fraudulently or not, that access is provided to "all" resources that might be available to that user. Additionally, the privilege level of many VPNs is excessively powerful and introduces risk for an infrastructure. ZTNA, on the other hand, adopts the opposite approach, providing no access unless an asset – an application, data, or service – is expressly permitted for that user. Anything not specifically permitted by the policy is invalid and outside the bounds of acceptable use.
- Device assessment: employees in today's workforce regularly use personal laptops and other devices to work; it's a BYOD world, y'all. Therefore, ZTNA's device verification capability is crucial for a cybersecurity strategy to be optimal. A business should be able to verify that a device has the correct protections in place and that the device's patch level is up to date before access is granted. This helps manage BYOD and often can help secure a user's home or personal device.
Benefits of ZTNA
- Enables micro-segmentation: ZTNA enables companies to build a fully micro-segmented infrastructure while using virtualization optimally. This helps limit attackers' lateral movement and decreases the attack surface in the event of a breach. Compromise is going to happen; deal with it, but limit the spread of the infection. You can manage one tree burning in the forest, but not a forest fire.
- Protects against malicious insiders: a Zero Trust-driven security approach, powered in part by ZTNA, limits the damage of malicious employees thanks to the least-privilege concept and the enhanced visibility of users and their actions. This capability makes it easier to find indications of malicious employees, or of infected machines, that are potentially seeking accesses and assets they should not be able to reach.
- Makes applications and assets "hidden": ZTNA helps an organization deploy "dark" assets. Essentially this means that app discovery is not possible for non-authenticated users and machines, which helps limit an adversary's ability to discover additional targets when a breach does occur.
- Helps increase hiring possibilities: hybrid working is the best way to work today. At least that seems to be the honest assessment of this model. Any business that is still relying on old business models, reliant on infrastructures that do not support mobile working, is finding and will find it difficult to reach the broader talent pool, and will essentially ignore the coming generation of workers, who overwhelmingly have no desire to be forced to come into the physical office. Nobody wants to "have" to go back to the office; I know I don't.
- Enabling compliance requirements: thanks to ZTNA capabilities there is a valid improvement in corporate compliance, as the applications and data that employees can use are authorized and verified by the company. Logging and the "need" for access are also enhanced and can help direct compliance operations. In other words, you are only compliant for what you must be compliant for, not compliant for "everything."
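To make the baseline capabilities above concrete (time-bound, multi-input authorization; per-application rather than per-network access; device posture checks) and the "dark asset" benefit, here is a small policy engine written as an added example for this post. It is not the author's code and not any vendor's product; the resource names, groups, posture fields, the 8-hour grant lifetime and the sample scenarios are all constructed for illustration. Every check must pass before a grant is issued, unknown resources are denied by default, grants expire and must be re-evaluated, and an unauthenticated caller cannot even enumerate what exists. The `vpn_style_reachable` function is included only to contrast the network-level model the post describes.

```python
"""ZTNA-style policy engine, constructed as an illustrative example (not from the original post)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class DevicePosture:
    enrolled: bool          # device registered with the organization (BYOD is fine if enrolled)
    edr_running: bool       # endpoint protection present and active
    days_since_patch: int   # patch currency reported by the endpoint agent


@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: frozenset
    resource: str           # an application or service, never "the network"
    posture: DevicePosture
    mfa_verified: bool
    requested_at: datetime


@dataclass(frozen=True)
class Policy:
    resource: str
    allowed_groups: frozenset
    max_patch_age_days: int
    require_mfa: bool


@dataclass(frozen=True)
class Grant:
    user: str
    resource: str
    expires_at: datetime


# Constructed sample policies. Anything not listed is denied outright (default deny).
POLICIES: Dict[str, Policy] = {
    "payroll-app": Policy("payroll-app", frozenset({"finance"}), 14, True),
    "wiki": Policy("wiki", frozenset({"staff", "finance", "eng"}), 30, False),
    "prod-db-console": Policy("prod-db-console", frozenset({"dba"}), 7, True),
}

GRANT_LIFETIME = timedelta(hours=8)   # assumed time horizon: every grant expires and is re-evaluated
NOW = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)   # constructed clock for the scenarios


def evaluate(req: AccessRequest, policies: Dict[str, Policy] = POLICIES) -> Tuple[Optional[Grant], List[str]]:
    """Return (grant, reasons). Identity, MFA and device posture must ALL pass; no single input is enough."""
    pol = policies.get(req.resource)
    if pol is None:
        return None, ["no policy for resource: default deny"]
    reasons: List[str] = []
    if not req.groups & pol.allowed_groups:
        reasons.append("identity not authorized for resource")
    if pol.require_mfa and not req.mfa_verified:
        reasons.append("mfa required")
    if not req.posture.enrolled:
        reasons.append("device not enrolled")
    if not req.posture.edr_running:
        reasons.append("endpoint protection not running")
    if req.posture.days_since_patch > pol.max_patch_age_days:
        reasons.append(f"patch age {req.posture.days_since_patch}d exceeds {pol.max_patch_age_days}d")
    if reasons:
        return None, reasons
    return Grant(req.user, req.resource, req.requested_at + GRANT_LIFETIME), ["all checks passed"]


def is_valid(grant: Grant, now: datetime) -> bool:
    """Grants are time-bounded: after expiry the client must go through evaluate() again."""
    return now < grant.expires_at


def vpn_style_reachable(authenticated: bool, network_resources: Iterable[str]) -> Set[str]:
    """Contrast: network-level access exposes every resource on the segment once the tunnel is up."""
    return set(network_resources) if authenticated else set()


def discoverable_resources(groups: frozenset, authenticated: bool, policies: Dict[str, Policy] = POLICIES) -> Set[str]:
    """'Dark' assets: unauthenticated callers learn nothing; authenticated ones see only what policy allows."""
    if not authenticated:
        return set()
    return {name for name, p in policies.items() if groups & p.allowed_groups}


GOOD_DEVICE = DevicePosture(enrolled=True, edr_running=True, days_since_patch=3)
STALE_BYOD = DevicePosture(enrolled=False, edr_running=True, days_since_patch=45)


def demo() -> dict:
    """Run the constructed scenarios and return the outcomes so they can be checked, not just printed."""
    def req(user, groups, resource, posture, mfa=True):
        return AccessRequest(user, frozenset(groups), resource, posture, mfa, NOW)
    ok, why_ok = evaluate(req("alice", ["finance"], "payroll-app", GOOD_DEVICE))
    byod, why_byod = evaluate(req("alice", ["finance"], "payroll-app", STALE_BYOD))
    wrong, why_wrong = evaluate(req("bob", ["eng"], "payroll-app", GOOD_DEVICE))
    unknown, why_unknown = evaluate(req("bob", ["eng"], "legacy-ftp", GOOD_DEVICE))
    return {
        "alice_payroll": (ok is not None, why_ok),
        "alice_byod": (byod is not None, why_byod),
        "bob_payroll": (wrong is not None, why_wrong),
        "bob_unknown": (unknown is not None, why_unknown),
        "grant_valid_1h": is_valid(ok, NOW + timedelta(hours=1)),
        "grant_valid_9h": is_valid(ok, NOW + timedelta(hours=9)),
        "vpn_view": vpn_style_reachable(True, POLICIES.keys()),
        "ztna_view_eng": discoverable_resources(frozenset({"eng"}), True),
        "ztna_view_unauth": discoverable_resources(frozenset({"eng"}), False),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Running the block shows the contrast the post draws: the same authenticated engineer who sees every resource behind a VPN-style tunnel sees only `wiki` under the per-application policy, an unauthenticated caller sees nothing, and a finance user on an unenrolled, unpatched personal laptop is refused the payroll application with the specific reasons logged, which is exactly the telemetry the compliance and insider-threat bullets rely on.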
I will add more to this series of Zero Trust related points, but I think that the benefits are pretty clear. Yes, there is a lot of marketing in the space. That's how markets grow; it happens. Yes, there are many vendors claiming ZT. Many of them aren't "wrong", as you could build a ZT system with nearly any variety of technologies. But it's critical that we share the basics and understand which capabilities are simple and directly beneficial and which ones are a bit "further right". I hope those who read this find it useful, and honest.
Cybersecurity Marketing and Education Leader | CISM, Direct-to-Human Marketing, CyberTheory
Useful and honest, Dr. Chase Cunningham, and easy to understand - thanks.
Product Marketing Manager
Excellent insights, and I really love the city of Troy comparison. While an understanding of the basics is crucial, it's also important to consider Zero Trust solutions that are cloud-delivered with automatic updates and part of a larger converged security platform. This allows for a truly user-centric security experience with easy onboarding that doesn't focus on the dissolving perimeter. Plus it maintains solid connectivity by avoiding the inevitable bottlenecks in corporate data centers. Perimeter 81
Vice President Communications | Chief Communications Officer | Cybersecurity | Enterprise SaaS Software | Advisor | Mentor | Angel Investor
Great piece Chase!!
Well said, Dr.! Costs and risks go well beyond protecting data; it's about saving a business, and in fact it could be a solid brick to grow a solid business!
Agree completely with the arguments for ZT. Where more work is required is the solution architectures and methodologies to move existing and often mission-critical 24/7 environments to the new world. This part is hard.