Has Zero Trust Killed Defense in Depth? Or “DiD” It Refine It?
Zero Trust (ZT) continues to make waves (no pun intended), with US federal agencies now publishing guidance for effective implementations, such as the OMB’s M-22-09 and the DoD’s ZT strategy, which positions the government as a credible source of direction in cybersecurity. ZT is still mired in myths, though, and these could do with a bit of sorting out.
There is one such confusion that I want to address: whether or not ZT has replaced Defense in Depth (DiD) and other accepted security principles. If ZT didn’t replace them, how do these principles relate to ZT? And what about other accepted principles such as least privilege and separation of duties? The short answer is that ZT does not replace those principles. Let’s quickly look at how they remain relevant within ZT, and at how ZT keeps security pros honest in applying them effectively and efficiently.
Zero Trust Is Built On An Established Foundation Of Security Principles …
As with any home construction, everything starts with a good solid foundation, something strong and stable enough to keep whatever it supports from crashing down or falling into your neighbor’s property. For ZT, this foundation consists of common industry practices, and I want to highlight three core principles, as they are important to ZT but are often misapplied in practice:
- Least privilege
- Separation of duties
- Defense in Depth (DiD)
By applying these principles, you’ll find that you and your organization are already on the right path when it’s time to assess your ZT maturity.
… But You Must Use Them Correctly To Achieve ZT
You know how convenient life has become? We have how-tos and manuals for almost everything. They walk you through how to do something correctly. Unfortunately, much like with that bicycle you’ll assemble for the holidays, you’ll skip past the manual and eyeball it, or use the wrong tool to tighten a loose screw. You might be OK making a mistake with the bicycle, but mistakes in implementing security principles can be far more costly and far-reaching. Focusing on the three we highlighted ensures that you understand the following:
- Least privilege can get too cumbersome if used on its own. We all know that by applying this principle, an organization seeks to improve its security posture by ensuring that its workforce only has “just enough access” needed to do their jobs. While that’s all great, it can become troublesome if that job is too big. If someone’s role encompasses too much, then you’ll find that your security team is back to creating too many permissions for a single role. With too many duties, that individual is more likely to make a poor decision that will negatively impact your enterprise’s security.
- Separation of duties helps make least privilege a reality but doesn’t address access prevention. Separation of duties ensures that no single individual accumulates excessive privileges. This means, for example, that an organization’s sales rep will not have the ability to alter or change the pricing of a product or solution; instead, that price change is made by an approving authority such as a manager. These two principles are focused mainly on permissions but don’t address access prevention. Enter Defense in Depth.
- Defense in Depth seals the deal. Through DiD, organizations focus on the controls that prevent unauthorized access to systems. These include administrative, technical, and physical controls. Unfortunately, DiD has often been misapplied by organizations, resulting in what has come to be known as “Expense in Depth”: problems were addressed by throwing more money at layering on more technology and security controls in the hope of blindly preventing a threat after the fact. ZT brings back the concepts of DiD but refocuses them in a more strategic manner so that security pros can:
- Consolidate disparate controls by taking advantage of those technological advancements that bring singular security functions together into a single platform for reduced deployment complexity.
- Reduce cost of management by centralizing the security tool management through reduction of number and types of controls with overlapping capabilities.
- Deter unauthorized access by capitalizing on strategic access control that can be logically and physically placed closest to high-value assets, making intrusion daunting for would-be threat actors while simultaneously mitigating insider threat.
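To make the three principles concrete in code, here is an added example (not Forrester's code and not from any product the post mentions) of a deny-by-default access policy that applies them as independent layers: least privilege through small role-to-permission sets, separation of duties through a rule that whoever requests a price change may not approve the same change, and defense in depth through an identity/device check that must pass before authorization is even consulted. The roles, permission names, users and request shape are all constructed for this illustration.

```python
"""Added illustration: a layered, deny-by-default access policy.

Everything here (role names, permission strings, users, object ids) is
constructed for the example and is not drawn from any real product.
"""
from dataclasses import dataclass

# Least privilege: each role lists only the actions its job needs; anything
# not listed is denied. Roles are kept small so no single role accumulates
# a sprawling set of permissions.
ROLE_PERMISSIONS = {
    "sales_rep": {"quote:read", "quote:create", "price_change:request"},
    "sales_manager": {"quote:read", "price_change:approve"},
    "catalog_admin": {"price:read", "price:write"},
}

# Separation of duties: pairs of actions that one person must never perform
# on the same business object (here: requesting and approving a price change).
SOD_CONFLICTS = {("price_change:request", "price_change:approve")}


@dataclass
class User:
    name: str
    roles: frozenset
    mfa_verified: bool
    device_compliant: bool


@dataclass
class Request:
    user: User
    action: str
    object_id: str


@dataclass
class Decision:
    allowed: bool
    reason: str


def permissions_for(roles):
    """Union of permissions granted by a set of roles."""
    perms = set()
    for role in roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def toxic_combinations(roles):
    """Flag role sets that grant both halves of an SoD conflict to one person.
    Run this at grant time, before the access is ever exercised."""
    perms = permissions_for(roles)
    return {c for c in SOD_CONFLICTS if c[0] in perms and c[1] in perms}


class AccessPolicy:
    def __init__(self):
        # Record of (user, action, object) for allowed requests; the SoD
        # layer consults it so one person cannot request and then approve.
        self.history = []

    # Defense in depth: each layer is independent and can deny on its own.
    def _identity_layer(self, req):
        if not req.user.mfa_verified:
            return "identity not strongly verified (no MFA)"
        if not req.user.device_compliant:
            return "device failed compliance check"
        return None

    def _least_privilege_layer(self, req):
        if req.action not in permissions_for(req.user.roles):
            return f"{req.user.name} lacks permission {req.action}"
        return None

    def _sod_layer(self, req):
        for first, second in SOD_CONFLICTS:
            if req.action == second and (req.user.name, first, req.object_id) in self.history:
                return f"{req.user.name} already performed {first} on {req.object_id}"
        return None

    def evaluate(self, req):
        for layer in (self._identity_layer, self._least_privilege_layer, self._sod_layer):
            reason = layer(req)
            if reason:
                return Decision(False, reason)
        self.history.append((req.user.name, req.action, req.object_id))
        return Decision(True, "all layers passed")


def demo():
    """Walk through the scenarios from the post and return each outcome."""
    policy = AccessPolicy()
    rep = User("alice", frozenset({"sales_rep"}), True, True)
    mgr = User("bob", frozenset({"sales_manager"}), True, True)
    out = {}
    # Sales rep may request a price change but may not edit prices directly.
    out["rep_writes_price"] = policy.evaluate(Request(rep, "price:write", "SKU-100")).allowed
    out["rep_requests"] = policy.evaluate(Request(rep, "price_change:request", "SKU-100")).allowed
    out["mgr_approves"] = policy.evaluate(Request(mgr, "price_change:approve", "SKU-100")).allowed
    # Someone holding both roles passes least privilege but is stopped by SoD.
    both = User("carol", frozenset({"sales_rep", "sales_manager"}), True, True)
    policy.evaluate(Request(both, "price_change:request", "SKU-200"))
    out["self_approve"] = policy.evaluate(Request(both, "price_change:approve", "SKU-200")).allowed
    # A valid role with a weakly verified session fails at the first layer.
    weak = User("bob", frozenset({"sales_manager"}), False, True)
    out["no_mfa"] = policy.evaluate(Request(weak, "price_change:approve", "SKU-100")).allowed
    out["toxic_roles"] = bool(toxic_combinations({"sales_rep", "sales_manager"}))
    return out


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

Note that `toxic_combinations` catches the separation-of-duties problem at the moment a role set is assigned, while `_sod_layer` catches it at request time; keeping both is itself a small instance of defense in depth, since a mistake in provisioning is still stopped when the access is exercised.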
A Moment Of Reflection
Zero Trust as an information security model has come a long way. It has also faced much contention and doubt. One thing is certain, though: If we focus on what ZT is built upon, we find that it provides a common goal for most (if not all) of these foundational principles to be effective in their application.
Fortunately, Forrester has a team that has ZT as a focus — my colleagues David Holmes, Heath Mullins, and I dig deeper and provide insights for Zero Trust, its benefits, and how its concepts should be applied.
Forrester clients seeking guidance on their Zero Trust strategy and technology choices: Reach out with your inquiries, or schedule a guidance session with one of us.