Zero Trust: Moving beyond the chewy centre of cybersecurity

By Justin Giardina, CTO at 11:11 Systems 

As modern technology becomes increasingly complex, so does the task of securing it. Adding to the complexity is the proliferation of decentralised technology such as cloud adoption and IoT (Internet of Things), and the move to remote working which have changed how cybersecurity experts craft the defences for their systems.  

Chewy centres of cybersecurity 

In simpler days, IT systems were comparatively easy to ring-fence, as there was a solidly defined corporate security perimeter, or “trust boundary.” This formed the basis of the classic, trust-based security strategy, where any user inside the boundary was implicitly trusted by default, and anyone outside the boundary was denied access. Being connected to the private network was the only verifiable credential needed to access the system and all its data. 

Fast forward to what has been dubbed the “chewy centre” of cybersecurity, as it was first described by an engineer in 1994 who used the analogy of a Cadbury Creme Egg to relate to this firewall perimeter defence model, describing it as a hard shell around a soft centre. Once past that shell, there is nothing preventing access to everything on the inside. 

What makes Zero Trust, zero trust? 

The mantra of Zero Trust is “never trust, always verify.” As such access is based on credentials that are constantly and consistently re-verified.  

Fundamentally, three core principles make up Zero Trust: 

First, always assume the system has been breached. Threat actors do not always immediately act upon breaking into a secure system, a lot of the time they lay dormant, observing and slowly spreading throughout the whole network until they have infiltrated it completely. This is easy with an old trust-based security model, as once they are a trusted user, they have access to everything. With Zero Trust, assuming that the system is always breached minimises the risk. 

By implementing techniques such as end-to-end encryption, so that only end users can read sensitive information, or segmentation, which means that not all users can access everything, reduces the impact of that “chewy centre” problem. Another effective approach is to log all activity, so that there is a record of what each user is doing, and suspicious activity is easier to spot as it arises. 

The second core principle of Zero Trust is the idea of “least privilege”. This means that users are only given the absolute bare minimum permissions needed to perform their function, and if any additional permissions are needed, they are given for the shortest amount of time possible. This ensures that permissions are not handed out frivolously, and their use is properly verified. 

The third core principle is that of explicit verification. Authorisation should be undertaken with the most amount of data points possible. True to the name, there should be no granting of permissions based on trust in a “Zero Trust” system. When granting permissions, authorisation should be granted based on things such as device identity, device health, data sensitivity, and location. The system should also pay attention to any anomalies with the user when deciding to verify.  

While it can seem daunting to switch to a Zero Trust model, it is much simpler when broken down into the three core elements of assume breach, least privilege, and explicit verification. Additionally, it does not have to be all-or-nothing and can be rolled out in stages to address individual use cases or goals.  

Why zero trust? 

So, why should organisations go through the trouble of investing in a zero trust security strategy? In a broad sense, cyber criminals are, by their very nature, one step ahead of advances in cyber security. No matter how new or strong a firewall is, someone is already trying to find the best way to break it. 

A Zero Trust framework makes it so that even when a system is breached, the damage is minimised as much as possible, cutting the time it takes to respond and recover. Zero Trust operates on the assumption that threats can lurk anywhere, even within an organisation. Therefore, every user, device and network flow is treated as potentially compromised and must be verified and vetted before granting access. 

For example, by only providing users and devices with the minimum permissions needed to perform their tasks, organisations can drastically reduce the attack surface. Segmenting internal networks and limiting access to assets makes it more difficult for threat actors to move through the entirety of an organisation’s network, and continuous monitoring provides increased visibility into all traffic, enhancing an organisation’s ability to detect and respond to anomalous and malicious activity. 

The benefits of Zero Trust cannot be understated, but implementing it is a journey that can be taken step by step. The best place to start is to identify a use case and implement it, and then build it out from there.