Zero trust makes business secure by default
In a rush to digitally transform, enterprises are embracing mobile, smart devices, machine learning, and new, more agile methods of application development, deployment, and management. Never have companies faced so much technological change.
The transformation isn't just about new mobile apps and intelligent new features, however. The changes run deep into the enterprise's core with emerging cloud platforms and microservice architectures working with more static legacy systems. "This creates a lot of challenges when it comes to managing systems across the enterprise, especially when it comes to security and access management," says Scott Crawford, information security research head at 451 Research, a part of S&P Global Market Intelligence. How can organizations make certain that systems and people can only access the right systems and data?
There's no easy answer. With the increased interconnectivity and dynamic nature of computing across disparate cloud platforms, and cloud services, microservices, and software components, how enterprises decide whether they can trust users or systems to connect to any given resource at any given time has grown markedly complex. How can a user be trusted when attempting to perform an action? And with increased automation, how can a server, workload, or software component be trusted to connect between cloud systems and legacy on-premises systems?
More enterprises are turning to zero trust. Zero trust is a philosophical approach to identity and access management, establishing that no user or software action is trusted by default. In other words, authenticate everything. Zero trust demands that all users, devices, and application instances must prove they are who or what they purport to be and that they are authorized to access the resources they seek.
Enterprises are investing in the tools and services that enable zero trust. According to MarketsandMarkets, the zero-trust market will reach nearly $39 billion by 2024, up from roughly $16 billion in 2019—an annual growth rate of 20%.
Traditional identity management falls short
In modern multicloud and microservice environments, traditional means of authenticating once and trusting indefinitely don't hold up. At any moment, new workloads and software services can call upon any resource to perform some task. "In non-zero-trust environments, once a user or device was inside, connectivity between resources was trusted," says Colin I'Anson, a Hewlett Packard Enterprise fellow. "Now, with zero trust, we're not willing to do that. We want to authenticate in real time and to a much more granular level, and to access any workload or functionality, entities have to prove who they are."
How is zero trust achieved? Enterprises must authenticate users, workloads, and data and continuously monitor that access for anomalies.
That's easier written than done in modern enterprises with dynamic and hybrid architectures. A critical step in achieving zero trust among users and systems is to standardize and automate the zero-trust authentication processes whenever possible. This is something that is especially suited for cloud-native environments.
Consider HPE's recent acquisition of zero-trust firm Scytale. Scytale initiated a set of efforts to unify access control for complex hybrid environments. The first initiative, SPIFFE (Secure Production Identity Framework For Everyone), defines a set of specifications that, among other things, define an API to easily establish trust among workloads and system actions. Because it's API-based, unlike manual key generation and distribution processes, SPIFFE attestation and authentication can be fully automated. "SPIFFE puts in place the underpinnings for enterprises to utilize existing on-premises service authentication protocols [such as Kerberos and OAuth] with workloads running upon increasingly dynamic computing platforms, including cloud and containers," says Sunil James, former Scytale CEO and currently senior director at HPE.
The second Scytale effort is SPIRE, the first software implementation of SPIFFE. SPIRE's components can be integrated with cloud providers, middleware layers, and hardware trust mechanisms such as trusted platform modules and hardware security modules. SPIRE can be used by workloads in any environment, such as within Azure, Kubernetes, or an application running in the datacenter. "This enables a finer level of authentication, right down to the specific action of a user or workload that is requested," says I'Anson.
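To make the SPIFFE/SPIRE flow concrete, here is a small model of the three steps the preceding paragraphs describe: validating a workload identity (a SPIFFE ID of the form spiffe://trust-domain/path), attesting a workload from what the platform observes about it (SPIRE matches registration entries against selectors such as the Kubernetes namespace or the Unix uid of the caller), and authorizing every connection against an allow-list with no default trust. This is an added illustration written for this article, not SPIFFE or SPIRE project code; real SPIRE issues X.509 or JWT SVIDs, which are omitted here. The registry entries, selector strings, resource policy and trust domain example.org are constructed sample data.

```python
"""Toy model of SPIFFE workload identity with SPIRE-style attestation and
deny-by-default authorization. Added example, not SPIFFE/SPIRE code."""
import re
from urllib.parse import urlsplit

# SPIFFE trust domains are lowercase; path segments are a restricted charset.
TRUST_DOMAIN_RE = re.compile(r"^[a-z0-9._-]+$")
PATH_SEGMENT_RE = re.compile(r"^[A-Za-z0-9._-]+$")


def parse_spiffe_id(value):
    """Validate a SPIFFE ID (spiffe://<trust-domain>/<path>) and return
    (trust_domain, path). Raises ValueError on anything malformed so a bogus
    identity never reaches the authorization step."""
    parts = urlsplit(value)
    if parts.scheme != "spiffe":
        raise ValueError("scheme must be spiffe")
    if parts.query or parts.fragment:
        raise ValueError("query and fragment are not allowed")
    # The regex also rejects userinfo (@) and ports (:) in the trust domain.
    if not parts.netloc or not TRUST_DOMAIN_RE.match(parts.netloc):
        raise ValueError("invalid trust domain")
    path = parts.path
    if path:
        segments = path.split("/")  # leading '/' gives an empty first element
        if segments[0] != "":
            raise ValueError("path must start with /")
        for seg in segments[1:]:
            # Empty, '.' and '..' segments are forbidden (no trailing slash,
            # no path traversal tricks in an identity).
            if seg in ("", ".", "..") or not PATH_SEGMENT_RE.match(seg):
                raise ValueError(f"invalid path segment {seg!r}")
    return parts.netloc, path


def is_valid_spiffe_id(value):
    try:
        parse_spiffe_id(value)
        return True
    except ValueError:
        return False


# Constructed registration entries: (SPIFFE ID, selectors that must all match).
# Selector formats follow SPIRE's k8s and unix workload attestors.
REGISTRY = [
    ("spiffe://example.org/ns/prod/sa/payments-api",
     {"k8s:ns:prod", "k8s:sa:payments-api"}),
    ("spiffe://example.org/ns/prod/sa/ledger-db",
     {"k8s:ns:prod", "k8s:sa:ledger-db"}),
    ("spiffe://example.org/legacy/batch",
     {"unix:uid:1001", "unix:path:/opt/batch/run"}),
]

# Constructed policy: resource SPIFFE ID -> set of client SPIFFE IDs allowed.
POLICY = {
    "spiffe://example.org/ns/prod/sa/ledger-db": {
        "spiffe://example.org/ns/prod/sa/payments-api",
    },
}


def attest(observed_selectors, registry):
    """SPIRE-style workload attestation: an entry applies only when every
    selector it lists is among the selectors the platform observed for the
    caller. Returns the SPIFFE IDs the workload is entitled to ([] if none)."""
    observed = set(observed_selectors)
    return [spiffe_id for spiffe_id, required in registry if required <= observed]


def authorize(client_id, resource_id, policy):
    """Per-connection check: both IDs must parse, share a trust domain, and the
    client must be on the resource's allow-list. Anything else is denied."""
    try:
        client_td, _ = parse_spiffe_id(client_id)
        resource_td, _ = parse_spiffe_id(resource_id)
    except ValueError:
        return False
    if client_td != resource_td:
        return False
    return client_id in policy.get(resource_id, set())


def request_access(observed_selectors, resource_id, registry=REGISTRY, policy=POLICY):
    """Full flow: attest the caller, then authorize each identity it holds.
    No matching entry means no identity and therefore no access."""
    for identity in attest(observed_selectors, registry):
        if authorize(identity, resource_id, policy):
            return True, identity
    return False, None


if __name__ == "__main__":
    db = "spiffe://example.org/ns/prod/sa/ledger-db"
    for selectors in (
        {"k8s:ns:prod", "k8s:sa:payments-api", "k8s:pod-name:payments-7c9f"},
        {"k8s:ns:dev", "k8s:sa:payments-api"},          # wrong namespace
        {"unix:uid:1001", "unix:path:/opt/batch/run"},  # attested, not allowed
    ):
        print(sorted(selectors), "->", request_access(selectors, db))
```

Note that the extra pod-name selector in the first call does no harm: attestation requires the entry's selectors to be a subset of what was observed, not an exact match, which is what lets one registration entry cover many replicas of the same workload. The third call shows the two stages being distinct: the batch job does obtain an identity, but that identity is not on the database's allow-list, so the connection is still refused.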
Zero trust solves real-world business problems
The purported benefits of zero trust would matter little if they didn't solve real and pressing business challenges. Not only does zero trust help improve security, proponents say, but more important, zero trust enhances security cost effectively and can make security as agile and elastic as the technical environment demands.
Because zero trust is a security system that attempts to understand what users are trying to do as they're doing it and introduce the appropriate security policies based on the context of an action, it can also improve user experience. "Zero-trust frameworks help enterprises get their security hands around an increasingly dynamic enterprise IT environment while simultaneously improving the user experience of their infrastructure, security, networking, and software engineers," says James.
When zero-trust attributes can be codified and automated, zero trust will readily scale with modern cloud and microservice architectures. And while it would be much more straightforward to deploy a zero-trust architecture in a new, all-cloud environment, it's not strictly necessary. Zero-trust success in established environments is still attainable.
Successful zero-trust implementations
"There are many discussions among our customers about what zero trust means to them and how to best implement it," says Simon Leech, senior adviser for the worldwide security and risk management practice at HPE Pointnext Services. "But you want this discussion to be business led more than technology led. Zero trust is not about implementing one or another security or networking technology. It's a completely new approach to the way you do security architecture," he says.
"Taking a new approach to security architecture is going to require a very good understanding of your current state of operations and what your future state of operations will be, and build a business plan or business case from there," Leech advises.
James says the first step is to assess where the organization currently stands. "You need to first baseline your current state of operations, and you need to understand where you want to go," he says. "Then you need to build your business case to be able to get yourself there."
While thinking of identity in terms of granular user access and dynamic workloads may appear to complicate identity management, Crawford says it's worth the effort for the long term. "How broad do you want this access to be? How narrowly defined does it have to be for a given target? What do you have to consider for things like regulatory requirements as far as who has access to what types of assets? Bringing identity and access management to this level will help to improve security and provide a better experience for everyone," explains Crawford.
"It does take some upfront work to get the most out of zero trust," adds I'Anson. The good news is that existing identity management investments and maturity levels will help with the transformation. "The more mature the existing identity management program, the easier the move to zero trust will be," explains I'Anson. "You can use existing LDAP implementations as a starting point because they already establish a good initial foundation of roles and identities."
The next step is to identify those business cases with winnable implementations. "One of the key things about zero trust is that it's not attained by flipping a switch suddenly. You can come to zero trust by taking it step by step," says I'Anson. "You build a business case, which could be a business unit or certain domain, and introduce zero trust that way."
James agrees. "Spot potential quick wins and their associated use cases when implementing zero trust. Design and build a flexible architecture that can deliver value across those use cases," he says. "Doing so delivers a stronger foundation that you can build upon rather than simply piecing together ad hoc components and technologies."
That's why it's important to standardize on an approach to zero trust. "If you standardize, in two years, you won't have five different approaches to zero trust spread throughout your organization, much of which probably won't work together and won't provide value," James says.
Finally, when it comes to initial authentication, Crawford advises organizations to take advantage of the authentication methods available. "We're seeing increased availability of what not that long ago would have been very sophisticated techniques for access control, including biometric authentication that comes packaged with a lot of commodity consumer endpoint technology. Take advantage of these authentication methods," says Crawford.
As enterprises race forward in their digital transformations, they're embracing many different technologies to succeed: cloud computing, machine learning, containers and microservices, mobility, and more. If they're going to win this race, they'll need an approach to identity management and authentication that is just as agile, elastic, and smart as the computing environments they're building. Zero trust can be that approach.
Zero trust: Lessons for leaders
- A commitment to zero trust requires a commitment to implement and maintain identity and access management at a fine-grained level.
- Security decisions are too important to make without judging the identity and access rights of the requestor.
- Before implementing the technology of zero trust, an organization must make the business case for it and get buy-in across business units.
This article/content was written by the individual writer identified and does not necessarily reflect the view of Hewlett Packard Enterprise Company.