This article is part of a VB special issue. Read the full series here: Zero trust: The new security paradigm.
The term “zero trust” has been around for more than a decade — but it’s a misnomer, many security experts say.
“It implies that an organization does not trust their people,” said Heath Mullins, Forrester senior analyst. “It’s far from the case, it’s not the case at all. It’s about securing against malicious actors, period.”
Rather, experts say, it should be referred to as “trust enough,” “trusting the right amount,” or “least privilege” — particularly when it comes to thwarting malicious insiders.
“It’s giving people the right amount of trust and no more,” said Charlie Winckless, senior director analyst for Gartner — who goes so far as to call “zero trust” a “terrible name”.
Intelligent Security Summit
Learn the critical role of AI & ML in cybersecurity and industry specific case studies on December 8. Register for your free pass today.
Ultimately, “it’s important that organizations look at the capability and not the buzzword that’s wrapped around it,” said Winckless.
The increasing malicious insider threat
There’s no question that insider threats are increasing: According to the Ponemon Institute, incidents have risen 44% over the past two years, with costs per incident up more than a third to $15.4 million. Furthermore, the time to contain an insider threat incident increased from 77 days to 85 days, leading organizations to spend the most on containment.
Still, the term “malicious insider” — not unlike “zero trust” — is very often misunderstood.
As Winckless explained, a malicious insider is anyone inside an organization who has access — or can easily get access — to information and then improperly use it. In the case of insider threats, this could be unintentional, he pointed out.
In the first scenario, a user has access to an enormous amount of data simply because they need it to do their job.
“They have the potential to abuse that for many reasons,” said Winckless. “That’s the hard case for a malicious insider.”
The ability to get access, meanwhile, means that that access has been given even though a user doesn’t need it. Because, Winckless noted, from an organization perspective, it’s just easier to give access than to figure out what access a particular user needs.
There are an enormous number of instances of “semi-malicious insiders,” said Winckless — that is, an employee taking proprietary data or other information with them when they leave, then using it for something else.
Mullins agreed that “’malicious’ implies that it’s done on purpose,” whereas sometimes it can be more “benign.” Taking sales contacts or records, for instance because the user cultivated them and built up those relationships.
“It’s not just what the threat is, but the motivation behind it,” said Mullins.
A delicate balance of privilege and restriction
Combating malicious insiders is more a matter of strategy than technology, said Winckless: Providing the right trust to an individual based on identity and context.
Zero trust, or least privilege, is best for those getting access to things they don’t need to get access to, he said. They can’t use a new password or force their way onto a system; they only see the things they need to do the job.
The case of users having access to information they need to do their jobs is a little more complicated, he said. Thwarting them involves monitoring and looking for anomalies. For instance, all of a sudden, a user begins behaving differently: downloading things they normally don’t, looking at things they otherwise don’t, or storing certain data or large amounts of it.
“It’s a reason to say ‘Hey, what’s going on?’ and start to do further investigation into what could be happening,” said Winckless.
Doing this right means balancing complexity with security, he said. There’s a fine line to be walked when it comes to culture.
“You’ve got to be granular enough to give people the right access without making it so that it’s unmanageably complicated,” he said.
Organizations should implement controls that limit users to applications, and ensure that those controls are consistent and easy to implement wherever a user sits (whether in an office, at home or while in limbo at the airport). Network access control, he pointed out, while useful, only works in the office.
When looking at tools, Winckless advised, organizations should ask questions such as: Does it help provide the right trust? Open up more trust? Have nothing to do with trust? Does it just have a zero-trust name on it?
Mullins also underscored the importance of finding platform-agnostic third parties. The zero-trust phrasing has been “hijacked by vendors,” he said, so don’t just blindly implement a tool from vendor X. There are a lot of vendors out there, a lot of competition, and some will have most of what an organization needs, or “be adjacent with a slight overlap.”
Also, don’t base least privilege on vendor definition: Create your own definition and identify what the most important aspects are for your organization, said Mullins.
Implement tools and best practices — don’t throw up roadblocks
In crafting and implementing a strategy and associated tools, the very first thing should be to “perform by assessment,” said Mullins.
The lowest-hanging fruit is often privileged access management (PAM). This restricts what users can do because they have to go through a single port, “basically a man in the middle.”
This is particularly critical with the C-suite, as they are a top target, he said. Also, organizations shouldn’t overlook their HR heads or local admins.
“They’re running the business, they’re not always worried about security on their endpoint,” said Mullins.
Another important tool is just-in-time access, which limits users’ access to predetermined periods of time, on an as-needed basis, he said. Also, session tracing and time-outs, or step-up authentication, which requires additional levels of authentication.
Still, the no. 1 rule is transparency. “You’re not trying to create a roadblock,” said Mullins.
When users have to do things too many times, it becomes a burden. They may create IT help desk tickets that backlog the department, or “they start to take shortcuts, find other ways to get around those verification prompts, or stay logged on for longer,” said Mullins.
Are they who they say they are?
An increasing conundrum with malicious insiders is today’s work-from-home landscape. Organizations are often hiring people that they’ve never met in person, Mullins pointed out, or that they’ve only corresponded with on Zoom calls.
That person, or entity, could simply be onboarding to get a nation-state or a collective the information that they are paid to acquire, he said. It’s critical to vet and verify.
Look for unique identifiers, he said. For instance, if someone is doing an interview and you’re hearing very scripted responses, ask off questions as simple as, “do you have pets?” or “what do you do for fun?”
“If it doesn’t feel right, it’s probably not right,” Mullins said.
He also pointed to the practice of requiring users to log in, have their faces scanned, then, with subsequent logins, applying artificial intelligence (AI) to compare features.
Also, in the U.S., employees have Social Security cards or passports, but that could be entirely different if they’re from a different country.
It’s a gray area, said Mullins, and the question that organizations should ask is: “What constitutes enough of a verification?”
Culture: The best way to thwart malicious insiders
Organizations have given a lot of privileges to a lot of users, whether they need them or not, said Winckless. “Taking away something that a user already had is always painful,” he said.
Addressing that culture and avoiding the “zero trust” phrase can be a less threatening and more friendly approach. Because, frankly, people want to avoid working at a place where they don’t feel trusted, he said.
Mullins agreed that it all comes down to the culture piece. Simply put, “If you treat people well, you’re less likely to have a malicious insider.”
Organizations should reinforce to employees that it’s not about them not being trusted, but rather, “this is my stuff, you can’t touch my stuff unless you are vetted and verified.”
And, it’s important to get the message out that it’s not just about protecting their own assets.
“The organization that you work for has all kinds of info on you,” said Mullins. “Wouldn’t you want to protect that? I would.”
VentureBeat's mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact. Discover our Briefings.