The Cloud Security Alliance is trying to cut through the myriad zero-trust approaches and solutions out there and to offer some practical information for corporate network admins.
Zero-trust security continues to be one of the hottest marketing phrases in an industry that loves its buzzwords. But despite so many so-called zero trust products from virtually every vendor, there’s still a lot of confusion about what a zero-trust architecture looks like and how to deploy its key elements across an organization.
A new Cloud Security Alliance project called the Zero Trust Advancement Center aims to cut through the clutter. Launched this week with vendors CrowdStrike, Okta, and Zscaler, the initiative aims to advance standards, certifications, and best practices to help folks build zero-trust environments.
“The internet is becoming the new network,” said Kavitha Mariappan, EVP of customer experience and transformation at Zscaler. “Applications are moving to the cloud. Cloud is becoming the new data center. So why is anyone focusing on securing the physical network? This legacy network security model needs to be turned on its head.”
Over the next 18 months, the group will roll out educational courses covering zero-trust architecture and strategy, a webinar series, research papers, practitioner and executive zero-trust certification programs, and it will host a zero-trust summit slated for the fourth quarter of 2022.
Additionally, it will conduct a survey on CISO perspectives about deploying zero trust and release the results at the CxO Trust Summit held during the RSA Conference in June.
Trust no one
A zero-trust security framework essentially boils down to trusting no one on the network, let alone anyone connecting in from the outside, and assuming there has been a security breach. Instead of trusting employees or other users, devices, and networks by default, zero trust relies on identity and behavior to verify users and machines in real time, and restricts data and access on a least-privilege basis.
This approach becomes increasingly important as miscreants use stolen credentials and identities to bypass security, and access corporate systems. Once they are in, they can typically freely move laterally through the network, steal files, and cause other mayhem.
“There’s a misperception that stopping malware means stopping the breach,” CrowdStrike co-founder and CEO George Kurtz said in a memo about the Zero Trust Advancement Center.
“It’s important but not enough, because adversaries are increasingly launching attacks that are malware-free,” he continued, citing the CrowdStrike 2022 Global Threat Report. It found 62 percent of all attacks are malware-free and use hands-on-keyboard activity.
“In the modern enterprise, our user identities and credentials are intertwined with the devices we use, the cloud services we access and the data that flows across all of them,” Kurtz said.
“This intersection is where enterprise risk is coalescing. Zero-trust security strategies hold tremendous promise for securing infrastructure and data in today’s modern enterprise, but this will require the industry to make significant strides toward realizing its promise.”
‘No zero-trust box’
This is where the non-profit industry body Cloud Security Alliance fits in, according to Mariappan. While it was important to bring together leaders in three core tenets of zero-trust security — Okta with its identity and access management, CrowdStrike for its endpoint and device security, and Zscaler with its policy enforcement and management — it was even more important to house the center in a vendor-neutral organization, she said.
“This is what CSA stands for,” Mariappan said. “Their foundational mission is vendor neutral awareness and education. They are best-of-breed in doing that, and they have the credibility and the reputation of having done this for over a decade.”
Despite claims to the contrary from some vendors and products, “there’s no such thing as a zero-trust box,” she added. “It’s an ecosystem of solutions that are integrated to enable those key elements” including identity, device posture, and policy enforcement.
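The principle described above (verify identity, device posture and behaviour on every request, grant only least-privilege access, and never treat network location as trust) can be sketched as a small policy decision point. This is an added illustration written for this article, not code from CSA, Okta, CrowdStrike or Zscaler; the `Request` fields, `ENTITLEMENTS` table and decision strings are assumptions chosen for the example.

```python
# Illustrative zero-trust policy decision point (added example, not vendor code).
from dataclasses import dataclass

@dataclass
class Request:
    user: str
    groups: set            # identity attributes from the IdP (assumed shape)
    mfa_verified: bool     # identity: strong authentication completed this session
    device_managed: bool   # device posture: enrolled in device management
    device_compliant: bool # device posture: patched, encrypted, endpoint agent healthy
    on_corp_network: bool  # deliberately NOT consulted: the LAN is assumed breached
    resource: str
    action: str
    anomaly_score: float = 0.0  # behavioural signal, 0 (normal) to 1 (highly unusual)

# Least-privilege entitlements: group -> {resource: allowed actions}.
# Constructed sample data; a real deployment would load this from policy.
ENTITLEMENTS = {
    "finance": {"ledger": {"read", "write"}},
    "staff": {"wiki": {"read"}, "ledger": {"read"}},
}

def decide(req: Request) -> str:
    """Evaluate one request on identity, device posture, entitlement and behaviour.
    Network location is never an input: being on the corporate network grants nothing."""
    # 1. Identity: every request needs an MFA-verified user, inside or outside.
    if not req.mfa_verified:
        return "deny: mfa-required"
    # 2. Device posture: unmanaged or non-compliant devices get no data access.
    if not (req.device_managed and req.device_compliant):
        return "deny: device-posture"
    # 3. Least privilege: the action must be explicitly granted to one of the user's groups.
    allowed = set()
    for group in req.groups:
        allowed |= ENTITLEMENTS.get(group, {}).get(req.resource, set())
    if req.action not in allowed:
        return "deny: not-entitled"
    # 4. Behaviour: unusual activity forces re-verification before sensitive writes.
    if req.anomaly_score >= 0.7 and req.action == "write":
        return "step-up: reverify"
    return "allow"
```

The `on_corp_network` field exists only to make the point visible: a compliant device off the network is allowed where an unmanaged device on the LAN is denied.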
The Zero Trust Advancement Center will build on existing CSA projects, including the Software-Defined Perimeter research series, Cloud Controls Matrix, Enterprise Architecture, and other virtualized security models.
And one of its first action items will be to produce “the seminal white paper” that defines a zero-trust architecture, Mariappan said. “So we all have a rubric as an industry to evaluate anyone or anything that says that it is zero trust,” she explained.
This should also help address security practitioners’ biggest challenges as their business shifts to the cloud, mobile users and devices proliferate, organizations’ attack surface expands, and attackers become more active and sophisticated.
“The challenges that they’re facing is how do we continue to deliver on the organization’s business mandate,” Mariappan said. “We have organizational goals to drive profitability, keep the crown jewels, intellectual property safe, keep our employees safe, and at the same time, continue to innovate and protect the reputation of the company.”
It’s a daunting task, especially when security teams are tasked with supporting 300,000 employees spread across several countries with varying local regulations and levels of training, she added.
“This is a big problem to solve, and the last thing they want to deal with is different vendors pitching their wares,” Mariappan said. “They want to be educated, they want to hear from their peers, how others have solved these problems, the best practices, the blueprints, use cases and stories from the trenches. And they want to keep the organization safe.” ®