“There is no such thing as a Zero-Trust product”

One of the most provocative statements at GovWare 2024 may have been when BeyondTrust’s Chief Security Advisor, Morey J. Haber, declared to a room full of attendees: “There is no such thing as a zero-trust product. If a vendor says I am doing zero-trust, that’s just marketing.”

A bold claim at an event playing host to vendors selling a range of zero-trust solutions.

Instead, he made the case that zero-trust is a collection of tenets and best practices that have less to do with individual products in the market, but more with an organisation’s overall cybersecurity posture.

“There is a difference between a solution and a product,” Haber said.

Zero-trust is a cybersecurity model with the principle of “never trust, always verify” at its core – critical at a time when artificial intelligence (AI) is accelerating the onslaught of cyber threats.

For organisations looking to embrace zero-trust, he recommended they look to the NIST SP 800-207, a set of guidelines around implementing a zero-trust architecture released by the US National Institute of Standards and Technology (NIST).

Learn how you can map BeyondTrust capabilities to NIST Zero Tryst (SP 800 – 207)

The document provides key zero-trust strategies, from continuous verification to ensuring users only have access to what they require – in other words, the principle of least privilege.

But how can organisations get started on their zero-trust journey, and what should they focus on?

Solve for workflows

Haber advised organisations to address their specific cybersecurity challenges by applying zero-trust principles to their unique IT environment and identifying clear problems to solve.

For example, companies which have a high number of remote working staff may choose to implement policies and tools to ensure secure authentication and access for such staff following the tenets of Zero Trust.

"What is the workflow that you want enabled by zero-trust? You can't do the whole company all at once. For example, the technology that you install to meet the zero-trust goals for remote works becomes the zero-trust architecture for the solution deployment,” he said.

He further explained that it is tricky to apply zero-trust concepts across an entire organisation, short of rebuilding the IT environment from scratch.

Governments, which usually have air-gapped networks that are disconnected from the Internet, need to know that zero-trust principles do not only apply to cloud environments.

Zero-trust principles can also be applied in other unique environments, such as hybrid or on-premises, he said, using zero-trust architecture enclave models.

In addition to using NIST-based reference architectures within an environment, no one product sold today can meet the all the tenets of zero-trust and be applied across a hybrid environment, he said.

When it came to securing BeyondTrust’s own environment, Haber focused on securing remote access first, given the company’s high number of remote employees. To do so, he mapped BeyondTrust’s cyber controls against the zero-trust framework employed by the United States Department of Defence to identify gaps, he shared.

Then, he identified which controls were insufficient and applied other technology, processes, and procedures to put in place other controls without affecting the business.

To subscribe to the GovInsider bulletin click here. 

Verify identity at every stage

Haber emphasised the importance of organisations being able to verify the identity of their employees at every stage from authentication to audit is crucial to success.

This is increasingly critical as identity-based attacks, such as deepfakes and insider threats, are on the rise, posing significant risks to organizational security.

Watch: Defending Your Paths to Privilege: Breaking the Identity Attack Chain

One way to authenticate employee access is through multi-factor authentication, a process where users verify they are who they say they are by providing two or more pieces of evidence – such as a biometrics or a FIDO 2 compliant solution. Older MFA solutions like SMS and email codes should be avoided in zero-trust architectures due to their own insecurities.

Then, there should be continuous monitoring of their activity to detect unusual behaviour. If a user is making unexpected changes to the system, zero-trust systems should ensure that they are contained promptly so any malicious behavior can be contained.

Haber warned that any user can be compromised and open a path to gaining more privileges. Understanding these paths to privileges will be the next big challenge for cybersecurity leaders.

Haber stated, “The goal of zero-trust is not necessarily to protect the organisation. It's designed to contain different types of attacks. It was originally written that if a company is attacked, the malicious behavior should be contained as fast as possible, so there is no lateral movement, no additional infections, no active threats, and minimal data loss.”

To subscribe to the GovInsider bulletin click here.

BeyondTrust’s partner approach

Instead of recommending products, vendors like BeyondTrust encourage partnerships with organisations to identify key recommendations for improving their zero-trust posture, he said.

“When organisations market zero-trust, they’re selling a product for money – not necessarily partnering with the organisation for their best interest,” he said.

Haber noted that BeyondTrust conducts a strategic review of workflows before providing recommendations – and solutions at the end to aid in an organizations journey.

While these solutions can support organisations in raising their overall zero-trust posture, they are not the be-all end-all for creating a robust zero-trust architecture.

In fact, zero-trust architectures will differ for different organisations, depending on their unique workflows and business processes.

“Instead of trying to say, ‘I have a product to help you’, let me understand the problem, understand your workflows, and then see if I can help you. That partnership is key to BeyondTrust’s success.”

Watch: Implementing Zero Trust Practically & Effectively Requires PAM