We sat down with Justin Wilkins, director of engineering for U.S. Public Sector at Varonis, to discuss the importance of a zero trust security architecture, why the concept is taking off, and more importantly – how to read through all the buzz and start taking actionable steps today.
MeriTalk: Let’s set the stage with a quick primer on zero trust…
Justin Wilkins: The core principles can really be distilled into two key elements, the first being that agencies need to build security controls around the concept that malicious actors and advanced persistent threats (APTs) are already inside of their networks. The goal is to make it more difficult for adversaries to affect data and systems, reducing time to detection, and ultimately limiting the amount of damage.
The second element relates to how agencies understand the perimeter. Zero trust requires that agencies effectively shrink the perimeter from the traditional network boundary down to the data, users, and devices. This means all devices should be protected, data access should be restricted only to those individuals requiring access for their role, and user activity should be monitored to identify potential indicators of compromise.
These two elements form the foundation for zero trust.
MT: Why has zero trust become buzzword Number One in cyber?
Wilkins: We’re seeing more traction because organizations are realizing that the traditional security approach is no longer working. Breaches are still occurring at an accelerated rate, and attackers are getting smarter, more sophisticated, and better funded. We’re seeing a lot of state-sponsored groups become very successful at compromising organizations, most recently with the SolarWinds SUNBURST supply chain attack.
We’ve also seen a rapid move to Office 365, along with the acceleration of remote work during COVID-19. Users are accessing data from devices at home and on unsecure networks, so the traditional idea of the perimeter is gone.
A zero trust solution is so effective because it assumes breaches and implements the required segmentation and controls inside of the firewall.
MT: What would be the impact of government adopting zero trust enterprise-wide?
Wilkins: I think it’s very simple. First, there would be a significant decrease in the mean time to detection and mean time to remediation. Breaches would be detected far earlier in the kill chain. Adversaries would have access to far less data and far fewer devices. Sensitive data would be better monitored, tracked, and protected – limiting the amount of damage.
The additional monitoring and visibility required in a zero trust architecture will provide security analysts and SOC teams with a lot more detail and context into user activity, ultimately making them better at threat hunting and identifying malicious actors. Overall, it’s going to make agencies a lot more efficient and a lot more secure.
MT: So, break it down for us. If zero trust is a defense strategy, what are the layers to that defense, and how do you prioritize resources to support those different layers?
Wilkins: There are really four focus areas related to zero trust. Think of these as four different pillars:
- Zero Trust Data. Data needs to be prioritized. We need to shrink the perimeter on the data itself. Organizations must understand where the data lives, who can access it, whether it’s sensitive or stale, and monitor all access to identify a potential breach.
- Zero Trust Networks. We want to make it more difficult for attackers or insiders to access new systems and devices on the network. We need to implement better segmentation, leveraging technologies like next-gen firewalls, to isolate the connections between devices and make it difficult for hackers to move laterally and access more resources.
- Zero Trust Users. We must identify any privileged accounts on the network and then closely monitor their activity. Ultimately, we need to protect users from themselves and ensure that compromised credentials or successful phishing attacks are quickly identified and remediated.
- Zero Trust Workloads. Finally, we want to implement zero trust controls across the entire development stack for critical applications and workloads. Vulnerabilities must be quickly remediated, and workloads must be closely monitored both on-premises and in the cloud. These controls must be implemented across the entire development stack – from front-end web servers to backend database storage.
Analytics and automation connect all of these pillars together to reinforce zero trust principles. All activity on users, devices, and data is closely monitored. Analytics are put in place to identify privilege abuse or other types of suspicious behaviors.
MT: How can agencies begin the process of implementation?
Wilkins: The NSA released guidance in February that outlined four key stages for agencies transitioning to zero trust: preparation, basic, intermediate, and advanced. The preparation stage can be thought of as an initial discovery. This is where agencies will identify all the devices that are sitting on the network, all the endpoints, data, users, and privileged accounts.
Agencies then need to begin moving beyond the perimeter and implementing segmentation on data and devices. This ensures that data is accessible only to the users who require access in order to do their job.
And this ensures that sensitive data and assets are protected and ultimately reduces the agency attack surface. The less data that’s exposed to a user, the less data is going to be affected when that user is compromised or decides to behave maliciously.
MT: What are some of the largest institutional hurdles you’re seeing for Federal agencies looking to get started in zero trust?
Wilkins: Agencies must really understand zero trust principles and commit to the process with no exceptions. Zero trust completely changes the cybersecurity paradigm. A lot of investments were historically made in firewalls and other perimeter-based network defenses. That left all this data sitting inside of the network, completely vulnerable and relatively unprotected.
At Varonis, we refer to this as the candy bar approach: you have a hardened perimeter with a very soft and vulnerable inside. And it’s very clear that this model no longer works. Modern APTs have become more sophisticated. Insiders are, by definition, already inside of the network.
The challenge is that pivoting to an inside-out security approach means completely rethinking tool investment strategies and the overall security stack. This is especially true for large organizations.
Varonis releases an annual data risk report that analyzes information from hundreds of data risk assessments. The latest report found that the average organization has 20% of their data open to everyone on the network. 53% of all organizations had over 1,000 sensitive files globally exposed. These are very difficult problems to solve at scale. With the current threat landscape, zero trust principles are an absolute requirement for protecting data.
MT: Can you talk about some of the things you’re doing now to help pave the way for this new architecture?
Wilkins: Varonis has always taken a data-centric approach to security. We started out by giving organizations visibility into access rights and activity on critical data stores. We’ve since evolved into a security platform that employs automation to protect sensitive data, identify threats, and streamline privacy and compliance. Varonis has a proven process to implement a zero trust, least privilege model on the data without affecting the mission.
Sensitive data such as PII, PHI, Secret, and Confidential is automatically identified so that organizations can begin securing and monitoring their most high-value assets. Varonis then scans permissions and folder structures to help organizations achieve least privilege access, establish data owners, and implement a workflow to empower data owners to manage access to sensitive data.
Permission issues like broken access control lists and globally exposed data are automatically remediated to shrink the timeline to zero trust from years to weeks.
All user activity is continuously monitored across file systems, cloud data repositories, Active Directory, VPN, Proxy, DNS, and email to create baseline profiles for each user on the network. Advanced analytics identify abnormal behavior and provide alerts with actionable intelligence to respond to discovered threats.
The outcome is that our most sensitive data is locked down, excessive permissions are eliminated, threats are automatically identified, and data owners can sustain a zero trust security model through delegation and automation. Varonis is unique in its ability to really understand and solve this problem at scale.
MT: If this is speaking to some of our audience, how can they follow up?
Wilkins: Every year, Varonis performs thousands of data risk assessments for organizations that want to understand where sensitive data resides, learn how much of it is overexposed and vulnerable, and receive recommendations to reduce risk and implement a zero trust architecture. This process is available at no cost and provides a great starting point towards implementing a zero trust framework. We’ll provide a risk assessment deliverable along with a game plan for remediation and help you take the next step towards implementing a zero trust architecture.
We’re also happy to provide more education on zero trust, discuss how it fits into an agency’s overall security strategy, and develop a roadmap to accomplishing and funding zero trust. If you’re interested in learning more, you can reach out to me directly at firstname.lastname@example.org.