Is Trust Dead in Enterprise Security?

A report by Forrester Research is pushing the concept of the zero-trust security model, where packets are not trusted and the emphasis is on traffic inspection and access controls.

Between insider threats and malware attacks, the idea of trust-but-verify is dead as a security model, according to a new report by Forrester Research.

In its place, Forrester analyst John Kindervag contends enterprises should embrace the concept of zero trust, a model where insiders and outsiders are equally untrustworthy, and security administrators stop trusting packets as if they are people. The change, he said, is necessary due in part to the "innumerable instances" of trusted users going rogue on enterprise networks.

To highlight the point, the report spotlights the case of Philip Cummings, who worked on the help desk for a company called Teledata Communications (TCI) in 1999 and 2000 and sold credit reports to a Nigerian organized crime ring.

"Security professionals misunderstood the joke inherent in the term 'trust but verify,'" Kindervag said. "People don't do it because trusting is easy and verification is hard. If you trust someone, why would you need to verify them? But networks are about packets and not people. If the machine is infected by some type of malware and sends out spam or is controlled by a botnet, those packets are coming from a user's machine without the user's knowledge. Should we trust those packets just because they come from the user's machine?"

For businesses, taking a zero-trust approach means all traffic is a threat until it's been verified that the traffic is authorized, inspected and secured, the report states. It requires the use of encrypted tunnels for accessing data on internal and external networks, an emphasis on inspecting and logging data, and the deployment of strong access controls designed with an eye toward least privilege.

In some ways, zero trust is not a completely new model, argued Dean Turner, director of Symantec's Global Intelligence Network.

"Many Unix-based systems have utilized the 'denied unless explicitly permitted' approach to ports, services, etc., for many years," he said. "Security professionals have also always recommended only allowing known, trusted applications and services onto networks. In this past, there has generally been a higher level of trust when it comes to traffic from one's own internal network, but with the explosion in malware over the past seven years, network and security professionals have been looking at their internal networks much in the same way they look at their external networks, since threats can originate from even the safest of networks."

However, eEye Digital Security CTO Marc Maiffret contended there will always be a level of trust implicit in any network because it would be "operationally unmanageable to have an IT organization act at some cold-war style level of paranoia."

"Trust models quickly turn into a conversation about white and black listing in terms of either implicitly denying with exception or allowing with explicit blocking," he said. "I am less concerned about which way an organization approaches trust within their environment, as both have good and bad associated with them. The thing that concerns me more is what technology is used to enforce any model of trust. If it is simply more IPS [intrusion prevention systems] and antivirus but working from a different trust model, then nothing has really changed."

Underpinning zero-trust is deep analysis of network traffic, noted NetWitness Chief Security Officer Eddie Schwartz, which means organizations need to focus their efforts on getting visibility over the entire network.

"Layer 7 is particularly important, since most emerging, sophisticated threats are coming through at the application layer, which is the layer most organizations have the least amount of visibility into. ... By knowing everything, security teams can confidently verify any device, request or user," he said.

There are ways to capture packets and other critical network data, but they need to be designed into the network, Kindervag said.

"The new space we are working to define, NAV [network analysis and visibility], is designed to analyze packets more effectively," he said. "This may be a challenge, but it is imperative that people begin to do this, as lack of visibility and inspection on trusted traffic is a significant risk and has resulted in numerous data breaches in enterprise networks."

In many ways, zero trust is antithetical to the idea of defense-in-depth, he added.

"Defense-in-depth [DiD] is key to vendor success because in a security model based upon DiD you always need to buy something new and always need to add another control," Kindervag said. "Zero trust is a data-centric view of security and has a different objective and design methodology."