Implementing a comprehensive security framework requires a strategy that brings security to the front of every stage of the development process — and zero trust is the answer. Here’s how it’s done
The Ponemon Institute recently collaborated with IBM in their report “The Cost of a Data Breach Report 2021,” and found that of the companies interviewed, the total cost of an average data breach was 4.24 million dollars. That number rose by 10% from 2020, and exceeded 9.2 million for companies operating on US soil.
This cost is forcing companies to put security at the forefront of their software development process. Trust-but-verify solutions that grant access to users as soon as credentials are accepted have been replaced by zero-trust systems that keep permissions to a minimum and demand verification at every level of clearance. The result is a more circumspect approach to security, but it need not lengthen design times, or create an inferior final product.
In this article, we’ll look at how companies can create a cybersecurity framework that encompasses each phase of the design journey, how zero trust fits into that framework, and where we’re seeing it used already. As we’ll see, zero-trust measures are an important part of any fully integrated security approach, and enable users to embed security into the software development process without damaging performance, usability, or the development cycle.
Cybersecurity threats are becoming more sophisticated and costly, and they’re happening more often. Over 300,000 pieces of malware are created every day. Of these, 63% are intended to financially exploit their victims, and the estimated cost in IBM’s report was the highest in the survey’s lifetime. Combine that with the growing complexity of some cybersecurity threats, and the message sent to businesses everywhere is clear: security frameworks that give the benefit of the doubt are no longer enough.
But the severity of the threat isn’t the only thing compelling businesses to transition to a pervasive security approach; the way business is done is also shifting the landscape. A few factors contributing to this security shift are:
• A remote workforce. The pandemic and the demands of the modern employee have made remote work commonplace in many companies, and this affects IT’s ability to keep their assets safe. Password hygiene and prying eyes are just a few of the factors that make remote cybersecurity difficult, to the extent that nearly two-thirds of respondents polled by the Ponemon Institute said they felt guarding their data was easier inside the office.
• Edge computing. Between easier physical access and a greater number of access points, edge computing can leave organizations vulnerable if security solutions aren’t implemented across every layer. The only way to safeguard edge computing infrastructures is by adopting a pervasive security approach.
• IoT (internet of things) integration. From robotics to smart cars, IoT sensors will only become more common, and each one is an entry point for an intruder. IoT sensors are rarely updated and not designed with security in mind, so without a pervasive security approach, a single vulnerable sensor can leave the network exposed.
Taken together, a more dangerous threat landscape combined with a decentralized infrastructure (physically and digitally) has created a need for a strategy that accounts for security every step of the way. By taking every step possible to identify threats, maximize security, and minimize vulnerability through all phases of the software development journey, zero trust seeks to do exactly that.
Two groups have contributed the most to creating a standard for what does and doesn’t constitute zero trust: The Open Group and the National Institute of Standards and Technology, or NIST. The former has focused on laying process foundations for organizations to follow, and the latter has focused on the technical side, giving IT teams implementation requirements to follow. Both are shaping how we view zero trust.
The Open Group has defined zero trust practices on the operational side by outlining its scope as well as some key best practices and violations. In “Zero Trust Core Principles,” they lay a foundation by defining zero trust simply as “an information security approach that focuses on data/information security, including lifecycle, on any platform or network.” Within this framework, zero trust capabilities should enable organizations to secure their digital assets across any network, be it public, internal, or the cloud.
Building on that foundation, their report “Zero Trust Commandments” shows organizations what strategies should top their list if they seek to adopt a comprehensive security approach. They are:
The Open Group is currently working to create a full technical standard for zero trust practices based on these commandments, giving organizations a clear set of parameters to follow as they work towards zero trust implementation.
While the Open Group has focused on defining best practices, NIST has focused its attention on the technical specifications to which IT teams and cybersecurity specialists must refer if they wish to integrate a pervasive zero trust strategy across their stack. NIST’s Computer Security Resource Center (CSRC) has produced an abundance of guidelines, projects, and publications to assist organizations in creating a pervasive security approach, but one especially helpful resource is SP 800-207: Zero Trust Architecture, where the fundamentals of a zero trust framework are outlined and applied. Some elements discussed include:
• A working definition of zero trust and a zero trust architecture (ZT and ZTA, respectively), as well as assumptions and tenets undergirding ZTA design.
• ZT and ZTA logical components, or building blocks, and unique implementation methods based on varying use cases and application.
• Possible use cases where ZTA can enhance security and minimize vulnerability, especially with respect to remote employees, cloud services, and guest networks.
• Threats to ZTA, their similarities to other architected networks, and how they may require unique mitigation techniques.
• ZTA tenets as they relate to existing federal regulatory guidelines (NIST Privacy Framework, NIST Risk Management Framework, National Cybersecurity Protection System, etc.)
• How enterprises may begin working toward a ZTA, including general steps for planning deployment, and infrastructure as shaped by ZT tenets.
Combined with the work done in other agencies, NIST’s frameworks and protocols help IT, OT, and DevSecOps teams create an end-to-end pervasive security approach using ZT tenets to guide them.
Many organizations see the need for shifting security to the forefront of each stage within their software development process, but they may be unsure how to do it. ZT offers specificity on implementation practices that can improve their current security across an entire software supply chain. As a holistic security model, ZT has many moving parts, but some primary defense areas include:
• Identity and access management (IAM). ZT tenets demand that every identity is authenticated and authorized before access is ever granted to a single resource — every time. This entails the use of least privilege access and just-in-time and just-enough access, to ensure that users are given only the permission they require for their work.
• Endpoints. Remote work and bring your own device (BYOD) have increased the number of devices accessing a network, making the need for visibility over each endpoint greater than ever. Compliance must be established and each device must meet health status standards using security controls to keep your network safe.
• Apps. Devices aren’t the only component moving away from a centralized structure; apps are also accessed in private environments, increasing a network’s exposure to threats. ZT implementation should seek to ensure appropriate app permissions, monitor and limit user actions to the bare minimum of what is needed, and employ real-time analytics to filter unnecessary app access.
• Data. Current data security models are rooted in perimeter-based protection, but the shifting threat landscape requires that organizations move to a data-driven approach. That means classifying data so that it can be better sorted according to least privilege access, employing data encryption, and restricting access based on an organization’s data governance policies.
• Infrastructure. Adopting a pervasive security approach means watching over every layer of an organization’s digital ecosystem. That requires the use of telemetry to identify anomalies and attacks, flagging inappropriate or risky behavior, and shutting down access routes before an intrusion occurs.
• Network. Trust-but-verify practices gave users on internal networks the benefit of the doubt, but those days are long gone. ZT creates a pervasive security approach by encrypting internal communications, employing real-time threat detection software and using microsegmentation to ensure that only those who need to know are in the know.
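As an added illustration (not Kiuwan’s code and not part of the original article), here is a minimal policy-decision check in Python that applies the IAM, endpoint and app tenets above to a single request: recent strong authentication, device health, an explicit least-privilege grant, and a time-boxed just-in-time expiry. The role names, device attributes and time limits are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed role -> allowed (resource, action) pairs: least privilege means
# nothing is reachable unless a role lists it explicitly.
ROLE_PERMISSIONS = {
    "developer": {("source-repo", "read"), ("source-repo", "write")},
    "auditor": {("source-repo", "read"), ("audit-log", "read")},
}
MAX_AUTH_AGE = 900    # seconds since last strong authentication before re-verification
JIT_GRANT_TTL = 600   # just-in-time grants expire after ten minutes (assumed value)

@dataclass
class Subject:
    user: str
    roles: frozenset
    mfa_verified_at: int   # epoch seconds of the last strong authentication

@dataclass
class Device:
    device_id: str
    managed: bool
    disk_encrypted: bool
    patched: bool

@dataclass
class Decision:
    allow: bool
    reason: str
    expires_at: int = 0    # epoch seconds; 0 when the request is denied

def device_healthy(dev: Device) -> bool:
    return dev.managed and dev.disk_encrypted and dev.patched

def decide(subject: Subject, device: Device, resource: str, action: str, now: int) -> Decision:
    """Evaluate one access request; every request is judged afresh, with no standing trust."""
    # Identity: strong authentication must be recent, not inherited from an old session.
    if now - subject.mfa_verified_at > MAX_AUTH_AGE:
        return Decision(False, "authentication stale; re-verify")
    # Endpoint: device posture is checked on every request, not only at enrolment.
    if not device_healthy(device):
        return Decision(False, f"device {device.device_id} fails health policy")
    # Least privilege: the (resource, action) pair must be granted to one of the roles.
    allowed = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in subject.roles))
    if (resource, action) not in allowed:
        return Decision(False, f"no role grants {action} on {resource}")
    # Just-in-time: the grant is time-boxed, forcing re-evaluation when it lapses.
    return Decision(True, "granted", expires_at=now + JIT_GRANT_TTL)
```

A real policy engine would also take the telemetry and analytics signals described under Infrastructure and Network into account, but the ordering of checks, and the refusal to carry trust over from one request to the next, is the core of the model.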
Whether it’s adopting best data and code security practices, minimizing permissions levels, or using telemetry and analytics to identify vulnerabilities, implementing a pervasive security approach takes security into consideration at every level of operation. ZT achieves this, and experts like Kiuwan can help organizations make the transition without compromising the quality of their processes or product — and even improving them.
Creating a pervasive security infrastructure requires that organizations leave no stone unturned. Zero trust creates a framework for moving towards this environment, and multiple thought leaders have collaborated to form a standard detailing what such an ecosystem should look like, and what practices they should implement to get there.
At Kiuwan, we provide a code security solution for both mobile and web application development. We help organizations improve their security infrastructure throughout their software development process with our code security (SAST) and software composition analysis (SCA) solutions, enabling you to prevent vulnerabilities before your code deploys. Contact us today, and see how we can help.