The ongoing SolarWinds incident illustrates that the much-lauded Zero Trust security paradigm is, in fact, based on trust. Zero Trust is about authenticating and authorizing every action within a computing environment. It is putting the principle of least privilege into action. In an ideal implementation of Zero Trust, users authenticate with the proper identity and authentication assurance levels to get access to local devices, on-premises applications and data, and cloud-hosted resources. Access requests are evaluated against access control policies at runtime.
For Zero Trust to work, however, some elements must themselves be trusted, because they are what the architecture uses to evaluate the trustworthiness of everything else:
- IT products – operating systems, Line of Business applications, office automation products, IaaS environments, mobile devices, IoT devices, etc.
- IT services – SaaS apps, IDaaS, managed hosting, Managed Detection & Response (MDR), full scale Managed Security Service Providers (MSSPs), etc.
- Processes – auto-updates of software, communication between vendor products and their cloud services, identity vetting, federation, authentication, and authorization
- Suppliers – IT vendors, IT service providers, IT security vendors, identity providers, and members of product and service supply chains
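The runtime policy evaluation described above, and its dependence on the trusted elements just listed, can be made concrete with a small policy decision point. This is an added example, not code from the original post or from any product KuppingerCole covers. It assumes a hypothetical identity provider that issues assertions protected by an HMAC under a shared key (a constructed demo key), and a constructed two-resource policy keyed on minimum identity and authentication assurance levels, device management status, role, and action. Every request is evaluated against policy at the time it is made, with default deny.

```python
"""Minimal Zero Trust policy decision point (added example, not from the post)."""
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Constructed trust anchor: the key the policy engine shares with a hypothetical
# identity provider. It is one of the "trusted elements" the post talks about.
IDP_KEY = b"constructed-demo-key-not-for-real-use"


def _mac(claims: dict, key: bytes) -> str:
    body = json.dumps(claims, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def sign_assertion(claims: dict, key: bytes = IDP_KEY) -> dict:
    """What the identity provider emits after authenticating a user: claims plus a MAC."""
    return {"claims": claims, "mac": _mac(claims, key)}


def verify_assertion(assertion: dict, key: bytes = IDP_KEY) -> Optional[dict]:
    """Return the claims only if the MAC verifies; otherwise None."""
    if not hmac.compare_digest(_mac(assertion["claims"], key), assertion["mac"]):
        return None
    return assertion["claims"]


# Constructed per-resource policy: minimum identity assurance level (ial),
# minimum authentication assurance level (aal), managed-device requirement,
# permitted roles and permitted actions. Anything not listed is denied.
POLICY = {
    "hr-payroll": {"min_ial": 2, "min_aal": 2, "managed_device": True,
                   "roles": {"hr"}, "actions": {"read", "write"}},
    "wiki": {"min_ial": 1, "min_aal": 1, "managed_device": False,
             "roles": {"staff", "hr"}, "actions": {"read"}},
}


def evaluate(assertion: dict, device_managed: bool,
             resource: str, action: str) -> Tuple[bool, str]:
    """Evaluate one access request against policy at runtime. Returns (allowed, reason)."""
    claims = verify_assertion(assertion)
    if claims is None:
        return False, "deny: assertion failed signature check"
    rule = POLICY.get(resource)
    if rule is None:
        return False, "deny: no policy for resource (default deny)"
    ial = claims.get("ial", 0)
    aal = claims.get("aal", 0)
    if ial < rule["min_ial"]:
        return False, "deny: identity assurance IAL%d below IAL%d" % (ial, rule["min_ial"])
    if aal < rule["min_aal"]:
        return False, "deny: authentication assurance AAL%d below AAL%d" % (aal, rule["min_aal"])
    if rule["managed_device"] and not device_managed:
        return False, "deny: unmanaged device"
    if not set(claims.get("roles", [])) & rule["roles"]:
        return False, "deny: no permitted role for resource"
    if action not in rule["actions"]:
        return False, "deny: action %r not permitted" % action
    return True, "allow"


if __name__ == "__main__":
    # Constructed sample subjects.
    alice = sign_assertion({"sub": "alice", "ial": 2, "aal": 2, "roles": ["hr"]})
    bob = sign_assertion({"sub": "bob", "ial": 1, "aal": 1, "roles": ["staff"]})
    for who, assertion, managed, res, act in [
        ("alice", alice, True, "hr-payroll", "read"),
        ("alice", alice, False, "hr-payroll", "read"),
        ("bob", bob, True, "hr-payroll", "read"),
        ("bob", bob, False, "wiki", "read"),
    ]:
        print(who, res, act, "->", evaluate(assertion, managed, res, act))
```

The engine refuses an assertion whose claims were altered after signing, because the MAC no longer matches. What it cannot do is tell a legitimate assertion from one minted by an identity provider, software update channel or other supplier that has itself been compromised: at that point the claims verify correctly and the policy allows exactly what they say. That is the post's point about Zero Trust resting on trusted components, and it is why monitoring the behaviour of those components has to sit alongside the policy engine.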
A breakdown in any of these foundational components can become an attack vector and put organizations at increased risk. As 2020 draws to a close, cybersecurity teams are searching for signs that their organizations have been affected by the Sunburst/SuperNova/Solorigate malware and are beginning to remediate. New information about this set of events is arriving daily, and the big picture will likely take some time to materialize.
As we deal with this on the tactical level, we can also think about how this should impact longer-term security strategies. Zero Trust is a good strategy, but we must consider, expose, and evaluate the processes, products, services, and suppliers that make up Zero Trust infrastructure. Zero Trust cannot be effective if on so many levels it’s still based on blind trust. As users and implementers of technology, we will always be dependent to a degree on those technology vendors to demonstrate that their products and services are indeed trustworthy. However, we must also consider how each organization can increase the level of its own monitoring, detection, and response capabilities to guard against similar attacks in the future.
Supply chain security and risk management, particularly in the IT product and service arenas, will likely be top concerns for organizations of all sizes and types for 2021. KuppingerCole will continue to research, discuss, and publish on the products and services that constitute Zero Trust architectures.