As the cybersecurity industry begins to implement zero trust, there has been a concerning industry-wide trend to focus on only zero trust networking, which is only a single aspect of zero trust. Additionally, zero trust is an evolving concept with no fixed or standardized implementation. Publication SP 800-207 from the National Institute of Standards and Technology (NIST) provides general guidance for zero trust to help the industry communicate about this topic using a common set of terminology.
Currently, much of the literature, conversation and products around zero trust architecture focus on the user and restricting one’s access to the network. This concept is called zero trust networking. However, in practice, implementing a true zero trust architecture that is resilient to both malicious users and rapidly evolving security threats will require that additional key zero trust concepts and strategies are implemented.
Figure 1: Core zero trust logical components
Source: NIST SP 800-207, https://doi.org/10.6028/NIST.SP.800-207, Page 9
Simply protecting network segments is not enough. In today’s hybrid environments with pervasive VPN access and multi-cloud architectures, traditional network segment protection products are no longer effective because a user’s access may cross so many logical boundaries. Zero trust networking provides a strong platform for restricting user access based on their role, regardless of network or network segment. Implementing zero trust networking is a crucial first step because it has become increasingly difficult to control all the endpoints that individuals use to perform their work.
However, not enough attention is being placed on another key aspect of zero trust: system integrity assurance. The zero trust philosophy, in its purest, vendor-agnostic form, strives to protect all resources that comprise the IT architecture. For example, consider a scenario in which a server for a credit card payment processing system has been compromised. Simply leveraging zero trust networking to ensure that only the correct users have access to that compromised payment system will be of limited value. A true zero trust implementation would involve putting controls in place on that critical system to ensure that only proper applications, configurations and logic are running on that server.
System integrity assurance tools are a powerful method to extend the zero trust philosophy across your servers, network devices, database schemas and other critical assets. These tools establish a trusted and authoritative baseline of the software, configuration files and critical settings for servers, cloud assets and network devices. Any deviations from this authoritative baseline can either be rejected or reported immediately. A true system integrity assurance tool makes this process easy, providing administrators with a simple way to establish the authoritative baseline, update the baseline, prevent change, align with existing ITSM processes, and perform rollback and remediation-related actions when and if necessary.
Figure 2: Cimcor zero trust system integrity assurance model
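The baseline-and-deviation process described above can be sketched in a few lines. This is an added example, not Cimcor's code or any product's API: the function names, file names and file contents are constructed for illustration, and it assumes SHA-256 over file contents as the integrity measure.

```python
import hashlib
import os
import tempfile

def snapshot(root):
    """Return {relative_path: sha256_hex} for every regular file under root."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                state[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return state

def deviations(baseline, current):
    """Report everything that differs from the authoritative baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in set(baseline) & set(current)
                           if baseline[p] != current[p]),
    }

def approve(baseline, current, approved_paths):
    """Fold only explicitly approved paths (e.g. from a change ticket) into a new baseline."""
    updated = dict(baseline)
    for path in approved_paths:
        if path in current:
            updated[path] = current[path]
        else:
            updated.pop(path, None)  # an approved deletion
    return updated

def demo():
    """Constructed scenario: one approved release, one unauthorized edit, one unknown file."""
    with tempfile.TemporaryDirectory() as root:
        def write(name, text):
            with open(os.path.join(root, name), "w") as fh:
                fh.write(text)
        write("payment.conf", "tls=on\n")
        write("service.py", "print('charge')\n")
        baseline = snapshot(root)                    # trusted, authoritative state
        write("payment.conf", "tls=off\n")           # unauthorized configuration change
        write("service.py", "print('charge v2')\n")  # release covered by a change ticket
        write("unknown.bin", "x")                    # file that was never baselined
        current = snapshot(root)
        before = deviations(baseline, current)
        baseline = approve(baseline, current, ["service.py"])
        return before, deviations(baseline, current)

if __name__ == "__main__":
    print(demo())
```

After the approved release is folded into the baseline, the configuration change and the unknown file still stand out as deviations to reject or report.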
Zero trust networking alone will not be effective in the event of a new zero-day attack, or in the scenario in which a user with legitimate access to a system performs unauthorized modifications to a system. However, zero trust system integrity assurance can help mitigate these scenarios, because it is the most effective method to enforce zero trust at the resource or workload level.
A positive and often overlooked side effect of implementing zero trust system integrity assurance within your infrastructure is that it also helps reduce variation within your IT process. A material reduction in variance within a process will result in improved reliability and increased uptime.
Combining zero trust networking with zero trust system integrity assurance delivers a proven strategy to ensure that the right users are accessing the right resources, configured in the right way, and running the right software.
About the author
Robert E. Johnson, III
President and CEO, Cimcor Inc.
Robert E. Johnson, III is the President and Chief Executive Officer of Cimcor, Inc., a position he has held since 1997. Cimcor, Inc. develops cutting-edge IT security and compliance software to enable companies to maintain IT system integrity, take immediate action to change, and meet compliance regulations.
Prior to Cimcor, Mr. Johnson was the manager of business systems for Kvaerner Metals and Manager of Process Automation & Control for Davy McKee Corporation. Mr. Johnson is currently the Chairman of the board of directors for The Methodist Hospitals, for which he has been a board member since 2009. Mr. Johnson is committed to giving back to the community and is the former Chairman of the board of directors of the Legacy Foundation.
Mr. Johnson is also a board member of OneRegion, a regional economic development organization. He also serves on the board of Finward Bankcorp, a publicly traded bank (FNWD) on the NASDAQ, where he is currently Chairman of the Strategic Planning Committee. Mr. Johnson has led Cimcor to become a globally recognized cybersecurity company and has received many awards recognizing his achievements in business, academia, and security.