How Auditors Fit into the Zero Trust Journey

Adam Kohnke
Author: Adam Kohnke, CISA, CISSP, PNPT
Date Published: 17 March 2022
Related: Zero Trust: How to Beat Adversaries at Their Own Game | Digital | English

“Zero Trust” is one of those security buzzwords making the rounds on the inter-webs recently, but what does it mean and why should security or IT audits teams start caring about this term? Traditionally, enterprises concern themselves with forming a layered defensive perimeter via the deployment of firewalls, web proxies and other boundary isolation mechanisms to keep malicious actors out while expressing a certain level of inherent trust for the devices operating within the enterprise network interior. This traditional model of network defense is simply not working with cyberattacks increasing 600% since the emergence of COVID-19 alone, usually with a large degree of success. Malicious actors also have more avenues of attack open to them given the expansion of technology via the Internet of Things, cloud technologies and continued ease of phishing attacks against users. The cost of continuing to protect the enterprise’s critical assets and data using the traditional security approach is becoming increasingly ineffective with the average security breach toward the end of 2021 costing enterprises a whopping US$4.24 million.

This blog post will outline the Zero Trust security model and how Zero Trust can be iteratively instituted across the enterprise (see more in this related ISACA white paper). The blog post will also lay out some potential audit or consultation approaches audit departments can adopt to strengthen their position as “trusted advisors” within the enterprise. Zero Trust doesn’t seek to fully replace current network protection models or even infrastructure changes, but rather to augment them for enhanced network protection. Readers may take the opportunity to simply increase their knowledge on this topic or begin building assessment plans to determine readiness or the adequacy of controls needed to support this emerging model.

The Zero Trust Lifecycle
How Auditors Fit into the Zero Trust Journey

  1. Define Protect Surfaces
    The traditional security approach typically focuses efforts on defining and protecting a security perimeter around the enterprise network and attempting to distance sensitive data or vulnerable information systems from this perimeter. The remote workforce stretches this traditional boundary into the user’s home network through the use of technologies like VPN and makes not only defining the enterprise network challenging, but also makes  allocating  defense resource difficult.

    Zero Trust departs from this model by specifically defining and developing “Protect Surfaces” with groupings of critical Data, Applications, Assets, & Services (DAAS).
    • Data should be exhaustively identified and classified based on its relative importance to the enterprise, customers, and business partners using a data classification policy or standard.
    • Applications should be assessed to determine the levels of sensitive data they store, transmit or process and the value of the application to the enterprise should it become unavailable or be held ransom by malicious actors.
    • Assets (laptops, tablets, servers, routers, etc.) should be exhaustively inventoried and further assessed for inclusion in individual protect surfaces.
    • Services (DNS, E-mail, DHCP, etc.) should be identified and assessed for inclusion in protect surfaces.
    Audit focus at this stage may include obtaining and inspecting the organization’s data classification policies and determining if systems and resident data are classified per the policy. Further assurance activities may include if the enterprise has developed and communicated to necessary personnel a Zero Trust Roadmap that expressly identifies enterprise protect surfaces, the DAAS for each Protect Surface, responsible parties and status of identification and assessment activities. Audit focus at this stage will likely conclude with determining if the initial security policies to protect the DAAS for each protect surface have been formulated.
  2. Map Transaction Flows Within Protect Surfaces
    After defining the individual protect surfaces, effort should be placed into determining how data, applications, assets and services interact with each other. This includes a determination of ports, protocols, network traffic baselines, source and destination locations on the network. This mapping exercise will enable the enterprise to fine-tune and implement a custom degree of protection required for each protect zone without compromising usability, performance and availability of the DAAS.

    Audit focus at this stage may include obtaining and inspecting network diagram documentation pertaining to protect surfaces, whether relevant DAAS is accounted for within each diagram and if sufficient details are present depicting interaction between in scope DAAS. Further assurance activities may include assessing whether initial security policies defined in the previous steps have been modified or require additional controls following this review and if a routine review of the DAAs interdependencies is formally scheduled to identify changes and adjust security policy accordingly. 
  3. Develop Zero Trust Architecture
    Zero Trust is not simply about access control but also effectively leveraging a multitude of technologies such as deep packet inspection, endpoint protection, data loss prevention, web filtering, etc., to allow only trusted transactions to occur on the network. After the enterprise protect surfaces and their individual DAAS interdependencies have been identified, an actual Zero Trust architecture can form as dictated by the enterprise’s unique protection requirements. Enterprises will typically seek to use a firewall or other network isolation mechanisms to separate protect surfaces from each other, creating “micro-perimeters.” A Next-Generation Firewall is the backbone of this phase due to its inherent ability to provide network filtering at all seven layers of the OSI model.

    Audit focus at this stage may piggyback off the previous step to determine if the inclusion of specific security appliances or services listed above are readily associated to protect surfaces and properly situated on the network. Audit focus may also include determining if a well-architected review with appropriate technology and business executive sign-off has occurred to validate that the architecture meets business requirements.
  4. Create Zero Trust Policies
    The creation of Zero Trust policy prescribes uses of the “Kipling Method” to ensure any access granted to principals like users or systems is appropriate. This involves exhaustively determining:
    • Who should be permitted to access enterprise DAAS?
    • What applications will be allowed to access enterprise DAAS?
    • When should access to enterprise DAAS occur or be occurring?
    • Where is enterprise DAAS located (physically or logically)?
    • Why does the enterprise DAAS need to be accessed?
    • How should access to enterprise DAAS be granted?
    Audit activity at this stage may include assessing whether finalized security policies and requirements have been defined for each protect surface. Zero Trust is iterative, not a destination, so security policy and DAAS protection requirements should evolve as the process unfolds. Audit activity may conclude to determine if post-architecture reviews have occurred to identify if “unknown traffic” is traversing the network. “Unknown traffic” where the enterprise cannot determine its source, destination, purpose or validity is the “canary in the coal mine,” as Zero Trust requires that no traffic is ever unknown. 
  5. Monitor and Maintain Zero Trust Architecture
    Monitoring Zero Trust requires frequent logs reviews and inspection of artifacts produced by security appliances and end-point protection solutions. Over time, the enterprise should seek to baseline and identify what constitutes normal behavior on the network regarding asset communications, data transaction volume and user activity. The more data passed into the model for assessment and tuning, the better, as the monitoring activity and fine-tuning allow the protection applied to individual protect surfaces to become increasingly resilient.

    Audit focus at this stage should include determining whether management is engaging in formal baselining, log review and protect surface refinement activities. Audit focus may also include whether planned changes to security policies are resulting from these reviews and refinements then being implemented as directed.

    Zero Trust does not seek to replace existing infrastructure or burden the enterprise with large costs to realize its benefits. Zero Trust’s iterative nature also allows the organization to adopt the model slowly through the development of a single protect surface while model efficiencies and benefits become apparent. Internal auditors may assist the enterprise in this journey by educating themselves on the benefits of Zero Trust architecture and determining the extent to which they are following successful strategies for the adoption of this emerging security architecture model.