SCIT

School of Computing and Information Technology

Faculty of Engineering & Information Sciences

SIM Session 2
Assignment 1
CSIT302 – Cybersecurity

Name: UOW ID: Tutorial

Group:
Thant Zin Tun 7769271 T02F

Summary
With the continuous expansion of cyberspace and the advancement of AI technology, our society is facing
an increasingly sophisticated cyber threat. As cybercriminals become more skilled, traditional security
models are proving to be inadequate in safeguarding our sensitive data and protecting against cyber
breaches. Therefore, there is an urgent need for a more secure and effective security system to act as a
defense against these new and emerging cyber threats.
To address this need, we will explore the "Zero Trust Framework" for cybersecurity, its core principles,
benefits, and thoughts on it from a cybersecurity practitioner standpoint. This case study will delve into
the intricacy of the "Zero Trust" strategic approach to cybersecurity. First, let us briefly define what "Zero
Trust" is. It is a cybersecurity paradigm that challenges the conventional notion of trust within an
organization's network by eliminating implicit trust and continuously validating every stage of digital
interaction.
As the name suggests, a zero-trust architecture operates under the assumption that there is zero trust in
any digital interaction within or outside of the network. This means that threats can originate from both
internal and external sources. Therefore, it advocates for continuous authentication, verification, and
validation of every host, user, server, device, and network interaction, regardless of their origin or
location. It can be said to be a term for an evolving set of cybersecurity paradigms that move defenses
from static, network-based perimeters to focus on users, assets, and resources in order to enhance our
overall information security posture.

“Zero Trust” Detailed Study

Introduction

To understand how zero trust works in detail, we would need to first know how the conventional
cybersecurity approach works. Traditionally, cybersecurity relied on the premise of establishing a secure
perimeter to safeguard sensitive data and assets from external cyber threats. This is akin to building a gate
around your house with security personnel in place, to keep external threats and invaders from entering.
Though this approach has proved effective in the past, as the level and sophistication of cyber threats
evolve along with cyberspace, it is deemed to be less secure in the modern world. The main vulnerability
of this approach comes from the fact that social engineering attacks have increased multifold over the past
few years along with the increase in remote work, cloud computing, and mobile devices, the concept of
trying to establish well-defined secure perimeter has become even more obsolete.
Imagine a scenario whereby an intruder was able to pretend as a trustworthy insider, pass through
security, and enter your house. Since there is no further verification of identity within the gates of your
home, the adversity is free to do whatever he/she wishes to. That could very well be the reality of what
happens if we were to continue following the traditional approach.
When it comes to the "zero trust" approach, there is no such thing as an automatic trust even for entities
believed to be inherently safe within a secure network, it operatres on the premise that trust is never
granted implicitly but must be continually evaluated.The ultimate goal of zero trust can be said to enhance
the overall security posture by eliminating any assumption of "trustable entities" within a network by
implementing strict access controls, least privilege access, continuous monitoring, and micro-
segmentation to reduce the attack surface and prevent lateral movement by potential attackers.

Fundamental
approach Workings of “Zero Trust”
Identity Verification:
Zero trust begins with strong identity verification. Users, devices, and applications are assigned unique
identities, typically through the use of digital certificates, biometrics, or multi-factor authentication
(MFA). This ensures that only authorized entities can access resources.
Continuous Authentication:
Unlike traditional security models that authenticate users only at the initial login, zero trust continuously
verifies the user's identity and monitors their behavior throughout the session. This includes analyzing
factors such as device health, network location, user behavior analytics (UBA), and contextual
information to assess the risk level associated with each access request.
Least Privilege Access:
Zero trust follows the principle of least privilege access, which means that users are granted only the
minimum level of access required to perform their job functions. Access permissions are based on factors
such as role, responsibilities, and business need, and are regularly reviewed and updated as necessary.
Micro-segmentation:
Zero trust networks are divided into smaller, isolated segments known as micro-segments. Each segment
contains a specific set of resources and has its own access controls and security policies. This limits the
lateral movement of attackers within the network and reduces the impact of potential breaches.
Encryption:
Data is encrypted both in transit and at rest to protect it from unauthorized access. Encryption keys are
managed securely, and access to encrypted data is tightly controlled based on the principle of least
privilege.
Continuous Monitoring:
Zero trust networks employ continuous monitoring and real-time threat detection mechanisms to identify
suspicious activities, anomalies, and potential security threats. This includes monitoring network traffic,
user behavior, device health, and application interactions to detect and respond to security incidents
promptly.
Dynamic Policy Enforcement:
Zero trust policies are dynamic and adaptive, allowing organizations to enforce security controls based on
real-time risk assessments and contextual information. Policies can be automatically adjusted based on
changes in user behavior, device posture, or threat intelligence feeds.
Benefits of “Zero Trust” approach
Improves Network Visibility, Breach Detection, And Vulnerability Management
In a Zero Trust network, all network traffic is continuously inspected for malicious activity, enhancing
visibility and security. Security controls, such as next-generation firewalls, are placed close to the data to
enforce segmentation and inspect data flow thoroughly. Software-based solutions like microsegmentation
further enhance security by creating secure zones down to the workload level without requiring additional
hardware.
Zero Trust aims to prevent or limit the damage of data breaches by providing increased visibility into
network activity, enabling quicker breach detection and response. It also helps alleviate vulnerability
management issues by segmenting the network and allowing for more tactical patching and vulnerability
management protocols. Embracing Zero Trust can significantly improve network security, reduce the risk
of breaches, and better protect valuable assets against cyber threats.
Enhances Defense Against Malware Propagation
Zero Trust networks effectively halt the spread of malware, offering crucial protection against cyber
threats. Unlike traditional networks where malware can freely traverse routing and switch architecture,
Zero Trust environments limit its movement. By creating microperimeters around specific data, assets,
and applications, security professionals make it challenging for malware to propagate. Each
microperimeter enforces segmentation and inspects traffic using microsegmentation software or
hardware-based controls like NGFWs. This stringent inspection prevents malware from spreading easily.
For instance, if an employee clicks on a phishing link, the malware faces obstacles moving within a Zero
Trust network due to thorough layer 7 inspection and granular rule enforcement. Even if malware infects
a device within the network, Zero Trust's segmented structure impedes its progression. This was
exemplified by Banner Health's breach, where a compromised point of sale system led to the exposure of
3.7 million records. In a Zero Trust network, devices and networks are segmented into microperimeters,
preventing malware from traversing to other segments, thereby fortifying overall network security.
Reduces The Scope And Cost Of Compliance Initiatives
Segmenting your network under the Zero Trust model offers significant advantages in terms of
compliance and audit management. By dividing the network into microsegments, Zero Trust inherently
reduces the scope of compliance initiatives, aligning with regulations such as PCI DSS. For instance, PCI
DSS requires adequate network segmentation to limit the assessment scope, ensuring only relevant
segments are subject to compliance scrutiny. Zero Trust networks, designed with segmentation from
layers 2 through 7, naturally fulfill this requirement, utilizing physical or virtual security controls for
enforcement.
Moreover, Zero Trust simplifies compliance audits by aligning with audit requirements and minimizing
complexities associated with hierarchical network structures. Auditors find Zero Trust networks easier to
conceptualize, leading to smoother audits with fewer findings. This was exemplified by a CISO's
experience where internal auditors encountered no issues due to proper segmentation, resulting in a
smaller and less complex audit scope. Many aspects auditors seek are inherent to Zero Trust, easing the
audit process and ensuring compliance with industry regulations effectively.
Eliminates "Finger pointing" within an organisation while bolstering collaboration
In technology organizations, conflicts could arise between different teams like networking, security, and
operations, especially during incidents like network downtime, system failure, etc where finger-pointing
becomes common. Zero Trust requires breaking down these barriers, fostering closer relationships among
teams and encouraging collaboration. A Zero Trust network inevitably leads to more cooperation and less
finger-pointing, since the visibility and transparency of the solution provides significant insight into any
issues that might arise.
For instance, WestJet's Zero Trust deployment led to the creation of a center of excellence (CoE) that
facilitated collaboration between various teams to solve technical challenges. By promoting shared goals
and knowledge sharing, Zero Trust helps organizations break down interdepartmental silos, leading to
increased agility and a more mature technology management structure. This approach shifts the focus
from individual domains to secure networking as a collective effort, reducing conflicts and enhancing
cooperation across teams.

Thoughts on “Zero Trust” approach

I will now share my views, thoughts, doubts and any considerations i have on this new cybersecurity
paradigm ; Zero Trust.
Putting the the huge pile of benefits "zero trust" bring to the table in consideration, it would be no brainer
to not quickly shift to the new cybersecurity paradigm from our traditional model. However, that is only
possible in a world where everything goes as plan,our wishes get fulfilled without friction, where money
is an imaginary concept and things get done the very next moment we want. In reality, there are various
factors, complications, impacts, consequences, and etc that we must consider if we were to embrace this
new approach.
Firstly, lets just take a look at the concept of the approach, at first glance, the concept of zero trust in
cybersecurity may seem straightforward: never trust, always verify. However, delving deeper reveals its
elusive nature and complex implications, though i have done research and dived into the concepts of the
approach itself, i still find myself unsure about the intricacy of implementation and the depth of the
concept itself. I forsee this very elusive and complex nature of the concept itself to be a challenge to
organisations planning to embrace the approach. While the concept itself is clear, the execution is far from
simple.
Zero trust requires a holistic approach that encompasses technology, processes, and people. It involves
implementing robust identity and access management systems, continuously monitoring network traffic,
segmenting the network, and enforcing strict access controls. This complexity can be daunting,
particularly for organizations with limited resources.
Implementing a zero trust architecture can be complex, especially in large organizations with diverse IT
environments. It requires significant planning, resources, and coordination across different teams and
departments.
This could be a very costly endeavour as deploying and maintaining these technologies can be resource-
intensive in terms of both time and budget. Especially for smaller companies where cost is king and i can
see how they would rely on traditional means as it is much cheaper.
It also poses problems to legacy Systems as many organizations still rely on legacy systems and
applications that may not easily integrate with modern zero trust solutions. Retrofitting these systems for
zero trust can be challenging and may require significant investment or migration efforts.
My only solution to this is that companies weigh their options, risks , costs , resources and etc before they
can decide if they wants to shift their approach to Zero Trust as improper implementation could be
disastrous.
Secondly, from the perspective of a user, i will find this approach tedious, time consuming and annoying
if i were to experience it first hand. Lets face it, human beings love convenience and easy stuff. From the
look of it, Zero trust often involves multifactor authentication, continuous monitoring, and other security
measures that can impact user experience.
If i was an employee working in a company that started shifting to this approach, i would definitely get
annoyed and feels inconvenience as i have to now go through multiple steps of verifying and what not
just to get simple things done. It could take me much longer to get something i need as compared to the
old system that i am used to. Human beings does not like changes and we would much rather prefer to
stay in our comfort zone.
This could result in more "Shadow IT" activites done by employees to bypass new measures put in place
just because they finds it tedious or annoying. Ultimately, leading to new vulnerability and doing the quite
opposite of what our goal is in the first place, which is to enhance overall security posture.
Various implementation, maintenance and administration of the new system could also result in
productivity of the organisation to suffer if not managed properly, hence the need for an efficient system
integration to this approach is also needed which requires more money and what not. Therefore, i feel that
there is a need for balancing security with usability to ensure that security measures don't hinder
productivity or frustrate users.
Of course there are solutions to tackle this problem, i believe that education, trainning , adequate time and
enforcement in the organisation is needed to tackle this problem. The organisation could advocate for
more comprehensive cybersecurity trainnings that includes zero trust principles and best practices . They
could also organise workshops and training sessions for employees to learn more about zero trust ,
emphasise on its importance in improving the overall security posture of the company and why certain
things need to be done the way it is. Last but not least, harsh penalty could be enforced on employees not
following the new standards and putting the security of the organisation at risk through "Shadow IT"
activites.
Lastly, i feel that no matter how much we try to enforce our security posture with zero trust, human error
remains a significant cybersecurity risk. Zero trust frameworks can be undermined if users bypass
security controls due to laziness or fall victim to social engineering attacks.
So instead of controlling every nitty gritty detail like zero trust, why not we compromise and approach in
a more feasible way to cybersecurity. Rather than assuming zero trust by default, organizations could
focus on identifying and prioritizing their most critical assets and implementing security measures
accordingly. This could allow for more flexibility and scalability because organisations can now match
their specific risk profile. It also places less emphasis on continuous verification and monitoring, which
could alleviate some of the complexity , frustration , cost and various challenges associated with zero
trust.
In conclusion, the zero trust approach offers a pipedream for enhancing cybersecurity as it brings along
with it challenges that need to be addressed as well. However, if we could break through the initial
resistance , i believe that humanity will prevail as history has proven and we can overcome these
challenges and successfully implement zero trust principles in organizations of all sizes. For now, i will
stay open minded and neutral on this approach and continue learning about new development on this
particular topic.

References