The Cyber Ecosystem

• By Pascal Menezes
• Jun 17, 2022

The world of enterprise cybersecurity is racing toward zero, and the reasons are almost too numerous to count, but we need to make sure this migration doesn’t get bogged down in ecosystem challenges.

“Zero” in this case refers to Zero Trust security architectures built for an era in which everyone is using all kinds of devices from everywhere to access all kinds of applications, but also in which it is difficult to prove anyone is who they say they are. The answer, many believe, is to adopt cybersecurity practices that lead with the fundamental notion of not trusting anyone or anything.

This drastically simplifies security by treating all users, all devices, networks, applications and locations with the same essential sense of caution. Yet, Zero Trust makes the whole business of accessing enterprise resources and managing that access much more complicated.

An Insecure World
The movement toward Zero Trust is the result of several factors, some of which have been apparent for many years. The need for greater cybersecurity protection is inextricably linked to the nature of the evolving and increasing number of threats enterprises face. These threats aren’t just from malicious individuals or groups anymore, but also from state-sponsored attacks aimed at crippling entire industries or governments.

These threats on their own could be enough reason to embrace a new cybersecurity philosophy, but other trends are piling up to force the issue. The ongoing transition to cloud networking and the transformation of software into services are putting the old notion of private networks to rest, as resources, data, and applications live outside the physical walls of the corporate office.

Meanwhile, the number and variety of devices—not only PCs, phones, and tablets, but also the Internet of Things, including automated machines and AI-enabled systems—that need to be connected to enterprise networks and systems continue to expand. In this age, a “user” isn’t always human, but it can be hard to tell the difference.

At the same time, wireless devices with increasingly powerful compute and memory capabilities, along with higher-speed wireless networks, have made it easier for people to connect from almost anywhere and fully access all applications at a high level of quality, collaborating and sharing files with colleagues who also could be working from anywhere.

It all adds up to a world in which traditional network and security boundaries no longer apply. The network edge is vanishing. Usage is no longer centralized in a single-location or corporate LAN where it can be assumed users are already authorized to be there, can be trusted. The threats, attack vectors, and combinations of user and device variables continue to broaden, creating a historically difficult challenge for CISOs.

Zero Trust, Much Complexity
As those factors are spreading beyond the cybersecurity ecosystem’s ability to contain them, new thinking is taking root: Trust no one and treat all users and usage scenarios as potential threats.

That’s what Zero Trust does. For example, a service using Zero Trust employs policies for both “Subject Actors” and “Target Actors” to determine if the Subject Actor is permitted to access the Target Actor and if the latter is willing to accept access from the former. It is important to remember that in a Zero Trust scenario, all interactions are assumed to be malicious, and therefore are locked unless authorized by a policy. If no policy exists for a Subject Actor, that user, application and/or device will be blocked.

A service enforces Zero Trust policies at Policy End Points, which are placed by the service provider where appropriate for a given service, such as within the Subject Actor’s device; the Target Actor, when under control of the service subscriber; or on another networking device such as an SD-WAN Edge Ethernet switch or Wi-Fi access point.

Service subscribers define Access Control Policies that allow Subject Actors to perform operations on a set of Target Actors. An Access Control Policy encompasses both human-readable and machine-readable policy assertions. Identity Management (IdM) systems provided by the Subscriber or a third-party Identity Provider (IdP) may manage the Actor’s identity and those of its delegates. Different Access Control (AC) mechanisms may be used while performing authentication, authorization, accounting and auditing (AAAA) of the Actor and its delegates.

Once authenticated, the service continuously monitors authenticated Subject Actors for policy compliance. When found to be non-compliant, the service reevaluates policies for Actors that may result in a different policy action, such as the Subject Actor being blocked. The service also could reevaluate a policy based on different types of triggers, including context-based, such as blocking a Subject Actor after 30 minutes; event-based, as in the case of blocking a Subject Actor if the Target Actor is found to have been compromised by malware; or data-driven, e.g., a Subject Actor is blocked because machine learning has picked up an anomalous pattern of behavior.

That whole process makes managing Zero Trust a constant challenge. The price of better protection is greater complexity, and other ecosystem challenges add to that complexity.

The Zero Trust concept is decades old, but enterprises have begun to embrace it only recently, finally recognizing that security should be a top priority, and increasing their security spending. Research firm Gartner expected that more than $150 billion would be spent last year on information security and risk management technology.

Technology vendors and service providers are doing the same, investing in new products to support Zero Trust and Secure Access Service Edge (SASE) architectures, which incorporate Zero Trust policies and functions.

However, the fragmented vendor ecosystem is adding even more complexity to the extant challenges of deploying Zero Trust. Many vendors talk past one another, generating market confusion about SASE and Zero Trust definitions and capabilities. Enterprise buyers are forced to compare apples to oranges, often ending up with an accumulation of multiple overlapping products that are complex to integrate and manage. This lack of common language and APIs between systems is one of the biggest pain points for enterprise CISOs.

Zeroing In on Answers
MEF is creating SASE (MEF W117) and Zero Trust (MEF W118) service standards to provide the industry with common language and definitions, which will allow CISOs to compare “apples to apples” when choosing and implementing Zero Trust solutions. Removing some of the complexity allows CISOs to secure digital services regardless of where and how network resources are accessed. These standards ultimately helps the industry achieve interoperability while still allowing competitive differentiation.

In much the same way that enterprise network usage conditions and practices have forever changed, enterprise security is changing too. Zero Trust is helping to create a new mode of thinking around security architecture and defensive measures defined around user identity and context.

Getting this evolution right is important because it brings us that much closer to a future in which identity—like networks, data, and applications before it—will become more decentralized. Web 3.0 promises the benefits of blockchain technology for uses like Decentralized IDs (DIDs), giving greater control to users to establish the details of their identities and define the rules for how their private data can be shared, and which companies and applications can subscribe to engage with them.

Authentication and authorization through Zero Trust is the key to unlocking contextual enterprise access in a world where the old boundaries are quickly disappearing. As it turns out, trusting no one is the best way to help everyone, and MEF’s work will help simplify and reduce the complexity of deploying and managing Zero Trust.