Could ‘Zero Trust Security' have prevented the massive SolarWinds attack?

The Solar Winds related cybersecurity breach of many of the largest and most sensitive U.S. government agencies, as well as state and local governments and the majority of the Fortune 500 companies, will likely be remembered as the moment that an act of large-scale cyberespionage exposed the biggest single flaw in IT network security architecture.  That flaw is trust.  Not too little trust but too much trust.

The solution, according to John Graham-Cumming, CTO of Cloudflare, the web infrastructure and website security company described recently by Forbes as "the most important internet company nobody has ever heard of," is to build a network that operates on the principle of "zero trust." In a telephone interview, he told me:

Most traditional IT network security is built around the castle-and-moat concept, which is fine for keeping outside attackers out but everybody inside the network is trusted by default. If attackers get in undetected, that means they can snoop around pretty much unimpeded. Zero-trust architecture means that no one is trusted by default from inside or outside the network, and verification is required from everyone trying to gain access to resources on the network. 

Zero trust security is not a single technology but a holistic approach to network security that incorporates several different principles and technologies, starting with the assumption that there are attackers both within and outside of the network, so no users or machines should be automatically trusted. 

In order to control access to this level, the network is broken into zones, each of which requires authorization to access and use. The result of this approach is called micro-segmentation. Said Graham-Cumming:

The analogy we use is the system of watertight doors in ships that allow you to seal off a compartment that is flooding to prevent the water from sinking the entire ship. If a hacker gets into one part of your network then the attack is contained.  You can essentially make sure that even if the attacker got in through one door they can't get past the first room. 

Another important element of zero-trust security is called "least-privilege access," which means users are given only as much access as they need and are approved to access. Traditional technologies give users unfettered access to everything on the network, enabling the kind of lateral movement seen in the SolarWinds hack.  Micro-segmentation logically separates each application allowing administrators to be extremely detailed with how to assign permissions. Basically, it is access that operates on a "need to know" basis.  

Zero trust is not a new idea so the big question is why aren't more enterprises implementing it?  A Forrester survey found that 82% of organizations, both small and large say they now are committed to adopting a zero trust security architecture but only 39% of organizations surveyed reported having completed at least one zero trust pilot this year. Said Graham-Cumming:

There are a number of challenges related to overall cloud transformation and digital transformation in general. Eighty percent of organizations accelerated their cloud adoption plans in 2020, but most found they weren't ready. When large chunks of data have not yet moved to the cloud from isolated data centers, it's a lot harder to secure using a single security tool.

Another obstacle to zero trust adoption is the complexity of managing identity and access management.  Zero trust relies on a single source of truth for identity management, yet larger organizations in particular have often accumulated multiple incompatible identity providers over the years. These usually require weeks to update in the best of times.  They must also understand access patterns across a huge number of applications--most of which cannot be shut down even for a moment in order to be migrated to a new identity platform.

Cloudflare to the rescue?

In October, Cloudflare introduced a comprehensive, cloud-based network-as-a-service (NaaS) solution called Cloudflare One that is designed to replace a patchwork of appliances and WAN technologies with a single network that provides cloud-based security, performance, and control through one user interface.

At the same time, it introduced the Cloudflare Intrusion Detection System, a new product that monitors customers' networks and alerts them when an attack is suspected. Deeply integrated into Cloudflare One, Cloudflare IDS provides a bird's eye view of the entire global network and inspects all traffic for bad behavior, regardless of whether it came from outside or inside the network.

The IDS solution analyzes an entire network simultaneously and alerts tech professionals to events that traditional rules might not catch. For example, legacy security models implicitly trusted any connection inside the network which made them vulnerable to breaches and attacks from bad actors coming from within. 

The concept of zero trust essentially flips the legacy model by assuming every connection is hazardous. Instead of waiting for evidence that a definite breach has occurred, the assumption is that one has already happened.

Cloudflare's intelligent global edge network spans more than 200 cities in over 100 countries including more than 78 cities across Europe and 16 cities in China. It has 100,000 paying customers, but it hosts more than 3.2 million customers with over 26 million properties because it offers a free product to allow potential customers to try a scaled-down version of its products.  

With its network getting hit every day by more than 76 billion cyberattacks, the company says it views new threats as an opportunity to improve security for all customers.  Cloudflare's zero-trust system requires verification from any user attempting to access a network, which is used to prevent data hacks.

The SolarWinds breach is a strong reminder that we cannot inherently trust anything that has access to internal corporate data or infrastructure. Organizations must adopt a zero trust architecture in order to ensure all devices, individuals, and third-party software is free of malicious content.  There's going to be a lot of cleaning up but it's not something we can afford to ignore.  The consequences are just too serious. 

My take

Cloudflare is among the most important internet companies I had only vaguely heard of before responding to a PR pitch. I also like the fact that John Graham-Cumming, its CTO, was the principal driving force that secured an apology from the UK government for its shameful prosecution of Alan Turing.