Organizations of all industries evolve, and their compliance maturity changes. Most companies want to push forward and improve their compliance programs, privacy programs and overall cybersecurity posture. There are many methods for continual improvement, different standards to adopt, or adhere to, regulatory requirements to implement and support, or frameworks to strengthen security programs. There’s no silver bullet to improving cybersecurity but there’s a new trend that many organizations are investigating: Zero Trust Security.
The concept of Zero Trust Security originated a decade ago and has a simple premise.
No user, device, or application can be fully trusted. While strong perimeter defense from the public internet is a standard practice, the concept of a strong perimeter to enforce access controls from untrusted devices is decades old and considered by many to be a legacy configuration. External inbound connections are untrusted and once that connection is authenticated then it can access the resources available to it on the internal network. Devices internally are automatically trusted as corporate systems with reduced controls. Zero Trust Security throws this legacy model out of the window and assumes that any connection, any device, any user and any application is untrusted and must be continuously verified before accessing information security resources or systems.
Data privacy professionals have recently considered a similar concept for privacy data. Data classification schemes may not be sufficient to protect consumer and intellectual property data and that all data should be treated with the most rigorous of control schemes.
Zero Trust Security can be utilized for compliance, including PCI compliance.
Current guidelines from the PCI SSC encourage segmentation, basically isolation, to manage scope and ensure that systems in-scope cannot be reached by out of scope systems. This segmentation, or micro-segmentation is a concept shared by Zero Trust Security. It is a concept also utilized by defense-in-depth principles, at least in one aspect.
The Zero Trust Model is predicated that no system is trustworthy: regardless of past access to a protected resource. In PCI, this model is somewhat supported by the fact that in-scope systems must be isolated from all other systems. But Zero Trust Security would go one step beyond this. Even “similar” systems, or resources, under Zero Trust, must regularly be authorized to access other resources. Web or application servers would be continually authenticating and verifying themselves to access other resources. These systems would never trust each other and all communications and access to resources, file shares, databases, etc., would need to be authenticated continually.
In theory, this would reduce the risk to cardholder data systems.
All systems must be authenticated, including user access, before gaining access to resources. All communications are encrypted, even internal traffic, because there’s Zero Trust of the network. Asymmetric keypairs, multifactor authentication, or other technologies are in-use to authenticate all accounts. Network Access Control technologies are enforcing strong inbound and outbound rulesets and other policies to ensure that systems are patched and meet a minimum configuration prior to gaining access to the network. Security Event and Incident Management tools are utilized to audit all access to cardholder data, administrative actions. File Integrity Monitoring, change detection software, and anti-malware tools are installed, running and up-to-date and protecting the systems from unauthorized changes and malicious logic. It almost appears to be a cybersecurity utopia.
Very few organizations can sustain such an architecture without a large budget and a dedicated information security team with depth and breadth of expertise. While many of the items above are required by PCI, the means to meet those requirements vary and do not rely on Zero Trust. Many organizations, due to their size, nature, or complexity cannot manage the overhead or expense of Zero Trust.
In limited scenarios, such as protecting an ecommerce environment or small cardholder data environment, a Zero Trust model can be sustainable for many organizations.
A focused, surgical approach to treat all communications as untrusted can be accomplished with a modest investment in technologies and a team with a broad skillset.
For example, an organization would want to consider performing the following:
- Fully define the in-scope environment to be protected by Zero Trust.
- Perform a risk analysis to determine the risks to the environment.
- Identify and source the tools and expertise to mitigate the risks.
- Implement and adapt a Zero Trust Model for the defined environment.
- Analyze any residual risk present and adopt processes or technologies.
- Perform a risk impact assessment prior to making any changes to the environment.
- Regularly review the environment and incorporate “lessons learned.”
Zero Trust may not work for every organization but treating all systems as untrusted at all times will encourage, and require, adoption of processes and technologies to protect the organizations payment channels. Consider the risks to your organization to determine if a Zero Trust, or partial trust model, will address the goals of your PCI compliance program.
SecureTrust, a Trustwave division, leads the industry in innovation and processes for achieving and maintaining compliance and security. SecureTrust delivers world-class consulting, compliance and risk assessment services and solutions for the enterprise market as well as tailored merchant risk management programs and solutions for merchant program sponsors around the globe.
CLICK HERE to contact us for all Enterprise Compliance, Merchant Risk Management and Compliance Technology needs.
Jason Likert is a Managing Consultant at SecureTrust, where Jason leads a team of information security professionals and oversees the execution of security audits, PCI compliance assessment, and other professional services engagements. Jason has been involved in the payment ecosystem as a consultant, auditor and assessor since 2005.
Prior to SecureTrust, he served eight years in the US Air Force and was Director of IT and large e-commerce and healthcare organizations. Jason holds the QSA, Certified ISO 27001 Lead Implementer and Certified ISO 27001 Lead Auditor certifications.