Cigref has published a report on the work of its « Zero Trust » working group, led by Thierry Borgel, CIO of the ICADE group.
Zero Trust is a development of IT security principles and a philosophy that organisations will need to adopt to strengthen the security of their digital assets. This concept requires an in-depth transformation approach, and a multi-year deployment roadmap; it is therefore not a question of applying a single solution or a single good practice but of implementing a programme including multiple projects in several areas: infrastructure, network, security, applications, cloud, etc.
This thought pattern or state of mind describes an approach where equipment and users are considered untrustworthy until proven otherwise. Thus, the concept of Zero Trust is based on the belief that trust must be established and verified with rules: « Never assume, always verify, give minimal privilege, monitor and respond quickly ».
This report is also published in French. Click here to read it.
A favourable context for the emergence of the Zero Trust concept
The current context shows the limits of the traditional fortified-castle model, which consists of protecting the internal IS at its perimeter (the equivalent of ramparts and moats), and favours the emergence and development of the Zero Trust concept. Among the contextual phenomena identified, the group converged on the exponential increase in the cyber threat, the rapid expansion of the IS driven by migration to the cloud, the mobility of employees and service providers, as well as technological developments and the growing number of digital projects.
Today, most Cigref organisations are studying the concept, are beginning to understand it and are taking ownership of it. Some members are already « doing Zero Trust » without knowing it, but most are still only at the beginning of the process, and are seeking to identify the opportunities that they would have to integrate it into their security strategy and policy.
Zero Trust: « who accesses what, why, how, and from where? »
The participants of the Cigref working group formulated a single overall question to summarise all of the elements to be checked when implementing a Zero Trust project: « who accesses what, why, how, and from where? ». The « who » represents users and services; the « what » represents applications, whether in the cloud or not; the « why » concerns the reasons for the access, evaluated against specified rules; the « how » refers to the network used, either the corporate network or, increasingly, the Internet; and finally the « from where » refers to the user's terminal equipment and its location. All of these checks must comply with the GDPR and other applicable regulations.
The working group has thus made it clear that the subject is structural, complex, transversal, and a long-term undertaking. As of today, in each of the projects under consideration, organisations can begin to integrate the principles of Zero Trust, whether these concern the workstation, user awareness, the identity repository, access techniques or the network. They must also question their ability to use the Internet as their primary corporate network, and the impacts of doing so on their infrastructure and security model.
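The five-part question above can be turned into a policy decision that denies by default and allows only when every dimension is explicitly permitted. The following is an added illustration, not code from the Cigref report; the rule set, the user and service names and the "payroll-app" resource are constructed, and the "how" value is reduced to a corporate/Internet label:

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AccessRequest:
    who: str              # user or service identity
    what: str             # application, in the cloud or not
    why: str              # declared purpose of the access
    how: str              # network used: "corporate" or "internet"
    device_managed: bool  # is the terminal enrolled and compliant?
    where: str            # location of the terminal (country code)

@dataclass(frozen=True)
class Rule:
    who: frozenset
    what: str
    why: frozenset
    how: frozenset
    managed_device_only: bool
    where: frozenset
    def failures(self, req):  # dimensions on which req does not satisfy this rule
        failed = []
        if req.who not in self.who: failed.append("who")
        if req.what != self.what: failed.append("what")
        if req.why not in self.why: failed.append("why")
        if req.how not in self.how: failed.append("how")
        if self.managed_device_only and not req.device_managed: failed.append("device")
        if req.where not in self.where: failed.append("where")
        return failed

# Constructed sample policy (hypothetical names): named users may read their payslip from
# either network but only from a managed device in FR or BE; a backup service may reach
# the same application only over the corporate network, from FR.
POLICY = [
    Rule(frozenset({"alice", "bob"}), "payroll-app", frozenset({"read-payslip"}),
         frozenset({"corporate", "internet"}), True, frozenset({"FR", "BE"})),
    Rule(frozenset({"svc-backup"}), "payroll-app", frozenset({"backup"}),
         frozenset({"corporate"}), True, frozenset({"FR"})),
]

def decide(req, policy=POLICY, audit=None):
    """Default deny: ALLOW only when one rule is satisfied on every dimension.
    Returns (decision, failed dimensions of the closest rule) and logs it to audit."""
    closest = ["no-rule"]  # what is reported when no rule comes close to matching
    for rule in policy:
        failed = rule.failures(req)
        if len(failed) <= len(closest):
            closest = failed
    decision = "ALLOW" if not closest else "DENY"
    if audit is not None:  # every decision is recorded so denials can be monitored
        audit.append((decision, req.who, req.what, req.why, req.how, req.where, tuple(closest)))
    return decision, tuple(closest)
```

The reported failing dimension is what a monitoring team would want to see: a denial on "device" or "where" from a legitimate user is a different signal from a denial on "who" or "why".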
Zero Trust: a complement to good security practices
The Zero Trust model must be added to the good security practices that all organisations should already implement. In a dedicated opinion on the subject, the ANSSI (French National Agency for the Security of Information Systems) recommends vigilance when deploying Zero Trust solutions, in order to avoid installation or configuration errors. With this approach, the intrinsic vulnerabilities of applications remain a problem. Organisations therefore need to rely on applications that are secure by design and secure by operation.
To prepare for the future, organisations should lay the foundations now for the requirements of future networks, notably 5G, and of identity and access management, in particular by anticipating passwordless approaches, as well as for other possible organisational and technological disruptions, all in line with this philosophy.