Among the many things that may keep internal auditors up at night are cybersecurity, compliance, and data security and protection, according to a recent survey by the Chartered Institute of Internal Auditors. These top three concerns significantly outrank other risk categories like human resources, regulatory change, and digitalization, although, of course, many of these risks are related. Internal auditors are coming under tremendous pressure from audit committees and other stakeholders to do their part to provide greater control over how their organizations manage these inter-related risks.
Interestingly, in the world of the cybersecurity practitioner, “data security and protection” falls under the umbrella category of “cybersecurity.” After all, the vast majority of organizational data today are digital, and “cybersecurity” encompasses protection of everything from the servers that house the networks on which applications and databases are run to the data contained inside the applications and databases. Cybersecurity, therefore, can be viewed as an overriding theme for data protection, and even includes parts of compliance, given that regulations like GDPR, PCI-DSS, HIPAA, and several others have large data protection components.
Because cybersecurity is a high-priority business risk (any cyber incident is likely to affect the confidentiality, integrity, or availability of the business’s data or systems at some level), auditors have a pressing need to find methods of ensuring all systems and processes related to collecting, storing, and using data are functioning as intended and that they are safe from the disastrous failures we hear about too frequently today. One of the most promising strategies for strengthening cybersecurity and data protection is zero trust networking.
The Obsolescence of Trust
For many years, companies operated their networks on a “trust but verify” basis, meaning that once traffic passed through a security control—generally a firewall—at the perimeter of a network, it was trusted and allowed to communicate freely inside the network without many—or any—further controls to stop it. Further, these security checkpoints used IP addresses, ports, and protocols to inspect the first four network packets in every communication. If the first four were fine, the traffic was trusted.
This process is akin to crossing the border into the United States in your car: A border patrol agent asks you for identification and a few quick questions, and if you provide what’s necessary and don’t outwardly display any warning signals, you’re free to continue on to your destination without issue. You typically won’t encounter more questioning until your return trip. The problem with this is that you could, theoretically, wreak all kinds of havoc inside the border, and if police aren’t in the vicinity and you haven’t been caught on surveillance cameras, your actions will go undetected.
This was how network security worked for many years: Trust but verify. And this approach was generally adequate…until networks and networking became exponentially more complex and distributed. Today, organizations no longer own and manage one central, internal network. They may have dozens or even hundreds of networks across on-premises data centers, the cloud, and virtual environments. Plus, the explosion of device types (smartphones, tablets, IoT) that connect to the network, but are not corporate owned or managed, have eroded the perimeter, making it unreliable as a security gateway.
What’s more, modern businesses run on applications and services that may never travel outside the perimeter. If the main security control to stop malicious traffic is at a border which traffic never passes through, how can it possibly be effective? And what about the reality that threat actors are skilled at stealing valid user credentials, through phishing and other means, then using them to gain access into the network and its apps and services? Trust is too big a cybersecurity risk for corporations to bear.
Mitigating Cyber-Risk Through Verification
Zero trust is a concept introduced nearly a decade ago by Forrester Research. The premise was that modern-day networks are too complex and virtual environments too ephemeral for firewalls and other perimeter controls based on trust elements to protect effectively against cyber-attacks. In a zero trust network, all traffic, including traffic already inside the perimeter, is considered hostile and must be verified through strict authentication to communicate. Importantly, this verification process doesn’t just happen once, as is the case with perimeter-based security controls. In a zero trust network, every time an application tries to connect to another application or a server, whenever a database tries to communicate with a host, and so on (both inside and to gain access into the network), verification occurs before the communication initiates.
How does verification work, exactly, and why should internal auditors care?
Verification for each application, host, service, or network component is based on its cryptographic identity. This unique and immutable fingerprint allows systems to determine whether software and services should be allowed to communicate, or if they’ve been altered or tampered with in any way and must be checked for malware or other malicious activity before they’re authorized to communicate. Additionally, the policies that control authorization or denial within the network are configured on a least-privilege access basis, which means that fewer resources have access to other resources within the system which in turn decreases the network attack surface. While doing these things sounds logical, most networking today still occurs over flat, highly permissive networks that can’t differentiate between “good” and “bad” traffic or software.
So, how is this applicable to internal auditors?
Many regulations stipulate that organizations must know and be able to demonstrate how certain types of data have been collected or used. Because each asset in a zero trust network is fingerprinted before it is allowed to communicate, zero trust is an effective method of asset identification.
Another critical element of auditing data and systems security is data flow mapping: understanding where data is in the organization’s systems, how it’s communicating, and with what.
Zero trust maps data flow and ensures that organizations can find every application, database, and workflow communicating on and into their networks. Though each compliance mandate carries its own set of requirements, at the heart of every one (as it pertains to cybersecurity) is knowing all about the data and how it flows throughout networks. Compliance with the EU General Data Protection Regulation (GDPR), for example, requires organizations to map data flows to assess privacy risks. Zero trust accomplishes this requirement automatically.
Here in the United States, the Payment Card Industry Data Security Standard (PCI-DSS) requires entities to “ensure only designated systems in the corporate network can communicate … to systems in the CDE.” Within a zero trust network, corporations can not only see what systems are communicating (asset identification), but how and with what they’re communicating (data flow mapping), and allow the organization to apply fine-grained policies based on the asset fingerprint (implement security controls). Further, applied policies can create borders, boundaries, microperimeters, segmentation, and other rules around each asset, meaning companies can limit their compliance scope and apply auditable security.
Implementing Zero Trust
The idea of implementing a new or different type of network is enough to scare any security, IT, or audit practitioner into inertia. The good news about zero trust is that it’s not a “rip and replace” scenario. Zero trust requires no architecture or infrastructure changes. Many commercial tools are API, agent, or software based, and provide management consoles from which administrators can view data maps, applied policies, recommended policies, and any changes within the environment. In other words, zero trust eliminates traditional security tooling implementation nightmares yet provides the fine-grained controls security practitioners seek, the auditability auditors need, and the network flexibility IT operators want. 
One Reply to “What Auditors Must Know About Zero Trust Networking”