The hype around the well-documented cybersecurity talent shortage is tangible. Attend any security industry conference and you’re guaranteed to see at least a few talks on the agenda about the shortage itself (“1.5 million cybersecurity jobs will be unfilled by 2020! No, it’s 3 million!”), how to attract and retain cybersecurity employees, or how to compensate for your overworked and understaffed team. There are plenty of opinion pieces on the subject too (+1, including this one), some of them dismissing the idea of a shortage on the premise that automation lets security and operations teams do a lot more with less.
I think it’s fair to say that the number of operational security professionals needed to support the industry will grow alongside the technological changes that shape our world and that automation will counterbalance some of that need. The workforce “shortage,” in other words, might not be quite so traumatizing if organizations set themselves up for success now, using automation and other advantages.
One of the “tools” that fits squarely into the theme of automation reducing the manual management of mundane tasks is the implementation of a zero trust framework.
By now you probably know the concept of zero trust:
- Assume adversarial activity is already happening on your network and approach all traffic with the motto, “Never trust, always verify.”
- Enforce access controls at the asset level (e.g., software, application) instead of at a perimeter; authentication and authorization occur with every communication, regardless of what was permitted in the past.
- Implement least-privilege access uniformly across applications, servers, hosts, users, and devices.
- Dynamically update and adapt policies based on the context.
OK, but what does any of this have to do with reducing the workforce shortage or even automation?
Zero trust: a uniform approach
Zero trust is an architectural concept that flips old models of how to segment and manage networks on their heads. With zero trust, there is no inside versus outside when it comes to traffic on the network; all traffic is treated as hostile and therefore needs to be verified, based on the identity of the communicating parties, every time a communication is sent or received. Configuring the network (or networks) in this way means that security and networking pros don’t have to monitor and manage different networks (e.g., public cloud vs. on-premises data center vs. container) or parts of the network differently. Administrators can treat all users and devices the same way, i.e., entities require verification every time a communication is attempted, regardless of who or what they are. A uniform approach to network security, whether on-premises, in the cloud, or in a container, saves time and effort, which in turn frees up staff’s time to focus on higher-level, business-benefiting initiatives.
Another important element of a zero trust methodology is asset inventory and identification. Finding and classifying all networked assets is a mammoth project for most organizations. Software and services on the network change, users and devices touching the network change, and in today’s world, even networks themselves change as instances are spun up and down. Because one pillar of a zero trust network is the mandatory verification of assets each time they communicate, assets are discovered automatically the moment they attempt to communicate, even if they were provisioned without IT’s permission. (The caveat: an asset that never sends traffic through an enforcement point still has to be found by other means.) Gaining automated visibility into what’s present and communicating on the network is another way zero trust saves time and effort, which decreases the pressure for more headcount.
Building upon the theme of automated asset discovery, using zero trust, organizations achieve immediate and accurate visibility into how assets are communicating on the network. If Application A is trying to connect to Host A in a zero trust network, network/security teams will see that transaction, whether it is allowed or denied. No more searching through mountains of logs to determine what’s talking to what and how. No more time spent manually creating Visio diagrams of how network apps communicate, which become obsolete as soon as they are finished. Removing the need for manual intervention without sacrificing quality or efficacy is a huge win for resource-strapped cybersecurity teams.
Reducing the network attack surface
Attackers are after organizations’ data, and zero trust puts data protection back at the heart of the security strategy. As assets are discovered (applications, users, hosts), they are identified by their identity attributes. Although this is a different sense of “identity” than the one in “identity and access management,” the concept is similar: properties of communicating assets are used to determine what an asset is and which permissions should be granted if its identity can be positively verified. Fingerprinting happens automatically in a zero trust network, which should be music to the ears of anyone who has ever spent countless hours, weeks, or months conducting a manual classification project.
Further, zero trust policies are expressed in terms of the identity of assets and how they are permitted to communicate, which is a much smaller data set than the number of network communication pathways that exist in any given network, especially in the public cloud. Reducing the scope of the potentially exploitable attack surface allows security and network teams to home in on what’s important: data. Conventional wisdom says that determined attackers are going to find their way into organizations’ networks no matter what high walls are erected, so focusing time and energy on preventing access to data assets once an adversary is inside truly provides the most “bang for your buck.” This doesn’t mean organizations can do away with firewalls and perimeter-based tools, but moving the most hardened protection from the perimeter to the application (based on its identity) results in security staff spending less time analyzing innumerable network pathways that may or may not even be necessary to operate the network.
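The following Python snippet is an added example, not code from the original post or from any product, that puts the principles from the bullet list above and from this section into one small policy gate: identity verified on every request with no carried-over sessions, default deny, context-conditioned least privilege, and an inventory and per-communication log that fill themselves in as a by-product. The asset names (app-a, host-a, alice, db-orders, rogue-vm), the context keys (workload_attested, managed_device, mfa) and the rule format are all assumptions for illustration. The last method also shows the data-set point made above: the number of directed pathways among the discovered assets versus the number of identity-based rules actually needed.

```python
"""Per-request zero trust policy gate (added example; not code from the original post).

Everything here is a hypothetical model for illustration: the asset names, the context
keys (workload_attested, managed_device, mfa) and the rule format are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Principal:
    """A communicating asset: user, device or workload."""
    name: str
    kind: str                                   # "user" | "device" | "service"
    verified: bool                              # identity proven on THIS request (mTLS, signed token, ...)
    context: Dict[str, object] = field(default_factory=dict)   # posture/environment attributes


@dataclass(frozen=True)
class Rule:
    """Allow `source` to perform `action` on `dest` only while `require` holds."""
    source: str
    dest: str
    action: str
    require: Dict[str, object] = field(default_factory=dict)


class ZeroTrustGate:
    def __init__(self, policy: List[Rule]):
        self.policy = policy
        self.inventory: Dict[str, datetime] = {}   # assets seen, sanctioned or not
        self.log: List[dict] = []                  # one entry per communication attempt

    def authorize(self, src: Principal, dest: str, action: str,
                  now: Optional[datetime] = None) -> Tuple[bool, str]:
        """Decide one communication. No sessions: identity is re-verified every time."""
        now = now or datetime.now(timezone.utc)
        # Discovery as a by-product: whoever tries to talk is inventoried, allowed or not.
        self.inventory[src.name] = now
        self.inventory[dest] = now
        allowed, reason = self._decide(src, dest, action)
        # Visibility: what talked to what, how, and why it was (dis)allowed.
        self.log.append({"time": now.isoformat(), "src": src.name, "dest": dest,
                         "action": action, "allowed": allowed, "reason": reason})
        return allowed, reason

    def _decide(self, src: Principal, dest: str, action: str) -> Tuple[bool, str]:
        if not src.verified:                       # never trust: unverified identity is denied
            return False, "identity not verified on this request"
        for rule in self.policy:
            if (rule.source, rule.dest, rule.action) != (src.name, dest, action):
                continue
            unmet = [k for k, v in rule.require.items() if src.context.get(k) != v]
            if unmet:                              # dynamic policy: context decides, not just identity
                return False, f"rule matched but context unmet: {unmet}"
            return True, "rule matched"
        return False, "no rule: default deny"       # least privilege: nothing is implicit

    def pathways_vs_rules(self) -> Tuple[int, int]:
        """Directed pathways among inventoried assets vs. the rules actually needed."""
        n = len(self.inventory)
        return n * (n - 1), len(self.policy)


def run_demo() -> ZeroTrustGate:
    """Exercise the gate on constructed traffic; returns the gate for inspection."""
    policy = [
        Rule("app-a", "host-a", "connect", {"workload_attested": True}),
        Rule("alice", "db-orders", "read", {"managed_device": True, "mfa": True}),
    ]
    gate = ZeroTrustGate(policy)
    app_a = Principal("app-a", "service", verified=True, context={"workload_attested": True})
    gate.authorize(app_a, "host-a", "connect")                       # allowed
    # Same name, same destination, but the certificate/token did not verify this time:
    # the earlier allow is no precedent.
    gate.authorize(Principal("app-a", "service", verified=False), "host-a", "connect")
    # Alice on an unmanaged laptop: correct identity, wrong context.
    alice = Principal("alice", "user", True, {"managed_device": False, "mfa": True})
    gate.authorize(alice, "db-orders", "read")
    # A VM nobody registered shows up in the inventory simply by trying to talk.
    gate.authorize(Principal("rogue-vm", "service", True), "db-orders", "read")
    return gate


if __name__ == "__main__":
    g = run_demo()
    for entry in g.log:
        print(entry)
    print("discovered:", sorted(g.inventory))
    print("pathways vs rules:", g.pathways_vs_rules())
```

Running the demo yields one allow and three denials, each with a reason a human can read off the log, and an inventory that contains rogue-vm even though no rule mentions it. With five discovered assets there are 20 directed pathways to reason about but only two rules, which is the reduction in scope the section above is describing. In a real deployment the `verified` flag would come from a cryptographic check (a client certificate or signed token) performed at the enforcement point on every request, and the context attributes would come from a device-posture or workload-attestation service rather than being passed in by hand.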
Saving time by sharpening focus
Security and operations teams have numerous ways to automate the more mundane parts of their job. Some people in the industry have expressed concern that things like automation, machine learning, and artificial intelligence will diminish the need for cybersecurity professionals, but I think it’s more than fair to say that none of those developments will decrease the need for qualified, talented, hardworking security professionals. What they will do, however, is cut down on some of the busywork (that no one likes anyway), putting time back on security and ops pros’ calendars to focus on more strategic work. Zero trust networking is one of those areas. Not only does it mean that some of the more tedious manual work can be automated, but zero trust also increases the efficacy of an organization’s cybersecurity plan.
Zero trust is truly a “do more with less” solution, but that doesn’t mean anyone’s job is disappearing in the near or distant future. As someone said recently at one of those industry conferences referenced above, “Zero trust is a novel concept now, but eventually ‘zero trust’ will just be called ‘security.’” I hope that’s correct, because it does ease a lot of problems, but it also means starting with a zero trust plan now, before the busywork buries your team in alerts and maps and other manual processes.