An introduction to zero-trust security architecture, its basic principles and what it means for credit unions
“Guilty until proven innocent.” Not a phrase one usually thinks of when discussing credit union cybersecurity practices, but those four words offer a simple introduction to the philosophy behind zero-trust architecture for information and technology security.
For our starting point, let’s look at the NIST definition of zero trust:
“Zero trust provides a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as compromised.”
“Zero-trust architecture is an enterprise’s cybersecurity plan utilizing zero trust concepts and encompasses component relationships, workflow planning, and access policies.”
Breaking down the above, let’s look at several aspects of what zero trust is and is not for the credit union.
Zero Trust: What It Is and What It Isn’t
First, zero trust is not a technology. It’s not something you simply buy from some vendor. While not specified in the above definition, further information from NIST on ZT uses the word “resources” (as in, “protecting resources”). In the context of ZT, resources include hardware, software, information, databases, personnel and processes (workflows). So, ZT is holistic and considers multiple aspects of credit union operations beyond just technology. It requires examination, analysis and potential modification of many aspects of credit union operations (e.g., training, policies, procedures) beyond just technology. And while technology will be a component in the implementation of a ZT security strategy, it will not be the only area where work is needed.
Second, ZT is not something that can only be implemented at large credit unions. While budgets and resources may limit the technological aspects smaller credit unions may be able to implement, there are many aspects of ZT smaller credit unions can work through to achieve a stronger security posture. In fact, work related to understanding what data is located where might actually be easier for smaller credit unions than for their larger brethren.
A Multi-Layered Data Security Model
As with other security models, ZT is about securing data, wherever that data may lie—within the CU’s four walls, at a vendor or in the cloud. When data is accessed, security and secure connections are key. And while confidentiality tends to bubble to the top when thinking about connections and security, ZT requires an examination of both integrity and availability when looking at connections and how data is accessed.
With zero trust, there is an assumption that bad guys will be able to penetrate credit union systems and get behind various firewall and perimeter defenses. So, in a zero-trust architecture, an emphasis is placed on creating multiple layers and barriers (i.e., defense-in-depth) to minimize the spread of an intrusion. This is not to say perimeter and endpoint security are not important, but they are viewed as only one component of a ZTA.
A key aspect of ZT is the idea of granular access. Resources are examined, the minimum amount of need-to-access/need-to-do is determined, and then access is granted. And while technology plays an important role in maintaining this access, the credit union needs to employ significant time and effort in reviewing procedures and processes to determine what these needs are. For example, how does the credit union ensure only necessary rights are available to an employee when they transfer from one position to another and unnecessary rights are not carried over? How does the credit union regularly review and confirm inappropriate access is not granted to a user or device?
Per-Request Access
Another key concept is the idea of “per request” contextual access. Rather than thinking of allowing access as a once-and-done process, in a zero-trust model, access is looked at on a session-by-session, case-by-case basis. To help explain this, let’s look at a couple of examples.
Rather than having blanket access to loan applications, a check is made each time an employee logs into the loan origination system. If they are in the office, access may be granted. If they are working from home, the use of two-factor authentication may be needed for access. If they are working from a public Wi-Fi hotspot, access might be denied.
Similarly, access to the LOS using the employee’s work computer may be granted the week before they go on vacation, as the computer’s software and antivirus are current. Their login after returning from vacation, however, may be delayed until needed patches are applied to software, the latest antivirus definitions are downloaded and scans are completed.
Building off the above is ensuring that assets (hardware, software, devices, etc.) are secure and that continuous monitoring and reporting are in place. Zero trust means no device is assumed to be secure. As in the above example, before a connection is made, the security of the device and the connection is checked. While I stated earlier that ZT is not a technology you can buy and deploy, this is one area where a technological solution will play an important role.
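The following is an added example, not code from the article or from any product it mentions. It turns the two ideas above into working logic: the granular, need-to-access review from the “transfer from one position to another” question (a function that reports rights a user still holds that none of their current roles require), and the per-request contextual decision from the LOS scenarios (entitlement, then network location, then device patch and antivirus state, then a second factor for remote sessions). The role names, entitlement strings, network labels and the patch/definition/scan age thresholds are assumptions chosen for illustration; a credit union would set its own.

```python
# Added example (not from the article): per-request, context-aware access
# decisions plus a periodic entitlement review. Role names, entitlement
# strings, network labels and age thresholds are assumptions for illustration.
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    REQUIRE_MFA = "require_mfa"        # grant only after a second factor
    DEFER = "defer_until_remediated"   # device must be patched/scanned first
    DENY = "deny"


@dataclass(frozen=True)
class DevicePosture:
    patch_age_days: int       # days since OS/software patches were applied
    av_defs_age_days: int     # days since antivirus definitions were updated
    last_scan_age_days: int   # days since the last completed antivirus scan


@dataclass(frozen=True)
class AccessRequest:
    user: str
    resource: str
    network: str              # assumed labels: "office", "home", "public_wifi"
    mfa_completed: bool
    device: DevicePosture


# Assumed thresholds for a "current" device; real values come from CU policy.
MAX_PATCH_AGE_DAYS = 14
MAX_AV_DEFS_AGE_DAYS = 3
MAX_SCAN_AGE_DAYS = 7

# Assumed role-to-entitlement map: what each role needs, and nothing more.
ROLE_ENTITLEMENTS = {
    "teller": {"core:deposits", "core:withdrawals", "core:member_lookup"},
    "loan_officer": {"los:applications", "los:decisions", "core:member_lookup"},
}


def required_rights(roles: set[str]) -> set[str]:
    """Union of the entitlements the given roles actually need."""
    return set().union(*(ROLE_ENTITLEMENTS.get(r, set()) for r in roles))


def review_grants(current_roles: set[str], granted: set[str]) -> set[str]:
    """Rights a user holds that none of their current roles require.

    Run this when someone changes positions and on a regular review cycle so
    that entitlements from a previous role do not silently carry over.
    """
    return granted - required_rights(current_roles)


def posture_problems(d: DevicePosture) -> list[str]:
    """List of posture failures; an empty list means the device is current."""
    problems = []
    if d.patch_age_days > MAX_PATCH_AGE_DAYS:
        problems.append("patches_outdated")
    if d.av_defs_age_days > MAX_AV_DEFS_AGE_DAYS:
        problems.append("av_definitions_outdated")
    if d.last_scan_age_days > MAX_SCAN_AGE_DAYS:
        problems.append("scan_overdue")
    return problems


def evaluate(req: AccessRequest, user_roles: dict[str, set[str]]) -> tuple[Decision, list[str]]:
    """Decide one request; every call re-checks entitlement, network and device.

    Returns the decision and the reasons behind it, suitable for an audit log.
    """
    # 1. Least privilege: one of the user's current roles must need the resource.
    if req.resource not in required_rights(user_roles.get(req.user, set())):
        return Decision.DENY, ["no_role_requires_resource"]
    # 2. Connection context. Public and unknown networks fail closed.
    if req.network == "public_wifi":
        return Decision.DENY, ["public_network"]
    if req.network not in ("office", "home"):
        return Decision.DENY, ["unknown_network"]
    # 3. Device posture: no device is assumed secure, not even a known work laptop.
    problems = posture_problems(req.device)
    if problems:
        return Decision.DEFER, problems
    # 4. Off-premises sessions need a second factor before access is granted.
    if req.network == "home" and not req.mfa_completed:
        return Decision.REQUIRE_MFA, ["remote_session"]
    return Decision.ALLOW, ["in_office" if req.network == "office" else "remote_with_mfa"]


if __name__ == "__main__":
    roles = {"alice": {"loan_officer"}}                 # constructed sample user
    current = DevicePosture(patch_age_days=2, av_defs_age_days=1, last_scan_age_days=1)
    stale = DevicePosture(patch_age_days=30, av_defs_age_days=10, last_scan_age_days=20)
    for net, mfa, dev in [("office", False, current), ("home", False, current),
                          ("public_wifi", True, current), ("office", False, stale)]:
        req = AccessRequest("alice", "los:applications", net, mfa, dev)
        print(net, mfa, evaluate(req, roles))
    print("excess rights:", review_grants({"loan_officer"},
                                          {"los:applications", "core:deposits"}))
```

Note that the decision is computed fresh on every call and carries its reasons with it: the same user on the same laptop gets ALLOW before vacation and DEFER after it purely because the posture inputs changed, which is the session-by-session behaviour the article describes.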
Working through and thinking about all the bits and pieces of a zero-trust implementation can be overwhelming. But rather than thinking about the “zero,” focus on the “trust.” Trust is about creating and ensuring confidence, fidelity, transparency, security and certainty in connections and relationships—something credit unions have decades of experience doing for their members. Adopting a zero-trust model is simply expanding that idea to digital connections, transactions, resources and interactions.
Jim Benlein, CISA, CISM, CRISC, owns KGS Consulting LLC, Silverdale, Washington, and offers insights to credit unions on information technology governance, information security and technology risk management. In addition, he volunteers his time and sits on the supervisory committee at a local CU.