Zero-trust model case study: One CISO's experience
Adopting a zero-trust environment was the right move for GitLab, according to the company's former security chief, but it may not be well suited for all enterprises.
Kathy Wang had a significant challenge when she stepped into the top security role at GitLab: figuring out how to fortify a company that had no perimeter to protect.
Wang said when she became head of security for the company in 2017, she knew a conventional security program wasn't going to work with an employee base that was 100% remote. She opted to implement a zero-trust model because it was the most effective way to defend a network that had no borders while still giving workers the access they needed.
"Our users were all over the world working in a [software-as-a-service] environment. That necessitated a different defense strategy than the perimeter-based model that most companies use," Wang said. "We just believed that every host and asset in the network needs to be protected."
The zero-trust roadmap
Wang came into GitLab already familiar with the zero-trust model, having followed Google's publicized implementation of this approach. She said GitLab, as a cloud-native company, seemed a strong candidate for the cutting-edge philosophy, but she also knew there was plenty of work to do to move GitLab to a zero-trust environment.
"Zero trust is a process," she added, "so it's never done."
She started the process by classifying the company's data into four categories -- red being the most sensitive, followed by orange and yellow, with green being public information. "That gave us a good understanding of what we had to protect," she explained.
When this was done, her team built a roadmap for implementing a zero-trust model. The roadmap included separate lines to implement zero trust for each of three buckets:
- Data stored and processed by GitLab itself as part of its SaaS service.
- User assets such as employee laptops used to access data.
- The back-end infrastructure that supports the business, all of which was managed by third parties.
From there, Wang identified opportunities that overlapped all three areas to accelerate adoption, minimize cost and maximize benefits.
"Not all solutions would work across all three roadmaps, but we tried to implement first the solutions that would work across more than one," she explained.
For example, all three lines called for using single sign-on for identity and access management, so Wang started there, rolling out a single sign-on solution from Okta that would govern access across all three buckets.
Wang's security team also implemented Uptycs' Osquery-Powered Security Analytics Platform to help them build out an asset database that could identify, or trust, all the attributes of a server or host before allowing access -- another key element of a zero-trust model. Wang said this move supported zero trust across the first two buckets on GitLab's roadmap.
GitLab's security team also implemented a Universal 2nd Factor (U2F) solution from YubiKey.
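To make the approach described above concrete, here is an added illustration (not GitLab's code, and not tied to the Okta, Uptycs or YubiKey products) of a single access decision that combines the four data tiers, an asset database of host attributes and the identity factors the article mentions. The field names, the sample inventory and the per-tier policy (which tiers require a healthy device and a second factor) are assumptions made for this example.

```python
"""Added example (not GitLab's code): a minimal zero-trust access decision that
checks identity, device attributes and data sensitivity on every request,
ignoring where on the network the request comes from.
Field names, thresholds and the inventory below are constructed."""
from dataclasses import dataclass

# Data tiers from most to least sensitive, as classified in the article.
TIERS = ("red", "orange", "yellow", "green")


@dataclass
class Host:
    hostname: str
    disk_encrypted: bool
    os_patched: bool
    endpoint_agent: bool  # assumption: an osquery-style agent reports attributes


@dataclass
class Session:
    user: str
    sso_authenticated: bool  # identity verified by the single sign-on provider
    u2f_verified: bool       # hardware second factor presented this session
    hostname: str


# Constructed inventory standing in for the asset database built from host data.
ASSET_DB = {
    "lap-0142": Host("lap-0142", disk_encrypted=True, os_patched=True, endpoint_agent=True),
    "lap-0377": Host("lap-0377", disk_encrypted=False, os_patched=True, endpoint_agent=True),
}


def access_decision(session: Session, data_tier: str) -> tuple:
    """Return (allowed, reason). Nothing is trusted by default; every check must pass."""
    if data_tier not in TIERS:
        return False, "unknown data tier"
    if not session.sso_authenticated:
        return False, "identity not verified via SSO"
    host = ASSET_DB.get(session.hostname)
    if host is None:
        return False, "host not in asset database"
    if not host.endpoint_agent:
        return False, "host attributes not attested"
    if data_tier == "green":
        return True, "public data"
    # Assumed policy: any non-public tier requires a healthy device...
    if not (host.disk_encrypted and host.os_patched):
        return False, "device posture insufficient"
    # ...and the two most sensitive tiers additionally require a second factor.
    if data_tier in ("red", "orange") and not session.u2f_verified:
        return False, "second factor required for sensitive data"
    return True, f"{data_tier} data: identity, device and factor checks passed"
```

Because the decision is a pure function of session and host attributes, the same logic can be re-run on every request, which is what makes the model continuous rather than a one-time gate.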
Wang, who left GitLab in 2019 after two years as the security chief, acknowledged that moving to a zero-trust model comes with challenges. For example, Wang and her team had to be careful to ensure that implementing new security measures, such as single sign-on, did not disrupt workflows. Wang's team planned small, phased rollouts to minimize the potential for disruptions. She also promoted the benefits of zero trust companywide to get buy-in, something that was particularly valuable when she needed users to take extra steps to help verify themselves before gaining access.
Increased adoption of zero trust
More security leaders are buying into the zero-trust concept. The 2020 Zero Trust Progress Report from software company Pulse Secure found in its survey of 400 cybersecurity decision-makers that 72% of organizations plan to assess or implement zero-trust capabilities in some capacity in 2020. Some 43% have projects planned and 29% have a zero-trust model in place or under way.
The report further identifies the zero-trust capabilities that organizations see as most compelling, including:
- Continuous authentication/authorization (67%)
- Trust earned through user/device/infrastructure verification (65%)
- Data protection (63%)
- End-to-end access visibility (56%)
- Facilitate least privilege access strategies (54%)
- Centralized, granular access policy (46%)
- Resource segregation (44%)
- No trust distinction between internal and external networks (39%)
Despite the promise -- and the hype -- around the zero-trust approach, Wang does not see it as a single stand-alone model for securing an enterprise.
"Zero trust, if rolled out well and thoughtfully, will cover a lot of bases, but it's not the only thing you need to do," she said. "Security is people, process and technology. If you don't have a large enough staff to put this together, if you don't have the budget to bring this to scale, that's a problem. Security is always about layers."
Others offered a similar outlook.
Gartner, the technology research and advisory firm, includes zero trust as part of its Continuous Adaptive Risk and Trust Assessment.
"We call it a strategic approach, a way to think about the evolution of security where everything is in flux all the time," said Gartner analyst Neil MacDonald.
He said organizations should see the zero-trust model, with its underpinning philosophy that nothing accesses anything until its identity is verified, as a starting point but should also implement processes to watch assets once they're in the network, too.
"Security can't be a set of one-time gates; security has to be continuous all the time," he explained. For instance, identity and access management is one gate, but then user and entity behavior analytics, with its use of analytics to monitor users' actions, provides an element of ongoing monitoring.
Although studies show that the majority of security leaders are at least considering zero-trust capabilities, MacDonald said the move to a zero-trust model and continuous monitoring is itself an ongoing process.
"This is a journey of phasing in zero trust, especially when legacy devices are involved," he said. "You can't just flip a light switch. It's hard [work], and that's why it's going to take years."