Zero Trust Patching: ‘Never Trust, Always Patch’

Wondering what today’s hot Zero Trust trend means for your organization? Zero Trust is a massive shift based around the principle of “never trust, always verify.” 

To many IT professionals, that sounds like a lot of work. But don’t worry; the industry is moving this way already, driven by large tech companies, government, and other security and risk leaders. And as the big players shift, so does the entire industry, with tools entering the market to meet the demand from a range of business sizes and budgets.

This means you can benefit from solutions that make adopting Zero Trust much simpler.

In this post, we’ll look at how the need for Zero Trust came about, what it involves, and how a few simple steps can help your organization start getting ready today.

Why Zero Trust Became Necessary 

You may have heard rumors that the perimeter is “dead” or “irrelevant” when it comes to computer security. What does that mean? Well, a traditional on-site network is typically defined by a perimeter-based security model. This creates an environment of trust, which works fairly well.

This classic model is like when you go to a sports event/game—there’s always a security guard at the turnstile. Let’s look at the procedure:

• They check your ticket to make sure you’re allowed to come in.
• They check your backpack to make sure you’re not bringing in unauthorized substances (alcohol, drugs, glass bottles, weapons, etc.).
• Once you’ve passed this check, you’re “trusted” and can roam freely around the stadium.
• You can even take a seat that isn’t yours (unless the seat’s legitimate ticket holder catches you!).

Computer security—at least with the classic model—works this way as well. When a user shows up at the perimeter of your organization’s network, say a traditional VPN…

• There is a basic check to make sure they are who they say they are (this is done often with passwords, which are flawed in several important ways).
• There are probably malware checks to ensure that malicious payloads don’t sneak in with them.
• And then, very often, they are set loose and can sometimes roam wherever they like within your network.

It’s not that this model doesn’t work. But it is easy to see why it can’t cope with the complexities of today’s networks, as the range of endpoint types accessing the network has broadened. From a fairly simple model in which servers and workstations were connected through a LAN or WAN, enterprise networks today have evolved into a distributed model that can include a complex web of cloud-based infrastructure and services, mobile and remote endpoints, and connections to a nearly infinite possible variety of IoT devices. In other words, it’s no longer enough just to post a security guard at the door.

Zero Trust security, on the other hand, introduces a model similar to badges in many workplaces:

• Every door, filing cabinet, server room, production floor, etc., are locked by default.
• Everybody entering the business is verified and gets a badge, from the CEO to ordinary visitors.
• Your badge identifies the types of resources you have access to.
• The badge automatically opens doors to which you have access—all other doors stay locked.

The whole process begins with strong user identity verification. In a Zero Trust system:

• No user gets through the door (accesses the network) without proving their identity.
• This is often done via multi-factor authentication for stronger-than-password identification.
• User “health” is also part of this verification check in most Zero Trust systems since a compromised endpoint is by definition a security hazard.

This model tightens security holes and makes regulatory compliance easier as well. That’s because many regulatory standards require users to have “least privilege” by default, meaning they only have access to the data they need for business purposes. Zero Trust automatically takes care of this for you.

From Zero Trust to ZTX

Over the last decade, Forrester has become the leading expert when it comes to promoting a consistent, secure definition of Zero Trust. Forrester’s Zero Trust eXtended (ZTX) framework creates standardization with seven essential pillars for a totally airtight “trustless” environment:

1. Workforce security: Identification and access control of all network users
2. Device security: Identification and verification of all devices accessing network resources; covers a vast range of endpoints 
3. Workload: Isolation of all applications, processes, and resources to avoid unauthorized access
4. Network: Segmentation and other strategies to isolate sensitive resources and prevent access
5. Data security: Categorization of data within the organization to aid in determining which users must be granted access
6. Visibility and analytics: Monitoring and analysis, including through the use of automation and AI to detect anomalies and configuration problems and control data flow
7. Automation and orchestration: Implementation of centralized control over the zero trust model

One reason Forrester created the ZTX framework is that the term really resonated across the industry. But then, as it became a popular buzzword, it began losing its meaning. ZTX resolves this by providing concrete criteria for success.

It’s important to understand that ZTX isn’t a single tool or even a suite of tools; it’s a framework to ensure that organizations and vendors are on the same page. When security products comply with ZTX, they help your organization move in the right direction.

So how can you do that?

As a recent Forrester article on ZDNet explains, there’s no “easy button” when it comes to implementing ZTX, but they strongly advise beginning by “considering tools and technology to address the areas where you’re lacking and integrating Zero Trust implementation into existing business, IT, and security projects.”

The Most Dangerous Myth of Zero Trust

In light of Zero Trust, a dangerous tendency has emerged in the security world to dismiss patching as obsolete. This is due to a few myths that have popped up about patching, but they are all just that—myths.

• • Myth: We need Zero Trust since “patching doesn’t prevent hacking,” as stated in this Security Week article.
  • Myth: Since most exploits rely on social engineering, no amount of patching is good enough.
  • Myth: Zero Trust REPLACES the need for patching because it’s more secure.

• Fact: Smart security professionals realize that we still need both.

As Forrester has made very clear through its seven pillars, the role of ZTX is not to supersede patching—patching simply becomes part of the Zero Trust ecosystem.

For instance, patching is an essential element for Pillar #2: device security. The health of endpoints will always be a major consideration in any Zero Trust framework because all it takes is one rotten apple to infect your entire network.

In this report on the Zero Trust paradigm, AT&T states that “a comprehensive vulnerability and patch management program will keep enterprise-owned devices in their most protected and functioning state;” thus, patching forms the foundation of a successful Zero Trust architecture.

And in fact, the best patching tools also help your org advance toward Pillar #7: automation and orchestration.

JetPatch: One Big Step Toward Zero Trust

It probably won’t come as a surprise that Zero Trust is nothing new for JetPatch, a modern tool that helps you red-flag and remediate vulnerabilities. We’ve built JetPatch around the core principle of Zero Trust: “Never trust, always patch.”

According to the AT&T zero trust architecture report, in order for Zero Trust to succeed, “Continuous monitoring of device and application state is required to identify and address security vulnerabilities as needed.”

This is exactly what JetPatch is designed to provide: continuous monitoring via a dynamic dashboard that gives you clear visibility into the health status of your endpoints. This means your move toward a Zero Trust framework could be far easier than you imagined.

JetPatch is designed to work in modern distributed environments across a broad range of endpoints, including on-premises, cloud, hybrid, and BYOD through JetPatch remote workforce Patching. It’s truly a one-stop platform, offering a simplified view of current patching status, along with tools to help you automate patch rollout and predict patch success so you can plan accordingly. No point in waiting—to be Zero Trust ready, you have to proactively fix those vulnerabilities. Now you have the data at your fingertips and the ability to automate those processes, once and for all.

Make your shift to Zero Trust simpler, no matter where you are in the process.