What’s Logs Got to Do With It?

Leveraging the cross-cutting capability of visibility and analytics for Zero Trust implementation

Written by Shruti Kulkarni, Cyber Security Architect at 6point6.

Visibility and analytics is a cross-cutting capability for Zero Trust. In simple terms, visibility is achieved based on logging and monitoring. System logging and monitoring have been around for a long time and existed before the term Zero Trust was coined. So what do logs have to do with Zero Trust, which centers around strong authentication and context-aware authorization before granting access? When we talk about logging and monitoring from the perspective of Zero Trust, we need to look at the Zero Trust principles and how visibility and analytics help implement those principles.

One of the key design principles of Zero Trust is eliminating implicit trust, which, in the absence of strong authentication of the entity and context-based access authorization, may allow breaches to occur. From an implementation perspective, the easiest way to start to address this challenge is to authenticate an entity with a phishing-resistant multi-factor credential each time it requests access to resources. However, this approach has an operational overhead and leads to poor user experience.

Addressing such challenges can be tricky. Here is where logging and monitoring, which is integral to visibility and analytics, supports Zero Trust implementation. Zero Trust recommends that logs from all log sources be aggregated in a common location. Logs provide visibility to the access requests placed by entities from specific devices and geolocations. Depending on their risk appetite, the organization may try to correlate and assess contextual information for access requests using analytics tools such as AI. Both these aspects provide support in determining if the entity was properly authenticated and authorized before granting access to the requested resource.

Policy deviations and manifested security incidents are detectable in the logs. This visibility helps provide feedback to finetune the contextual criteria around which access requests can be evaluated to reduce the number of deviations and incidents. Understanding the contextual criteria helps in evaluating access scenarios such that operational overhead is minimized and user experience is not impacted.

Another key principle of Zero Trust is that access is policy-based. Zero Trust recommends that policies be configured for fine-grained authorization of access requests based on risks, need-to-know basis, and least privilege. Based on the risk tolerance of the organization, policies can be based on contextual elements associated with access risks and applicable threats. Feedback obtained from logs by observing deviations and failures supports finetuning the policies.

Logs provide needed visibility to the inner workings of the Zero Trust implementation. Analytics can be utilized to analyze trends and identify patterns of behavior, which can then be used as feedback to finetune contextual criteria and access policies.

Using automation and orchestration, which is another cross-cutting capability of Zero Trust, the feedback loop into the finetuning of contextual information and access policies can be orchestrated with well-defined signals and alerts. This evolution with increasing degrees of automation is an important maturity level aspect of Zero Trust implementation. Automation reduces the time spent in applying the feedback manually and minimizes deviations that may take place in the time gap between the manifestation of the deviation and the manual application of feedback.

Logging and monitoring, which is known as visibility and analytics in Zero Trust, is intertwined with Zero Trust implementation and actively supports it in providing visibility to the inner workings of the security controls and helps reveal ways to improve Zero Trust operations.