What is Zero Trust Security?

Hackers are experts at tricking people into revealing their login credentials and exploiting employee access privileges to carry out cyberattacks. This ability to enter through the digital "front door" rather than hack into a network has led to massive increases in ransomware and data breaches.
Cloud computing has exacerbated the volume and complexity of cyberattacks, as digital resources fall outside the corporate perimeter. The latest data show that the average cost of a data breach is $4.88 million. A methodology that helps mitigate security breaches is a security model known as "Zero Trust security".
What is Zero Trust Security?
Zero Trust security is an approach to defending an organization against cyber threats that places protection on the users, devices, and digital resources themselves rather than on the network perimeter. Every access request is verified before a transaction is allowed, no matter where it originates: being inside the corporate network confers no trust on its own.
The methodologies and technologies behind Zero Trust are integral to the verification and validation of access events; all identities, both human and non-human (e.g., a device), are checked in real-time. If verification fails, i.e., a trigger event identifies a potential issue, then the access attempt will either fail or require additional security. For example, if an employee is traveling and needs access to the corporate network, a Zero Trust approach would require the user to undergo additional security checks before allowing access. Zero Trust is a shift from static, closed-wall network perimeters to fluid and dynamic environments that accommodate disparate users, assets, and resources.
Why Have Zero-Trust Security Models Evolved?

A more comprehensive and risk-based approach was needed to secure corporate IT resources as the corporate perimeter changed with the advent of cloud computing. On-premise corporate networks were augmented or replaced by complex multi-cloud infrastructures. Increasingly, remote or hybrid working patterns have compounded the complex nature of modern organizational IT infrastructures. Sitting at the center of this digital transformation is digital identity. Users and their devices require seamless access to carry out work tasks.
However, identity accounts proliferated with the uptake of cloud computing and the sprawl of SaaS apps. The resulting complex mix of multiple identities and complex infrastructure was exploited by cybercriminals. Digital identity has become the focus of cyberattacks, with user access being abused to gain unauthorized access to disparate corporate resources. A Zero Trust approach to security was developed to help mitigate the identity-focused techniques and tactics used by modern cybercriminals.
Main Principles of a Zero Trust Approach
Zero Trust is based upon the following core principles:
"Never trust, always verify"
Never trust, always verify is the fundamental driving principle behind Zero Trust. Any user or device attempting to access an IT resource, such as data in an application, must have their access verified first. This Zero Trust response to an access request is performed for all users and devices, no matter if they are within the corporate network or accessing from outside, such as when traveling for work.
Each access attempt must be verified. Part of the fundamental "never trust, always verify" standpoint is that employees must be correctly assigned privileges. This stance aligns with the Principle of Least Privilege (PoLP) and associated methodologies, such as the use of "zero standing privileges," i.e., providing access only as required and for a limited period.
Continually Monitor and Assess
To enforce Zero Trust access control, networks, apps, users, and devices must be continually monitored. Monitoring should continue throughout a session to identify any unusual behaviour, such as exfiltration of large volumes of data. By monitoring the behavior of users and devices across a network and cloud environment, an IT team can be alerted to unusual events, allowing them to respond to potential security breaches.
Assume Complex Environments
Zero Trust is designed to handle secure access and authorization in complex environments. Its security approach is comprehensive, mitigating security breaches in mixed infrastructures that encompass local networks, cloud-based environments, and hybrid models.
Seven Pillars of Zero Trust Security
The Department of Defense (DoD) has developed a Zero Trust Reference Architecture (ZTRA) that is based on industry-recognized pillars describing capabilities and standards. The DoD's view of Zero Trust is a useful framework for any organization wishing to establish Zero Trust security principles:
[Figure: Zero Trust Framework, the seven pillars of the DoD Zero Trust Reference Architecture. Source: The Department of Defense]
Data
Securing your organization's data is fundamental to a Zero Trust approach, but to do so your organization must first have a clear understanding of what data it holds and where and how that data is generated, shared, and stored. Security policies provide the framework for applying protection according to the classification of the data; technologies such as encryption and least privilege access controls then enforce that protection.
Automation and Orchestration
Various tools and processes are used to orchestrate and automate security responses to streamline and enforce security. For example, Security Orchestration, Automation, and Response (SOAR) is used to coordinate security tools and processes within an organization's IT environment.
Users
Verify the identity of humans and non-humans, such as devices, using identity security methods like multi-factor authentication (MFA) and Privileged Access Management (PAM). Continuously authenticate, authorize, and monitor activity to enforce appropriate privileges.
Devices
Devices, as well as people, need to be governed by the Zero Trust "never trust, always verify" approach. This includes real-time authentication, posture assessment, and patching of devices. Mobile Device Management (MDM) is part of a ZTRA.
Workloads
Securing the entire lifecycle of a workload and the application layer it utilizes is an essential layer in a Zero Trust approach.
Visibility and Analytics
You can't protect what you can't see. Visibility of data across the expanded network and endpoints is essential to enforce ZT security policies.
Network/Environment
Network segmentation is a fundamental component of a ZTRA. Networks should be logically and physically isolated. Granular access is used to control the network for both on-premises and off-premises environments. By using microsegmentation, an organization can control privileges, manage and secure data flows, and prevent lateral movement.
How To Implement Zero Trust Security

Zero Trust security is about taking a 360-degree view of your data, IT infrastructure, and people. The core parts of a Zero Trust approach cover:
- User management and control
- Device and app security
- Network security
- Policy enforcement
Each of these parts has components that are utilized to create Zero Trust security:
Identity and Access Management (IAM)
Trusted interactions begin with robust identity management. Zero Trust expects that access events are verified and validated, and that these interactions are continually monitored to identify anomalous behavior. IAM should include the enforcement of least privilege access, zero standing privileges, privileged access management (PAM), multi-factor authentication (MFA), and risk-based authentication. In some use cases, such as consumer-service transactions, identity verification may also be required.
Multi-Factor Authentication (MFA)
MFA requires at least one additional factor beyond a password during access, such as a hardware token, an authenticator app, or a biometric, so that a stolen credential alone is not enough to gain entry.
Risk-Based Authentication
MFA can be triggered if a signal identifies an access event as potentially risky. This capability is useful, for example, if a company has implemented single-sign-on (SSO) to allow employees to sign on once and use multiple apps. If there is a change in the employee's behavior or location, the ZT system will initiate an MFA check during the SSO session.
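The access-request evaluation described in the IAM, MFA, and risk-based authentication passages above can be expressed as a small policy decision function. The following is an added example written for this page, not code from the original article or from any vendor product; the entitlement table, device-posture fields, MFA freshness window, and sample users are assumptions. It combines a time-bound entitlement check (zero standing privileges and least privilege), a device-posture check, and risk signals that trigger step-up MFA mid-session:

```python
"""Added example: a minimal Zero Trust policy decision point (PDP).

Illustrative code written for this page, not part of the original article or
any product. Field names, thresholds and the sample entitlements are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

UTC = timezone.utc

# Hypothetical time-bound entitlements: (user, resource) -> expiry.
# Nothing is granted permanently ("zero standing privileges").
ENTITLEMENTS = {
    ("alice", "payroll-db"): datetime(2025, 1, 1, 12, 0, tzinfo=UTC),
    ("bob", "wiki"): datetime(2025, 1, 1, 12, 0, tzinfo=UTC),
}
SENSITIVE = {"payroll-db"}          # resources that never accept a weak device
MFA_MAX_AGE = timedelta(hours=8)    # assumed freshness window for a prior MFA


@dataclass
class AccessRequest:
    user: str
    resource: str
    device_managed: bool
    device_compliant: bool
    country: str
    last_country: Optional[str]
    mfa_at: Optional[datetime]
    now: datetime


def decide(req: AccessRequest) -> tuple[str, list[str]]:
    """Return (decision, reasons) where decision is ALLOW, STEP_UP_MFA or DENY."""
    reasons: list[str] = []

    # 1. Least privilege: no valid, unexpired grant -> deny regardless of other signals.
    expiry = ENTITLEMENTS.get((req.user, req.resource))
    if expiry is None:
        return "DENY", ["no entitlement"]
    if req.now >= expiry:
        return "DENY", ["entitlement expired"]

    # 2. Device posture: unmanaged or non-compliant devices never reach sensitive data.
    if not req.device_managed:
        reasons.append("unmanaged device")
    elif not req.device_compliant:
        reasons.append("device out of compliance")
    if reasons and req.resource in SENSITIVE:
        return "DENY", reasons

    # 3. Risk signals that call for step-up MFA inside an existing SSO session.
    if req.mfa_at is None or req.now - req.mfa_at > MFA_MAX_AGE:
        reasons.append("MFA stale")
    if req.last_country and req.country != req.last_country:
        reasons.append("location change")

    if reasons:
        return "STEP_UP_MFA", reasons
    return "ALLOW", []


if __name__ == "__main__":
    now = datetime(2025, 1, 1, 9, 0, tzinfo=UTC)
    req = AccessRequest("alice", "payroll-db", True, True, "US", "US",
                        now - timedelta(hours=1), now)
    print(decide(req))
    req.country = "DE"   # same session, new country -> step-up
    print(decide(req))
```

The ordering matters: entitlement and device checks are evaluated before the MFA signals so that a successful step-up can never promote a request that should have been denied outright.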
Network Segmentation
Segmenting a network into zones and isolating those zones from each other limits the blast radius of a cyberattack. It also restricts lateral movement if an attacker gains unauthorized entry to one part of the network, so a compromised host cannot freely reach other systems. Segmentation can be applied per identity, per device, or per workload rather than per subnet, which is what is meant by microsegmentation.
Visibility and Analytics
Tools, such as mobile device management (MDM), help to visualize all devices across the organization. SIEM (Security Information and Event Management) can provide logging and analytics to gain insights into device security, data workflow issues, and configuration errors.
Continuous Monitoring
Visibility can help to identify any anomalous behaviour or events, and analyzing data from monitoring tools provides actionable insights.
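The "Continually Monitor and Assess" principle and the monitoring passage above both describe flagging unusual in-session behaviour such as bulk data exfiltration. The following is an added example, written for this page rather than taken from the article or any SIEM product, that runs that check over a constructed set of per-request egress records. The log format, the per-user baselines, and the 10x threshold are assumptions:

```python
"""Added example: session-level egress monitoring for a Zero Trust deployment.

Illustrative code written for this page, not from the original article. The log
format, baselines and threshold are assumptions; the log lines are constructed.
"""
from collections import defaultdict

# Constructed sample records: timestamp user session destination bytes_out
SAMPLE_LOG = """\
2025-01-01T09:00:01Z alice s1 crm.internal 12000
2025-01-01T09:02:10Z alice s1 crm.internal 8500
2025-01-01T09:05:42Z bob s2 wiki.internal 3000
2025-01-01T09:06:03Z carol s3 files.internal 52000000
2025-01-01T09:06:09Z carol s3 files.internal 61000000
2025-01-01T09:07:00Z bob s2 wiki.internal 4100
"""

# Assumed per-user baseline of egress bytes per session, e.g. learned from history.
BASELINE = {"alice": 50_000, "bob": 20_000, "carol": 2_000_000}
MULTIPLIER = 10  # a session above MULTIPLIER x baseline is flagged


def parse(log: str) -> list[dict]:
    """Parse whitespace-separated egress records into dicts."""
    records = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, user, session, dest, nbytes = line.split()
        records.append({"ts": ts, "user": user, "session": session,
                        "dest": dest, "bytes": int(nbytes)})
    return records


def bytes_per_session(records: list[dict]) -> dict[tuple[str, str], int]:
    """Sum egress bytes per (user, session)."""
    totals: dict[tuple[str, str], int] = defaultdict(int)
    for r in records:
        totals[(r["user"], r["session"])] += r["bytes"]
    return dict(totals)


def find_anomalies(records: list[dict], baseline=BASELINE,
                   multiplier=MULTIPLIER) -> list[dict]:
    """Return one alert per session whose egress exceeds multiplier x baseline.

    A user with no baseline gets a limit of 0, so any egress from an unknown
    identity is flagged (fail closed rather than fail open).
    """
    alerts = []
    for (user, session), total in bytes_per_session(records).items():
        limit = baseline.get(user, 0) * multiplier
        if total > limit:
            alerts.append({"user": user, "session": session, "bytes": total,
                           "limit": limit,
                           "action": "terminate_session_and_require_step_up"})
    return alerts


if __name__ == "__main__":
    for alert in find_anomalies(parse(SAMPLE_LOG)):
        print(alert)
```

In a real deployment the alert would be fed to the policy engine so the session is revoked and re-authentication with MFA is demanded, closing the loop between monitoring and enforcement.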
Security Orchestration Automation and Response (SOAR)
SOAR tools help automate responses to security events. The SANS Institute's survey on "The State of Automation in Security Operations" found that many companies do not deploy SOAR due to cost and the engineering effort required for deployment. Instead, they use SIEM to manage security alerts. The report predicts that companies will increasingly rely on the automation offered by SOAR to manage alerts and incident response.
Encryption
Securing data at rest and in transit is essential to protect information throughout its lifecycle.
Secure Devices and Applications
The security of devices and apps encompasses regular updates and patching. Data loss prevention (DLP) tools help to stop sensitive data from leaving the organization through channels such as email, cloud storage, or removable media. Devices and applications should be included in penetration testing to identify vulnerabilities before an attacker does.
Policy Enforcement
Who, what, when, where, and why of interactions with your IT environment should inform the creation of Zero Trust security policies. The tools and solutions that implement a Zero Trust security approach are then used to enforce those policies.
Using a Zero Trust approach to security is a tried and trusted way to ensure that digital resources across the expanded network have robust security enforced. To achieve a Zero Trust environment, an organization must implement a range of security measures and policies to create a defense-in-depth approach. By never trusting and always verifying interactions across an IT infrastructure, an organization can mitigate the increasing volume of cyberattacks that exploit modern computing.
FAQs
Who invented the concept of Zero Trust?
The concept behind Zero Trust emerged from the "deperimeterization" of the corporate network with the advent of cloud computing. Around 2004, the Jericho Forum, now part of The Open Group, promoted de-perimeterization: moving security controls to the data and systems themselves rather than relying on a hardened network boundary. In 2010, Forrester Research analyst John Kindervag opened the floodgates for Zero Trust when he argued that trust itself was a vulnerability and that security strategy should be based on the notion of "never trust, always verify".
What is the NIST Zero Trust architecture (ZTA)?
NIST SP 800-207 defines the Zero Trust Architecture (ZTA): its logical components, deployment models, and the principle that access decisions are made per request by a policy engine. NIST SP 1800-35, the companion practice guide from the National Cybersecurity Center of Excellence, shows how to implement that architecture to protect digital resources both within and outside the corporate perimeter, covering 19 example ZTA builds achievable with off-the-shelf commercial technologies.
How can a small company implement Zero Trust?
Implementing a Zero Trust approach to security can seem onerous as there are many areas of a business and security measures involved. If your organization has in-house security skills, you can use the myriad of online resources to begin the process of creating your own Zero Trust architecture. However, if you do not have skilled staff to carry out the necessary implementation, you can use a managed service provider (MSP) that specialises in security. An MSP will have the staff and knowledge to apply the tenets of Zero Trust to secure your digital resources.