What is Zero Trust?
Complexity has outstripped legacy methods of cybersecurity as there is no single, easily identified perimeter for enterprises. As a result, security teams are shifting network defenses toward a more comprehensive IT security model to accommodate this new security climate.
The Zero Trust approach enables organizations to restrict access controls to networks, applications and environments without sacrificing performance and user experience. Simply stated, it’s an approach that trusts no one.
As more and more organizations leverage cloud computing, the traditional network security perimeter has all but vanished, and security teams are finding it difficult to identify who and what should be trusted with access to their networks. As a result, a growing number of organizations are considering adopting a Zero Trust network architecture as a key component of their enterprise security strategy.
What is a Zero Trust architecture?
Perimeter network security focuses on keeping attackers out of the network. However, this traditional approach is vulnerable to users and devices inside the network.
Traditional network security architecture leverages firewalls, access controls, intrusion prevention systems (IPSs), security information and event management tools (SIEMs) and email gateways by building multiple layers of security on the perimeter — layers that cyber attackers may have already learned to breach. “Verify, then trust” security trusts users inside the network by default. So anyone with the right user credentials can potentially be admitted to the network’s complete array of sites, apps and devices.
Zero Trust assumes the network has been compromised and challenges the user or device to prove that they have an acceptable risk level. It requires strict identity verification for every user and device attempting to access resources on a network, even if the user or device are already within the network perimeter. Zero Trust also provides the ability to limit access once anyone is inside the network, preventing an attacker from exploiting lateral freedom throughout an organization’s infrastructure.
Recently, Zero Trust, as a concept came into focus when U.S. President Joe Biden issued an executive order requiring agencies to have a plan to adopt a Zero Trust framework within 90 days. The order also provided clear recommendations and timeframes for public and private organizations to implement key technology and process improvements.
Here is more information on the Executive Order.
Principles of Zero Trust
As part of its effort to guide federal agencies' efforts to adopt Zero Trust, the National Institute of Standards and Technology (NIST) outline the principles of Zero Trust as the following:
- All data sources and computing services are considered resources.
- All communication is secure regardless of network location; network location does not imply trust.
- Access to individual enterprise resources is granted on a per-connection basis; trust in the requester is evaluated before access is granted.
- Access to resources is determined by policy, including the observable state of user identity and the requesting system, and may include other behavioral attributes.
- User authentication is dynamic and strictly enforced before access is allowed; this is a constant cycle of access, scanning and assessing threats, adapting and continually authenticating.
Zero Trust security benefits
Zero Trust enables organizations to reduce risk to their cloud and container deployments while also improving governance and compliance. Organizations can gain insight into users and devices while identifying threats and maintaining control across the network. A Zero Trust approach can help identify business processes, data flows, users, data and associated risks. The model helps to set policy rules that can be automatically updated based on associated risks,.
Adopting Zero Trust enables organizations increase their level of continuous verification, enabling them to detect intrusions and exploits quickly in order to help stop attacks before they can succeed:
- Phishing emails targeting employees
- Lateral movement through corporate network
- Redirecting a shell to a service to compromise a corporate machine
- Stolen developer password
- Stolen application database credentials
- Exfiltration of database via compromised application host
- Compromising application host via privileged workstation
- Using developer password to elevate application host privileges
- Installing keylogger via local privilege escalation on workstation
Putting the Trust in Zero Trust
Zero Trust capabilities can be integrated into business processes, services and systems that, as a result, are better enabled to:
- Prevent data breaches and contain lateral movement using application micro-segmentation.
- Expand security protection across multiple computing and containerized environments, independent of the underlying infrastructure.
- Gain visibility into users, devices, components and workloads across the network, all while identifying what is running and enforcing policies.
- Monitor and respond in real time to signs of compromise; providing logs and reports and delivering alerts that promote detection and response to threats.
- Ensure organizational security while still providing a consistent user experience.
Best practices for implementing Zero Trust
Organizations seeking to implement a Zero Trust security framework must address the following:
- Identify Sensitive Data – Identify and prioritize data according to risk: know where it lives and who has access to it.
- Limit and Control Access – Establish limits to users, devices, apps and processes seeking data access; a least-privilege access control model should be limited to a “need-to-know” basis.
- Detect Threats – Monitor all activity continuously related to data access, comparing current activity to baselines built on prior behavior and analytics; combining monitoring, behaviors, rules, and security analytics enhances the ability to detect internal and external threats.
A strong Zero Trust security model features the following principles:
- Authenticated access to all resources – Zero Trust views every attempt to access the network as a threat. While traditional security often requires nothing more than a single password to gain access, multi-factor authentication (MFA) requires users to enter a code sent to a separate device, such as a mobile phone, to verify they are in fact who they claim to be.
- Least privilege-controlled access – Allowing the least amount of access is a key principle of Zero Trust. The objective is to prevent unauthorized access to data and services and make control and enforcement as granular as possible. Zero Trust networks grant access only when absolutely necessary, rigorously verifying requests to connect to systems and authenticating them beforehand. Constricting security perimeters into smaller zones to maintain distinct access to separate parts of the network limits lateral access throughout the network. Segmented security becomes increasingly important as workloads become more mobile.
- Inspect and log activity using data security analytics – Continuous monitoring, inspection and logging of traffic and activities. User account baselines should be established to help automatically identify abnormal behaviors indicative of malicious activity