Zero Trust

Ann Rotich
Oct 6, 2021

Zero Trust has become one of cybersecurity’s latest buzzwords. It’s imperative to understand what Zero Trust is, as well as what Zero Trust isn’t.

Zero Trust is a significant departure from traditional network security, which followed the “trust but verify” method. The traditional approach automatically trusted users and endpoints within the organization’s perimeter, putting the organization at risk from malicious internal actors and rogue credentials and allowing unauthorized and compromised accounts wide-reaching access once inside. This model became dated (and in some cases obsolete) as business transformation initiatives moved workloads to the cloud.

The Zero Trust Network, or Zero Trust Architecture, model was created in 2010 by John Kindervag, who at the time was a principal analyst at Forrester Research Inc., based on the realization that traditional security models operate on the outdated assumption that everything inside an organization’s network should be trusted. Under this broken trust model, it is assumed that a user’s identity is not compromised and that all users act responsibly and can be trusted. The Zero Trust model recognizes that trust is a vulnerability. Once on the network, users — including threat actors and malicious insiders — are free to move laterally and access or exfiltrate whatever data they are not explicitly restricted from. Remember, the point of infiltration of an attack is often not the target location.

Zero Trust is a security concept centered on the belief that organizations should not automatically trust anything inside or outside their perimeters, and instead must verify anything and everything trying to connect to their systems before granting access. It is a strategic initiative that helps prevent successful data breaches by eliminating the concept of implicit trust from an organization’s network architecture. Rooted in the principle of “never trust, always verify,” Zero Trust is designed to protect modern digital environments by leveraging network segmentation, preventing lateral movement, providing OSI model Layer 7 (Application Layer) threat prevention, and simplifying granular user-access control.

The strategy around Zero Trust boils down to “don’t trust anyone”: cut off all access until the network knows who you are, and don’t allow access to IP addresses, machines, etc. until you know who that user is and whether they’re authorized. Zero Trust is a security framework requiring all users, whether inside or outside the organization’s network, to be authenticated, authorized, and continuously validated for security configuration and posture before being granted or keeping access to applications and data. Zero Trust assumes that there is no traditional network edge; networks can be local, in the cloud, or a hybrid combination, with resources anywhere as well as workers in any location.

One of the inherent problems we have in IT is that we let too many things run far too openly, with too many default connections. We essentially trust far too much, and if you trust everything, you have no chance of changing anything security-wise.

The Technologies behind Zero Trust

The Zero Trust approach relies on various existing technologies and governance processes to accomplish its mission of securing the enterprise IT environment. The governance processes and industry guidelines are Forrester’s Zero Trust eXtended (ZTX) framework, Gartner’s CARTA, and more recently NIST SP 800-207, which offer a practical way to address current security challenges for a cloud-first, work-from-anywhere world.

Execution of this model combines advanced technologies such as Multi-Factor Authentication (MFA), Identity and Access Management (IAM), identity protection, and next-generation endpoint security technology to verify the user’s identity and maintain system security. Zero Trust eXtended also requires consideration of data encryption, securing email, giving users the least amount of access they need to accomplish a specific task, and verifying the hygiene of assets and endpoints before they connect to applications.

Basically, the Zero Trust approach says, for instance: let’s understand who the user is. Let’s really make sure this is [for example] Bill, and let’s make sure we understand what endpoint Bill is coming from — is it a known, secure endpoint, and what is the security status of that endpoint? And now let’s have a conditional policy, a policy [specifying] under which conditions someone can have access to something.

What are the core principles of the Zero Trust Approach?

  • Re-examine all default access controls. In a Zero Trust model, there is no such thing as a trusted source. The model assumes would-be attackers are present both inside and outside the network. As such, every request to access the system must be authenticated, authorized, and encrypted.
  • Employ a variety of preventative techniques that touch on identity, endpoint, data, and application access, such as identity protection and device discovery as well as Multi-Factor Authentication (MFA).
  • Enable real-time monitoring and controls to identify and halt malicious activity by using Security Information and Event Management (SIEM) software.

Tips for achieving Zero Trust

  • Assess the organization.

Define the attack surface and identify sensitive data, assets, applications, and services. Assess the organization’s current security tool-set and identify any gaps within the infrastructure. Ensure that the most critical assets are given the highest level of protection within the security architecture.

  • Create a directory of all assets and map the transaction flows.

Determine where sensitive information lives and which users need access to it. Review all authentication protocols and remove, or raise connection challenges for, any outdated or weaker systems (often local legacy systems). Consider removing stale accounts and enforcing mandatory password rotation.

  • Establish a variety of preventative measures.
      • Multi-factor authentication: MFA (including 2FA and third-factor authentication) is essential to achieving Zero Trust. These controls provide another layer of verification for every user inside and outside the enterprise, and should be triggered by risk increases or anomalous traffic.
      • Least privilege principles: Once the organization has determined where the sensitive data lives, grant users the least amount of access necessary for their roles. Review privileged accounts regularly, and assess whether those elevated privileges are still required as a user moves from group to group.
      • Micro-segmentation: Micro-perimeters act as border control within the system, tying access to identity and credentials and preventing unauthorized lateral movement. The organization can segment based on user group, location, or logically grouped applications.
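The conditional policy sketched earlier (who is the user, which endpoint is Bill on, is it known and compliant) together with the MFA, least-privilege and micro-segmentation measures just listed, worked through as a small policy decision point. This is an added example, not code from the post: the roles, resources, segments, thresholds and the sample principal are constructed assumptions, and every request is evaluated afresh rather than trusted from an earlier decision.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

@dataclass(frozen=True)
class Identity:
    user: str
    authenticated: bool        # identity proven to the identity provider
    mfa_age_s: Optional[int]   # seconds since last MFA challenge; None = never
    roles: FrozenSet[str]

@dataclass(frozen=True)
class Device:
    known: bool      # enrolled, inventoried endpoint
    compliant: bool  # posture check passed (patched, EDR running, disk encrypted)

@dataclass(frozen=True)
class Request:
    identity: Identity
    device: Device
    resource: str
    segment: str     # micro-segment the resource sits in
    risk: int        # 0-100 from monitoring/SIEM; anomalous traffic raises it

# Constructed least-privilege tables (hypothetical roles, resources and segments).
ROLE_RESOURCES = {"finance": {"payroll-db"}, "engineer": {"ci-server", "source-repo"}}
ROLE_SEGMENTS = {"finance": {"finance-net"}, "engineer": {"build-net"}}
MFA_MAX_AGE_S = 8 * 3600    # ordinary session: MFA must be at most 8 h old
MFA_STEPUP_AGE_S = 5 * 60   # elevated risk: demand a fresh challenge (5 min)
RISK_STEPUP = 60            # risk score at which step-up MFA is triggered

def evaluate(req: Request) -> Tuple[bool, str]:
    """Decide a single request. Run on every access; no prior decision is cached."""
    if not req.identity.authenticated:
        return False, "deny: unauthenticated"
    stepup = req.risk >= RISK_STEPUP
    max_age = MFA_STEPUP_AGE_S if stepup else MFA_MAX_AGE_S
    if req.identity.mfa_age_s is None or req.identity.mfa_age_s > max_age:
        return False, "deny: step-up MFA required" if stepup else "deny: MFA required"
    if not (req.device.known and req.device.compliant):
        return False, "deny: unknown or non-compliant endpoint"
    allowed_res = set().union(*(ROLE_RESOURCES.get(r, set()) for r in req.identity.roles))
    allowed_seg = set().union(*(ROLE_SEGMENTS.get(r, set()) for r in req.identity.roles))
    if req.resource not in allowed_res:
        return False, "deny: no least-privilege grant for resource"
    if req.segment not in allowed_seg:
        return False, "deny: micro-segment not reachable for this role"
    return True, "allow"

# Constructed sample principal and endpoint ("Bill" from the text above).
BILL = Identity("bill", True, 120, frozenset({"finance"}))
LAPTOP = Device(known=True, compliant=True)
```

Each `deny` reason maps to one of the controls above, so the same request can be allowed at low risk and bounced for a fresh MFA challenge once the monitoring score rises.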

Challenges of Zero Trust

  • Regulations have not yet adopted the Zero Trust model, which means organizations under compliance obligations may have trouble passing an audit.
  • Legacy applications, legacy network resources, legacy authentication protocols, and administrative tools such as mainframe computers and HR systems are difficult to bring under Zero Trust controls.
  • Limited visibility and control within the network is often one of the major factors challenging enterprises’ implementation of Zero Trust networks. Most organizations don’t have a comprehensive view into — or the ability to set policy around — all service accounts, individual users, and the privileges of each within their network, and are thus vulnerable to threats posed by unpatched devices, legacy systems, and over-privileged or stale users.

Conclusion

The Zero Trust approach requires organizations to continuously monitor and validate that a user and their device have the right privileges and attributes. It requires that the organization know all of its service and privileged accounts, and can establish controls over what and where they connect. One-time validation simply won’t suffice, because threats and user attributes are all subject to change.
