by Anastasios Arampatzis
“Trust is like blood pressure. It’s silent, vital to good health, and if abused it can be deadly.” –Frank Sonnenberg, author of Follow Your Conscience
“Trust, but verify.” –Ronald Reagan
As cybersecurity professionals defend increasingly distributed and complex corporate networks from sophisticated cyber threats, embracing a Zero Trust security model and the mindset necessary to deploy and operate a system engineered according to Zero Trust principles can better position them to secure sensitive data, systems, and services.
Digital transformation, the proliferation of disruptive technologies and emerging trends such as ‘work from home’ have made the digital boundaries of corporations disappear. With boundaries diminishing, traditional perimeter security solutions have become inadequate to respond to increasing demands for access from literally everywhere. These developments, coupled with the alarming increase in data breaches and security incidents, have rendered the concept of trust extinct. Hence, Zero Trust security is based on the tenet “Never Trust, Always Verify” and views trust as a vulnerability.
What is Zero Trust security?
Zero Trust is a security model, a set of system design principles, and a coordinated cybersecurity and system management strategy based on an acknowledgement that threats exist both inside and outside traditional network boundaries. The Zero Trust security model eliminates implicit trust and instead requires continuous verification of the operational picture via real-time information fed from multiple sources to determine access and other system responses.
Zero Trust is a strategic initiative and principle that helps organisations prevent data breaches and protect their assets by assuming no entity is trusted. The National Institute of Standards and Technology (NIST) defines Zero Trust as “a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as compromised.”
Zero Trust goes beyond the “castle-and-moat” concept which dominated traditional perimeter security, recognising that when it comes to security, trust is a vulnerability. The Zero Trust security model assumes that a breach is inevitable or has likely already occurred, so it constantly limits access to only what is needed and looks for anomalous or malicious activity. Traditional security concepts considered all users trusted once inside a corporate network – including threat actors and malicious insiders. That trust gave them the ability to move laterally and to freely access or exfiltrate any data they were not explicitly restricted from.
Zero Trust is a security model that requires strict identity verification and moves the decision to authenticate and authorize closer to the resource. The definition of Zero Trust indicates that its focus is on authentication, authorization, and minimizing implicit trust zones while maintaining availability and providing seamless authentication mechanisms. Access to resources is as granular as possible, based on the combination of several contextual factors to enforce least privileges required to perform the requested action.
To achieve its goal, Zero Trust is governed by the following foundational principles:
- Access to corporate resources is dynamic, enforced per session, and adapted based on information collected about the status of the user or device identity, the application or service to be accessed, and other behavioural and environmental factors.
- All communications to resources must be authenticated, authorized, and encrypted.
- Authentication and authorization are location agnostic.
- The integrity and security posture of all corporate assets are continuously monitored.
The above principles are technology agnostic and apply to policies and strategies within an organization to provide a holistic approach to network security.
Approaches to Zero Trust security
NIST recently published NIST SP 800-207, Zero Trust Architecture, which serves as a blueprint for Zero Trust and “gives general deployment models and use cases where zero trust could improve an enterprise’s overall information technology security posture.” The publication describes two approaches to building an effective Zero Trust security architecture: an identity-centric approach and a network-centric approach.
The identity-centric approach places the identity of users, services, and devices at the heart of corporate security policy. Policies to access corporate assets are based on identity and assigned attributes. The primary requirement to access corporate resources is based on the access privileges granted to a user, service or device. The policy enforcement considers other factors, such as device used, asset status, and environmental attributes to provide an adaptive authentication mechanism.
The network-centric approach is based on network micro-segmentation of corporate resources. To implement this approach, the enterprise uses infrastructure devices such as intelligent switches (or routers), Next Generation Firewalls (NGFW) or Software Defined Networks (SDN) as policy enforcement points protecting each resource or group of related resources.
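As an added illustration (not code from the article or from ADACOM), the per-request decision that the principles above and the identity-centric approach describe can be sketched as a small policy decision point in Python. The resource policies, role attributes, risk scores and device-posture flags are constructed sample values, and the function names are hypothetical.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    """One access request with the context a policy engine sees (constructed)."""
    subject: str
    roles: frozenset            # attributes assigned to the identity
    action: str                 # e.g. "read", "write"
    resource: str               # e.g. "payroll-db"
    device_compliant: bool      # endpoint posture attested by EDR/MDM
    mfa_verified: bool          # strong authentication completed this session
    risk_score: int             # 0-100 from behavioural/environmental signals
    transport_encrypted: bool   # request arrived over an encrypted channel
    on_corporate_lan: bool      # logged for context only; never grants trust


# Hypothetical per-resource policy: role -> permitted actions, plus the highest
# risk score tolerated for that resource.
POLICIES = {
    "payroll-db": {"allowed": {"hr": {"read", "write"}, "auditor": {"read"}},
                   "max_risk": 30},
    "wiki": {"allowed": {"hr": {"read"}, "auditor": {"read"},
                         "engineer": {"read", "write"}},
             "max_risk": 70},
}


def decide(req: Request) -> str:
    """Evaluate one request; return 'allow', 'step_up' or 'deny'. Network
    location is deliberately not an input: the corporate LAN earns no trust."""
    policy = POLICIES.get(req.resource)
    if policy is None:
        return "deny"                   # unknown resource: default deny
    if not req.transport_encrypted:
        return "deny"                   # all communication must be encrypted
    if not req.device_compliant:
        return "deny"                   # device may be compromised
    permitted = set()
    for role in req.roles:
        permitted |= policy["allowed"].get(role, set())
    if req.action not in permitted:
        return "deny"                   # least privilege: not entitled
    if req.risk_score > policy["max_risk"]:
        return "deny"                   # context too risky for this asset
    if not req.mfa_verified:
        return "step_up"                # adaptive auth: demand fresh MFA
    return "allow"
```

Each call evaluates a single session, so the same subject on the same device can be allowed one minute and denied the next as the risk score or device posture changes.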
A Zero Trust mindset
To be fully effective at minimizing risk and enabling robust and timely responses, Zero Trust principles and concepts must permeate most aspects of the network and its operations ecosystem. Organizations, from chief executive to engineer and operator, must understand and commit to the Zero Trust mindset before embarking on a Zero Trust path.
Zero Trust security is more of a broad strategy, rather than a defined architecture, which allows it to adapt and respond to changing times. The goal of Zero Trust is a mindset shift to treat all devices as potential threats. While this level of suspicion may seem like overkill, it is necessary in today’s emerging threat environment. Between employees working remotely and companies extending bring-your-own-device (BYOD) policies, it is harder for security teams to protect devices behind a firewall as they may have done in the past.
To adequately address the modern dynamic threat environment, a Zero Trust mindset requires:
- Coordinated and aggressive system monitoring, system management, and defensive operations capabilities.
- Assuming all requests for critical resources and all network traffic may be malicious.
- Assuming all devices and infrastructure may be compromised.
- Accepting that all access approvals to critical resources incur risk, and being prepared to perform rapid damage assessment, control, and recovery operations.
Five steps to Zero Trust
Here are some steps to keep in mind when implementing a zero-trust security strategy:
- Define the surfaces you want to protect: Protect surfaces are those that include the data and assets most critical for your company.
- Map workflows across your network: Knowing how different resources communicate with each other gives better insight into where to place security controls.
- Build the Zero Trust network as a custom solution: Zero Trust needs to be unique to your business. Identifying how employees interact with their applications and data allows you to build a strategy to specifically address those use cases.
- Create specific security policies: Zero Trust demands granular policy enforcement. You need to know who accesses what data on which device. Once you have mapped that, you can build the strategy around it.
- Monitor and maintain all networks: Zero Trust is an iterative process. Because it is customized to your business, it requires maintenance and revision as access patterns change.
ADACOM offers a wide variety of services and solutions which businesses can leverage to engineer a Zero Trust architecture. These services span from data governance and risk assessment to strong authentication and endpoint detection and response (EDR) to privileged access management (PAM) and identity access management (IAM).
As cyberattacks increase in frequency and severity, new strategies are necessary to secure organizational networks and data. Data is paramount today. The companies that protect their customer and employee data will be the ones who stay one step ahead of the competition.
You may learn more about how ADACOM can help you build your Zero Trust strategy by contacting our experts.