Today’s organizations need a security model that more effectively adapts to the complexity of the modern environment, embraces the hybrid workplace, and protects people, devices, apps, and data wherever they’re located. Zero Trust is a significant departure from the traditional network security framework, which followed the “trust but verify” method. That model is becoming more and more obsolete as the business transformation initiatives of migrating to the cloud and the acceleration of a distributed work environment (due to the pandemic that started in 2020) become more entrenched. Because our computing environments have changed, our security framework for securing and protecting these environments needs to change as well.
What is Zero Trust security?
First, it’s important to understand that Zero Trust isn’t a product (although, you will need new and different products to support it!). Zero Trust is a security framework. More specifically, Zero Trust is a holistic, strategic approach to security that ensures every user and device that is granted access to a company’s resources is who or what they say they are. The traditional approach automatically trusted users and endpoints within the organization’s perimeter, putting the organization at risk from malicious internal actors and legitimate credentials taken over by malicious actors, allowing unauthorized and compromised accounts wide-reaching access once inside.
Instead of assuming everything behind the corporate firewall is safe, the Zero Trust model assumes breach and verifies each request as though it originates from an open network. Regardless of where the request originates or what resource it accesses, Zero Trust teaches us to “never trust, always verify.” Every access request is fully authenticated, authorized, and encrypted before granting access. Microsegmentation and least privileged access principles are applied to minimize lateral movement.
The NIST 800-207 standard for Zero Trust is the most vendor neutral and comprehensive set of standards, not just for government entities, but for any organization.
Why is Zero Trust relevant now?
The traditional network security perimeter barely exists now, and it’s continuing to erode by the minute. In today’s digital world, data is spread across an almost infinite number of services, devices, applications, and people, and that number just keeps growing. Zero Trust assumes that the traditional network edge isn’t there. In the modern enterprise, networks can be local, in the cloud, or part of a hybrid model. Resources can be anywhere - and the workers accessing those resources can be anywhere, too. If a business is still trying to secure its digital assets with an outdated model of perimeter security, it’s at risk.
If this sounds familiar, it’s time to consider a switch.
Even agencies in the federal government are transitioning to Zero Trust now. In fact, that’s a key reason that this methodology has been generating so much attention over the past year. In May 2021, the Biden administration issued its Executive Order on Improving the Nation’s Cybersecurity, mandating that federal agencies move to a Zero Trust security model. Earlier this year, it followed up with the Federal Zero Trust Architecture Strategy, which outlines specific actions federal agencies need to take to adopt Zero Trust architecture over the next few years.
However, many other organizations in the public and private sectors that aren’t required to move to Zero Trust are still deciding to make this journey because they see it as a way to reduce risk and better secure digital transformation. An ESG Research Report shows that this approach to security can result in 50% fewer breaches. But beyond protecting valuable data by reducing the chance of a breach, there’s also a bottom-line benefit to Zero Trust: Companies spend 40% less on technology because everything is integrated.
Also, according to a recent Forrester study, companies that adopted Zero Trust were twice as confident in their ability to bring new business models and customer experiences to market. Preventing attacks and reducing the risk of data loss are great outcomes of a Zero Trust approach, of course, but making products and experiences that customers love is what makes a company great.
The core principles of zero trust
The Zero Trust model (based on NIST 800-207) includes the following core principles:
- Continuous verification. Always verify access, all the time, for all resources.
- Limit the “blast radius.” Minimize impact if an external or insider breach occurs.
- Automate context collection and response. Incorporate behavioral data and get context from the entire IT stack (identity, endpoint, workload, etc.).
Zero Trust security best practices
So, what’s involved in enforcing a Zero Trust security policy? It requires the application of an array of security best practices - ones that just make good business sense anyway given the nature of today’s cybersecurity threat landscape. For example, an organization that has adopted a Zero Trust framework will need to implement practices such as:
- Validating the identities of all users through multi-factor authentication (MFA)
- Keeping all devices updated and in good health through vigilant patch management and software updates
- Conducting thorough observation and monitoring to obtain the most valuable data to inform access control implementation
- Limiting access controls to specific applications, resources, data, and assets, rather than the broader network
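The principles above (verify every request, limit the blast radius, collect context) and the four practices just listed are easiest to see as a single access decision. The following is an added illustration, not code from the original post or from any Zero Trust vendor: a minimal policy decision point that evaluates one request against identity signals (MFA, freshness of authentication), device health (managed, encrypted, patched), and a policy scoped to a named application rather than the network, with default deny. All class names, thresholds (14-day patch window, 8-hour re-authentication) and sample users and devices are constructed for the example.

```python
"""Minimal Zero Trust policy decision point (added example, not from the post).

Every request is evaluated against identity, device posture and a
per-resource policy. Default deny: access is granted only when every
check passes. Names, thresholds and sample data are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Identity:
    user: str
    groups: frozenset
    mfa_verified: bool
    authenticated_at: datetime   # time of the session's last strong authentication


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool          # enrolled in endpoint management
    patch_age_days: int    # days since the last OS/security update
    disk_encrypted: bool


@dataclass(frozen=True)
class ResourcePolicy:
    resource: str          # a specific app or data set, never "the network"
    allowed_groups: frozenset
    require_mfa: bool = True
    max_patch_age_days: int = 14
    reauth_after: timedelta = timedelta(hours=8)


# Constructed sample policy set: access is scoped to named resources only.
POLICIES = {
    "payroll-app": ResourcePolicy("payroll-app", frozenset({"finance"})),
    "wiki": ResourcePolicy("wiki", frozenset({"staff"}), require_mfa=False),
}


def evaluate(identity, device, resource, now, policies=POLICIES):
    """Decide one access request. Returns (decision, reasons).

    The reasons list is what an administrator would see in the access log;
    recording it on every decision is the "automate context collection" part.
    """
    policy = policies.get(resource)
    if policy is None:
        # A resource nobody has written a policy for is not reachable at all.
        return "deny", ["no policy defined for resource"]

    reasons = []
    # 1. Continuous verification: strong authentication must be present and fresh.
    if policy.require_mfa and not identity.mfa_verified:
        reasons.append("mfa required")
    if now - identity.authenticated_at > policy.reauth_after:
        reasons.append("authentication too old; re-authenticate")
    # 2. Least privilege: only the groups named for this specific resource.
    if not (identity.groups & policy.allowed_groups):
        reasons.append("user not in an allowed group")
    # 3. Device health: managed, encrypted and recently patched.
    if not device.managed:
        reasons.append("device not managed")
    if not device.disk_encrypted:
        reasons.append("disk not encrypted")
    if device.patch_age_days > policy.max_patch_age_days:
        reasons.append(f"device unpatched for {device.patch_age_days} days")

    if reasons:
        return "deny", reasons
    return "allow", [f"{identity.user} -> {resource} via {device.device_id}"]


# Constructed sample identities and devices.
NOW = datetime(2022, 6, 1, 9, 0, tzinfo=timezone.utc)
ALICE = Identity("alice", frozenset({"staff", "finance"}), True, NOW - timedelta(minutes=30))
BOB = Identity("bob", frozenset({"staff"}), False, NOW)
LAPTOP = Device("lt-0042", managed=True, patch_age_days=3, disk_encrypted=True)
BYOD = Device("phone-unknown", managed=False, patch_age_days=90, disk_encrypted=False)


def demo():
    """Run a handful of representative requests through the decision point."""
    return {
        "good": evaluate(ALICE, LAPTOP, "payroll-app", NOW),
        "byod": evaluate(ALICE, BYOD, "payroll-app", NOW),
        "stale": evaluate(ALICE, LAPTOP, "payroll-app", NOW + timedelta(hours=9)),
        "wrong-group": evaluate(BOB, LAPTOP, "payroll-app", NOW),
        "unknown": evaluate(ALICE, LAPTOP, "hr-db", NOW),
    }


if __name__ == "__main__":
    for name, (decision, reasons) in demo().items():
        print(f"{name:12s} {decision:5s} {'; '.join(reasons)}")
```

Two design points carry the model: the same user on the same day gets a different answer depending on the device and on how long ago they authenticated, and a resource with no explicit policy is unreachable rather than implicitly open. The reasons returned on every denial are the raw material for the monitoring the third practice calls for.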
Identify what you need to protect most
But what is the real first step toward implementing Zero Trust other than deciding to make the journey? It’s outlining the “protect surface” - or what is most valuable to your organization. What data, applications, assets, and services (DaaS) does the organization need to protect to keep the business up and running normally? By defining the protect surface, an organization can then focus its resources strategically on defending what really matters to the business, instead of trying to identify and protect the entire attack surface or focusing on just the perimeter (which we already know isn’t effective). Also, because the protect surface is much smaller than the attack surface or the perimeter, it is easier to protect.
Identify the nooks and crannies of your network
When you’re building a Zero Trust architecture, it’s extremely important to start by mapping the organization’s network topology so that you know where your assets are located. The goal is to understand who your users are, what devices they’re using, what applications they’re running, and which services and data they’re accessing. Pay special attention to components that use the network. Under Zero Trust, you need to consider any network as hostile - whether it’s your local network or an unsecured public network. Also, consider existing services that weren’t designed for a Zero Trust architecture, as they may not be able to defend themselves under the new, stricter methodology.
Once the network topology is mapped, it’s time to determine how your systems work. This will help you understand where you need to create access controls, so you can verify that a user or entity fulfills the correct criteria for gaining access to protected areas. These controls will also help ensure that no communication can occur between a user and application that are unknown to security admins.
Additional resources on the Zero Trust framework
To reiterate, when a business adopts a Zero Trust approach to security, it’s making the choice to require all users, whether they’re inside or outside of the organization’s network, to be authenticated, authorized, and continuously validated for security configuration and posture before they are granted access to applications and data - or allowed to maintain access to those resources.
The Zero Trust framework uniquely addresses the security challenges that most modern businesses face, such as securing remote workers and hybrid cloud environments and protecting against disruptive, costly cyberthreats like ransomware. Zero Trust can help organizations secure their infrastructure and data so they can operate more confidently in today’s complex, digital world, and pursue digital transformation knowing they’re protecting what’s most important to the business all along the way.
The Cybersecurity and Infrastructure Security Agency (CISA) offers a Zero Trust Maturity Model that includes five pillars - Identity, Device, Network, Application Workload, and Data - and is intended to help support an organization’s Zero Trust journey. And really, it is a journey, just like digital transformation itself. It can take several years for an organization to get where it wants to be with Zero Trust security, and because networks are always evolving, it will be an ongoing process to maintain an effective Zero Trust architecture. Also, keep in mind that there is no one-size-fits-all approach to zero trust. Even NIST acknowledges in its recently published Zero Trust Planning Guide for federal organizations that “there is no single specific Zero Trust infrastructure implementation or architecture.”
Zero Trust is more than just a technology change; it is a new security model that gives organizations a way to achieve user-to-application segmentation. What seemed impossible to achieve with complex and sophisticated network rules and VPN configurations is now centralized with a trust broker. Logical Zero Trust Network Access policies can be easily created and even shared among those who manage access privileges.
Even if you’re not ready to fully implement the Zero Trust framework just yet, getting a handle on the basics of Zero Trust now can only help your organization better secure your resources and ensure a strong cybersecurity posture going forward.
Are you considering moving to the Zero Trust framework? Is this part of your cybersecurity enhancement plan or part of this year's strategic technology plan? Please share your thoughts in the Comment box below or shoot me an email if you'd like to chat about this in more detail.