09/24/2021 | News release | Distributed by Public on 09/24/2021 00:41
Zero Trust is a security model - a strategy for protecting an organization's IT assets, including data, services and applications. The Zero Trust model is built upon research done more than a decade ago by analysts at Forrester, and it is now recommended by many security experts and vendors, including Microsoft.
Zero Trust is a security architecture model that requires no implicit trust to be given in any quarter. NIST SP 800-207 defines Zero Trust as "a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as compromised."
One Microsoft expert calls it a "deny-until-verified" approach.
As the name implies, with Zero Trust, access to resources from both inside and outside of the network should be restricted until the validity of the request can be confirmed. Every user, regardless of their position in the organization, must still complete specific verification steps to prove their identity before being authorized for the level of access they seek.
Because Zero Trust policies force users and services to verify their credentials when attempting to access enterprise resources, it's much more difficult for unauthorized users to gain access to vital architecture. For example, an automation process requesting access to a database should be vetted to ensure it doesn't become an avenue through which an attack can be launched.
Another important thing to understand is that, just as it's impossible to fully achieve cybersecurity, it's impossible to fully adopt Zero Trust principles. Many enterprises operate in a hybrid mode, with a combination of Zero Trust principles and perimeter-based security, as they work on reinforcing and modernizing various IT initiatives and making improvements to business processes. As a result, companies may end up having newer Zero Trust policies working alongside older security workflows.
According to the book "Zero Trust Networks: Building Secure Systems in Untrusted Networks" by Evan Gilman and Doug Barth, Zero Trust is built upon five pillars:
Zero Trust helps close security gaps, including:
This approach effectively addresses the challenges associated with a shifting security perimeter in a cloud-centric and mobile workforce era. In the new reality, people are the new corporate perimeter; the time when "trust" was granted whenever you were within the corporate firewall (physically in the network or even connected via a VPN) is gone.
The Zero Trust model took shape as hackers became adept at exploiting the shortsightedness of organizations that presumed they only had to worry about threats from the outside. If attackers managed to find an opening in a company's network or steal a user's credentials, they gained the ability to move laterally and gain further system privileges. Zero Trust recognizes the importance of installing security controls at all vulnerable access points, including those inside the network.
By focusing on identity, Zero Trust makes it possible to limit the movements of hackers even if they achieve an initial breach. For example, even if they manage to log into an employee's account, the protocols put in place would recognize any unusual movements or attempts to access resources outside of the scope of that worker's role.
Zero Trust security is not something that can be accomplished through technology alone. Instead, the organization must develop a comprehensive strategy that includes making changes to company culture.
To start moving toward establishing a Zero Trust network architecture, companies must commit to:
A Zero Trust architecture encompasses all of a company's networks and computing services, including connected devices that send data to sources like databases and software as a service (SaaS) platforms. You have to think beyond the network location when outlining security requirements for access requests sent by assets connected to your network infrastructure.
Logical components of a Zero Trust infrastructure, as described by NIST SP 800-207, include:
Data sources that typically feed the core components of a Zero Trust architecture include:
There are multiple ways in which an organization can deploy a Zero Trust architecture for various workflows. Your implementations may vary depending on the components in use. Here are some common approaches:
Depending on the final confidence level calculation, the access given to a user may be altered, including providing them with only partial access to a resource.
Start by getting buy-in from those who would benefit from the transition to a Zero Trust architecture. Working together, map out the steps necessary to make Zero Trust a core part of your organization's security posture.
Many companies start the process gradually to observe the effects of the changes. For example, use multi-factor authentication to establish the authenticity of entities requesting access to your organization's networks. Try setting up device security controls to prevent exploitation of a device's weak points. Use micro-segmentation to add a layer of protection around vital infrastructure. Set up a network security standard that applies across the organization.
Consider operating in reporting-only mode to see how well the changes work. In this mode, you'd grant most access requests as you gauge the effects of various decisions. Once you gain confidence, you can put the changes into operation.
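As an added illustration of the per-request decision the release describes (the confidence-level calculation that can yield only partial access, the role-scope check that flags requests outside a worker's role, and the reporting-only mode of the paragraph above), here is a toy policy decision point in Python. It is example code written for this page, not code from the original release or from any vendor product; the role scopes, signal weights, thresholds, identities and the four sample requests are all constructed for the example. Network location is recorded but deliberately carries no weight, reflecting the point that being inside the corporate network is no longer a trust grant.

```python
from collections import Counter
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    FULL = "full"
    PARTIAL = "partial"   # e.g. read-only: the "partial access" case
    DENY = "deny"


@dataclass(frozen=True)
class AccessRequest:
    subject: str            # user or service identity (constructed names)
    role: str
    resource: str
    mfa_verified: bool
    device_managed: bool
    device_compliant: bool  # patched, disk encrypted, endpoint agent healthy
    source_country: str
    on_corp_network: bool   # recorded for audit, but not a trust signal


# Constructed policy data: the resources each role may reach at all.
ROLE_SCOPE = {
    "analyst": {"reporting-db", "wiki"},
    "dba": {"reporting-db", "customer-db"},
    "automation": {"reporting-db"},
}
# Constructed thresholds on a 0-100 confidence level.
FULL_THRESHOLD = 80
PARTIAL_THRESHOLD = 50


def confidence_score(req: AccessRequest, usual_country: str) -> int:
    """Combine identity and device signals into a confidence level.

    Weights are illustrative. on_corp_network is intentionally ignored:
    being on the LAN or VPN does not raise confidence in this model.
    """
    score = 0
    if req.mfa_verified:
        score += 40
    if req.device_managed:
        score += 20
    if req.device_compliant:
        score += 20
    if req.source_country == usual_country:
        score += 20
    return score


@dataclass
class PolicyResult:
    effective: Decision   # what the enforcement point actually applies
    evaluated: Decision   # what the policy would apply in enforce mode
    score: int
    reasons: list


def evaluate(req: AccessRequest, usual_country: str,
             mode: str = "enforce") -> PolicyResult:
    """Decide one request. mode is "enforce" or "report-only"."""
    reasons = []
    score = confidence_score(req, usual_country)
    in_scope = req.resource in ROLE_SCOPE.get(req.role, set())
    if not in_scope:
        evaluated = Decision.DENY
        reasons.append(f"{req.resource} is outside the scope of role {req.role}")
    elif score >= FULL_THRESHOLD:
        evaluated = Decision.FULL
    elif score >= PARTIAL_THRESHOLD:
        evaluated = Decision.PARTIAL
        reasons.append(f"confidence {score} below {FULL_THRESHOLD}: read-only")
    else:
        evaluated = Decision.DENY
        reasons.append(f"confidence {score} below {PARTIAL_THRESHOLD}")
    # Report-only grants in-scope requests so the new policy can be observed
    # without breaking workflows; requests outside the role scope were never
    # allowed, so they stay denied even in this mode.
    effective = Decision.FULL if (mode == "report-only" and in_scope) else evaluated
    return PolicyResult(effective, evaluated, score, reasons)


def shadow_report(requests, usual_countries, mode="report-only"):
    """Tally what the policy would have decided, to gauge before enforcing."""
    results = [evaluate(r, usual_countries[r.subject], mode) for r in requests]
    return Counter(r.evaluated.value for r in results)


# Constructed sample traffic: one request per scenario from the text.
USUAL_COUNTRY = {"alice": "US", "bob": "US", "etl-job": "US"}
SAMPLE_REQUESTS = [
    AccessRequest("alice", "analyst", "reporting-db", True, True, True, "US", False),
    AccessRequest("alice", "analyst", "customer-db", True, True, True, "US", False),
    AccessRequest("bob", "dba", "customer-db", True, True, False, "BR", False),
    AccessRequest("etl-job", "automation", "reporting-db", False, False, False, "US", True),
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        res = evaluate(req, USUAL_COUNTRY[req.subject], mode="report-only")
        print(req.subject, req.resource, res.effective.value,
              "would be:", res.evaluated.value, res.reasons)
    print(shadow_report(SAMPLE_REQUESTS, USUAL_COUNTRY))
```

Running it in report-only mode shows the four outcomes side by side: a fully verified analyst reaching a resource in scope, the same analyst denied on a database outside her role, a DBA signing in from an unexpected country dropping to read-only, and an automation job on the corporate LAN with no MFA and no device posture landing below the partial threshold despite its network location. The `shadow_report` tally is the kind of summary you would watch while in reporting-only mode before switching `mode` to `"enforce"`.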
Zero Trust architecture typically contains one or more of the following technologies:
1. What is Zero Trust security?
Zero Trust is a security framework built around the idea that no person or service should receive automatic trust from a company's networks. Instead, companies should rely on a combination of security controls, including stronger authorization and authentication techniques.
2. What is a Zero Trust architecture?
A Zero Trust architecture is based on Zero Trust principles. It's designed to minimize the risk of a data breach and limit internal lateral movement.
3. How do you implement Zero Trust?
There are many ways of implementing Zero Trust principles. Approaches vary based on business drivers and the organization's cybersecurity maturity level. Implementation options include enhanced identity governance, logical micro-segmentation and network-based segmentation.
4. What are the components of Zero Trust?
The logical components of a Zero Trust infrastructure, as described by NIST SP 800-207 "Zero Trust Architecture," include:
5. Why is Zero Trust important?
Zero Trust helps prevent hackers who manage to breach one access point to the network from moving laterally through your company systems. It also helps block internal threat actors, such as a disgruntled admin or runaway script, from stealing sensitive data or doing other damage.