Zero trust is a security model that hinges on strict identity verification for every device connecting to a network. This applies to known and unknown devices, and equally to those already inside the network. Zero trust is not defined by a particular set of technologies; it is a holistic approach to minimizing network security risk. This marks a clear shift from the old “castle-and-moat” approach, which scrutinizes devices from outside the network while trusting those within it by default. If an attacker penetrates the perimeter, they gain full access to the entire system.
The ongoing rise of cloud technology further invalidates the traditional model. Data is no longer stored in a single location, so a localized security system is not up to the task of preventing breaches. It is no surprise, then, that major cloud providers were the first to develop the zero-trust model. Cloud architecture is designed to provide access to large numbers of remote users, all the more reason to adopt a “trust no one” mentality.
The Two Main Principles of Zero Trust
The core principle of zero-trust security is the assumption that a threat can come from both inside and outside of a network. With this in mind, no machine or user should be trusted by default. User access is highly segmented as well, and this is done using a least-privilege model. Users are only given the level of access that they need. Depending on the system, privileges can be assigned based on business units, roles, seniority, time of day and various other parameters.
Another core principle of zero trust networks is microsegmentation. Put simply, it is the process of dividing security perimeters into small, easily maintainable segments. This granular approach ensures workloads are individually secured and isolated from one another. In practice, a microsegmented data center can consist of a large number of separately secured zones. Access to each zone is strictly monitored and restricted: personnel and programs have precisely defined authorization rights. In the event of a security breach, microsegmentation limits the potential damage, as the network attack surface is significantly decreased.
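To make the "limits the potential damage" claim concrete, here is a small blast-radius model (an added example, not code from the original article). It compares how far a single compromised workload can reach in a flat castle-and-moat network with a microsegmented one where only explicitly allowed zone-to-zone flows exist. The workload names, zones, ports and allow rules are constructed sample data.

```python
from collections import deque

# Constructed sample data center: workload -> zone (assumption, not from the article).
WORKLOADS = {
    "web-1": "dmz", "web-2": "dmz",
    "api-1": "app", "api-2": "app",
    "db-1": "data", "backup-1": "data",
    "hr-app": "hr", "hr-db": "hr",
}

# Microsegmentation policy: explicit (source zone, destination zone, port) allow rules.
# Anything not listed is denied by default, including traffic within a zone.
ALLOW_RULES = {
    ("dmz", "app", 8443),
    ("app", "data", 5432),
    ("hr", "hr", 5432),
}

def is_allowed(src, dst, port, segmented=True):
    """Decide whether src may open a connection to dst on the given port.
    segmented=False models the castle-and-moat network, where every
    internal workload is trusted and may reach every other one."""
    if src == dst:
        return False
    if not segmented:
        return True
    return (WORKLOADS[src], WORKLOADS[dst], port) in ALLOW_RULES

def reachable_from(compromised, ports, segmented=True):
    """Set of workloads an attacker controlling `compromised` could reach
    by chaining permitted connections (breadth-first search over the policy)."""
    seen = {compromised}
    queue = deque([compromised])
    while queue:
        cur = queue.popleft()
        for dst in WORKLOADS:
            if dst in seen:
                continue
            if any(is_allowed(cur, dst, p, segmented) for p in ports):
                seen.add(dst)
                queue.append(dst)
    seen.discard(compromised)
    return seen

def blast_radius(compromised, segmented=True):
    """Number of other workloads exposed if `compromised` falls."""
    ports = {p for _, _, p in ALLOW_RULES}
    return len(reachable_from(compromised, ports, segmented))
```

With these rules a compromised web server exposes every other workload in the flat network but only the app and data zones in the segmented one, and a compromised HR application exposes only its own database.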
Zero Trust Security Tools
The “never trust, always verify” approach can be a pain for regular users. Per the castle-and-moat analogy, employees would have to lower the bridge to cross the moat and unlock the gates each time they wanted to access their work. This could adversely affect productivity and user experience. The following four tools provide a way to authenticate users on an as-needed basis.
Single Sign-On (SSO)
SSO is a user and session authentication service that allows a user to use a single set of login credentials (like a username and password) for multiple accounts. SSO is also useful for enabling single sign-on access to on-premises legacy apps. This increases usability and provides a pain-free login experience for employees. SSO is often mistaken for password vaulting, or password managers, but there are significant differences. The biggest one is that password vaulting requires you to enter your credentials every time you switch to another website or application. SSO allows a one-time login to all company-approved resources without.
MFA (Multi-Factor Authentication)
MFA is a security system that uses multiple credentials in order to verify a user’s identity. It was developed as a way to mitigate risks associated with traditional username/password solutions. In addition to these credentials, MFA requires additional security inputs such as security question answers, biometrics or a code from a user’s mobile device. This added level of security protects accounts from brute-force attacks, and alerts users when any login attempt is made.
If you want to implement zero trust successfully, you will need a provisioning system that will quickly deal with provisioning and deprovisioning users. AI and machine learning systems detect suspicious logins and flag them. A great example of this is an employee logging in at unusual times or from a previously unknown location. Adaptive authentication then jumps into play and ramps up security by demanding additional verification. Adaptive authentication works both ways: it can loosen or remove MFA requirements when it detects normal behavior. This is especially valuable in recent times, when remote work is becoming the norm.
Devices that users log in from are the end target of attacks, and as such need to be the first line of defense. You need to know, manage and control all the devices trying to access your data in order to assess their reliability. It is equally important to protect and monitor your local devices in order to nip threats in the bud.
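The adaptive authentication and device-control ideas in the two paragraphs above can be expressed as one small policy decision, shown here as an added example that is not code from the original article. It scores a login attempt against what the identity system already knows about the user (usual hours, usual countries, enrolled devices, whether the account is still provisioned) and returns "allow", "require_mfa" or "deny". The signal weights and thresholds are illustrative assumptions, and the baseline data is constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime

@dataclass
class UserBaseline:
    """What the identity system knows about a user: whether the account is
    still provisioned, plus the hours, countries and managed devices seen in
    previous legitimate logins (constructed sample data)."""
    active: bool = True
    usual_hours: set = field(default_factory=set)       # hours 0-23
    usual_countries: set = field(default_factory=set)   # country codes
    enrolled_devices: set = field(default_factory=set)  # managed device ids

@dataclass
class LoginAttempt:
    when: str                  # ISO 8601 timestamp, e.g. "2024-03-04T10:15:00"
    country: str               # where the request came from
    device_id: str             # identifier presented by the client device
    failed_attempts_last_hour: int = 0

def risk_score(attempt, baseline):
    """Add a weight for every signal that deviates from the user's baseline.
    Weights are illustrative; a real deployment tunes them from its own data."""
    hour = datetime.fromisoformat(attempt.when).hour
    signals = [
        (hour not in baseline.usual_hours, 2, "unusual time"),
        (attempt.country not in baseline.usual_countries, 3, "unknown location"),
        (attempt.device_id not in baseline.enrolled_devices, 3, "unmanaged device"),
        (attempt.failed_attempts_last_hour >= 5, 4, "repeated failures"),
    ]
    score = sum(weight for hit, weight, _ in signals if hit)
    reasons = [reason for hit, _, reason in signals if hit]
    return score, reasons

def decide(attempt, baseline):
    """Adaptive policy: deprovisioned accounts are refused outright, normal
    behaviour needs only the primary credential, deviations step up to MFA,
    and strongly anomalous attempts are blocked for review."""
    if not baseline.active:
        return "deny", ["account deprovisioned"]
    score, reasons = risk_score(attempt, baseline)
    if score == 0:
        return "allow", reasons
    if score < 6:
        return "require_mfa", reasons
    return "deny", reasons
```

The returned reasons are what a security team would want logged alongside the decision, so that step-up prompts and blocks can be reviewed later.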
Advantages of Zero Trust Strategies
Zero trust bolsters innovation and facilitates the implementation of new features. New initiatives and complex collaboration with internal and external stakeholders can be handled in a secure environment. In addition to this, zero trust allows companies to learn from collected data and facilitates data-driven growth initiatives.
Once implemented, a zero trust security system will be able to respond more effectively to potential threats. Seamlessly detecting and fixing potential information leaks guarantees that the business as a whole remains unaffected. This means no costly downtime. The security systems and controls put in place also go a long way toward facilitating compliance with GDPR and other data privacy and security regulations.
Obstacles to Zero Trust
Implementing zero trust can be difficult and lengthy for some businesses. For starters, all office equipment and work-related personal devices need to be inventoried. It is then time to write and implement corporate policies. The complexity of this process scales with the size of the company, especially if there are branches across the globe.
Some systems are less suited to the transition to zero trust than others. Complex infrastructure poses additional challenges, and existing software might not support the newest security standards. Replacing obsolete software and devices presents a significant cost in both time and money. Resistance to change is another thing you can expect when shifting to zero trust. Employees and even IT security teams may not be ready or willing to make the change. With this in mind, it is common for companies to implement zero trust in a gradual and incremental way. A great example of this is Google’s seven-year transition to their BeyondCorp zero-trust framework.