Today, we see increasingly distributed workforces and work regularly outsourced to contractors, partners and freelancers alike. As a result, the traditional company network perimeter has altered dramatically and many businesses have struggled to keep up with the rate of change. All that is a prerequisite for external cyberattacks and potentially harmful internal data breaches.
At its core, Zero Trust is a framework in which an organization forgoes one large perimeter in favour of protection at every endpoint and for every user within a company. This approach relies on strong identity and authentication measures, trusted devices and endpoints, and granular access controls to protect sensitive data and systems. Zero Trust requires granular visibility.
So, implementing a Zero-Trust framework does more than increasing the security. It also helps your data management and accessibility efforts by providing the visibility into connected endpoints and networks that a great percentage of organizations lack.
Implementing a Zero Trust Model
While establishing a Zero Trust architecture can increase security, many organizations find the implementation challenging. Understanding the steps involved, can help move toward a zero trust security approach.
- Establish strong authentication processes (Identity and Authentication)
Identity authentication is the foundation of a zero-trust security strategy. To continuously evaluate access to resources, you must first centralize user management and establish strong authentication processes. In order to track and manage all users across your systems, user identity must be centralized in a user and group directory. As employees join the company, change roles or responsibilities, or leave the company, the databases should update automatically to reflect those changes. The user and group database acts as the single source of truth to validate all users that need to access your systems.
A single sign-on (SSO) system, or centralized user authentication portal, can validate primary and secondary credentials for users requesting access to any given resource or application. After validating against the user and group directory, the SSO system generates a time-sensitive token to authorize access to specific resources. A centralized user database supporting a single sign-on system is essential. Data in a SaaS application environment must be assumed vulnerable unless access is limited to an endpoint that you control. Once that database is in place, you can introduce an authentication process such as 2FA (two-factor authentication) or MFA (multi-factor authentication) to harden your system and ensure that the users accessing your applications are who they say they are.
- Define and implement policies around Access Management
Building on the identify and authentication mechanisms, the next step is to define and implement policies around who can access specific data and when they can access it. What makes the Zero Trust approach unique is that in order to minimize the ‘perimeter’ of any given individual and isolate the risk associate with that user, the Zero Trust approach supports the idea that an employee should only be given the minimum access and permissions needed for that employee to do their job. By limiting access in this way, risk is minimized. Should an attacker gain access to the credentials of a user in marketing, for example, that perpetrator is ‘laterally’ limited in that they cannot gain access to any of the tools, assets, or information outside of that user’s specific role.
There are several ways to ensure that an employee’s access is restricted to the tools and assets required for their job. The first is granular, role-based access and permission levels. These should be defined for each role within your organization, with cross-functional input agreement. Your organization’s appetite for risk and the breadth of access needed to effectively collaborate across teams will determine the level of granularity needed for team and individual role-based access levels. Once these role-based access levels have been defined, you can begin to map out the controls needed for each system and vendor in your organization. While your SSO or identity provider may be able to support some of your access control needs, you may find that not all applications provide the level of granularity needed to limit access in this way. Access controls are an important part of any vendor risk management assessment and integral to the long-term implementation of Zero Trust.
In order to adhere to the “continuous verification” tenant of the Zero Trust model, you will also need a way to consistently analyse audit logs to verify access controls and identify suspicious or unsanctioned activity in your systems. This information helps detect suspicious activity within your systems and supports the application of access and permission levels by allowing you to verify that those levels are implemented correctly and that there aren’t any suspicious actors that have gained access to a user’s credentials.
- Monitor and audit everything
In addition to authenticating and assigning privileges, it is vital to monitor and review all user activity across the network. This helps organizations to identify any suspicious activity in real-time. Deep visibility is especially important for administrator accounts which have rights to access a wide spectrum of sensitive data.
- Implement Principle of Least Privilege
Every Zero Trust architecture should include Principle of Least Privilege, which is based on the concept that individual users should only be granted sufficient privileges to allow them to complete specific tasks. For example, an application developer should not be allowed to access financial records. For maximum effectiveness, PoLP should be extended to “just-in-time” access, which restricts users’ privileges to specific time periods.
Implementing the Zero Trust security model is no simple task. For many organizations, especially large, established enterprises, implementation can take a considerable amount of time and effort. But the upsides are significant. Beginning to implement the foundational elements of Zero Trust Security is the key to securing your sensitive company data in the midst of the proliferation of cloud applications, devices, and user identities.