Nowadays the security modernization should be on the top of mind for most organizations, especially with increasingly complex hybrid environments and the need to support a remote workforce. At the same time, IT budgets are getting reduced in many organizations, and the cost to maintain aging legacy infrastructure continues to grow. To struggle the rising costs, more and more enterprises are turning to cloud-based services with the goal of enabling posture-driven, conditional access and zero-day threat sharing. Large companies need to streamline the security environment with cross-platform automation which provides secure access to applications and data.
As cybersecurity professionals defend increasingly dispersed and complex enterprise networks from sophisticated cyber threats, embracing a Zero Trust security model and the mindset necessary to deploy and operate a system engineered according to Zero Trust principles can better position them to secure sensitive data, systems, and services. As we mentioned in our previous articles, Zero Trust is a security model, a set of system design principles, and a coordinated cybersecurity and system management strategy based on an acknowledgement that threats exist both inside and outside traditional network boundaries.
Principles of Zero Trust security
To be fully effective to minimize risk and enable robust and timely responses, Zero Trust principles and concepts must impregnate most aspects of the network and its operations ecosystem.
- Comprehensive security monitoring and validation
The Zero Trust security model assumes that a breach is inevitable or has likely already occurred, so it constantly limits access to only what is needed and looks for anomalous or malicious activity. Zero Trust embeds comprehensive security monitoring; granular risk-based access controls; and system security automation in a coordinated manner throughout all aspects of the infrastructure in order to focus on protecting critical assets in real-time within a dynamic threat environment. This data-centric security model allows the concept of least-privileged access to be applied for every access decision, allowing or denying access to resources based on the combination of several contextual factors.
The philosophy behind a Zero Trust network assumes that there are attackers both within and outside of the network, so no users or machines should be automatically trusted. Zero Trust verifies user identity and privileges as well as device identity and security. Logins and connections time out periodically once established, forcing users and devices to be continuously re-verified.
- Least privilege
Another principle of zero trust security is least-privilege access. The principle refers to the concept and practice of restricting access rights for any entity (users, accounts, computing processes) where the only resources available are the ones required to perform the authorized activities. The privilege itself refers to the authorization to bypass certain security restraints that would normally prevent the user to use the needed resources. This is extremely important to prevent the risks and damage from cyber-security attacks.
Implementing least privilege involves careful managing of user permissions. VPNs are not well-suited for least-privilege approaches to authorization, as logging in to a VPN gives a user access to the whole connected network.
- Variety of Preventative Techniques
To prevent breaches and minimize their damage, a variety of preventive techniques are available. Multi-factor authentication is the most common method of confirming user identity. It requires the user to provide at least two forms of evidence to confirm credibility. These may include security questions, SMS or email confirmation, and/or logic-based exercises. The more means required for access, the better the network is secured.
Limiting access for authenticated users is another layer used to gain trust. Each user or device only gains access to the minimal amount of resources required, thus minimizing the potential attack surface of the network at any time.
Zero Trust networks also utilize microsegmentation. Micro-segmentation is a network security technique that involves separating networks into zones, each of which requires separate network access. For example, a network with files living in a single data center that utilizes microsegmentation may contain dozens of separate, secure zones. A person or program with access to one of those zones will not be able to access any of the other zones without separate authorization.
- Multi-factor authentication (MFA)
Multifactor authentication (MFA), or strong authentication, is a key component to achieving Zero Trust. It adds a layer of security to access a network, application or database by requiring additional factors to prove the identity of users. MFA combines two or more independent credentials: what the user knows, such as a password; what the user has, such as a security token; and what the user is, by using biometric verification methods.
The goal of MFA is to create a layered defence that makes it more difficult for an unauthorized person to access a target, such as a physical location, computing device, network or database. If one factor is compromised or broken, the attacker still has at least one or more barriers to breach before successfully breaking into the target.
Implementing the five principles of zero trust listed above will enable organizations to take full advantage of this security model. A continuous process model must be followed that cycles though each principle – then it starts over again. The zero-trust model also must continually evolve to accommodate how business processes, goals, technologies and threats change.
For more information about Zero Trust, watch the video below: