What You Need to Know about the Zero Trust Model
Network infrastructures are getting more complex and thus harder to secure with traditional network security tools. Fortunately, there’s a viable alternative: the zero trust model. Here is what you need to know about this model.
The term “zero trust” is not new. It emerged a decade ago when a security analyst became frustrated with all the numerous data breaches and other cyberattacks taking place. He knew that adding another layer of defense wasn’t going to solve the problem, so he developed a new security model which he dubbed “zero trust.”
Interest in the zero trust model quickly grew, pushing it into the media spotlight. Although the media’s interest faded away, many companies and government entities liked what they saw and began successfully deploying the model in their organizations.
Recently there’s been renewed interest in the zero trust model. This re-emergence is due to a new problem plaguing organizations, coupled with the upcoming release of a long-anticipated resource for zero trust. The National Institute of Standards and Technology (NIST), which is part of the US Department of Commerce, will be releasing the final version of Special Publication 800-207 “Zero Trust Architecture”. Special Publications are not standards. Instead, they are documents that provide guidance and recommendations about important subjects.
Here is a look at the new problem plaguing many companies and how adopting a zero trust model can help.
More Complexity, More Security Problems
Companies’ IT network infrastructures are getting more complex. Long gone are the days when all of a company’s IT resources were on-premises and employees only accessed those resources during standard business hours using company-provided computer systems set up in the workplace.
Nowadays, companies have their IT resources onsite and in multiple clouds, and employees access those resources from not only the workplace but also home offices. And the resources need to be available 24×7 because employees use their own personal devices to check emails and do other work during off hours.
This new reality is making companies’ security boundaries much more difficult to identify. Despite this, companies are still using perimeter-based network security practices to protect their IT environments. This can be problematic. For example, employees working from home or using their own personal devices for work might connect to their companies’ IT resources over networks that aren’t controlled by those businesses. If the companies rely on perimeter-based network security, those connections and the data traversing them won’t be protected.
There is another drawback to perimeter-based network security. If cybercriminals are able to breach the security perimeter, they can often reach other parts of the network through reconnaissance, credential theft, and lateral movement, according to security experts. Plus, perimeter-based network security is not very effective at detecting or blocking insider attacks. Given these drawbacks, some companies are turning to the zero trust model.
Zero Trust 101
Zero trust is a model for securing an IT network infrastructure. It is based on the concept that a company-owned network infrastructure is no more trustworthy than one that isn’t owned by the company, according to NIST’s “Zero Trust Architecture”. Therefore, a company cannot assume that something is safe just because it lies within its own infrastructure. “Nothing should be implicitly trusted — not your identities, not your devices, not your network components,” explained one security expert. “‘Trust, but verify’ gives way to ‘Do not trust. Verify every time.’”
Because trust is never implicitly granted, companies must continually identify and analyze the risks to their internal IT assets and business functions and then take measures to mitigate those risks. These measures typically include:
- Minimizing access to IT resources. In the perimeter-based network security model, authenticated users are usually given access to a broad collection of resources. As a result, cybercriminals who breach the perimeter and malicious insiders are often able to move laterally through a network. In the zero trust model, authenticated users (and assets) are only given access to the resources they actually use. Furthermore, they are only granted the minimal privilege level that will allow them to perform their job duties — a principle known as least privilege.
- Continually using authentication and authorization to vet each request for resource access. Both authentication and authorization are important. Authentication is used to verify that the employee sending the request is who they say they are. Authorization is used to verify that an employee has the necessary privilege to access that resource.
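The two measures above can be shown as a small policy decision point. The following is an added illustration, not code from the article or from NIST SP 800-207: every request is authenticated (a signed, short-lived token), checked against the device it comes from, and then authorized against an explicit least-privilege table, while the request’s source network is deliberately ignored. A `perimeter_decide` function is included beside it to show the older model the article contrasts with. All users, devices, resources, the signing key and the token format are constructed for the example.

```python
"""Per-request zero trust policy check (added example, not from the article).

Each request must pass three independent checks: a valid session token,
a known and compliant device owned by the same user, and an explicit
(resource, action) grant.  Coming from the "corp" network earns nothing.
All names, keys and tables below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional, Tuple
import hashlib
import hmac
import time

# Constructed signing key for session tokens (illustration only).
SIGNING_KEY = b"example-signing-key-not-for-production"

# Constructed least-privilege table: user -> resource -> allowed actions.
PERMISSIONS = {
    "alice": {"payroll-db": {"read"}, "wiki": {"read", "write"}},
    "bob":   {"wiki": {"read"}},
}

# Constructed device inventory with a posture flag (patched, managed, etc.).
DEVICES = {
    "laptop-01": {"owner": "alice", "compliant": True},
    "phone-07":  {"owner": "bob",   "compliant": False},  # fails posture
}


@dataclass
class Request:
    user: str
    device_id: str
    resource: str
    action: str
    token: str
    source_network: str  # "corp" or "internet"; unused by decide() on purpose


def issue_token(user: str, ttl_seconds: int = 600,
                now: Optional[float] = None) -> str:
    """Mint a short-lived token 'user:expiry:hmac' (constructed format)."""
    expiry = int((now if now is not None else time.time()) + ttl_seconds)
    msg = f"{user}:{expiry}".encode()
    sig = hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()
    return f"{user}:{expiry}:{sig}"


def authenticate(token: str, claimed_user: str,
                 now: Optional[float] = None) -> bool:
    """Verify signature and expiry, and that the token names the claimed user."""
    try:
        user, expiry, sig = token.split(":")
    except ValueError:
        return False
    msg = f"{user}:{expiry}".encode()
    expected = hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return False
    if int(expiry) <= (now if now is not None else time.time()):
        return False
    return user == claimed_user


def device_ok(device_id: str, user: str) -> bool:
    """The device must be known, owned by this user, and currently compliant."""
    dev = DEVICES.get(device_id)
    return dev is not None and dev["owner"] == user and dev["compliant"]


def authorize(user: str, resource: str, action: str) -> bool:
    """Least privilege: only explicitly granted (resource, action) pairs pass."""
    return action in PERMISSIONS.get(user, {}).get(resource, set())


def decide(req: Request, now: Optional[float] = None) -> Tuple[bool, str]:
    """Zero trust policy decision point: every check runs on every request."""
    if not authenticate(req.token, req.user, now):
        return False, "authentication failed"
    if not device_ok(req.device_id, req.user):
        return False, "device not trusted"
    if not authorize(req.user, req.resource, req.action):
        return False, "not authorized for this resource/action"
    return True, "allowed"


def perimeter_decide(req: Request) -> Tuple[bool, str]:
    """The perimeter model for contrast: inside the network means trusted."""
    if req.source_network == "corp":
        return True, "inside perimeter"
    return False, "outside perimeter"


if __name__ == "__main__":
    tok = issue_token("alice")
    req = Request("alice", "laptop-01", "payroll-db", "write", tok, "corp")
    print("perimeter:", perimeter_decide(req))  # allowed: came from inside
    print("zero trust:", decide(req))           # denied: write not granted
```

The contrast in the `__main__` block is the point of the example: a request from the corporate network for an action the user was never granted is waved through by the perimeter model but denied by the zero trust check, which is exactly the lateral movement the article describes being cut off. Expired tokens, tokens issued to another user, and non-compliant devices are each rejected before authorization is even consulted.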
The ZTA
Companies that want to adopt the zero trust model need to generate a zero trust architecture (ZTA). The ZTA is a “cybersecurity strategy that is based on zero trust principles and designed to prevent data breaches and limit internal lateral movement,” according to “Zero Trust Architecture”.
When designing and deploying the ZTA, companies need to adhere to a set of seven tenets. For example, one tenet notes that companies must consider all data sources and computing services as resources. Another tenet states that businesses must secure all communications, even those inside a company-owned network infrastructure (i.e., inside the perimeter of a company’s network infrastructure).
Although companies must adhere to specific principles when designing and deploying their ZTAs, they are not required to use certain tools, technologies, or methods to carry out those deployments. That’s because there is no single “right” way to achieve zero trust. Companies can use what works best for them, including the tools, technologies, and methods they are currently utilizing.
Besides not having to follow a formula, companies do not have to follow a preset timetable. They can go at their own pace and operate in hybrid mode if needed. “Implementing a ZTA is a journey rather than a wholesale replacement of infrastructure or processes,” notes the “Zero Trust Architecture” document. “An organization should seek to incrementally implement zero trust principles, process changes, and technology solutions that protect its highest value data assets. Most enterprises will continue to operate in a hybrid zero-trust/perimeter-based mode for an indefinite period while continuing to invest in ongoing IT modernization initiatives.”
While most businesses apply the zero trust model to improve security in their network infrastructures, it can be used to improve security in other areas as well. For instance, companies can apply the model to improve security in endpoints.
A Viable Alternative
Cloud computing, telecommuting, and other common business practices are making network infrastructures more complex and thus harder to secure with the perimeter-based network security model. The zero trust model offers companies a better way to secure complex network infrastructures. If you would like more information about zero trust, give us a call.