The business world is steadily embracing the concept of zero trust (ZT) to make its networks more secure. It is not so much a technology as a strategy for maintaining network privacy that involves setting network access policies. An example of a zero trust solution is using multifactor authentication to grant network access. Here's a deeper look at what ZT is and how it can protect your network.
What is Zero Trust?
A simple explanation of zero trust is that it's a security strategy that starts with the premise that anyone who seeks network access must prove their identity. This paradigm makes no assumptions about permissions or identities just because a visitor is on your network. Ultimately, ZT is a system of thinking for maximizing data protection.
The term was coined in 2010 by analyst John Kindervag of Forrester Research. It presumes that all traffic is considered hostile until authenticated, as a strict risk management precaution. His concept of zero trust architecture (ZTA) challenged the previous "defense-in-depth" cybersecurity model, which limited data protection to the network perimeter. By contrast, Kindervag's model included building security into the network through authentication processes.
A network perimeter is a boundary between private intranet and public internet resources. Network perimeter devices include routers that permit traffic to pass. Routers often include firewall functionality that can be configured in customized ways to determine which devices or users have network access.
By 2015, after many large organizations including financial institutions and tech firms had faced severe cyberattacks causing millions of dollars in damage, IT experts began questioning the relevance of relying on the defense-in-depth model, which consists of anti-virus software, intrusion prevention systems and advanced firewalls. Around that time ZTA began to emerge in the form of online companies commonly requiring a second or third factor to authenticate accounts.
In the IT world when trust is unquestioned, it can open paths for bad actors to enter a private network. Once intruders penetrate your network, they will likely be invisible while they create havoc by stealing information or unleashing malware. While no cybersecurity solution is 100 percent perfect, the most reliable solutions such as encryption and multifactor authentication are so complex that hackers don't bother wasting their time.
The way cybercriminals usually gain access to private networks is by tricking unsuspecting employees with fraudulent emails that pose as trusted sources. One way hackers trick employees is by providing them with a link to what appears to be their account. The email asks the victim to log in, but in reality the victim is handing their password to a fake web page with an application that collects this confidential information.
What is Zero Trust Security?
The concept of zero trust security is based on methods that make visitors prove their identities before getting on a network. A historical analogy for the security layers embedded in a ZTA is how ancient kings and queens protected their castles from invaders with multiple tall, thick walls made of stone. But in order to cross the drawbridge over the moat and enter the castle, a visitor needed to answer a series of questions or solve riddles.
Here are the five concepts that define how zero trust security is embedded in the architecture:
- All resources must be accessed securely - You cannot assume that all resources have their own built-in protection systems. In a ZTA all resources require explicit permission.
- Access control is implemented on a need-to-know basis - A network member gains access only to the minimal resources needed for their assigned tasks, and only for the timeframe those tasks require.
- Do not trust anyone, verify their actions - By not taking any network visitor for granted and monitoring their behavior, your system will be less vulnerable to a cyberattack.
- Inspect all log traffic for suspicious or malicious activity - Cybercriminals are often able to hide their identities and their presence on networks in which they lack permission. The effects of their damage, however, are usually detectable by advanced 24/7 data monitoring systems. Less experienced hackers are easier to detect.
- Design networks from the inside out - Strong security should be at the foundation of your network design. It starts by setting policies on who can access your network.
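To make the "inspect all log traffic" concept concrete, here is an added example (not code from the original article) of the kind of detection logic a monitoring system runs over authentication and resource-access events. The log format, user names, addresses and thresholds are all constructed for illustration and assume nothing about any real product. It flags a burst of failed logins from one source, a successful login that follows such a burst, a login without MFA, and repeated denied access to resources, which is the sort of behaviour that reveals an intruder even when their identity is hidden.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical key=value format; not from any real system.
SAMPLE_LOG = """\
2024-03-01T09:00:01Z auth user=alice src=10.0.1.5 device=laptop-a1 mfa=yes result=success
2024-03-01T09:00:05Z auth user=bob src=203.0.113.7 device=unknown mfa=no result=fail
2024-03-01T09:00:06Z auth user=bob src=203.0.113.7 device=unknown mfa=no result=fail
2024-03-01T09:00:07Z auth user=bob src=203.0.113.7 device=unknown mfa=no result=fail
2024-03-01T09:00:08Z auth user=bob src=203.0.113.7 device=unknown mfa=no result=fail
2024-03-01T09:00:09Z auth user=bob src=203.0.113.7 device=unknown mfa=no result=fail
2024-03-01T09:00:30Z auth user=bob src=203.0.113.7 device=unknown mfa=no result=success
2024-03-01T09:05:00Z auth user=carol src=10.0.2.9 device=laptop-c3 mfa=yes result=success
2024-03-01T09:06:00Z access user=carol resource=hr-payroll result=denied
2024-03-01T09:06:10Z access user=carol resource=hr-payroll result=denied
2024-03-01T09:06:20Z access user=carol resource=finance-ledger result=denied
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kind>auth|access) (?P<kv>.*)$")


def parse_line(line):
    """Parse one event line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(pair.split("=", 1) for pair in m.group("kv").split())
    fields["kind"] = m.group("kind")
    fields["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return fields


def detect(lines, fail_threshold=5, window=timedelta(minutes=1), denied_threshold=3):
    """Return a list of (alert_type, user, source) tuples found in the event stream."""
    alerts = []
    fails = defaultdict(list)    # (user, src) -> timestamps of recent failed logins
    denies = defaultdict(list)   # user -> timestamps of recent denied resource access
    flagged = set()              # (user, src) pairs already reported for guessing
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue
        if ev["kind"] == "auth":
            key = (ev["user"], ev["src"])
            if ev["result"] == "fail":
                fails[key].append(ev["ts"])
                # keep only failures inside the sliding time window
                fails[key] = [t for t in fails[key] if ev["ts"] - t <= window]
                if len(fails[key]) >= fail_threshold and key not in flagged:
                    flagged.add(key)
                    alerts.append(("password_guessing", ev["user"], ev["src"]))
            elif ev["result"] == "success":
                # a success right after a guessing burst is the highest-value signal
                if key in flagged:
                    alerts.append(("success_after_guessing", ev["user"], ev["src"]))
                if ev.get("mfa") != "yes":
                    alerts.append(("login_without_mfa", ev["user"], ev["src"]))
        elif ev["kind"] == "access" and ev["result"] == "denied":
            denies[ev["user"]].append(ev["ts"])
            denies[ev["user"]] = [t for t in denies[ev["user"]] if ev["ts"] - t <= window]
            # an authenticated user probing resources they are not entitled to
            if len(denies[ev["user"]]) == denied_threshold:
                alerts.append(("repeated_access_denied", ev["user"], "-"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

The sliding window matters: a monitoring system that only counts totals will either miss slow attacks or alert on normal users who mistype a password twice a day. Running `detect` over the sample lines reports nothing for alice, whose login is clean, and four alerts for bob and carol.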
Cybercrime has exploded over the past decade to the point businesses can no longer ignore zero trust architecture. The reason this architecture is so resilient is because of its multiple layers that make hackers jump through too many hoops. Many hackers aren't really programmers, as they simply rely on software tools to do the hacking for them.
Another form of zero trust security is network segmentation, in which you split your network into multiple segments. Each segment can represent a department or other characteristic of your operation. Certain members are granted access only to specific segments. This strategy limits the amount of damage a cybercriminal can do when they attempt to hijack, disrupt or exploit a network.
Constantly monitoring your network with automated cybersecurity software is one of the major keys to identifying and neutralizing suspicious activity. Many businesses don't know where to begin with cybersecurity, so they outsource to IT experts who provide 24/7 data monitoring. The software sends alerts to management. If it's integrated with machine learning, the software can make automated decisions on how to respond to cyber threats.
To understand more about zero trust security and everything in it, it's essential to learn the zero trust basics, including the tenets and pillars of the ZT model, as follows:
Zero Trust Basics
Trust simply isn't granted automatically in a ZT model. It must be evaluated every time a new device joins your network. Zero trust architecture involves identity, credentials, endpoints and various other events relating to specific network devices and online activity. It further consists of hosting environments and digital infrastructure. Another basic ZT principle is that authenticated network members are only granted limited access and privileges. These privileges may include reading, writing or deleting data.
The traditional perimeter defense approach was much more flexible, allowing network members to access a broad range of resources. But managers are rethinking this approach that's getting eclipsed by the ZT strategy. Tighter access policies reduce the chances of an employee stealing confidential information or compromising data. Even companies with loyal and honest employees must use ZT as a form of risk management and data protection.
Trusted Internet Connections (TICs) and perimeter firewalls are effective at blocking external hackers but are not as reliable at identifying and mitigating internal attacks from within the network. Nor are TICs and firewalls able to protect network devices outside the perimeter, such as those used by remote workers or cloud service subscribers.
Should employees be trusted in your network? Not under a zero trust regime. When social media networks and online games rose in popularity earlier this century, it coincided with a decline in worker productivity. Even worse, countless employees have used employer resources to access illegal websites that engage in copyright infringement. So, it's crucial to set company policies as to how your network resources can be used.
Understanding Zero Trust Tenets
A ZT policy must closely follow these seven tenets, which determine user access and data management:
- Enforce mandatory authentication and authorization to access any network resources. A few of the technologies that tie into this policy include encryption and multifactor authentication (MFA).
- Maintain data integrity through routine inspection and testing. Continuously monitor your network for system vulnerabilities and cyber threats.
- Collect data from multiple sources to analyze and improve security. Pay close attention to security standards to protect your network infrastructure and digital assets.
- View all data sources and network devices as resources. Any device with access to a business network should be considered and protected as a resource.
- Ensure all communication through your network, regardless of origin, is secured. That means using multiple security layers to protect confidential voice messages, email, chat and video conferencing.
- Only grant network access on a per-session basis. Using a least-privilege policy, users are only granted access to the resources necessary to complete a task.
- Adopt an approach that provides moderate access and a transparent policy that regularly updates information regarding resources, accounts and associated privileges.
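The following is an added example, not code from the original article or any vendor product, of a small policy decision point that applies several of the tenets above to one access request at a time: every resource is treated as a resource, the role must explicitly carry the requested action (least privilege), MFA is mandatory above the lowest sensitivity tier, device posture is part of the decision, and the grant is per-session with an expiry rather than permanent. The roles, resource names, sensitivity tiers and session lifetime are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed policy data; role and resource names are placeholders for illustration.
ROLE_PERMISSIONS = {
    "finance-analyst": {"finance-ledger": {"read"}},
    "finance-manager": {"finance-ledger": {"read", "write"}, "hr-payroll": {"read"}},
    "engineer": {"source-repo": {"read", "write"}},
}
# Sensitivity tiers: 1 = internal, 2 = confidential, 3 = restricted (assumed scale).
RESOURCE_SENSITIVITY = {"source-repo": 1, "finance-ledger": 2, "hr-payroll": 3}
SESSION_TTL = timedelta(minutes=30)  # assumed per-session grant lifetime


@dataclass
class Request:
    user: str
    role: str
    resource: str
    action: str
    mfa_verified: bool
    device_compliant: bool   # passed the endpoint posture check
    device_managed: bool     # enrolled in device management
    now: datetime


@dataclass
class Decision:
    allowed: bool
    reason: str
    expires_at: Optional[datetime] = None


def evaluate(req: Request) -> Decision:
    """Evaluate one request on its own merits; nothing is inherited from network
    location or from earlier sessions."""
    # Tenet: every data source and device is a resource; an unknown one is not open by default.
    if req.resource not in RESOURCE_SENSITIVITY:
        return Decision(False, "unknown resource")
    # Tenet: least privilege; the role must explicitly carry this action on this resource.
    if req.action not in ROLE_PERMISSIONS.get(req.role, {}).get(req.resource, set()):
        return Decision(False, "action not permitted for role")
    sensitivity = RESOURCE_SENSITIVITY[req.resource]
    # Tenet: mandatory authentication; MFA for anything beyond the lowest tier.
    if sensitivity >= 2 and not req.mfa_verified:
        return Decision(False, "mfa required")
    # Tenet: device posture is part of every decision, not just user identity.
    if not req.device_compliant:
        return Decision(False, "device not compliant")
    if sensitivity >= 3 and not req.device_managed:
        return Decision(False, "managed device required")
    # Tenet: per-session grant with an expiry; re-evaluation happens on the next request.
    return Decision(True, "granted", req.now + SESSION_TTL)


def session_valid(decision: Decision, now: datetime) -> bool:
    """A grant is only usable while it is allowed and has not expired."""
    return decision.allowed and decision.expires_at is not None and now < decision.expires_at


if __name__ == "__main__":
    t0 = datetime(2024, 3, 1, 9, 0, 0)
    req = Request("alice", "finance-analyst", "finance-ledger", "read", True, True, True, t0)
    d = evaluate(req)
    print(d, "still valid after 10 min:", session_valid(d, t0 + timedelta(minutes=10)))
```

The order of checks is deliberate: resource and permission checks come before the more expensive posture checks, and the denial reason is specific so that the audit log (the "collect data from multiple sources" tenet) records why a request failed.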
Pillars that Represent Products and Services of ZTA
Many different products and services associated with zero trust architecture are available, including zero trust security services and solutions. The main components that make up ZTA for the user pillar, besides authentication, include access management, user and event behavior analytics, identity management and conditional access. Access management includes managing identity and privileged access.
User and event behavior analytics can be generated from machine learning technology to reveal how users behave on your network. The identity management component is a set of policies and technologies that allow authorized network users to gain access to the resources they need. The conditional access aspect of a ZTA product or service protects data by requiring specific conditions to be met before an individual is granted access.
The device pillar of ZTA products and services encompasses the components of dynamic risk scoring, vulnerability management, device security and device identity. Other components relating to device requirements include compliance, authentication and device management, as well as device inventory and enterprise mobility management.
For the network pillar, product and service components include software-defined networking, segmentation, network security, zero trust network access, network access control and transport encryption. It further provides session communication protection so that company secrets don't leak.
Other products and services are designed for the application, data, analytics and automation pillars. Each of these product categories has security tools and processes that make network activity more secure. Encryption is a key component of data pillar products, as it provides protection for data-at-rest, data-in-transit and data-in-use.
Zero Trust View of a Network
When you implement zero trust architecture, you will need to make basic assumptions for network connectivity. These assumptions apply to both your company's network infrastructure and your digital resources used on third-party networks, such as public Wi-Fi or cloud service providers. Here are the six key assumptions to consider for deploying a ZTA policy:
- A business network is not an implicit trust zone. Digital assets and all communication should be as secure as possible. Encryption of traffic data and confidential information is ideal due to its complexity which frustrates even the most skilled hackers.
- Some devices on a business network may belong to third parties such as partners, vendors, suppliers and customers. Many companies now allow bring-your-own-device (BYOD) policies, in which employee devices should be identified by your security monitoring systems.
- No resource should automatically be trusted. Every digital asset needs its own security features and should have a barrier to access that requires authentication. The evaluation process of determining who should have network access must be an ongoing pursuit to account for continuous changes in network activity.
- Not all of a firm's resources operate on its local infrastructure. It's common now for companies to use third-party resources to create and store digital assets. These non-enterprise-owned resources may include online production-oriented cloud services, social networks and search directories.
- You cannot completely trust your local network connection. No data center or cloud service provider can guarantee 100 percent uptime. Remote users should presume that non-enterprise-owned networks are hostile and that all network activity is monitored. There should be no flexibility in requiring authentication, as users should expect to prove their identities with credentials.
- A consistent security policy should exist for devices and workflows moving between your business and external organizations. This policy must also apply to workloads moving from your local data center to external cloud services.