Zero Trust—is it just another IT security buzzword?
Palo Alto Networks describes Zero Trust as a “strategic approach to cybersecurity that secures an organization by eliminating implicit trust and continuously validating every stage of a digital interaction.” Much like it sounds, Zero Trust is based on the principle that all users—whether they’re inside or outside of an organization—are never trusted and must undergo authentication, authorization and continuous validation before being granted access to business information.
Gone are the days where organization’s could assume that anyone inside an organization’s network could be trusted. Zero Trust was designed to address the security challenges of the modern workplace—including hybrid cloud environments, the rise of remote work, and increasing ransomware activity. With the Zero Trust model, no one is given the benefit of the doubt—which helps to prevent lateral movement in the event that someone with malicious intent does get inside the network.
How Zero Trust Works
Developing a Zero Trust framework starts at ground zero. To carry it out, a combination of technologies and methodologies including multi-factor authentication, endpoint security protocols, security system maintenance and more must work in unison. It’s a harmonious effort that involves an organization's users, applications and infrastructure to reach maximum effectiveness.
Users — Step one is giving users the least access possible and requiring ironclad and repetitive authentication and device verification.
Applications — Assume that no applications can be trusted and that continuous monitoring and validation is required.
Infrastructure — Everything and anything related to infrastructure including servers, routers, cloud and more should be considered within the Zero Trust strategy.
Tenets of the Zero Trust Model
According to the National Institute of Standards and Technology (NIST 800-207), Zero Trust architecture should be designed and deployed to adhere to the following basic tenets.
- “All data sources and computing services are considered resources.” This might include all devices, devices that send data to SaaS and other systems, and personally owned devices if they can access enterprise-owned resources.
- “All communication is secured regardless of network location.” In other words, access requests from assets within enterprise-owned infrastructure are required to meet the same security requirements as non-enterprise-owned assets.
- “Access to individual enterprise resources is granted on a per-session basis.” It should also be granted with the least privileges required for the user to be effective at a task. Here, authentication that grants access to one resource does not automatically grant access to others.
- “Access to resources is determined by dynamic policy—including the observable state of client identity, application/service, and the requesting asset—any may include other behavioral and environmental attributes.” These policies should be based on business processes and what your organization considers an acceptable level of risk.
- “The enterprise monitors and measures the integrity and security posture of all owned and associated assets.” When your organization implements Zero Trust, it should establish a system for continuous diagnostics and mitigation to monitor the state of devices and applications, where patches and updates are applied as needed.
- “All resource authentication and authorization are dynamic and strictly enforced before access is allowed.” Organizations on a Zero Trust model are expected to have identity credential and access management systems in place, including things like MFA and Conditional Access.
- “The enterprise collects as much information as possible about the current state of assets, network infrastructure and communications.” Insights gained here should be used to improve the organization’s security posture, policies and enforcement on an ongoing basis.
Here’s a simple explainer video from IBM that breaks down the concept of Zero Trust at a high level.
Is Zero Trust for Your Business?
Zero Trust is a model that can work for any enterprise who wants to secure their network—whether you’re undergoing transformation, moving your data to the cloud, or planning to rebuild your security infrastructure from the ground up. Talk to our team about what a Zero Trust strategy could look like for your organization today.