Introduction to Zero Trust
Zero Trust is a security model — a strategy for protecting an organization’s IT assets, including data, services, and applications. Founded in research more than a decade ago by analysts at Forrester, it is now recommended by many security experts and vendors, including Microsoft.
Zero Trust represents a departure from security models focused on defending the network perimeter. In those older models, all users and applications inside the perimeter (physically in the network or even connected via a VPN) were assumed to be trustworthy — which is inadequate for dealing with cyber threats such as malicious insiders and attackers with compromised user credentials. Moreover, perimeter-based models are simply not designed for today’s cloud-centric and mobile workforce.
With Zero Trust, identity is the new corporate perimeter. It is built on the hypothesis that threats exist both inside and outside the corporate network and therefore requires that no implicit trust be given to any user, application, service, or other identity. One Microsoft expert calls it a “deny-until-verified” approach: Access to resources must be restricted until the validity of the request is confirmed. In particular, every user, regardless of their position in the organization and whether they are on premises or remote, must go through specific protocols in order to be authenticated and authorized for the access they seek.
The Core Tenets of Zero Trust
According to the book “Zero Trust Networks: Building Secure Systems in Untrusted Networks” by Evan Gilman and Doug Barth, Zero Trust is built on five pillars:
- Assume breach — Assume that the network is compromised and that every access request could be malicious.
- Never trust, always verify — Authenticate and explicitly authorize every requesting user, device, application, and data flow to the minimum required privileges.
- Verify explicitly — Adopt a consistent and secure process to make decisions about access to resources. Rely on dynamic policies fed from as many sources of data as possible, such as the established behavior patterns of the requesting identity, the device they are using and the nature of the access request.
Benefits of Zero Trust
By focusing on identity, Zero Trust makes it possible to limit the activity of malicious insiders and hackers who have managed to log into an employee’s account — the security controls will recognize and block any unusual movements or attempts to access resources outside of the scope of that worker’s role.
More broadly, Zero Trust helps close important security gaps such as:
- Excessive or inappropriate access rights being granted
- Unrecognized devices accessing the company networks from within
- Adversaries exploiting software vulnerabilities to steal data or encrypt it for ransom
This approach effectively addresses the challenges associated with a shifting security perimeter in a cloud-centric and mobile workforce era. In the new reality, people are the new corporate perimeter; the time when “trust” was granted whenever you were within the corporate firewall (physically in the network or even connected via a VPN) is gone.
The Zero Trust model took shape as hackers became adept at exploiting the shortsightedness of organizations that presumed they only had to worry about threats from the outside. If attackers managed to find an opening in a company’s network or steal a user’s credentials, they gained the ability to move laterally and gain further system privileges. To prevent such exploitation of identities in a corporate network, it’s essential to implement a Zero Trust security model in Active Directory and Azure AD security groups, distribution lists and MS 365 groups.
Zero Trust Architecture
Zero Trust security is not something that can be accomplished through technology alone. Instead, the organization must develop a comprehensive strategy that includes making changes to company culture.
To start moving toward establishing a Zero Trust network architecture, companies must commit to:
- Understanding the current IT ecosystem and business processes, including the jobs performed by employees, how business processes work, and the capabilities of your company’s current technology versus any existing gaps.
- Assessing where you’re strongest and where you’re going to need further reinforcements.
- Figuring out how to address the shortcomings in your current security protocols and start integrating Zero Trust concepts into your business and IT processes.
A Zero Trust architecture encompasses all of a company’s networks and computing services, including devices that connect to sources like databases and software-as-a-service (SaaS) platforms.
Keep in mind that just as it’s impossible to fully achieve cybersecurity, it’s impossible to fully adopt Zero Trust principles. Many enterprises use a combination of Zero Trust and perimeter-based approaches as they work on modernizing their security strategy.
Logical Components of a Zero Trust Infrastructure
Logical components of a Zero Trust infrastructure, as described by NIST SP 800-207, include:
- Policy engine (PE) — Controls decisions around granting access to a resource. It relies on enterprise policy and input from other security infrastructure.
- Policy administrator (PA) — Is responsible for establishing and shutting down communication between a requester and a resource. It authenticates credentials or security tokens before allowing a session to be processed.
- Policy enforcement point (PEP) — Enables, monitors, and terminates connections between requesters and enterprise resources.
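The separation of duties between the three components is easier to see in code. The following is an added illustration, not code from the article or from NIST SP 800-207: a toy policy engine that decides from policy plus external signals (a CDM-style compliant-device inventory and a threat-intelligence flag list, both constructed), a policy administrator that issues and revokes sessions on the strength of those decisions, and an enforcement point that forwards traffic only for live, correctly scoped sessions. The rule set, signal names and session format are assumptions made for the example.

```python
# Added example (not from the original article): a toy model of the three
# NIST SP 800-207 logical components. Policy rules, signal names and the
# session format are assumptions made for illustration only.
from dataclasses import dataclass
import itertools


@dataclass
class AccessRequest:
    user: str
    device_id: str
    resource: str
    mfa_passed: bool


@dataclass
class Signals:
    # Inputs the policy engine consults besides the request itself:
    # a CDM-style device inventory and a threat-intel feed (both constructed).
    compliant_devices: set
    flagged_users: set


@dataclass
class Decision:
    allowed: bool
    reason: str


def policy_engine(req: AccessRequest, signals: Signals) -> Decision:
    """PE: decides whether to grant access, using policy plus external signals."""
    if req.user in signals.flagged_users:
        return Decision(False, "user flagged by threat intelligence feed")
    if req.device_id not in signals.compliant_devices:
        return Decision(False, "device not in compliant inventory")
    if not req.mfa_passed:
        return Decision(False, "MFA not completed")
    return Decision(True, "policy satisfied")


class PolicyAdministrator:
    """PA: establishes and tears down sessions based on PE decisions."""

    def __init__(self, signals: Signals):
        self.signals = signals
        self.sessions = {}  # session id -> (user, resource the session is scoped to)
        self._ids = itertools.count(1)

    def request_session(self, req: AccessRequest):
        decision = policy_engine(req, self.signals)
        if not decision.allowed:
            return None, decision.reason
        sid = f"sess-{next(self._ids)}"
        self.sessions[sid] = (req.user, req.resource)
        return sid, decision.reason

    def revoke(self, sid):
        # Shutting down the session is the PA's job; the PEP simply stops forwarding.
        self.sessions.pop(sid, None)


class PolicyEnforcementPoint:
    """PEP: the data-plane gate; forwards traffic only for PA-issued sessions."""

    def __init__(self, pa: PolicyAdministrator):
        self.pa = pa

    def forward(self, sid, resource):
        entry = self.pa.sessions.get(sid)
        if entry is None:
            return False  # no live session: connection terminated
        _, allowed_resource = entry
        return allowed_resource == resource  # a session covers one resource only


def demo():
    """Run a few constructed requests through PE -> PA -> PEP and collect outcomes."""
    signals = Signals(compliant_devices={"laptop-01"}, flagged_users={"mallory"})
    pa = PolicyAdministrator(signals)
    pep = PolicyEnforcementPoint(pa)
    good = AccessRequest("alice", "laptop-01", "hr-db", mfa_passed=True)
    sid, _ = pa.request_session(good)
    results = {
        "alice_granted": sid is not None,
        "alice_forward": pep.forward(sid, "hr-db"),
        "alice_other_resource": pep.forward(sid, "finance-db"),
    }
    pa.revoke(sid)
    results["after_revoke"] = pep.forward(sid, "hr-db")
    no_mfa = AccessRequest("bob", "laptop-01", "hr-db", mfa_passed=False)
    results["bob_reason"] = pa.request_session(no_mfa)[1]
    bad_user = AccessRequest("mallory", "laptop-01", "hr-db", mfa_passed=True)
    results["mallory_reason"] = pa.request_session(bad_user)[1]
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the split is that the PEP never reasons about policy: it only knows whether the PA has a live session for this request and for this resource, so revoking a session at the PA is enough to cut the connection, and a session granted for one resource cannot be reused against another.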
Data Sources
Data sources that typically feed the core components of a Zero Trust architecture include:
- Continuous diagnostics and mitigation (CDM) system — Gathers information about enterprise assets to update software and configuration components
- Threat intelligence feeds — Deliver information from internal and external sources that helps the policy engine make access decisions
- Network and system activity logs — Provide real-time information about events in the IT environment
- Data access policies — Define rules and attributes that govern access rights to specific enterprise resources
- Identity management system — Creates, stores and manages user accounts and identity records
Supporting Technologies
Because Zero Trust makes identity the perimeter, implementation of Zero Trust centers on strict access controls, including strong identity governance and least-privilege access to resources and services. It typically includes many of the following technologies:
- Multi-factor authentication (MFA) — Forces users to confirm their identity in more than one way before allowing them access to IT resources
- Activity auditing and analysis — Monitors and analyzes network activity to spot active threats
- Privileged access management (PAM) — Helps manage accounts with elevated permissions to critical resources and control the use of those accounts
- Identity & access management (IAM) — Helps manage users, computers and other identities, as well as their membership in security groups and distribution lists that grant access to sensitive corporate resources
- Device security controls — Reduce the risk posed by devices; examples include firewalls, antivirus software, and interface constraints
Deployment Options
There are multiple ways in which an organization can deploy a Zero Trust architecture for various workflows depending on the components in use. Here are some common approaches:
- Micro-segmentation — Involves setting up granular security zones within the network so that resources in them receive protection from a gateway security component.
- Enhanced identity governance — Informs access decisions by calculating the level of confidence in the authentication process using factors such as:
  - The user’s current access privileges
  - The device being used to access the company network
  - The current status of the user

  Depending on the final confidence level calculation, the access given to a user may be altered, including providing them with only partial access to a resource.
- Network infrastructure and software defined perimeters — The policy administrator (PA) functions as a network controller responsible for setting up and reconfiguring the network based on decisions by the policy engine (PE). Implementation can include the use of an overlay network, which is often referred to as a software-defined perimeter approach. In this scenario, clients continue receiving access via policy enforcement points (PEPs) managed by the PA.
- Device agent or gateway-based deployment — The PEP is divided into two separate components that either reside on the resource or exist directly in front of it. An example of this architecture is having an agent installed on an enterprise asset to coordinate connections to that asset, as well as a resource sitting in front of the asset that prevents the asset from communicating with anything other than the gateway.
Steps for Moving Toward a Zero Trust Architecture
Zero Trust security is not something that can be accomplished through technology alone — the organization must develop a comprehensive strategy that includes making changes to company culture. To begin establishing a Zero Trust network architecture, companies need to do the following:
1. Establish the right team.
Start by identifying those who would benefit from the transition to a Zero Trust architecture. Working together, map out the steps necessary to make Zero Trust a core part of your organization’s security posture. Be sure to get buy-in from senior management, since it is vital for both obtaining budget and making cultural changes.
2. Understand the current IT ecosystem and business processes.
- Learn everything you can about the organization. Learn about the people working at your company, the access they hold and how business processes work. Next, inventory the company’s IT assets, including systems and devices. In the end, you want to have thorough visibility into the workloads and the connections required to keep them running.
- Establish a security baseline. Come up with a baseline of your current security capabilities, identify any gaps, and then start setting goals for transitioning different pieces of company infrastructure.
- Determine business priorities for migration to Zero Trust. Assess the importance of each workflow or service to the organization and document how it ties into the overall goal of improving security.
- Conduct risk assessments and develop risk-based policies that build on your strengths and address any gaps.
3. Deploy Zero Trust controls.
A prudent approach is to start the implementation process gradually to observe the effects of the changes. First steps can include the following:
- Introduce multifactor authentication for access to your most sensitive data and most critical systems.
- Set up device security controls to prevent exploitation of a device’s weak points.
- Use micro-segmentation to add a layer of protection around vital infrastructure.
- Set up a network security standard that applies across the organization.
Consider operating in reporting-only mode to see how well the changes work — granting most access requests as you gauge the effects of various decisions. Once you gain confidence, you can put the changes into operation.
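The confidence-level calculation described under enhanced identity governance above, and the reporting-only mode suggested here, are shown together in the following added example (it is not code from the article). It scores a request from the user’s status, privileges, device posture and MFA result, maps the score to full, partial (read-only) or no access depending on resource sensitivity, and can run in report-only mode, where every request is granted but the tier the policy would have applied is recorded for review. The factor weights, thresholds, tier names and sample requests are all constructed assumptions, not values from the article or from any product.

```python
# Added example (not from the original article): a confidence-level calculation
# in the spirit of the "enhanced identity governance" approach, with the
# report-only mode suggested for early deployment. Factor weights, thresholds,
# tier names and the sample requests are all constructed assumptions.
from dataclasses import dataclass


@dataclass
class Context:
    user: str
    user_status: str           # "active", "on_leave" or "terminated"
    privileged: bool           # holds admin-level rights
    device_managed: bool       # enrolled in device management
    device_compliant: bool     # passes current compliance checks
    mfa_passed: bool
    resource_sensitivity: str  # "low" or "high"


def confidence_score(ctx: Context) -> int:
    """Combine signals into a 0-100 confidence that the request is legitimate."""
    if ctx.user_status == "terminated":
        return 0  # disabled identities never earn confidence
    score = 40 if ctx.user_status == "active" else 20
    score += 25 if ctx.mfa_passed else 0
    score += 20 if ctx.device_managed else 0
    score += 15 if ctx.device_compliant else 0
    # Privileged accounts are held to a higher bar: penalise rather than reward.
    if ctx.privileged:
        score -= 10
    return max(0, min(100, score))


def access_tier(ctx: Context) -> str:
    """Map confidence to full, partial (read-only) or no access."""
    score = confidence_score(ctx)
    required = 80 if ctx.resource_sensitivity == "high" else 60
    if score >= required:
        return "full"
    if score >= required - 20:
        return "read-only"  # partial access: enough confidence to read, not to change
    return "none"


def evaluate(requests, report_only: bool):
    """Apply the policy. In report-only mode every request is granted as-is,
    but the tier the policy *would* have applied is recorded for review."""
    outcomes = []
    for ctx in requests:
        tier = access_tier(ctx)
        granted = "full" if report_only else tier
        outcomes.append({"user": ctx.user, "would_apply": tier, "granted": granted})
    return outcomes


SAMPLE_REQUESTS = [  # constructed sample input; expected score and tier noted per line
    Context("alice", "active", False, True, True, True, "high"),    # 100 -> full
    Context("bob", "active", False, False, False, True, "high"),    # 65 -> read-only
    Context("carol", "on_leave", False, True, True, False, "low"),  # 55 -> read-only
    Context("dave", "terminated", True, True, True, True, "low"),   # 0 -> none
    Context("erin", "active", True, True, False, True, "high"),     # 75 -> read-only
]


def summarize(report_only: bool):
    """Count how many requests were actually denied and how many the policy would restrict."""
    outcomes = evaluate(SAMPLE_REQUESTS, report_only)
    return {
        "denied": sum(o["granted"] == "none" for o in outcomes),
        "would_be_restricted": sum(o["would_apply"] != "full" for o in outcomes),
    }


if __name__ == "__main__":
    print("report-only:", summarize(report_only=True))
    print("enforcing:  ", summarize(report_only=False))
```

Running the same sample set in both modes shows what report-only mode buys you: the would-be-restricted count is identical, so you can review which users and devices the policy would have affected before a single request is actually blocked.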
FAQ
1. What is Zero Trust security?
Zero Trust is a security framework built around the idea that no person or service should be implicitly trusted. Instead, companies should rely on a combination of security controls, including stronger authorization and authentication techniques.
2. What is a Zero Trust architecture?
A Zero Trust architecture is based on Zero Trust principles. It’s designed to minimize the risk of data breaches and downtime by limiting lateral movement, privilege escalation and other malicious activity.
3. How do you implement Zero Trust?
There are many ways of implementing Zero Trust principles. Approaches vary based on business drivers and the organization’s cybersecurity maturity level. Implementation options include enhanced identity governance, logical micro-segmentation, and network-based segmentation.
4. What are the components of Zero Trust?
NIST SP 800-207 “Zero Trust Architecture” describes the following logical components of a Zero Trust infrastructure:
- A policy engine (PE) that controls access decisions
- A policy administrator (PA) that establishes and shuts down communications between requesters and resources
- A policy enforcement point (PEP) that enables, monitors and terminates sessions between requesters and resources
5. Why is Zero Trust important?
Zero Trust helps prevent hackers who manage to breach one access point to the network from moving laterally through your company systems. It also helps block internal threat actors, such as a disgruntled admin or a runaway script, from stealing sensitive data or doing other damage.