In today's digital era, securing company assets and resources has taken on paramount importance. This article seeks to shed light on one of the leading concepts transforming the cybersecurity landscape - Zero Trust.
What is Zero Trust?
Zero Trust Architecture (ZTA) has become a cornerstone of cybersecurity strategy, and for good reason. It inverts the traditional notion that a user's or device's position on the network says anything about how far it should be trusted, and instead centres every access decision on identity, device posture and risk. ZTA doesn't just fortify defences against threats outside your network; it prepares your organization for risks that can originate anywhere, including inside it.
There isn't a specific checklist that defines the Zero Trust model, but it does revolve around three core principles:
- Least Privilege Access: Minimize the permissions granted to each user, system, or device.
- Explicit Verification: Always authenticate and validate identities and access rights.
- Assumption of Breach: Operate under the assumption that breaches will occur and plan accordingly.
Together, these principles condense into the tenet of "never trust, always verify". In Zero Trust, no system or user is assumed trustworthy because of where it sits on the network or because it authenticated earlier; trust is established for each request and each session.
A Real-World Example of Zero Trust
To better comprehend the Zero Trust approach, let's examine how it contrasts with traditional methods of access requests.
Previously, once a user was authenticated and connected to the business network, their subsequent access requests to resources, like file servers, were trusted by default. This trust was founded on their initial log-in and any authorizations assigned to them.
The risk with this model was that if the user's credentials were compromised, an attacker could gain the same level of access as the user, including access to sensitive documents.
Zero Trust changes the game entirely. In a Zero Trust system, every access request is considered untrusted, regardless of prior authentications. Consider the following scenario:
You log into your work device and connect to the business network. When you try to access a document, your request is treated as untrusted. Multiple factors are then evaluated - your identity, your device's security status, your network connection, and the sensitivity of the requested file.
Contextual elements, like an unusual access time or location or an out-of-date device, can heighten the risk score of your access request. Your access might be denied or you might be required to provide additional authentication, like a multi-factor authentication (MFA) code, depending on your company's policies.
This dynamic, context-dependent approach means that even if your credentials are stolen, an attacker who does not also have your enrolled device, your usual location and your second factor is far less likely to reach the resources you can reach.
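The decision flow above, as an added example rather than code from the article: a small Python policy check that scores one request from identity, device posture, context (location and time) and the sensitivity of the requested file, then returns allow, step-up (ask for an MFA code) or deny. The user and device directory, the resource sensitivities, the signal weights and the thresholds are all constructed for illustration; a real policy engine would take them from identity, device-management and threat-intelligence feeds.

```python
"""Context-aware access decision for a single request.

Added example, not code from the article. Directory data, weights and
thresholds are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up_mfa"  # grant only after an additional factor
    DENY = "deny"


@dataclass(frozen=True)
class AccessRequest:
    user: str
    device_id: str
    src_country: str
    requested_at: datetime
    resource: str
    mfa_satisfied: bool = False


# Constructed sample directory: hypothetical users, devices and resources.
USERS = {"alice": {"home_country": "DE", "devices": {"laptop-0421", "laptop-0422"}}}
DEVICES = {
    "laptop-0421": {"managed": True, "patched": True, "disk_encrypted": True},
    "laptop-0422": {"managed": True, "patched": False, "disk_encrypted": True},
}
RESOURCES = {"lunch-menu.pdf": 1, "hr-payroll.xlsx": 3}  # sensitivity 1 (low) to 3 (high)

# Assumed thresholds: below STEP_UP_AT is allowed outright; at or above DENY_AT
# the request is refused even with MFA, because the signals that reach that
# range (unenrolled device, unknown user) are not something a code can answer.
STEP_UP_AT = 2
DENY_AT = 6


def risk_score(req: AccessRequest) -> tuple[int, list[str]]:
    """Accumulate risk from identity, device posture, context and sensitivity."""
    score = 0
    reasons: list[str] = []

    def add(points: int, reason: str) -> None:
        nonlocal score
        score += points
        reasons.append(reason)

    user = USERS.get(req.user)
    if user is None:
        add(DENY_AT, "unknown user")
        return score, reasons

    # Device posture: a device the user never enrolled is the strongest signal.
    if req.device_id not in user["devices"]:
        add(4, "device not enrolled to user")
    posture = DEVICES.get(req.device_id, {})
    if not posture.get("managed", False):
        add(3, "unmanaged device")
    if not posture.get("patched", False):
        add(2, "device out of date")
    if not posture.get("disk_encrypted", False):
        add(1, "disk not encrypted")

    # Context: unusual geography or hour of day.
    if req.src_country != user["home_country"]:
        add(2, "unusual location")
    hour = req.requested_at.astimezone(timezone.utc).hour
    if not 6 <= hour < 20:
        add(1, "unusual time")

    # Sensitivity of the target raises the bar; unknown resources count as sensitive.
    sensitivity = RESOURCES.get(req.resource, 3)
    if sensitivity > 1:
        add(sensitivity - 1, f"resource sensitivity {sensitivity}")
    return score, reasons


def decide(req: AccessRequest) -> tuple[Decision, int, list[str]]:
    """Map the score to a decision; MFA satisfies a step-up but never lifts a deny."""
    score, reasons = risk_score(req)
    if score >= DENY_AT:
        return Decision.DENY, score, reasons
    if score >= STEP_UP_AT and not req.mfa_satisfied:
        return Decision.STEP_UP, score, reasons
    return Decision.ALLOW, score, reasons


# Constructed sample requests; the last one models stolen credentials used
# from an unknown machine abroad at 03:00 UTC.
_T = datetime(2024, 5, 6, 10, 0, tzinfo=timezone.utc)
SAMPLES = {
    "regular": AccessRequest("alice", "laptop-0421", "DE", _T, "lunch-menu.pdf"),
    "sensitive": AccessRequest("alice", "laptop-0421", "DE", _T, "hr-payroll.xlsx"),
    "sensitive_mfa": AccessRequest("alice", "laptop-0421", "DE", _T, "hr-payroll.xlsx", True),
    "stale_device": AccessRequest("alice", "laptop-0422", "DE", _T, "lunch-menu.pdf"),
    "stolen_creds": AccessRequest("alice", "unknown-pc", "RU", _T.replace(hour=3), "hr-payroll.xlsx", True),
}


def evaluate_samples() -> dict[str, Decision]:
    return {name: decide(req)[0] for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, req in SAMPLES.items():
        verdict, score, why = decide(req)
        print(f"{name:14} {verdict.value:12} score={score:2} {', '.join(why) or '-'}")
```

The point of the split between the step-up and deny thresholds is that a second factor only answers the question "is this really the user?"; it says nothing about an unenrolled or unmanaged device, so in the stolen-credential case the request is refused even though `mfa_satisfied` is set.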
The Rising Importance of Zero Trust
So, why is Zero Trust garnering increasing importance in today's business landscape? The answer lies in the outdated assumptions of legacy network security models.
Traditional models typically operate on a binary trust mechanism - trust everything inside the network perimeter and distrust everything outside it. This model fails to account for the evolving realities of modern business networks, which have become largely remote and rely heavily on cloud assets. The concept of a trusted zone within an office network has become largely obsolete.
Enter Zero Trust. This model operates under the assumption that every access request, irrespective of origin, is untrusted. Each request is authenticated and authorized before it is granted, the resulting session is encrypted, and the decision draws on as much contextual information as is available. The result? A significant improvement in your business's security.
To draw an analogy, consider the practice of a bartender checking your ID every time you buy a drink, even if you're a regular and they've checked your ID before. The bartender never assumes your identity, instead verifying it each time. That's the essence of Zero Trust.
Introduction to NIST 800-207: Zero Trust Architecture
In 2020, the National Institute of Standards and Technology (NIST), the US agency that publishes standards and guidance on cybersecurity, released Special Publication (SP) 800-207, Zero Trust Architecture. This publication serves as a vendor-neutral guide to help organizations understand and transition towards ZTA. It is guidance rather than a mandatory standard: a flexible and adaptable framework that can be applied regardless of an organization's type or size.
The document includes a variety of deployment scenarios and use-cases, and offers strategies to migrate from traditional networks while ensuring protection against common threat models. It defines several crucial components of a Zero Trust system, including the Policy Engine, Policy Administrator, and the Policy Enforcement Point.
SP 800-207 separates a control plane, where decisions are made, from a data plane, where they are enforced. The Policy Engine (PE) makes the access decision for each request, applying enterprise policy to inputs such as identity data, device posture, activity logs and threat intelligence. The Policy Administrator (PA) carries that decision out: it establishes the session between the subject and the resource (for example by issuing session-specific credentials) and tears it down when the PE decides the session should end. Together the PE and PA form the Policy Decision Point. The Policy Enforcement Point (PEP) sits on the data path in front of the resource, often as an agent on the device paired with a gateway in front of the resource (a firewall or web gateway can play this role); it opens, monitors and terminates connections as the PA directs, and enforces rather than decides. All of these components act on the enterprise's Zero Trust policies.
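The three components in miniature, as an added example rather than code from NIST SP 800-207 or the article: a Python model in which the Policy Engine decides from a role table and device list, the Policy Administrator mints a per-session token bound to one subject and one resource (and can revoke it), and a Policy Enforcement Point in front of each resource checks the token on every request without making any policy decision itself. The role table, subjects, device list, token format (HMAC-SHA256 over `subject|resource|expiry|session-id`) and the 60-second session lifetime are assumptions for illustration.

```python
"""Policy Engine, Policy Administrator and Policy Enforcement Point, modelled.

Added example, not code from NIST SP 800-207 or the article. Policy table,
token format and session lifetime are assumptions for illustration.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample policy: hypothetical roles, subjects, devices and resources.
ROLE_GRANTS = {"hr": {"hr/payroll"}, "eng": {"eng/repo"}}
SUBJECTS = {"alice": "hr", "bob": "eng"}
MANAGED_DEVICES = {"laptop-0421", "laptop-0422"}
SESSION_TTL = 60  # seconds; assumed short so that access is re-decided often


class PolicyEngine:
    """Control plane: decides whether a subject may reach a resource.
    It is never on the data path and never sees the data itself."""

    def decide(self, subject: str, device: str, resource: str) -> bool:
        role = SUBJECTS.get(subject)
        return (role is not None
                and resource in ROLE_GRANTS.get(role, set())
                and device in MANAGED_DEVICES)


@dataclass
class PolicyAdministrator:
    """Control plane: turns a PE decision into a session by minting a token
    bound to one subject and one resource, and revokes sessions on demand."""
    engine: PolicyEngine
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    revoked: set = field(default_factory=set)

    def sign(self, payload: str) -> bytes:
        return hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest().encode()

    def open_session(self, subject: str, device: str, resource: str,
                     now: Optional[float] = None) -> Optional[str]:
        if not self.engine.decide(subject, device, resource):
            return None  # no decision in favour, so no session is created
        now = time.time() if now is None else now
        payload = f"{subject}|{resource}|{int(now) + SESSION_TTL}|{secrets.token_hex(8)}"
        return payload + "." + self.sign(payload).decode()

    def revoke(self, token: str) -> None:
        self.revoked.add(token.rsplit(".", 1)[0].split("|")[-1])


@dataclass
class PolicyEnforcementPoint:
    """Data plane: guards one resource. It validates the session the PA issued
    on every request and makes no policy decision of its own."""
    resource: str
    admin: PolicyAdministrator

    def handle(self, subject: str, token: Optional[str],
               now: Optional[float] = None) -> tuple:
        now = time.time() if now is None else now
        if not token or "." not in token:
            return False, "no session token"
        payload, sig = token.rsplit(".", 1)
        # Check integrity first so that nothing below acts on forged fields.
        if not hmac.compare_digest(sig.encode(), self.admin.sign(payload)):
            return False, "bad signature"
        tok_subject, tok_resource, exp, sid = payload.split("|")
        if tok_subject != subject:
            return False, "token not issued to this subject"
        if tok_resource != self.resource:
            return False, "token scoped to a different resource"
        if now >= int(exp):
            return False, "session expired"
        if sid in self.admin.revoked:
            return False, "session revoked"
        return True, "granted"


def demo() -> dict:
    """Legitimate use, replay against another resource or by another subject,
    a PE refusal, a tampered token, expiry and revocation."""
    pa = PolicyAdministrator(PolicyEngine())
    payroll = PolicyEnforcementPoint("hr/payroll", pa)
    repo = PolicyEnforcementPoint("eng/repo", pa)
    t0 = 1_700_000_000.0
    alice_tok = pa.open_session("alice", "laptop-0421", "hr/payroll", now=t0)
    bob_tok = pa.open_session("bob", "laptop-0422", "hr/payroll", now=t0)  # None: eng role
    flipped = "0" if alice_tok[-1] != "0" else "1"
    results = {
        "alice_payroll": payroll.handle("alice", alice_tok, now=t0 + 5),
        "alice_token_on_repo": repo.handle("alice", alice_tok, now=t0 + 5),
        "bob_replays_alice_token": payroll.handle("bob", alice_tok, now=t0 + 5),
        "bob_refused_by_pe": payroll.handle("bob", bob_tok, now=t0 + 5),
        "tampered": payroll.handle("alice", alice_tok[:-1] + flipped, now=t0 + 5),
        "expired": payroll.handle("alice", alice_tok, now=t0 + SESSION_TTL + 1),
    }
    pa.revoke(alice_tok)
    results["revoked"] = payroll.handle("alice", alice_tok, now=t0 + 5)
    return results


if __name__ == "__main__":
    for case, (granted, why) in demo().items():
        print(f"{case:24} {'ALLOW' if granted else 'DENY':5} {why}")
```

Two design points carry over to real deployments: the PEP verifies the signature before it reads any field, so a tampered subject or resource is rejected as "bad signature" rather than acted upon; and a token is scoped to one resource and one subject, so a session opened for `hr/payroll` cannot be replayed against `eng/repo` or by another user, which is the per-session access the publication calls for.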
Key Principles from NIST 800-207
The NIST publication also presents key principles that resonate with the core ideas of Zero Trust discussed earlier. The publication itself states seven tenets; the list below is the author's own grouping and folds in supporting practices (microsegmentation, for instance, is one of the deployment approaches the publication describes) alongside the tenets themselves, and other organizations may group them differently to suit their needs and focus.
Least Privilege Access:
Under this principle, access permissions should be limited and given only as necessary. For instance, the HR team should only be granted access to relevant HR documents, not engineering files.
Monitoring and Regular Audits:
Regularly reviewing, adjusting, and monitoring access permissions is crucial. These permissions should always align with the user's role and be strictly necessary for their job functions.
Continuous Authentication and Authorization:
This principle is about constant validation of user identity and access permissions, not just at login but throughout the entire session.
All Data Sources and Computing Services Are Considered Resources:
In a Zero Trust Architecture, all network-related assets, including applications, servers, and data sources, are considered resources that require protection.
Multi-factor Authentication (MFA):
MFA requires evidence from at least two different categories for authentication or for additional verification: something you know (like a password), something you have (like a hardware token or authenticator app), and something you are (like biometrics). Two pieces of evidence from the same category, such as a password and a security question, are not multi-factor.
Analytics for Visibility and Adaptability:
Complete visibility into all network and system activities is necessary for effective monitoring and adaptation. Tools like a Security Information and Event Management (SIEM) system can assist in gaining this visibility.
Microsegmentation:
This involves dividing a network into isolated sections to prevent a breach in one area from compromising the entire network.
End-to-End Encryption:
All communication should be encrypted and authenticated regardless of whether it crosses the "internal" network or the Internet, and sensitive data should be encrypted at rest as well, so that interception or theft yields only ciphertext.
In Conclusion
Zero Trust Architecture (ZTA) isn't a standard, a product, or a solution specifically designed for a certain type or size of organization. It's a strategic approach to cybersecurity that emphasizes verification and controlling access to company resources. It acknowledges that threats can originate both inside and outside the company network and offers a way to enhance business security, visibility, and control over its network.
Adopting ZTA doesn't have to be a sudden, drastic overhaul; it can be a phased, gradual process that can significantly enhance your organization's security posture.
Thank you for reading. I used this article for a YouTube video, so check it out if you prefer listening over reading: