Every great relationship thrives on trust. So, what is all the talk about companies needing to have their IT networks moved to a "Zero Trust" model?
Just like I needed to learn about blockchain and cryptocurrency a few years back, I needed to get educated on the specifics of what Zero Trust truly means. I hope this helps you do the same.
It is strange that while we are watching networks more closely than ever before and investing more in cybersecurity, it has become even harder for us to stay ahead of who is on our networks and from where. Proper segmentation, Artificial Intelligence (AI) and automated tools, and a proper strategy are needed now more than ever.
So, what is Zero Trust?
Zero Trust architecture is not a technology; it is an architectural model. The Zero Trust cybersecurity model requires that all users, devices, and applications connected to your network be continuously authenticated, authorized, and monitored, and that their configurations be verified as appropriate, before they are granted access to networks and data, regardless of whether they are on-site or remote.
In traditional on-premises network architectures, users and devices connecting to networks were considered "trusted" because you could limit their activity using hardwired connections and firewalls. However, with the rise of wireless networks, the concept of trust eroded. Zero Trust is a way that companies can reduce risk by continuously requiring authentication and authorization.
What are the basic principles of Zero Trust?
The Zero Trust network access model was created by John Kindervag in the 2010s while he was at Forrester Research. The model was initially focused on:
- Segmenting and securing networks across locations and hosting models (private cloud, on premises, public cloud)
- Preaching the Zero Trust gospel that risk is an inherent factor both inside and outside the network – to challenge and eliminate the trust assumptions we have made over the last decades
Kindervag has continued to advocate for the Zero Trust model in roles outside of Forrester, and since 2018 Chase Cunningham has taken over the Zero Trust architecture research and the Zero Trust Extended Wave reports that Forrester publishes.
The model evolved significantly from then on and is now a usable framework that gives IT and security a chance to implement a Zero Trust model in a pragmatic way.
Zero Trust means just that. Do not trust it unless you can verify it. According to the National Institute of Standards and Technology Special Publication (NIST SP) 800-207, the basic principles of a Zero Trust enterprise cybersecurity architecture include:
- Assume you will be breached
- Assume an enterprise-owned environment is no different from, or more trustworthy than, a non-enterprise-owned environment
- Continuously analyze and evaluate risk
- Continuously enact risk mitigation protections
- Minimize user and asset access to resources
- Continually authenticate and authorize identity and security for each access request
What are the different approaches to Zero Trust Architecture?
As with everything in cybersecurity, no "one size fits all" approach to Zero Trust exists. Many companies choose to take a "mix and match" approach across the areas of importance. This is where seasoned experts can help you design your model just like you would employ an architect to build a building for you.
What is the difference between Zero Trust Access (ZTA) and Zero Trust Network Architecture (ZTNA)?
When discussing Zero Trust, people often toss around the terms ZTA and ZTNA. The two both enable Zero Trust but do it differently.
Zero Trust Access
ZTA relies on your Identity and Access Management (IAM) policies, often requiring Multi-Factor Authentication (MFA) to verify that users are who they say they are. Additionally, ZTA usually includes maintaining a continuous inventory of the devices and users connecting to the network while continuously scanning for new access.
Zero Trust Network Architecture
While ZTA focuses on who and what connects to a network, ZTNA focuses on who and what can connect to applications located on the network. ZTNA places the applications behind a gate called a "proxy point," creating a secure, encrypted tunnel that data travels across. This makes it easier to secure remote users and entities without having to use a VPN.
How do you implement a Zero Trust model strategy?
Identify Your Data
Knowing what your sensitive data is and where it lives is the key to protecting your environment and establishing a Zero Trust architecture strategy.
Identifying traffic flows between applications, which is how you spot the attack surface, is one of the most important and most daunting tasks in creating your Zero Trust security model. Not only is it hard to capture the traffic, but your network also changes, and those changes need to be reflected in the model in real time. Identifying applications and application dependencies is key before moving to the next stage.
Once you can see the traffic, it becomes easier to create a Zero Trust architecture policy with a default-deny base rule. It gets much easier not only to define and spot the perimeters of specific applications, but also to see the traffic for privileged access at the application boundaries. The proper tools, correctly deployed, will help you automatically generate the optimal policy for the application and identify flows that are not compliant. Testing the policy is part of the workflow and gives you a way to validate it without going into full enforcement. This results in less risk and keeps the failure rate to a minimum.
Enforcing a Zero Trust policy used to be very risky: every policy and tool change could result in network outages and availability problems for applications. With test and safety modes, these risks go away, and you can reach enforcement faster and without breaking applications. You should also be able to track alerts for policy violations in real time and enhance your alerting to give you full visibility throughout the application lifecycle.
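As an added illustration (not code from the article or from River Run), here is the policy decision logic described above in Python: every request is evaluated on its own against identity with MFA, the device inventory, and a default-deny rule set built from observed application flows, with a test mode that records violations as alerts instead of blocking and an enforce mode that blocks. All users, devices, applications and rules are constructed sample data.

```python
from dataclasses import dataclass, field

@dataclass
class Request:
    """One access request; every request is evaluated on its own (no session trust)."""
    user: str
    mfa: bool      # was the identity verified with MFA for this request?
    device: str    # device identifier looked up in the inventory
    app: str       # application behind the proxy point
    action: str    # e.g. "read" or "write"

@dataclass
class PolicyEngine:
    """Default-deny policy decision point with a test mode and an enforce mode."""
    mode: str = "test"                                   # "test" alerts only; "enforce" blocks
    allow: set = field(default_factory=set)              # (group, app, action) rules from observed flows
    groups: dict = field(default_factory=dict)           # user -> group
    devices: dict = field(default_factory=dict)          # device -> posture facts from the inventory
    alerts: list = field(default_factory=list)           # policy violations for real-time alerting

    def decide(self, r: Request) -> str:
        reasons = []
        if not r.mfa:
            reasons.append("no MFA")
        posture = self.devices.get(r.device)
        if posture is None:
            reasons.append("device not in inventory")
        elif not (posture["managed"] and posture["patched"]):
            reasons.append("device posture failed")
        group = self.groups.get(r.user, "unassigned")
        if (group, r.app, r.action) not in self.allow:
            reasons.append("no allow rule (default deny)")
        if not reasons:
            return "allow"
        self.alerts.append(f"{r.user}@{r.device} -> {r.app}:{r.action}: " + ", ".join(reasons))
        # Test mode lets the flow through but records the violation so the
        # policy can be tuned before switching to enforcement.
        return "deny" if self.mode == "enforce" else "allow-with-alert"

def build_engine(mode: str) -> PolicyEngine:
    """Constructed sample: rules derived from the flows observed for a payroll app."""
    eng = PolicyEngine(mode=mode)
    eng.groups = {"alice": "finance", "bob": "engineering"}
    eng.devices = {"lap-01": {"managed": True, "patched": True},
                   "lap-02": {"managed": True, "patched": False}}
    eng.allow = {("finance", "payroll", "read"), ("finance", "payroll", "write")}
    return eng
```

Run the same requests through `build_engine("test")` first and review `alerts`; once the list is clean, switch to `build_engine("enforce")` and the same violations become denials.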
Monitor & Maintain
Keeping up your enterprise security and maintaining your implementation requires constant work and effort. Remember that Zero Trust architecture is not a technology but a framework and process. With what you learn, you can implement a Zero Trust model for each new application in your enterprise and find the optimal workflow over time while maintaining a never trust, always verify approach.
Only through orchestration and automation will you be able to maintain a stable, predictable, and reliable network security model.
Our CIO Services and R-Security teams give River Run clients a clear advantage via expert development of the proper Zero Trust environment and model for their industry specific compliance and individual business needs.
We develop a proper workflow that reduces complexity, decreases the risk associated with changes, and gets you to a Zero Trust architecture model much faster – all while we keep you up and running and as productive as possible. And that you can trust.