The mantra is trust nothing, verify everything. It’s a relatively new way of thinking about cybersecurity, but Zero Trust is leaving some organizations confused or unsure of where to start.
The Zero Trust security model is ideal for the remote and dispersed work environment, as well as the digital transformation organizations of all sizes, are undergoing right now. A Zero Trust model is a way to provide access to devices, networks, files, applications, and resources in a way that’s secure but also reduces user friction.
It can sound intimidating and complex at first, especially to a non-cybersecurity-proficient audience, but there’s a reason this approach is what the federal government is calling for. Zero Trust is going to move from being something that’s talked about in theory to a framework that’s in practice across the board in the near future.
With that in mind, the following is a breakdown of what Zero Trust is and what it isn’t, put in simple terms.
Zero Trust isn’t a type of technology or one particular security platform. Instead, the term is a cybersecurity model or framework. The underlying philosophy is straightforward—by default until proven otherwise, nothing is trusted.
There’s a default deny posture that underlies the philosophy of Zero Trust for everyone and everything.
The old way of thinking in terms of access control was based on a sense of implied trust. That implied trust might have come from IP address or network location, for example.
That was okay in an environment where everything is done on-premises.
It doesn’t work as well in the world we’re in now.
The philosophy of the old way of doing things was that once someone or something is inside the network, they are trusted, and outside means they’re untrusted. If a bad actor were to gain a connection, they were still trusted, giving them free rein to move around the network.
In the traditional model, the use of elements like firewalls and VPNs created a perimeter around the network. Relying on a perimeter approach now, given how many people work remotely and the number of assets is in the cloud, is not only ineffective and dangerous, but it’s also inefficient.
Along with generally being more in line with the current work environment that’s largely remote and cloud-based, a Zero Trust model has other relevance.
First, it provides a high level of protection against the attacks that most commonly affect businesses, including asset and identity theft.
A company or organization using Zero Trust frameworks can protect data, lower the breach risk and detection time and gain the advantage of more visibility into network traffic. It also increases the level of control in a cloud environment, where this can otherwise be a significant challenge.
When an organization moves away from traditional perimeter-based security and toward Zero Trust, it allows for continuous verification that can also help stop attacks like phishing emails that target employees and stolen application database credentials.
The Principles of Zero Trust
The elemental principles of Zero Trust that are most important to the framework include:
- Ongoing monitoring and validation: Since the philosophy is based on the idea that there are attackers within and outside a network, user identity has to be verified, as do device identities. Logins and connections should periodically time out after they’re established so that every user and device is constantly being re-verified.
- Least privilege: The concept of least privilege is extremely important to Zero Trust. Least-privilege access means that each of your users has only the bare minimum of access they need. It’s like being on a need-to-know basis but with access capabilities. You want to limit potential exposure, particularly to sensitive data or areas of the network, as much as possible. Using a VPN isn’t often a good approach for a least-privilege philosophy because logging into that VPN then gives a user access to the connected network in its entirety.
- Device access: User access is tightly controlled, as is device access. A Zero Trust system needs to be monitored at all times, including the devices that are trying to access the network. Every device needs to be authorized, and there should be assessments carried on continuously to make sure no device is compromised.
- Prevention of lateral movement: When an attacker gains access to a network, in the perimeter security model, they can move laterally. It’s tough to detect so-called lateral movement even if you detect the entry point because the attacker by that time can have compromised every area. Zero Trust contains lateral movement through segmentation of access. Once a threat or breach is detected, the device or account that’s compromised can fairly easily be cut off from any more access.
- Multi-factor authentication: MFA means that all of your users need more than one thing for authentication. A password isn’t enough for entry.
Finally, there are some acronyms you might see used in conversations about Zero Trust.
These can include:
- ZTA: This stands for Zero Trust Access. The term refers to knowing and controlling who and what is on your network at any given time. Role-based access control is critical. A least-access policy is used to cover endpoints.
- ZTNA: Zero Trust Network Access is a method to control application access no matter where the application or user is. Applications are hidden from the internet, reducing the potential attack surface.
- ZTE: The acronym is one described by Forrester, and it brings together networking and security, but it’s not cloud-limited.
The network edge is changing, growing, and becoming increasingly dispersed at a rapid pace. Organizations, as a result of the changing edge, are exposed to more threats, which are often increasingly advanced. Edge environments include the Internet of Things, remote workspaces, multi-cloud, WAN, and data center environments.
Zero Trust is proving to be a framework that works for hybrid IT architectures and meets the growing cybersecurity demands of organizations in the present world.
The big takeaway is that Zero Trust is a mindset and an approach—not a product.