Today, we can’t talk about security with customers without taking Zero Trust into consideration. Cyber security has changed drastically for many organisations with the ever-emerging security models and concepts. Developed in 2010 by John Kindervag, Zero Trust is a framework that requires every user to be authenticated, authorised, and continuously validated, while assuming that there is no traditional network edge.
As Clif Triplett from StealthPath defines it: ‘Zero Trust is an evolution of thinking, not a revolution. We need to have a defined set of capabilities in place to consistently assess where we are on our journey to achieve Zero Trust. We need to eliminate the premise of inherent trust; we must verify credentials with each session connection and achieve a more granular approach than the current perimeter-based security and defence-in-depth approaches are delivering. Zero Trust advances traditional cybersecurity solutions by introducing the concept of “trust-but-verify”; independently scrutinizing and verifying every user before granting access.’
The core idea of the model is to treat every device, user, and application as a potential threat to the enterprise. In current times of rampant ransomware attacks, that is exactly what is needed. Some studies even suggest that by 2023, 60% of enterprises will phase out most of their remote access virtual private networks (VPNs) in favour of Zero Trust Network Access.
What sets Zero Trust apart is its core principles. They can take various forms in different industries, but the idea remains intact – to provide security and an optimal user experience while enabling productivity.
3 Core principles of Zero Trust Policy
According to reports, 94% of enterprises are researching, implementing, or have completed a Zero Trust initiative. Shelley Hill (Global Black Belt for Zero Trust at Microsoft), in her webinar, has splendidly introduced the concept of Zero Trust and addressed the most common questions around the subject. In an intriguing conversation with her, we discussed the following core principles of Zero Trust:
- Verify Explicitly
The basic idea of the architecture is to remove implicit trust from the packets. Neither the internal nor the external network is trusted; access is verified each time a user requests it. Following the path of how data flows through your networks is a primary step towards marking the access points.
The architecture of Zero Trust redefines the meaning of access and makes us look at our policies with more scrutiny. For many, Zero Trust will be a huge jump from the traditional structures as we build stronger principles of security.
- Least Privilege
The idea behind implementing Zero Trust frameworks starts from the recognition that trusting the internal network is not sufficient for security. As a concept, it cannot be achieved with a single tool or technology, or in a few months. It requires you to evaluate the tenets of Zero Trust – authenticated users, the right devices, network segmentation, encryption, workloads, analytics, and automation – and to maintain limited access within each of them. Shelley stresses the importance of using the least privileges possible here: ‘Don’t use admin accounts for day-to-day tasks. The more privileges you have, the more your blast radius extends, if and when they (hackers) have access to your account.’
- Assume Breach
This principle of Zero Trust is to assume that the network is always hostile. Adopting Zero Trust can be a difficult task for organisations. It forces us to assume that a breach is going to happen or is already happening. Such a mindset requires introducing solutions like multi-factor authentication (MFA) at multiple levels. MFA can be annoying for users at times, but, ‘by enabling multi-factor authorisation, you reduce the risk of identity-based attack by 99%. Obviously, the attack can still take place, but it’s much less,’ believes Shelley. So, always assume that security breaches are around the corner and focus on securing the networks from that vantage point.
How to Achieve Zero Trust
Understanding what in the environment can be leveraged, and how, goes a long way towards Zero Trust. So, let’s decode the steps towards achieving it:
- Identify and Evaluate: Zero Trust is not limited to IT or security teams. It affects multiple cross-functional stakeholders throughout the enterprise. Thus, identifying the gaps where it can be leveraged and maximised is the first step. While the attack surface will always be expanding with the cloud, you should define the protect surface encompassing the critical data, applications, assets and services. Once you gain contextual insight into the interdependencies and map the transactional flows in the system, it’s time to implement.
- Implement and Protect: With the network flows and the areas to protect mapped, implement network controls and position them accurately. Put your resources into developing the Zero Trust architecture, establishing the roadmap and allocating budgets. Focus your investment on implementing a wide range of consistently enforced policies, processes and solutions on the known protect surface only.
- Detect and Build: The goal here is to remain dynamic, flexible and scalable. As an organisation, you should be able to constantly adjust to the evolving threat landscape. This can involve bringing in broader security approaches that shake up decade-old strategies. Zero Trust seeks constant evolution and building of policies, which is most effectively done using the ‘Kipling Method’: asking who, what, when, where, why, and how for every user, device, and network that wants to gain access.
- Monitor and Respond: This step certainly involves bringing the right teams and resources into your enterprise. Once the Zero Trust environment is established, it needs to be continuously fed and monitored. Benchmark the activities against performance metrics with analytics, as this can help identify elements that need attention. This also keeps you alert to potential issues and gives valuable insights. Once you are comfortable with the process, you can move other data, applications, assets or services from your legacy network to the Zero Trust network.
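The four steps above, and the three principles before them, come together in policy that is asked the six Kipling questions for every request. As an added example, not taken from the article, from Microsoft or from StealthPath, here is a small deny-by-default evaluator in Python: it verifies explicitly (per-session MFA and device posture), grants only the actions a rule lists (least privilege), and denies unless every question passes, returning the reasons so they can be logged for the monitor-and-respond step. The rule, identities, zone names and timestamps are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class Policy:  # one protect-surface rule expressed as the six Kipling questions
    who: frozenset    # identities allowed to ask
    what: frozenset   # resources in this protect surface
    how: frozenset    # actions granted: only what the role needs (least privilege)
    where: frozenset  # network zones a request may originate from
    when: tuple       # permitted window as (start_hour, end_hour) on a 24h clock
    why: frozenset    # accepted business justifications

@dataclass(frozen=True)
class Request:
    who: str
    what: str
    how: str
    where: str
    when: datetime
    why: str
    mfa_verified: bool      # per-session MFA result ("verify explicitly")
    device_compliant: bool  # device posture signal ("verify explicitly")

def evaluate(policy, req):
    # Deny by default: every question must pass. Returns (allowed, reasons).
    checks = [
        (req.who in policy.who, "who: identity not in policy"),
        (req.what in policy.what, "what: resource outside this protect surface"),
        (req.how in policy.how, "how: action exceeds least privilege"),
        (req.where in policy.where, "where: origin zone not permitted"),
        (policy.when[0] <= req.when.hour < policy.when[1], "when: outside window"),
        (req.why in policy.why, "why: justification not accepted"),
        (req.mfa_verified, "verify: MFA not satisfied for this session"),
        (req.device_compliant, "verify: device posture non-compliant"),
    ]
    reasons = [msg for ok, msg in checks if not ok]
    return (not reasons, reasons)

# Constructed sample rule: two analysts may read payroll from managed zones in office hours.
PAYROLL_READ = Policy(
    who=frozenset({"alice", "bob"}), what=frozenset({"payroll-db"}),
    how=frozenset({"read"}), where=frozenset({"corp-lan", "managed-vpn"}),
    when=(8, 18), why=frozenset({"ticket", "audit"}),
)

def sample_decisions():
    # Same identity and resource: only the verified, least-privilege request passes.
    base = dict(who="alice", what="payroll-db", where="corp-lan",
                when=datetime(2024, 1, 15, 10, 30), why="ticket")
    ok = Request(how="read", mfa_verified=True, device_compliant=True, **base)
    bad = Request(how="write", mfa_verified=True, device_compliant=False, **base)
    return evaluate(PAYROLL_READ, ok), evaluate(PAYROLL_READ, bad)
```

Each denial carries every failed question rather than stopping at the first, which is what the analytics in the monitor-and-respond step need to spot recurring gaps.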
Even with all this in place, we cannot look at Zero Trust as a quick leveller or an easy trick to execute. Zero Trust demands a cultural and mindset shift within organisations. Be cautious, too, of approaching it from a product-only perspective rather than looking at it in its entirety. Zero Trust adds the concept of resilience to the model of cybersecurity. While many organisations already have the elements of Zero Trust in place, it’s about time to implement them in the right way.