Source: www.csoonline.com – Author:
A zero trust architecture locks down data and contains damages from breaches by taking a ‘never trust, always verify’ approach.
What is zero trust?
Zero trust is a cybersecurity model or strategy in which no person or computing entity is considered inherently trustworthy, regardless of whether they are inside or outside the organization’s network. It’s distinct from a more traditional way of thinking about computer networks, which held that everything inside some defined boundary — everyone on a corporate network, say, or everything on the right side of a firewall — was allowed access to data or resources. In organizations where zero trust reigns, users must be authenticated and authorized whether they’re inside corporate HQ or logging on from a Starbucks public Wi-Fi network.
In zero trust, the principle of least privilege prevails: Systems and data are locked down by default, and access is granted only to the extent necessary to meet defined goals. While traditional security might be summed up by Ronald Reagan’s motto “trust, but verify,” the rallying cry of the zero trust infosec warrior is “never trust, always verify.”
The term zero trust was introduced into the cybersecurity world by Forrester analyst John Kindervag in 2010, though he was building on existing ideas. The idea took the better part of a decade to go mainstream, but more and more organizations have been getting on board with zero trust over the course of the 2020s. “Zero trust architecture is becoming more popular as organizations face increasingly sophisticated cyberthreats,” says Kevin Kirkwood, CISO at Exabeam. “The general concept for the model is to find ways to limit the blast radius of damage that could be caused by a bad actor, as well as slowing down that bad actor across the known network of systems.”
How zero trust works
To visualize how zero trust works, consider a simple case: a user accessing a shared web application. Under traditional security rules, if a user was on a corporate network, either because they were in the office or connected via a VPN, they could simply click the application and access it; because they were inside the security perimeter, they were assumed to be trustworthy.
Zero trust takes a different approach. In a zero trust environment, the user must authenticate to use the application, and the application must make sure the user’s credentials match with someone who has the right access privileges. This ensures that someone who has managed to slip onto the corporate network can’t access restricted data or functionality. Moreover, the lack of trust goes both ways: The user should be able to authenticate the application as well, with a signed digital certificate or similar mechanism. This ensures the user doesn’t accidentally encounter or activate malware.
Given the number of interactions with systems and data a typical user encounters in a day, the scope of what zero trust must cover is considerable. “All requests for access [must] meet the standards of the zero trust architecture,” says Jason Miller, founder and CEO of BitLyft, a leading managed security services provider. “Common attributes for verification include geographic location, user identity, and type of device. As you might guess, this requires continuous monitoring. This is the only way to validate a specific user and their device.”
How to build a zero trust architecture
“The core architecture of a zero trust model — using a building as a foundation for the description of the architecture — is defined by your willingness to control the access of folks at the front door, and then by ensuring that they are authorized to enter any room in the house,” says Exabeam’s Kirkwood. “By requiring continuous authentication and strict access controls, zero trust ensures that all users and entities are verified before accessing critical resources, making it harder for attackers to penetrate deep enough into the network to cause major damage.”
One important thing to keep in mind about zero trust architecture: You can’t just go out and buy it. “There are no ‘zero trust products,’” says Darren Williams, founder and CEO of exfiltration and ransomware prevention firm BlackFog. “Zero trust architecture is an approach to managing your existing network infrastructure. It is not a rip-and-replace solution for improving cybersecurity.”
Instead, you can implement a zero trust architecture by adapting your existing architecture or rolling out new systems. What matters is that you adhere to the core zero trust principles:
- Least privilege: Users should have only the access they need to do their jobs and no more. This minimizes the exposure of sensitive data or applications.
- Multifactor authentication: The zero trust philosophy extends to user logins: Someone might have the right username and password, but what if those credentials have been compromised? Multifactor authentication, which requires a credential beyond the password, is a good way to make sure someone is who they say they are.
- Microsegmentation: Instead of thinking of a corporate network as a big safe playground, you should be dividing it into a number of smaller zones, each of which requires authentication to enter. This can prevent an attacker from moving laterally if they do gain a foothold on the network, limiting the “blast radius” of a successful cyberattack and restricting them to a microsegment where they can be quarantined.
- Continuous monitoring, verification, and context collection: To make these principles possible, your infrastructure must constantly monitor network activity, verify users (both human and automated), and collect information from the entire IT stack to spot anomalies.
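The per-request decision described under “How zero trust works” and the principles listed above can be made concrete with a small policy decision point. The following is an added example, not code from CSO or from any vendor quoted in the article; the role-to-resource table, device inventory, allowed countries and re-verification interval are all constructed for illustration. It denies by default and grants access only when identity, multifactor status, device health, location and the least-privilege role mapping all check out, reporting every failed check so the denial can feed continuous monitoring.

```python
"""Added example (not CSO's or any vendor's code): a deny-by-default policy
decision point that evaluates each access request on the signals the article
names: user identity, MFA, device type and health, geographic location, and a
least-privilege mapping of roles to resources. All names and data are constructed."""
from dataclasses import dataclass, field

# Constructed least-privilege policy: each role lists the only resources it may use.
ROLE_PERMISSIONS = {
    "finance": {"payroll-app", "expense-api"},
    "engineering": {"source-repo", "ci-dashboard"},
}

# Constructed device inventory: only managed, patched devices are considered healthy.
MANAGED_DEVICES = {
    "laptop-0042": {"managed": True, "patched": True},
    "laptop-0077": {"managed": True, "patched": False},
}

# Constructed set of countries from which this tenant expects logins.
ALLOWED_COUNTRIES = {"US", "CA"}

# Constructed re-verification interval: "always verify" means sessions do not live forever.
MAX_SESSION_AGE_MIN = 60


@dataclass
class AccessRequest:
    user: str
    role: str
    resource: str
    mfa_verified: bool
    device_id: str
    country: str
    session_age_min: int  # minutes since the last successful verification


@dataclass
class Decision:
    allow: bool
    reasons: list = field(default_factory=list)


def evaluate(req: AccessRequest) -> Decision:
    """Deny by default: every check must pass before access is granted.
    All failing checks are collected so the denial can be logged and investigated."""
    reasons = []
    if not req.mfa_verified:
        reasons.append("mfa_required")
    device = MANAGED_DEVICES.get(req.device_id)
    if device is None or not device["managed"]:
        reasons.append("unmanaged_device")
    elif not device["patched"]:
        reasons.append("device_not_compliant")
    if req.country not in ALLOWED_COUNTRIES:
        reasons.append("unexpected_location")
    if req.session_age_min > MAX_SESSION_AGE_MIN:
        reasons.append("reverification_required")
    # Least privilege: the role must explicitly list the resource. Being "on the
    # network" confers nothing, and an unknown role gets nothing.
    if req.resource not in ROLE_PERMISSIONS.get(req.role, set()):
        reasons.append("not_authorized_for_resource")
    return Decision(allow=not reasons, reasons=reasons)


def audit_line(req: AccessRequest, dec: Decision) -> str:
    """Structured log line for the continuous-monitoring pipeline."""
    outcome = "ALLOW" if dec.allow else "DENY"
    reasons = ",".join(dec.reasons) or "-"
    return (f"{outcome} user={req.user} role={req.role} resource={req.resource} "
            f"device={req.device_id} country={req.country} reasons={reasons}")


if __name__ == "__main__":
    # Constructed sample requests: one clean, one out-of-role, one failing several checks.
    samples = [
        AccessRequest("alice", "finance", "payroll-app", True, "laptop-0042", "US", 5),
        AccessRequest("alice", "finance", "source-repo", True, "laptop-0042", "US", 5),
        AccessRequest("bob", "engineering", "source-repo", False, "laptop-0077", "BR", 240),
    ]
    for r in samples:
        print(audit_line(r, evaluate(r)))
```

The point of collecting every failed reason rather than returning on the first one is operational: a single “deny” tells the help desk nothing, whereas “mfa_required,device_not_compliant” tells both the user and the SOC what to fix and what to investigate. In a real deployment the constructed tables would be replaced by lookups against the identity provider, the device-management inventory and a risk engine, but the deny-by-default shape of `evaluate` stays the same.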
Implementing these principles in practice is no easy task, and requires an array of tools, including:
- Comprehensive identity management
- Application-level access control
- User and entity behavior analytics
- Network detection and response (NDR) tools
- Endpoint detection and response (EDR) solutions
Ashish Shah, co-founder at Andromeda Security, adds that artificial intelligence tools are helping more organizations move toward zero trust, which in turn is boosting the model’s popularity. With AI, you can “automate high-risk requests with intelligence to improve access without slowing down operations,” he says.
In 2021, the US Federal Government issued NIST SP 800-207, a document laying out one version of a zero trust architecture. This is the framework used by US government agencies, and you can use it as a resource for your own organization as well. You might also want to check out CSO’s “5 practical recommendations for implementing zero trust.”
Zero trust and VPNs
One venerable security technology that isn’t on the list of potential zero trust elements: virtual private networks, or VPNs. In a pre-zero trust world, a VPN offered a secure connection between a corporate network and a computer outside that network, allowing access to internal resources. From the corporate network’s perspective, a computer connected by a VPN is inside the network.
But because zero trust moves beyond being “inside” or “outside” a secure network, it replaces VPNs with an array of granular tools for authenticating and authorizing users, and for assessing the potential threat posture of user devices based on a wide array of signals, of which the user’s network location is just one.
Zero trust benefits and drawbacks
Hopefully many of the benefits of the zero trust model are clear at this point. It represents a heightened security posture adapted to a world where “inside” and “outside” are meaningless from a network security perspective. Between distributed workforces and an increasing reliance on cloud computing and SaaS applications, it makes more sense to assume a legitimate — or illegitimate — connection could come from anywhere and assess risks accordingly. The zero trust mindset also assumes that a breach is a matter of when, not if — and by mandating segmented networks, zero trust prepares you to minimize the effects of those breaches.
Zero trust also lays a solid foundation for security expectations in the modern age. “Zero trust isn’t just another buzzword,” says Bryan Hornung, CEO of Xact IT. “It’s one of the quickest ways for companies to tick those compliance boxes. More and more IT leaders are realizing that if you set up zero trust correctly, dealing with all regulations will be easier. It’s becoming a no-brainer for modern security.”
But, he adds, there are drawbacks, too: “It’s not all smooth sailing. Companies need to brace themselves for a ton of alerts and tighter controls on computers and devices. That means you’ll need more IT resources to help employees or improve processes with automation.”
Exabeam’s Kirkwood concurs. “It can reach a point where it may slow down the business too much and trade-offs will have to occur to ensure the flexibility and viability of business operations while ensuring the integrity goals of systems are met,” he says. “It should be the goal of every company or sector to determine what the risk tolerance is and define zero trust that will fit into the tolerance level. You can define a system that is as safe as Fort Knox, but you might also build something so inflexible that you can’t get the gold (or your data) out.”
You should also keep in mind that zero trust isn’t a security panacea. CSO breaks down “5 areas where zero trust can’t protect your organization.”
Zero trust best practices
Thinking about transitioning to a zero trust model for your organization’s IT security? David Redekop, founder and CEO of ADAMnetworks, suggests the following best practices to guide you as you plan your rollout:
- “Know what you are trying to protect and start with the crown jewels. Build policies that align with what those particular systems require.”
- “Take a methodical approach with your policy engine and ramp up slowly.”
- “Utilize test devices and users to ensure a policy won’t disrupt the business prior to moving whole business units into a new policy.”
“Moving to a zero trust architecture organization takes time and patience,” he says. But he believes the move is worth it: it will “take you from a reactive security posture to a proactive security posture.” Good luck on your journey!
Original Post url: https://www.csoonline.com/article/564201/what-is-zero-trust-a-model-for-more-effective-security.html
Category & Tags: Access Control, Identity and Access Management, Network Security, Security, Zero Trust