Today's security landscape lags behind in responding to threats that originate inside a trusted network. Hackers have tools at their disposal to sneak inside these walled gardens and compromise the network from within.
How do we learn a better approach to securing our information? Part of bridging this gap is a new concept called zero trust networking. It is a high-level viewpoint of security, but what does it actually mean? Read on for an overview of what it is and what it isn't.
What Is Zero Trust Networking?
Zero trust networking is a set of guiding principles that represents a shift away from broad network perimeters toward protecting individual resources or small groups of them. In zero trust, no implicit trust is granted to a system or user based on its physical or network location. The core of the idea is "never trust, always verify."
The US National Institute of Standards and Technology (NIST) currently has a draft standard for zero trust architecture. It lays out several principles that will help companies and cyber-security firms put a zero trust network in place. Let's break these principles down.
Hyper-Converged Secure Access
Hyper-Converged Secure Access (HCSA) promises to add simplicity and flexibility to your business. With HCSA, access to your zero trust network is managed by a single system. This single system breaks trust down into five categories.
1. User Trust
Zero trust models are built around strong identity and access management (IAM).
Establishing a user's identity before letting them into your network is central to this trust model. It is therefore essential to use measures such as multi-factor authentication (MFA), single sign-on (SSO), and other IAM elements to confirm that every user has a high-assurance session: that they are using a valid machine and are accessing the types of resources appropriate for their role.
The Principle of Least Privilege (PoLP) states that a user requesting access to a resource should be assigned only the minimum rights necessary. Those rights should remain in effect for the shortest time needed and be relinquished when the task is finished. PoLP works hand in hand with IAM to keep your network safe and secure.
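The time-boxed, minimal grant that PoLP describes can be modelled as a small access broker. The following is an added example written for this article, not code from the original page or from any product; the class names, the permission strings such as "db:read", the 30-minute cap and the clock values are all constructed for illustration.

```python
"""Just-in-time, time-boxed access grants illustrating the Principle of
Least Privilege: request the minimum right, hold it only as long as needed,
verify it on every use, and relinquish it when done.
Added example; names, permission strings and timings are hypothetical."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Grant:
    user: str
    permission: str        # e.g. "db:read" (constructed scheme, not a real product's)
    expires_at: datetime   # the right lives only for the time it was needed
    revoked: bool = False

    def is_active(self, now: datetime) -> bool:
        return not self.revoked and now < self.expires_at


class AccessBroker:
    """Hands out minimal, short-lived grants and re-checks them on every access."""

    def __init__(self, max_ttl: timedelta = timedelta(minutes=30)):
        self.max_ttl = max_ttl   # assumed policy ceiling on any single grant
        self.grants: list[Grant] = []

    def request(self, user: str, permission: str, ttl: timedelta, now: datetime) -> Grant:
        # A request for longer than policy allows is trimmed to the ceiling,
        # so the caller always receives the least lifetime that policy permits.
        ttl = min(ttl, self.max_ttl)
        grant = Grant(user, permission, now + ttl)
        self.grants.append(grant)
        return grant

    def release(self, grant: Grant) -> None:
        # The caller relinquishes the right as soon as the task is finished.
        grant.revoked = True

    def is_allowed(self, user: str, permission: str, now: datetime) -> bool:
        # "Always verify": exact permission match and still inside the time window.
        return any(
            g.user == user and g.permission == permission and g.is_active(now)
            for g in self.grants
        )


def demo() -> dict:
    """Constructed walk-through: one user asks for 8 hours of read access."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)   # constructed clock
    broker = AccessBroker()
    grant = broker.request("alice", "db:read", timedelta(hours=8), now=t0)
    results = {
        "capped_ttl_minutes": int((grant.expires_at - t0).total_seconds() // 60),
        "read_allowed_now": broker.is_allowed("alice", "db:read", t0),
        # a broader right was never granted, so it is never implied
        "write_allowed_now": broker.is_allowed("alice", "db:write", t0),
        "read_allowed_after_expiry": broker.is_allowed(
            "alice", "db:read", t0 + timedelta(minutes=31)),
    }
    broker.release(grant)
    results["read_allowed_after_release"] = broker.is_allowed("alice", "db:read", t0)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two design points are worth noting: the broker trims an over-long request rather than refusing it, so callers are nudged toward the least lifetime, and every check goes back to the broker rather than caching a yes/no, which is what lets a released or expired grant stop working immediately.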
2. Device Trust
As the Bring Your Own Device (BYOD) phenomenon has become a fact of life for companies in general, you cannot simply assume that unmanaged devices are 'bad' or untrusted. Instead, companies need to assess the context and posture of the device itself. Assessing the posture of a user's device at any given point in time is a core element of zero trust networking. This can include device compliance checks such as the patch level of the operating system or verifying that the device is running an approved anti-virus product.
3. Applications and Data Trust
Both applications and data need to be vetted just as much as users are. Applications need to be verified for both their purpose and their integrity in fulfilling that purpose, while data needs end-to-end encryption and verification. PoLP applies to applications and data as well as to users, keeping each application's access to data and resources to the absolute minimum.
4. Infrastructure Trust and zero trust networking
In a zero trust architecture, all users and data traffic are treated as though they are coming from an unsecured network. This means that all traffic entering or leaving your network needs to be encrypted, and each packet of encrypted data needs to be verified for integrity once it reaches its intended destination.
5. Session Trust
A robust zero trust networking strategy takes into account the full context of the session to determine trust. The identity of the user, the state of their device, the applications they are using, and the sensitivity of the data they are trying to access are all applied to the policies that tell us when to allow, block, or restrict access, or when to require additional authentication.
In this way, both a bad actor attempting to access the network using stolen credentials on an unknown device and a known user on a healthy device will be denied access to information they do not have permission to view.
While you should be eager to put a zero trust model in place for your enterprise security, there are things to keep in mind before you start and as you implement it. You need to make sure that you have the strategy that fits your organisation. Remember, zero trust is data-centric: you need to know where that data is, who needs to access it, and what you can use to secure it.
If you have thought through and set up the above five points correctly, you will have constructed a far stronger secure-access moat around your applications and key resources.
Forrester Research recommends dividing data into three categories, Public, Internal, and Confidential, each with its own trust requirements.
Start Small
This sounds basic, but if you try to put zero trust in place throughout your whole infrastructure at once, you will likely be overwhelmed by the breadth of the changes and the work required. If you roll it out in chunks, the process will get easier as you gain experience. Put together strong policies for user authentication and device authentication. The foundation of zero trust is that no one and no device can be trusted by default. Each person and each device needs to be constantly and thoroughly verified as having the right to access a resource.
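The session trust passage above describes a policy that weighs user identity, device posture, application integrity and data sensitivity together, and the Forrester categories give that policy its data tiers. The block below is an added example written for this article, not code from the original page or from any vendor's policy engine; the signal names on the session object, the 30-day patch threshold and the ordering of the rules are assumptions chosen to show the allow / block / restrict / step-up outcomes the text lists, including the stolen-credentials and wrong-role cases.

```python
"""Session-level zero trust policy decision combining the five trust signals
with the Public / Internal / Confidential data categories.
Added example; signal names, thresholds and rule order are assumptions."""
from dataclasses import dataclass
from enum import Enum


class Sensitivity(Enum):
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "require additional authentication"
    RESTRICT = "restrict"      # e.g. read-only view, no download
    BLOCK = "block"


@dataclass(frozen=True)
class Session:
    user_known: bool           # identity resolved by IAM (user trust)
    mfa_verified: bool         # MFA completed for this session (user trust)
    device_known: bool         # device enrolled or previously seen (device trust)
    os_patch_age_days: int     # posture: days since last OS patch (device trust)
    av_approved: bool          # posture: approved anti-virus present (device trust)
    app_verified: bool         # application passed integrity check (application trust)
    role_permits: bool         # role is authorised for this resource (PoLP)


MAX_PATCH_AGE_DAYS = 30        # assumed compliance threshold


def device_compliant(s: Session) -> bool:
    return s.os_patch_age_days <= MAX_PATCH_AGE_DAYS and s.av_approved


def decide(s: Session, data: Sensitivity) -> Decision:
    # 1. Never trust by default: unresolved identity or unverified app is blocked.
    if not s.user_known or not s.app_verified:
        return Decision.BLOCK
    # 2. Least privilege: a healthy, known user still gets nothing the role does not permit.
    if not s.role_permits:
        return Decision.BLOCK
    # 3. Public data: a resolved identity is sufficient.
    if data is Sensitivity.PUBLIC:
        return Decision.ALLOW
    # 4. Internal and Confidential data require MFA; without it, ask for step-up.
    if not s.mfa_verified:
        return Decision.STEP_UP
    # 5. Confidential data is never served to an unknown device, credentials or not.
    if data is Sensitivity.CONFIDENTIAL and not s.device_known:
        return Decision.BLOCK
    # 6. Known but non-compliant device: restrict the session rather than block it.
    if not device_compliant(s):
        return Decision.RESTRICT
    return Decision.ALLOW


def evaluate_scenarios() -> dict:
    """Constructed sessions showing how one policy treats different contexts."""
    base = dict(user_known=True, mfa_verified=True, device_known=True,
                os_patch_age_days=5, av_approved=True, app_verified=True,
                role_permits=True)
    # stolen credentials (even with MFA passed) on a device never seen before
    unknown_device = Session(**{**base, "device_known": False, "av_approved": False})
    stale_device = Session(**{**base, "os_patch_age_days": 45})
    no_mfa = Session(**{**base, "mfa_verified": False})
    wrong_role = Session(**{**base, "role_permits": False})
    return {
        "healthy_internal": decide(Session(**base), Sensitivity.INTERNAL),
        "stolen_creds_unknown_device_confidential": decide(unknown_device, Sensitivity.CONFIDENTIAL),
        "known_user_wrong_role": decide(wrong_role, Sensitivity.INTERNAL),
        "stale_device_internal": decide(stale_device, Sensitivity.INTERNAL),
        "no_mfa_public": decide(no_mfa, Sensitivity.PUBLIC),
        "no_mfa_confidential": decide(no_mfa, Sensitivity.CONFIDENTIAL),
    }


if __name__ == "__main__":
    for name, outcome in evaluate_scenarios().items():
        print(f"{name}: {outcome.value}")
```

The rule order matters: identity and application integrity are checked before anything else, the role check enforces least privilege regardless of how healthy the session looks, and only then does data sensitivity decide how much device posture and step-up authentication are demanded. Starting with the Public tier and adding rules for the higher tiers one at a time is the "roll it out in chunks" approach in miniature.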
Treat opportunities to redesign your work processes as opportunities to transform your security and put a zero trust model in place. The system will be more robust if you design workflows together with your security measures. This also applies when creating brand new workflows.
As Covid-19 has changed the workplace, the need for zero trust networking has grown. More people are working from home as offices close down. The time is right to change how we think about cybersecurity and how we practise it.
If you enjoyed this content, please take a look at our website for more zero trust content.