What is the Underlying Theory Behind the Zero Trust Security Model?

The Concept of Zero Trust

In the past, companies focused security policies on controlling network perimeters, assuming that everything inside the network was safe. But as corporate data footprints have expanded far beyond physical networks, reaching into the cloud and spanning the globe to capitalize on worldwide talent and resource pools, the Zero Trust security model has evolved to replace an entry-focused approach to network security with an identity-focused one. Zero Trust security means that no one is trusted implicitly, whether inside or outside the network, and verification is required from everyone trying to gain access to resources on the network, at every stage of a digital interaction. The main idea behind the Zero Trust architecture is “never trust, always verify.” This means that users, devices, and applications that were previously verified, or that are in physical proximity to the corporate resources being accessed, should not be implicitly trusted.

Even the President is Talking About Zero Trust

In response to increasingly sophisticated cyber threats, President Biden issued Executive Order (EO) 14028 on Improving the Nation’s Cybersecurity. The order requires US Federal Government organizations to adhere to mandated standards and redefine their overall approach to security by implementing a Zero Trust security model. 

As Zero Trust becomes a trend that is gaining federal advocacy and widespread popularity, John Kindervag, founder of the Zero Trust model and a Forrester research analyst, observes that many people are confused about what Zero Trust means.

Packets are not People: Don’t Trust Them

Kindervag explains, “The point of Zero Trust is not to make networks, clouds or endpoints more trusted; it’s to eliminate the concept of trust from digital systems altogether.”

People like to trust and be trusted. Somehow, along the digital journey the world has embarked on, people have come to regard trust as a positive attribute of a digital network. They theorize that a strong network should be “trustworthy”. But decades of information security research have concluded that efforts to create “trusted” networks have never actually been proven effective. On the contrary, in the context of a digital network, implicit trust is a point of failure that can be exploited by malicious actors, and therefore should be avoided at all costs.

Data is transferred over a network through packets. “By depersonalizing packets”, says Kindervag, “we can do what we need to do, which is inspect that packet and apply access control methodologies.” There is no need to grant privileged access to a data packet that originates from a corporate executive. In other words, there are no VIP discounts in a Zero Trust model. The data contained in one packet doesn’t have bluer blood than the data contained in the other trillion packets being sent over the network. When we eliminate intrinsic trust in the people who access, send, and receive the data, we get to a situation where each packet is treated as equally untrusted. This is what defines a well-controlled network. 

Three Focus Areas of a Zero Trust Environment

A Zero Trust model subjects the following three categories to scrutiny to ensure secure interactions across all corporate layers.

  • Users: Central to any Zero Trust implementation are strong authentication policies for user identity, “least privilege” policies, and verification that only authenticated users have been granted access to critical assets.
  • Applications: Remove implicit trust from all components of an application and monitor processes during runtime to analyze behavior and validate communication between applications. 
  • Infrastructure: Any device that hosts data, on-premises or in the cloud, must be treated as untrusted.
    • Physical infrastructure components include routers, switches, IoT devices, operating systems, firmware, and supply chain vendor infrastructure.
    • Cloud infrastructure includes containers, microservices, and third-party cloud service providers.

Each of these categories is important when embracing a Zero Trust security model. They can all be exploited by malicious hackers, or compromised by employees who make mistakes, through different attack vectors, and they all act as entry points or channels that can potentially breach a system and provide access to sensitive corporate information.

Underlying Concepts That Define Zero Trust:

Zero Trust addresses the following key concepts based on the NIST guidelines:

1. Continuous Verification

Implementing continuous verification policies within an organization requires identity protection, strong password access controls, risk-based identity management, data encryption, and multi-factor authentication. Zero Trust policies need to be implemented on cloud infrastructure as well to enable continuous verification.

Continuous monitoring and authentication are the core of a Zero Trust architecture. In the Zero Trust Model, security professionals must assume that all traffic is a potential threat until it is verified, inspected, and logged. This means continuously authenticating both users and devices during the session and changing permissions as necessary.

2. Limit the Blast Radius

If a breach does occur, minimizing the lateral movement of the attacker is critical. Zero Trust limits the east-west path an attacker might take to traverse a network maliciously. Limiting the blast radius can be achieved through:

  • Identity-based segmentation: a security method that divides the workload identities in a network into small islands and applies custom security policies to each workload. Traditional network-based segmentation can be challenging to maintain in a Zero Trust environment.
  • Least privilege principle: users, processes, and devices are given only the minimum permissions required to perform a task. As tasks change, privileges should change in sync with task responsibilities. Traditionally, many attacks have been orchestrated using privileged accounts, as they are typically not monitored and are often overly trusted. The principle of “least privilege” will make it impossible to grant implicit trust to privileged accounts.

3. Inspection and Logging of Traffic

Zero Trust promotes the inspection and logging of all traffic internally and externally. We’ve been so conditioned to protect our network perimeters. But in the age of Zero Trust, we need to recondition ourselves to assume that our most cyber-resilient system has been breached and a malicious user is lurking on our internal networks. Most organizations have good control of their network perimeter, but with Zero Trust they will need to add controls on the internal network as well. Once there are appropriate controls implemented throughout all network layers, security teams must log that data. 
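The three concepts above (per-request verification, least privilege with identity-based segmentation, and logging of every decision) can be seen together in a small policy decision point. This is an added, constructed example, not Centraleyes code or NIST reference code; the policy table, identities, MFA age limit and device-posture flag are assumptions chosen for illustration. Because every request is evaluated on its own merits, a permission change in the policy table takes effect on the very next request, and an executive role earns no "VIP discount".

```python
"""Minimal Zero Trust policy decision point (constructed illustration).

Every request is judged on identity, device posture, MFA freshness and a
per-workload allowlist; nothing is trusted because an earlier request was
allowed, and every decision is logged.
"""
from dataclasses import dataclass
import logging

logging.basicConfig(level=logging.INFO, format="%(message)s")
log = logging.getLogger("pdp")

# Continuous verification: seconds before an MFA proof must be repeated.
MFA_MAX_AGE = 15 * 60

# Identity-based segmentation and least privilege: constructed sample policy
# mapping workload -> subject -> permitted actions. Absence means deny.
POLICY = {
    "payroll-db": {"svc-payroll": {"read", "write"}, "alice": {"read"}},
    "hr-portal": {"alice": {"read", "write"}, "bob": {"read"}},
}


@dataclass
class Request:
    subject: str            # user or workload identity (assumed already authenticated)
    resource: str           # target workload
    action: str             # verb requested
    device_compliant: bool  # device posture signal from an assumed endpoint agent
    mfa_verified_at: float  # epoch seconds of the last MFA proof
    role: str = "user"      # informational only: never used to grant access


def decide(req: Request, now: float) -> tuple[bool, str]:
    """Return (allowed, reason) for one request, evaluated at time `now`."""
    if not req.device_compliant:
        reason = "device posture failed"
    elif now - req.mfa_verified_at > MFA_MAX_AGE:
        reason = "mfa stale, re-verify"
    elif req.action not in POLICY.get(req.resource, {}).get(req.subject, set()):
        reason = "no least-privilege grant for subject/resource/action"
    else:
        reason = "all checks passed"
    allowed = reason == "all checks passed"
    # Inspection and logging: record every decision, allow or deny.
    log.info("%s subject=%s role=%s resource=%s action=%s reason=%s",
             "ALLOW" if allowed else "DENY", req.subject, req.role,
             req.resource, req.action, reason)
    return allowed, reason
```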

Where Do You Buy Zero Trust Solutions?

To date, there is no off-the-shelf solution. Zero Trust is not available in a single commercial product; rather, it is a mindset that is implemented by adopting various technologies and processes. A Zero Trust strategy sets up a control plane across multiple corporate layers.

Drawbacks to the Zero Trust Model

The jury is still out on whether the enormous task of implementing a “Zero Trust” model of information security makes sense for small and medium-sized businesses. The cost and effort involved in revamping an existing security structure that already complies with industry standards may not be a worthwhile financial investment. Experts hypothesize that the benefits of the Zero Trust security model are apparent for high-profile targets like government agencies, critical services, and large financial institutions. They also contend that new companies will have an easier transition to Zero Trust, as their systems are not encumbered by legacy infrastructure.

It is worth noting that Zero Trust architecture is most effective as an overarching security approach. Implementing new technologies that claim to use Zero Trust methods doesn’t ensure that your entire system is operating with Zero Trust. Again, a solution that touts “Zero Trust” as one of its features can be expensive to purchase and still not achieve full Zero Trust on your network.

NIST SP 800-207 Compliance with Centraleyes

The Centraleyes platform can help you achieve Zero Trust in your organization by helping you comply with the NIST SP 800-207 standard. In 2020, NIST announced the final publication of Special Publication (SP) 800-207, Zero Trust Architecture, which discusses the core logical components that comprise a Zero Trust architecture.

With Centraleyes, you can crosswalk existing controls and share data across multiple frameworks throughout our platform, increasing efficiency, accuracy, and of course, security in a streamlined cloud-based environment.
