Today’s organisations need a new security model that effectively adapts to the complexities of the modern environment, embraces the mobile workforce, and further protects people, devices, apps, and data irrespective of their location. This is where the Zero Trust model comes in.
Zero Trust is extremely effective in reducing security incidents, as it implements the ‘deny all, allow some’ principle even within a trusted environment.
Forrester developed the original Zero Trust model of cybersecurity in 2010. But the model was not fully embraced until Google successfully developed and implemented its own version of Zero Trust, BeyondCorp, almost six years later. In 2019, Gartner, a global research and advisory firm, listed zero trust security access as a core component of secure access service edge (SASE) solutions.
To trust or not to trust?
In the Zero Trust paradigm, the answer is not to trust anyone. This new approach to cybersecurity states that access should only be granted after a user is verified and only to the extent needed to perform a particular task.
“Zero Trust” explained
It is a security framework requiring all users, whether in or outside the organisation’s network, to be authenticated, authorized, and continuously validated for security configuration and posture before being granted or keeping access to applications and data.
It also requires the ability to enforce granular policy controls based on the results of that health check. In short, all access is cut off until the network knows who is trying to connect; access is not granted merely because a request comes from a particular IP address or machine. This approach depends on having visibility into whether basic device and network security standards are met.
Based on the principle of verified trust (i.e. in order to trust, you must first verify), Zero Trust eliminates the inherent trust assumed inside the traditional corporate network.
Why ‘Zero Trust’, you may ask. Without assumed trustworthiness, the network is more secure. If the organisation is under cyberattack, the malware cannot move laterally throughout the network, since movement between internal systems is regulated just as strictly as access from outside.
The ‘Zero Trust’ framework entails:
- Increased monitoring and alerting
- Improved end-user experience
- Enhanced data security
- Reduced time for breach detection
- Less vulnerability
- Streamlined compliance
Key technologies for the Zero Trust model
- Privileged Access Management (PAM) refers to systems that securely manage the accounts of users who have elevated permissions to critical, corporate resources.
- Identity and Access Management (IAM), which is a framework of policies and technologies for ensuring that the right users have the appropriate access to technology resources.
- Multi-factor Authentication (MFA), i.e. in addition to entering a password, users must also enter a code sent to another device, such as a mobile phone, thus providing two pieces of evidence that they are who they claim to be.
- Network Detection and Response (NDR) solutions that enable organisations to monitor network traffic for suspicious behaviour and respond to the detection of cyber threats.
- Micro-segmentation – A security technique that divides the network perimeter into small zones, each with its own access controls, in order to contain attacks.
What are the core principles of the Zero Trust model?
‘Zero Trust’ principles are built on not inherently trusting users, devices or networks, and on never granting access to sensitive resources on the basis of any single one of those identity types and its associated attributes.
- I. Verify explicitly, i.e. authenticate and authorize access to all resources based on all available data points, including user identity, location, device health, etc.
- II. Use least-privilege access, i.e. limit user access with just-in-time and just-enough-access (JIT/JEA), risk-based adaptive policies, and data protection.
- III. Assume breach and employ a variety of preventative techniques that touch on identity, endpoint, data, and application access.
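One way to encode the three principles above, together with the health check and default-deny behaviour described earlier, as a single policy decision. This is an added illustration, not the author's code or any vendor's product; the resource policy, trusted countries, 30-day patch threshold and 30-minute grant lifetime are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed sample policy: resource -> role -> permitted actions (hypothetical values).
RESOURCE_POLICY = {"payroll-db": {"finance": {"read"}, "dba": {"read", "write"}}}
TRUSTED_COUNTRIES = {"IN", "GB"}
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)   # fixed clock for a reproducible demo

@dataclass
class AccessRequest:
    user: str
    roles: set
    mfa_verified: bool
    device_managed: bool
    disk_encrypted: bool
    patch_age_days: int
    country: str
    resource: str
    actions: set              # what the user asked to do

@dataclass
class Decision:
    allowed: bool = False
    granted_actions: set = field(default_factory=set)
    expires_at: datetime = None
    reasons: list = field(default_factory=list)

def evaluate(req, now=NOW, grant_ttl=timedelta(minutes=30)):
    # Default-deny: identity, device posture and location must all pass first.
    d = Decision()
    # Principle I, verify explicitly: every signal is checked, not just a password.
    if not req.mfa_verified:
        d.reasons.append("mfa not verified")
    if not (req.device_managed and req.disk_encrypted):
        d.reasons.append("device fails health check")
    if req.patch_age_days > 30:
        d.reasons.append("device patches too old")
    if req.country not in TRUSTED_COUNTRIES:
        d.reasons.append("untrusted location")
    if d.reasons:               # Principle III, assume breach: any failure means no access
        return d
    # Principle II, least privilege: grant only what the user's roles allow, nothing more.
    permitted = set()
    for role in req.roles:
        permitted |= RESOURCE_POLICY.get(req.resource, {}).get(role, set())
    d.granted_actions = req.actions & permitted
    if not d.granted_actions:
        d.reasons.append("no role permits the requested actions")
        return d
    d.allowed = True
    d.expires_at = now + grant_ttl   # just-in-time: grant lapses, posture is re-checked
    return d
```

A request from a verified user on a healthy device still receives only the intersection of what was asked for and what the role permits, and that grant carries an expiry so posture is re-evaluated rather than trusted indefinitely.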
Challenges of Zero Trust
- Time and effort to set up is high, as reorganizing policies within an existing framework can be a tedious task.
- The hybrid work model is complex to implement, with several logistical hurdles. Adding Zero Trust at this time adds another layer of complexity.
- Legacy technology is holding back several organisations by hindering their digital transformation efforts. Typically, older legacy systems are not compatible with the Zero Trust model, as they cannot offer the level of control, verification, or authentication that Zero Trust demands.
- Configuration challenges arise, especially with third-party tools and applications, as not all of them provide a means of enforcing the principle of least privilege, which is the core of this new model.
It is not easy to implement, but it is achievable. Organisations do not have to apply all of the Zero Trust principles simultaneously. They can start building its architecture in small steps, such as introducing proper user verification mechanisms and granting users only the privileges they truly need at the moment.
The benefits of implementing the new security framework go far beyond security. They range from improving visibility to increasing productivity and making better use of your IT resources. While it may not be a complete silver bullet, it gives organisations a fair chance to contain security incidents before they become catastrophic breaches.
(This article is written by Neelesh Kripalani, CTO – Clover Infotech. The views expressed in this article are of the author.)