Zero Trust can help organizations implement a robust approach to protecting data and systems within evolving environments. It addresses concerns such as the security of the rapidly expanding hybrid network perimeter, user accountability, and access control.
The concept of trust has always been a vulnerability, even before the increase in devices or remote working. More recently, the SolarWinds attack demonstrated how networks can be compromised to harvest sensitive data. Networks have always been exploited to obtain organizations’ valued data assets. However, a Zero Trust framework can better assist organizations in managing access controls at a granular level to improve security.
How Zero Trust works
The core of the Zero Trust approach is to “never trust” and “always verify.” For any device, user, system, or location, the strategy is therefore always to authenticate and authorize, to apply the least-privilege principle (limiting access to data and resources), and to continuously monitor and adapt the controls needed to maintain visibility and security.
Nothing should be trusted, and everything should be verified. The model’s effectiveness depends on identity and access management, endpoint control management, microsegmentation of networks (software-defined barriers that require verification of the user, location, and device before traffic is allowed across them), continuous validation, and effective security monitoring.
By implementing and refining these controls, access to the network and applications can be appropriately restricted. Limiting movement through the network and using continuous validation mitigate the risk of intrusion.
The foundation of successful Zero Trust implementation
Successful Zero Trust implementation relies on several fundamental concepts, not only to build a robust foundation but also to make the process sustainable and ensure that security is embedded within the organization. The organization needs to identify its most critical assets, monitor traffic flows, and enforce granular access policies.
- Locate, identify, and document what needs to be protected, considering regulatory requirements and the data assets of critical value to the organization. Consider what the organization’s most sensitive information is in order to define the “protection surface.” Whereas the whole network is the attack surface, the protection surface is the portion of it that contains the critical resources and data. Also identify users and devices and any authentication protocols in use.
- Map the connections, traffic flow, and devices, including all the connections throughout the network (applications in use, related data sets, and connections over which data is transmitted), so that the security controls can be identified and implemented where required. Understanding how data flows through the network, and which devices access it, allows the security controls to be refined so that only approved traffic is validated. This is also necessary so that boundaries between zones and segments can be applied where required.
- Microsegmentation uses tools such as firewalls, deep packet inspection tools, intrusion prevention, and data loss prevention to segment the protection surface identified in point 1 into small, separately controlled zones.
- Zero Trust access policies rely on the understanding gained in point 1. Once the protection surface is known, the policies can be developed, implemented, and enforced accordingly. Without comprehensive knowledge of the protection surface, decisions to deny or approve traffic flows and access cannot be made effectively. Policies need to be designed to enable privileged user access and safe application communications.
- Traffic monitoring and inspection of logs for malicious activity enable the protection of resources. Deep packet inspection tools and network security monitoring tools can monitor and block traffic as required. Continual refinement is needed to maintain the best possible security and visibility of all resources. Ensuring that all logs are captured and delivered to a centralized location supports the required monitoring efforts.
- Ensure that employees are trained and aware of the changes, so that they understand the model and the controls in place to support Zero Trust. It is also important that they know how the changes support data security and how they contribute to the organization’s requirement to comply with security and privacy standards and regulations.
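The five steps above (inventory the protection surface, map approved flows, microsegment, enforce least-privilege access policies, and log every decision for monitoring) can be expressed as a single policy decision point. The code below is an added example written for this article; it is not the article’s own code or any vendor’s product. All assets, segments, users, devices, and requests are constructed sample data, and the names (`PROTECTION_SURFACE`, `APPROVED_FLOWS`, `evaluate`) are hypothetical. Every request is denied unless identity, device posture, segment flow, and role all check out.

```python
"""
Added example: a minimal Zero Trust policy decision point.
Deny by default; a request must pass every check to be allowed.
All data below is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Step 1: the protection surface. Each critical asset sits in a segment and
# lists the roles allowed to reach it (least privilege).
PROTECTION_SURFACE: Dict[str, Dict] = {
    "payroll-db":   {"segment": "finance", "roles": {"payroll-admin"}},
    "hr-files":     {"segment": "hr",      "roles": {"hr-staff", "payroll-admin"}},
    "customer-api": {"segment": "apps",    "roles": {"developer", "support"}},
}

# Step 2/3: mapped, approved flows (source segment -> destination segment).
# Any flow not listed is blocked at the segment boundary (microsegmentation).
APPROVED_FLOWS: Set[Tuple[str, str]] = {
    ("corp-workstations", "finance"),
    ("corp-workstations", "hr"),
    ("corp-workstations", "apps"),
    ("apps", "finance"),
}


@dataclass
class Identity:
    user: str
    roles: Set[str]
    mfa_verified: bool   # strong authentication completed for this session


@dataclass
class Device:
    device_id: str
    managed: bool        # enrolled in endpoint management
    compliant: bool      # patched, encrypted, endpoint agent healthy
    segment: str         # network segment the device is connected to


@dataclass
class Request:
    identity: Identity
    device: Device
    resource: str


@dataclass
class Decision:
    allowed: bool
    reason: str


# Step 5: every decision is appended here; in practice this is shipped to a
# central log platform for monitoring and continual policy refinement.
DECISION_LOG: List[dict] = []


def _log(req: Request, allowed: bool, reason: str) -> Decision:
    DECISION_LOG.append({
        "user": req.identity.user, "device": req.device.device_id,
        "resource": req.resource, "allowed": allowed, "reason": reason,
    })
    return Decision(allowed, reason)


def evaluate(req: Request) -> Decision:
    """Step 4: the access policy. Each check is independent and all must pass."""
    asset = PROTECTION_SURFACE.get(req.resource)
    if asset is None:
        return _log(req, False, "resource not in protection surface inventory")
    if not req.identity.mfa_verified:
        return _log(req, False, "identity not strongly authenticated")
    if not (req.device.managed and req.device.compliant):
        return _log(req, False, "device not managed or not compliant")
    if (req.device.segment, asset["segment"]) not in APPROVED_FLOWS:
        return _log(req, False, f"no approved flow {req.device.segment}->{asset['segment']}")
    if not (req.identity.roles & asset["roles"]):
        return _log(req, False, "role not authorized for resource (least privilege)")
    return _log(req, True, "all checks passed")


def denied_reasons() -> List[str]:
    """The view a monitoring team reviews: why each denied request was refused."""
    return [e["reason"] for e in DECISION_LOG if not e["allowed"]]


if __name__ == "__main__":
    alice = Identity("alice", {"payroll-admin"}, mfa_verified=True)
    laptop = Device("lt-01", managed=True, compliant=True, segment="corp-workstations")
    print(evaluate(Request(alice, laptop, "payroll-db")))
    print(evaluate(Request(alice, Device("byod-7", False, True, "corp-workstations"), "payroll-db")))
    print(denied_reasons())
```

The order of the checks matters for the reason recorded, not for the outcome: a single failed check is enough to deny. Note that a valid identity on an approved flow is still denied when the role does not match the asset, which is the least-privilege rule from the policy step.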
Zero Trust framework for people, workloads, devices, networks, and data
It is often acknowledged in security that people are the weakest link. The Zero Trust strategy must therefore be aligned with the people within the organization, and identity and access management is a critical component in achieving this. Applying the least-privilege principle to everyone who requires access to the network or its resources (customers, employees, and third parties) is vital to ensure that no person has more privileges than their function requires.
Organizations are increasingly sharing the responsibility for securing their workloads with third-party service providers, particularly as hybrid and cloud options are more widely used. The organization must implement a security structure that gives complete coverage across the multiplicity of environments in use. That coverage should be routinely monitored and managed to ensure it is appropriately maintained.
Organizations must isolate, secure, and control every device connected to their network, especially as the number of connected devices has grown and is introducing further vulnerabilities. Ways to isolate IoT devices from other IT devices or networks, and to secure the IoT devices themselves, should be considered. In addition, the potential risk from users’ personal devices should be appropriately managed and mitigated.
Use segmentation to isolate network assets and restrict network traffic. Security is then built around critical resources rather than around the entire network, which is a data-centric approach. Introducing small segments reduces the attack surface within the network, because only authorized and verified access to those segments (and the data held within them) is allowed.
It is essential to identify the critical and valued data assets in order to protect them appropriately. The risk and threat posed to those data assets should also be determined so that adequate controls can be implemented. The organization should understand how the data flows, who requires access to the data (when and why), the data’s purpose and lifecycle, and the repercussions should the data be compromised. By understanding both the risk and the priorities, the data can be appropriately secured.
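The people and data points above come together in a data-centric access check: a person gets access to a critical data asset only for a stated purpose the asset is approved for, only within a time window, and only while the grant matches what their function needs. The code below is an added example written for this article, not the article’s own or any product’s code; the assets, functions, grants, and timestamps are constructed sample data and the function names (`access_allowed`, `excess_grants`) are hypothetical. It also shows the least-privilege audit from the section on people: a grant can be perfectly valid and still exceed what the subject’s role requires.

```python
"""
Added example: purpose-bound, time-limited, least-privilege access to data
assets, plus an audit that flags grants exceeding a person's function.
All data below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Set


@dataclass(frozen=True)
class DataAsset:
    name: str
    classification: str           # e.g. "internal", "restricted"
    approved_purposes: Set[str]   # the purposes the data exists for


@dataclass(frozen=True)
class Grant:
    subject: str                  # employee, customer, or third party
    asset: str
    purpose: str                  # why this subject needs the data
    valid_from: datetime
    valid_until: datetime         # access expires; there is no standing access


# The critical data assets identified for protection (constructed).
ASSETS: Dict[str, DataAsset] = {
    "salary-export":   DataAsset("salary-export", "restricted", {"payroll-run", "audit"}),
    "support-tickets": DataAsset("support-tickets", "internal", {"customer-support"}),
}

# What each job function legitimately needs: the least-privilege baseline.
FUNCTION_NEEDS: Dict[str, Set[str]] = {
    "payroll-admin":  {"salary-export"},
    "support-agent":  {"support-tickets"},
    "contractor-dev": set(),
}

# Constructed sample data: a fixed "now", three people, and four grants.
NOW = datetime(2024, 1, 15, 10, 0, tzinfo=timezone.utc)
LATER = NOW + timedelta(hours=5)   # after alice's window has closed

SAMPLE_FUNCTIONS: Dict[str, str] = {
    "alice": "payroll-admin", "bob": "contractor-dev", "carol": "support-agent",
}
SAMPLE_GRANTS: List[Grant] = [
    Grant("alice", "salary-export", "payroll-run",
          NOW - timedelta(hours=1), NOW + timedelta(hours=4)),      # active, needed
    Grant("bob", "salary-export", "audit",
          NOW - timedelta(days=30), NOW - timedelta(days=1)),       # expired
    Grant("carol", "support-tickets", "customer-support",
          NOW - timedelta(days=1), NOW + timedelta(days=1)),        # active, needed
    Grant("carol", "salary-export", "audit",
          NOW - timedelta(days=1), NOW + timedelta(days=1)),        # active, but excess
]


def _active(g: Grant, now: datetime) -> bool:
    return g.valid_from <= now < g.valid_until


def access_allowed(grants: List[Grant], subject: str, asset: str,
                   purpose: str, now: datetime) -> bool:
    """Allow only for a known asset, an approved purpose, and a matching live grant."""
    data = ASSETS.get(asset)
    if data is None or purpose not in data.approved_purposes:
        return False
    return any(
        g.subject == subject and g.asset == asset and g.purpose == purpose and _active(g, now)
        for g in grants
    )


def excess_grants(grants: List[Grant], functions: Dict[str, str],
                  now: datetime) -> List[Grant]:
    """Active grants that the subject's function does not require (review candidates)."""
    return [
        g for g in grants
        if _active(g, now)
        and g.asset not in FUNCTION_NEEDS.get(functions.get(g.subject, ""), set())
    ]


if __name__ == "__main__":
    print(access_allowed(SAMPLE_GRANTS, "alice", "salary-export", "payroll-run", NOW))
    print(access_allowed(SAMPLE_GRANTS, "alice", "salary-export", "payroll-run", LATER))
    for g in excess_grants(SAMPLE_GRANTS, SAMPLE_FUNCTIONS, NOW):
        print("review:", g.subject, g.asset, g.purpose)
```

Two design points follow the article’s guidance directly. First, a request with a purpose the asset was never approved for is refused even when a grant exists, so the data’s purpose constrains its use. Second, the audit is separate from the access check: carol’s audit grant is valid and will be honoured until it is revoked, which is exactly why it needs to be surfaced for review.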
A Zero Trust ecosystem can help address evolving security challenges
As security threats and vulnerabilities continue to rise, a Zero Trust ecosystem is better able to meet these challenges than legacy perimeter-based alternatives. Organizations are increasingly adopting hybrid environments, and employees are no longer bound to legacy perimeters. Implementing a Zero Trust model can help secure data in these conditions, especially as organizations adapt their working practices to remote working, which has increased the number of endpoints that can access organizations’ data and reduced the control organizations have over their resources.
The shift in how organizations and employees function requires a change in the organization’s security approach. The Zero Trust approach, leveraging appropriate tools and technology with a data-centric security focus, and combined with an assessment of how the organization operates and what its objectives are, can provide the security change these evolving and dangerous times require.