The way we think about cybersecurity is changing rapidly. The onslaught of ransomware and security concerns of remote work are all creating new pain points for companies looking to preserve a modicum of protection around their most valuable systems, devices, and data.
While virtual private networks (VPNs) and other standard network security technologies have fended off many attacks during the past few decades, these protections are slipping increasingly into obsolescence.
Luckily, there are new technologies and strategies gaining a foothold that’ll fill in the gaps and provide more comprehensive protections from breaches and attacks. One of these concepts gaining steam in recent years is zero trust.
Key Takeaways
- Zero trust isn’t a specific product; it’s a way of thinking about and constructing your security architecture, one that operates on the idea that no user, device, service, or program is inherently trusted.
- Dealing with the outdated nature of a centralized network perimeter that handles all of the processing and storage of valuable materials means that data, devices, and assets are more likely to be exposed as they pass from internal servers to outside cloud servers.
- The journey to a zero trust security strategy is a long one that requires you to reassess the entire defense surface of your business, from your networks to your data.
What Is Zero Trust Security?
Zero trust isn’t a specific product; it’s a way of thinking about and constructing your security architecture. The concept of zero trust operates on the idea that no user, device, service, or program is inherently trusted.
Zero trust security gives the least privileged access necessary while simultaneously requiring continuous authentication and verification to access that asset/data/system.
Think of zero trust like a hotel. When you check into a hotel you provide identification to prove you have a reservation and are given an access key to your room. That access key can only access your room and perhaps a fitness room or pool.
That key doesn’t allow you to enter other hotel rooms or storage closets. You’re given the least privileged access necessary throughout the hotel.
Zero trust goes even further. Where a hotel allows you to wander about the building to the different floors, a zero trust infrastructure wouldn’t allow access outside of the very specific area you’re accessing without further authentication.
“Zero trust” as a term was coined by Stephen Marsh and popularized by Forrester analyst John Kindervag. When introduced, it was used as a network-specific term to define this security strategy in terms of network access. It has since been expanded to encompass all kinds of access, including data and devices.
What Is the Purpose of Zero Trust Security?
The way we all use the internet, whether for work or for play, has shifted monumentally over the last decade. The rise of cloud computing has changed the game and opened the doors for all kinds of new industries and companies to spring up at a record pace, especially the “as a service” models:
- Software as a service (SaaS): Hosted software solutions and services that are normally licensed on a subscription basis. Some SaaS is free, such as basic Gmail, and money is made by serving ads through the software instead of charging a subscription fee. Some examples include Salesforce, Dropbox, and G Suite.
- Infrastructure as a service (IaaS): A complete hosted infrastructure (routers, servers, and firewalls) in the cloud that provides access to networking features, computing hardware for desktops and servers, storage space, and internet access, all as a service where you pay for what you use. Users configure the servers and the network while the IaaS provider takes care of the data center and all of the hardware that everything runs on. Examples include Amazon Web Services (AWS), Microsoft Azure, and Rackspace.
- Platform as a service (PaaS): Everything needed for setting up a web application in the cloud is provided as a hosted service. This allows software companies and software developers to build applications without having to worry about anything else. Their servers, storage, operating system, and databases are all maintained by the provider. SaaS applications can be built on PaaS systems that, in turn, can be built on IaaS systems. Some examples are Heroku, Cloud Foundry, and AppEngine.
No longer do we have to store music on our hard drives; it’s streamed to us via SaaS applications like Spotify and Apple Music.
It’s not necessary to store application or software data on your computer anymore. That information is stored in data servers that we access at our leisure.
Everything from photo storage to document writing to application development is done in the cloud, giving us the ability to work and play from anywhere with an internet connection.
The Security Issues of Cloud Computing
So, what does all of this have to do with zero trust? Now that much of the data we store, applications we use, and tasks we perform are no longer handled and contained at the local area network level, outdated security measures are losing their potency.
Dealing with the outdated nature of a centralized network perimeter that handles all of the processing and storage of valuable materials means that data, devices, and assets are more likely to be exposed as they pass from internal servers to outside cloud servers.
[Image: the traditional network security perimeter. Source: Created in Canva]
The perimeter of traditional network security (as pictured above) is eroding away quickly. Most traditional network firewalls can’t decipher or inspect application-level traffic, which means that users may be accessing and exfiltrating data that you can’t see or make judgment calls on from within your perimeter.
Zero trust is a foundational strategy behind the concept of perimeterless security, which follows users no matter where they go, which network they access, or which devices they use.
What Are the Three Principles of Zero Trust?
There are three distinct principles that guide zero trust security models.
- Grant the least number of privileges as needed
- Always require continuous verification
- Always monitor
Zero Trust Principle #1: Grant the Least Number of Privileges as Needed
Zero trust relies on users being granted the least number of privileges needed to complete a specific task. That means that if a user needs access to a project tracking board, zero trust security would dictate that they’re only granted access to that board and nothing else. Not the settings of the board, not other project boards, and no administrative privileges. This access is also granted on a time-sensitive case-by-case basis so users aren’t given unlimited access to an asset until the end of time.
Zero Trust Principle #2: Always Require Continuous Verification
A zero trust security model dictates that nobody is above scrutiny. There’s no inherent trust given to any user and they’ll always be asked to authenticate their access to any asset, data set, software tool, and so on. This authentication is also regularly reverified.
Zero Trust Principle #3: Always Monitor
To ensure compliant uses of assets, zero trust requires real-time visibility and inspection into the actions, contexts, changes, movements, and behavior patterns of systems and users. This visibility provides the transparency needed for a zero trust strategy to function correctly.
How Do You Implement Zero Trust?
- Identify all aspects of your network
- Identify all of the applications and services that you use
- Identify everyone who accesses your network, data, and assets
- Establish network baselines
- Implement new cloud-based security tools
- Set your security policies
- Monitor and rework your infrastructure as needed
The journey to a zero trust security strategy is a long one that requires you to reassess the entire defense surface of your business, from your networks to your data.
Once you establish a zero trust strategy it isn’t a “set-it-and-forget-it” solution, either. Zero trust requires consistent reassessment of devices, users, assets, workflows, data, and privileges.
Luckily, the general process for zero trust implementation is repeatable.
Here are the seven steps for implementing zero trust.
1. Identify all aspects of your network
Start by identifying all aspects of your network, physical and virtual. This includes:
- Servers
- Routers
- Switches
- Firewalls
- Demilitarized zones
- Wireless access points
- Virtual networks
- Computers
- Smartphones
- Tablets
- Printers
- Security cameras
Once you’ve listed all of the devices, you’ll map out your network to get the full picture of what’s accessed by your users and what you’re looking to defend.
2. Identify All of the Applications and Services that You Use
You’ll want to catalog all of the applications that are accessed on your network. This includes cloud applications and installed software, including:
- Antivirus/antimalware software
- Work suite software like G Suite and Microsoft 365
- Cloud storage like G Drive and Dropbox
- Project management software like Asana, Trello, and Basecamp
- Meeting/collaboration software like Zoom, FaceTime, and Slack
- Virtual firewalls
- VPNs
3. Identify Everyone Who Accesses Your Network, Data, and Assets
Next, list and categorize everyone who has access to any internal assets of your company including employees, freelancers and contractors, and executives. Categorize your personnel by job functions and levels of authorization.
4. Establish Network Baselines
How does your network function day-to-day? You’ll want to map out common processes that take place on your network to establish a behavior baseline that your security team and software can draw inferences from.
This includes the flows of traffic, who accesses the network, when networks are typically accessed, how the network is typically used, and what kinds of data enter and leave the network.
5. Implement New Cloud-based Security Tools
Zero trust operates on what’s known as a perimeterless security infrastructure. This means that in many cases, your standard network perimeter won’t deliver the same zero trust security strategy that you’re looking for.
This requires a retooling of the way you handle your security, including solutions such as:
- Identity management software (IMS): Manages access and authentications of users attempting to use your network, assets, and data.
- Secure web gateway (SWG): Inspects traffic at the application level to flag potential (intentional or unintentional) misuse or exfiltration of company assets and data.
- Unified portal: Creates a funnel for accessing approved applications for users to complete workflows, store data, and access data.
- Multifactor authentication (MFA): A feature of identity management software that uses multiple stages of authentication to validate the identities of users.
- Cloud access security broker (CASB): Enforces zero trust policies set by administrators at the application level to prevent misuse of assets.
- Zero trust network access (ZTNA): An application or set of applications using the principles of zero trust to determine who’s allowed to access the network, when, why, and how with consistent verification.
- Endpoint detection and response (EDR): Monitors for suspicious behavior on endpoints and enables automated protocols for dealing with such behavior.
- User/entity behavior analytics (UEBA): Gathers insights on user behaviors that are analyzed by tools and security administrators to better detect malicious actions.
These tools provide the transparency and enforcement capabilities needed to establish a solid zero trust strategy.
6. Set Your Security Policies
Now that you have your organization mapped, applications accounted for, personnel categorized, and tools implemented, it’s time to establish the policies that govern your zero trust infrastructure.
These policies include:
- Who can access what and when
- The authentication needed to access those assets
- What can enter or leave your infrastructure
- How data/applications/assets can be used
- Which behaviors to look out for
- How enforcement is carried out
These policies are then implemented within their respective cloud tools and carried out whenever they’re needed.
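To make the three principles and this policy list concrete, here is a toy policy decision point, an added example that is not code from the article or from any product: grants are explicit per asset and action (principle 1), time-bounded, a session must re-verify after a freshness window (principle 2), and every allow or deny is logged (principle 3). All names, timestamps and the 15-minute window are constructed assumptions.

```python
"""Toy zero trust policy decision point (added example, not from the article)."""
from dataclasses import dataclass, field

REVERIFY_AFTER = 15 * 60  # seconds before a session must re-authenticate (assumed value)


@dataclass(frozen=True)
class Grant:
    subject: str
    asset: str
    actions: frozenset      # exact actions allowed, e.g. {"read"}; nothing implied
    expires_at: int         # epoch seconds; access is case-by-case, never open-ended


@dataclass
class Request:
    subject: str
    asset: str
    action: str
    now: int                # epoch seconds at evaluation time
    last_verified_at: int   # when this session last completed authentication
    mfa_passed: bool        # whether the session satisfied the required MFA step


@dataclass
class PolicyEngine:
    grants: list
    audit_log: list = field(default_factory=list)

    def decide(self, req: Request) -> str:
        reason = self._evaluate(req)
        # Principle 3: every decision, allow or deny, is recorded for monitoring.
        self.audit_log.append((req.now, req.subject, req.asset, req.action, reason))
        return reason

    def _evaluate(self, req: Request) -> str:
        if not req.mfa_passed:
            return "deny: mfa required"
        # Principle 2: trust decays; a stale session must re-verify before anything else.
        if req.now - req.last_verified_at > REVERIFY_AFTER:
            return "deny: reverify"
        # Principle 1: deny by default; allow only an explicit, unexpired grant
        # for this subject, this asset and this exact action.
        for g in self.grants:
            if g.subject == req.subject and g.asset == req.asset and req.action in g.actions:
                if g.expires_at <= req.now:
                    return "deny: grant expired"
                return "allow"
        return "deny: no grant"
```

Because the engine returns a reason string rather than a bare boolean, the audit log doubles as the input a UEBA or SIEM tool would consume in step 7.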
7. Monitor and Rework Your Infrastructure as Needed
Any security infrastructure needs fine-tuning as new issues and concerns arise. Be sure to keep an eye on your UEBA solutions for any unusual activities and follow up on security concerns to structure your zero trust architecture better.
Need Additional Insight Into Your Cybersecurity Strategy?
Upgrading your security strategy to include new or upgraded cybersecurity software is a difficult endeavor. Even adapting your cybersecurity to account for cloud computing has so many moving parts to consider.
Whether you’re looking to adopt a zero trust strategy or to upgrade your network perimeter to make room for newer technologies like next-generation firewalls, and you want to do so without deploying complex systems or hiring cybersecurity experts, VPNs are a relatively simple approach to enhance your security posture.