The way we think about cybersecurity is changing. Ransomware and the security concerns of remote work are creating new pain points for companies looking to preserve a modicum of protection around their most valuable systems, devices, and data.
While virtual private networks (VPNs) and other network security technologies have fended off many attacks, these protections are slipping into obsolescence. New technologies and strategies will provide more comprehensive protection from breaches and attacks. One of these is called zero trust.
This is a comprehensive rundown of everything you need to know to point your business toward a zero-trust future.
Key takeaways:
- Zero trust is based on the idea that nothing is completely secure.
- It means giving the least privileged access necessary — nothing more.
- For zero trust to work, access privileges have to be continuously reauthorized.
What Is Zero-Trust Security?
Zero trust isn’t a specific product; it’s a way of thinking about and constructing your security architecture. The concept of zero trust operates on the idea that no one user, device, service, or program is inherently secure.
Zero-trust security gives the least privileged access necessary while requiring continuous authentication and verification to access that asset, data, or system.
Think of zero trust like a hotel. When you check into a hotel, you provide identification to prove you have a reservation and are given a key to your room. That key can only access your room and perhaps the fitness center or pool.
That key doesn’t allow you to enter other rooms or storage closets. You’re given the least access necessary for your stay.
Zero trust goes even further. Where a hotel allows you to wander about the building’s floors, a zero-trust infrastructure wouldn’t allow access outside of the specific area you’re allowed in without further authentication.
How the ‘As-a-Service’ Business Model Fits In
The way people use the internet, whether for work or play, has shifted over the last decade. The rise of cloud computing has opened the doors for all kinds of new industries and companies to spring up, especially the “as a service” models:
- Software as a Service (SaaS): Hosted software and services licensed on a subscription basis. Some SaaS is free, such as basic Gmail, and money is made by serving ads instead of charging a subscription fee. Some examples include Salesforce, Dropbox, and G Suite.
- Infrastructure as a Service (IaaS): Includes hosted infrastructure like cloud routers, servers, and firewalls. Suppliers provide access to networking features, computing hardware for desktops and servers, storage space, and the internet. Users configure the servers and the network while the IaaS provider takes care of the data center and all the hardware that runs everything. Examples include Amazon Web Services (AWS), Microsoft Azure, and Rackspace.
- Platform as a Service (PaaS): Everything needed for setting up a cloud web application is provided.
Security issues with cloud computing
So, what does this have to do with zero trust? Now that much of the data you store, applications you use, and tasks you perform are no longer handled and contained at the local area network level, older security measures are losing their effectiveness.
Data, devices, and assets are more likely to be exposed as they pass from outdated internal servers to external cloud servers.
The perimeter of traditional network security is eroding. Most traditional network firewalls can’t decipher or inspect application-level traffic, which means that users may be accessing and exfiltrating data that you can’t see within your perimeter.
Zero trust is a foundational strategy behind the concept of perimeter-less security, which follows users no matter where they go, which network they access, or which devices they use.
What Are the Three Principles of Zero Trust?
Three distinct principles guide zero-trust security models:
- Grant the fewest privileges needed.
- Always require continuous verification.
- Always monitor.
Zero-trust principle No. 1: Grant the least number of privileges needed
Zero trust relies on users being granted the fewest privileges needed to complete a task. That means that if users need access to a project tracking board, zero-trust security would dictate that they’re only granted access to that board. Not the board’s settings, not other project boards, and no administrative privileges. This access is also granted on a time-sensitive case-by-case basis so users aren’t given unlimited, perpetual access to assets.
Zero-trust principle No. 2: Always require continuous verification
A zero-trust security model dictates that nobody is above scrutiny. No inherent trust is given to any user, and users will always be asked to authenticate before accessing any asset, data set, or software tool. Authentication is also regularly reverified.
Zero-trust principle No. 3: Always monitor
To ensure compliant use of assets, zero trust requires real-time visibility and inspection into the actions, contexts, changes, movements, and behavior patterns of systems and users. This visibility provides the transparency needed for a zero-trust strategy to function.
How Do You Implement Zero Trust?
- Identify all aspects of your network.
- Identify all of the applications and services that you use.
- Identify everyone who accesses your network, data, and assets.
- Establish network baselines.
- Implement new cloud-based security tools.
- Set your security policies.
- Monitor and rework your infrastructure as needed.
The journey to a zero-trust security strategy is a long one. It requires you to reassess the entire defense surface of your business, from your networks to your data.
Once you establish a zero-trust strategy, it isn’t a “set-it-and-forget-it” solution, either. Zero trust requires a constant reassessment of devices, users, assets, workflows, data, and privileges.
Luckily, the general process for zero trust implementation is repeatable.
Here are the seven steps for implementing zero trust.
1. Identify all aspects of your network
Start by identifying all aspects of your network — physical and virtual. This includes:
- Servers
- Routers
- Switches
- Firewalls
- Demilitarized zones
- Wireless access points
- Virtual networks
- Computers
- Smartphones
- Tablets
- Printers
- Security cameras
Once you’ve listed all of the devices, you’ll map out your network to get the full picture of what’s accessed by your users and what you’re looking to defend.
2. Identify all of the applications and services that you use
You’ll want to catalog all of the applications that are accessed on your network. This includes cloud applications and installed software, including:
- Antivirus/anti-malware software
- Work software like G Suite and Microsoft 365
- Cloud storage like G Drive and Dropbox
- Project management software like Asana, Trello, and Basecamp
- Meeting/collaboration software like Zoom, FaceTime, and Slack
- Virtual firewalls
- VPNs
3. Identify everyone who accesses your network, data, and assets
Next, list and categorize everyone who has access to any internal assets of your company including employees, freelancers and contractors, and executives. Categorize your personnel by job functions and authorization levels.
4. Establish network baselines
How does your network function day-to-day? You’ll want to map out the common processes that take place on your network to establish a behavior baseline that your security team and software can draw inferences from.
This includes traffic flows, who accesses the network, when networks are typically accessed, how the network is used, and what kinds of data enter and leave the network.
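The inference step described above, as an added example that is not part of the original article: a small Python script learns a per-user baseline (devices seen, working hours, typical outbound volume) from access-log lines and then reports how a new event departs from it, which is the manual version of what the UEBA tools in step 5 automate. The log format, the user and device names, and all byte counts are constructed for the example.

```python
"""
Added example, not code from the original article: build a per-user
behaviour baseline from access-log lines and score new events against it.
The log format, user names, devices and byte counts are all constructed.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime
from typing import Optional

# Constructed log format: ISO timestamp, then key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) user=(?P<user>\S+) "
    r"device=(?P<device>\S+) action=(?P<action>\S+) bytes_out=(?P<bytes>\d+)$"
)

# Constructed "normal week" used to learn the baseline.
BASELINE_LINES = [
    "2024-01-08T09:12:00Z user=alice device=laptop-1 action=download bytes_out=120000",
    "2024-01-09T10:40:00Z user=alice device=laptop-1 action=download bytes_out=80000",
    "2024-01-10T14:05:00Z user=alice device=laptop-1 action=download bytes_out=150000",
    "2024-01-11T16:30:00Z user=alice device=laptop-1 action=download bytes_out=95000",
    "2024-01-12T11:15:00Z user=alice device=laptop-1 action=download bytes_out=110000",
]

def parse(line: str) -> Optional[dict]:
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
    e["bytes"] = int(e["bytes"])
    return e

def build_baseline(lines):
    """Per user: devices seen, the hours used, and the bytes_out sample."""
    base = defaultdict(lambda: {"devices": set(), "hours": [], "bytes": []})
    for line in lines:
        e = parse(line)
        if e is None:
            continue  # a real pipeline would count unparseable lines as well
        b = base[e["user"]]
        b["devices"].add(e["device"])
        b["hours"].append(e["ts"].hour)
        b["bytes"].append(e["bytes"])
    return base

def score(line: str, baseline) -> list:
    """Return the ways this event departs from the user's baseline ([] means nothing unusual)."""
    e = parse(line)
    if e is None:
        return ["unparseable line"]
    b = baseline.get(e["user"])
    if b is None:
        return ["no baseline for user"]
    findings = []
    if e["device"] not in b["devices"]:
        findings.append("new device")
    # One hour of slack either side of the observed window; a real baseline
    # needs far more than five samples before this is meaningful.
    if not (min(b["hours"]) - 1 <= e["ts"].hour <= max(b["hours"]) + 1):
        findings.append("unusual hour")
    if len(b["bytes"]) >= 2:
        mean, sd = statistics.mean(b["bytes"]), statistics.pstdev(b["bytes"])
        if e["bytes"] > mean + 3 * sd:
            findings.append("outbound volume spike")
    return findings

if __name__ == "__main__":
    baseline = build_baseline(BASELINE_LINES)
    for probe in [
        "2024-01-15T10:00:00Z user=alice device=laptop-1 action=download bytes_out=130000",
        "2024-01-15T03:10:00Z user=alice device=laptop-9 action=download bytes_out=5000000",
    ]:
        print(score(probe, baseline) or "normal")
```

The first probe matches the learned pattern and produces no findings; the second comes from an unseen device, at 03:10, and moves far more data than the baseline mean plus three standard deviations, so all three checks fire. Each finding is a reason to require reverification rather than an automatic block, which is how the monitoring principle feeds back into the access decision.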
5. Implement new cloud-based security tools
Zero trust operates on what’s known as a perimeterless security infrastructure. This means that your standard network perimeter won’t deliver the zero-trust security strategy that you’re looking for.
This requires a retooling of the way you handle your security, including solutions such as:
- Identity management software (IMS): Handles access and authentications of users attempting to use your network, assets, and data.
- Secure web gateway (SWG): Inspects traffic at the application level to flag potential (intentional or unintentional) misuse or exfiltration of company assets and data.
- Unified portal: Creates a funnel for accessing approved applications for users to complete workflows, and store and access data.
- Multifactor authentication (MFA): An identity management software feature that uses multiple stages of authentication to validate the identities of users.
- Cloud access security broker (CASB): Enforces zero-trust policies set by administrators at the application level to prevent misuse of assets.
- Zero trust network access (ZTNA): An application or set of applications using zero trust principles to determine who’s allowed to access the network, and when, why, and how, with continuous verification.
- Endpoint detection and response (EDR): Monitors suspicious behavior and enables automated protocols for dealing with it.
- User/entity behavior analytics (UEBA): Gathers insights on user behaviors that are analyzed by tools and security administrators to better detect malicious actions.
These tools provide the transparency and enforcement capabilities needed to establish a solid zero-trust strategy.
6. Set your security policies
Now that you have your organization mapped, applications accounted for, personnel categorized, and tools implemented, it’s time to establish the policies that govern your zero-trust infrastructure.
These policies include:
- Who can access what and when
- The authentication needed to access those assets
- What can enter or leave your infrastructure
- How data/applications/assets can be used
- Which behaviors to look out for
- How enforcement is carried out
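The three principles above and the policy list in this step can be expressed as one policy decision point. The following is an added example, not code from the original article: a policy names who may do exactly which action on exactly which asset and during which hours (least privilege), every request is re-evaluated against identity, device posture and time and any resulting grant lapses after a short TTL (continuous verification), and every decision is appended to an audit log (monitoring). The roles, resources, hours and the 15-minute TTL are constructed sample values, and the device-compliance and MFA flags stand in for results an endpoint agent and identity provider would supply.

```python
"""
Added example, not code from the original article: a minimal zero-trust
policy decision point. Policies, roles, resources, hours and TTL are
constructed sample data; device posture and MFA results are assumed to
come from an endpoint agent and an identity provider.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed policy table: a role may perform one action on one resource,
# only inside a window of UTC hours [start, end). Anything not listed is denied.
POLICIES = [
    {"role": "pm",    "resource": "board:alpha", "action": "read",      "hours": (8, 18)},
    {"role": "pm",    "resource": "board:alpha", "action": "write",     "hours": (8, 18)},
    {"role": "admin", "resource": "board:alpha", "action": "configure", "hours": (0, 24)},
]
GRANT_TTL = timedelta(minutes=15)  # constructed: a grant must be re-earned this often
AUDIT_LOG = []                     # the "always monitor" record

@dataclass
class Request:
    user: str
    role: str
    device_compliant: bool  # posture result from an assumed endpoint agent
    mfa_verified: bool      # result from an assumed identity provider
    resource: str
    action: str
    at: datetime

@dataclass
class Grant:
    user: str
    resource: str   # exactly one asset ...
    action: str     # ... and exactly one action on it
    expires: datetime

@dataclass
class Decision:
    allowed: bool
    reason: str
    grant: Optional[Grant] = None

def at_hour(hour: int, minute: int = 0) -> datetime:
    """Constructed timestamp helper on a fixed sample day (UTC)."""
    return datetime(2024, 1, 15, hour, minute, tzinfo=timezone.utc)

def evaluate(req: Request) -> Decision:
    """Decide one request from scratch; no trust from earlier requests carries over."""
    if not req.device_compliant:
        return _record(req, Decision(False, "device not compliant"))
    if not req.mfa_verified:
        return _record(req, Decision(False, "mfa not verified"))
    for rule in POLICIES:
        if (rule["role"], rule["resource"], rule["action"]) != (req.role, req.resource, req.action):
            continue
        start, end = rule["hours"]
        if not start <= req.at.hour < end:
            return _record(req, Decision(False, "outside allowed hours"))
        grant = Grant(req.user, req.resource, req.action, req.at + GRANT_TTL)
        return _record(req, Decision(True, "policy matched", grant))
    # Nothing matched: zero trust defaults to deny, never to allow.
    return _record(req, Decision(False, "no matching policy (default deny)"))

def grant_is_valid(grant: Grant, resource: str, action: str, now: datetime) -> bool:
    """A grant is usable only for its own resource and action, and only until it expires."""
    return grant.resource == resource and grant.action == action and now < grant.expires

def _record(req: Request, decision: Decision) -> Decision:
    """Append every decision, allowed or not, to the audit log."""
    AUDIT_LOG.append({
        "at": req.at.isoformat(), "user": req.user, "resource": req.resource,
        "action": req.action, "allowed": decision.allowed, "reason": decision.reason,
    })
    return decision

if __name__ == "__main__":
    d = evaluate(Request("alice", "pm", True, True, "board:alpha", "read", at_hour(10)))
    print(d.allowed, d.reason)
    print(grant_is_valid(d.grant, "board:alpha", "write", at_hour(10)))    # scope: read != write
    print(grant_is_valid(d.grant, "board:alpha", "read", at_hour(10, 20)))  # expired after 15 min
    for entry in AUDIT_LOG:
        print(entry)
```

Note how the hotel analogy maps onto the code: a grant is the room key, valid for one door and one purpose, and it stops working on its own after a short time rather than for the whole stay. The audit log records denied requests as well as allowed ones, because the denials are where the monitoring principle usually pays off.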
7. Monitor and rework your infrastructure as needed
Any security infrastructure needs fine-tuning as new issues and concerns arise. Be sure to keep an eye on your UEBA solutions for any unusual activities and follow up on security concerns to structure your zero-trust architecture better.
Need Additional Insight Into Your Cybersecurity Strategy?
Upgrading your security strategy to include new or upgraded cybersecurity software is difficult. Even adapting it for cloud computing has so many moving parts to consider.
Whether you’re looking to adopt a zero trust strategy or you’re looking to upgrade your network perimeter to make room for newer technologies like next-generation firewalls, Digital.com has the right guides, reviews, and expertise you need to make the right security choices for your small business.
Frequently Asked Questions About Zero-Trust Architecture
Is zero-trust architecture good for business?
Yes, it is. Because zero trust allows the safe sharing of information with customers, it fosters confidence between your employees and important clients.
What is a benefit of zero-trust architecture?
You always know what users are doing on your business’s network.
What is the biggest challenge with zero-trust architecture?
Zero trust can be tough to implement. The need to authorize every device and user, as well as applications, can mean that supporters will face strong pushback.