In today’s hyper-connected world, implementing a zero trust security framework is the ultimate security goal for many organizations.
A zero trust framework sits at the heart of operating models for a growing number of businesses, as cloud-based applications, remote working and a proliferation of devices increase the cyber risks companies face.
A recent survey cited cyberattacks and data breaches as the top risk among North American businesses. Implementing a zero trust architecture can make all the difference in shoring up your cybersecurity strategy against a wide range of threats.
What Is a Zero Trust Framework?
At its most simple, a zero trust framework is exactly that: it extends zero trust to all users within a system. This framework requires that all users inside and outside the organization must be authorized, authenticated and continuously validated. How an organization completes this process can vary, but the goal is always to ensure that only verified users have access to company systems.
Though zero trust is a priority for most organizations, gaining consensus on a definition can be challenging. The UK’s National Cyber Security Centre notes, “Zero trust means many different things to many different people.” How an organization builds its zero trust framework might depend on its security objectives, but most incorporate a “least privileged access ethos.” The principle of least privilege ensures employees have access to only the resources they need to do their job and nothing more.
Why Is Zero Trust Important?
Zero trust is the first line of defense against entities that may wish the organization harm. Under zero trust, users are treated as hostile until proven otherwise. This creates a secure environment within the company’s system, no matter where employees login or which devices they use.
While zero trust does not mean zero breach, it does limit how widespread those breaches are. This saves companies money by making clean-up faster and easier, and ultimately reducing the amount of valuable time and data lost to a breach.
Effective cybersecurity can also be part of regulations, which means organizations need to implement protections in order to remain compliant; zero trust is the most effective way to ensure compliance.
NIST SP 800-207 and Zero Trust Architecture
The National Institute of Standards and Technology (NIST) released NIST SP 800-207, a set of guidelines that helps organizations define zero trust and zero trust architecture. Not only does this publication describe what zero trust is, it also helps establish a systematic approach to implementation.
NIST states on their website, "Zero trust (ZT) is the term for an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources."
Ultimately, NIST SP 800-207 is a set of principles - rather than a detailed framework - that can help to steer your organization to more enhanced cybersecurity protocols. We discuss the concepts and principles of zero trust architecture below.
What Are the Three Main Concepts of Zero Trust?
Creating a zero trust environment may sound daunting, but it’s quite simple. Secure systems should include three zero trust components: verify users, validate devices and limit access. When implemented effectively, these become second nature to a system’s security.
1. Validate Users
When systems verify users, they’re making sure that users are who they say they are. Though single-sign on (SSO) is still the gold standard for many organizations, it also creates vulnerabilities. Employees only have to remember one password to access multiple platforms, which can create extensive damage if those access-laden credentials are compromised.
However, when paired with multi-factor authentication (MFA), SSO can provide convenient-yet-secure access to company systems. MFA layers SSO with additional verification through tools like authentication apps, texts or phone calls. This can still become burdensome for employees, so the best systems will utilize machine learning to flag when a user’s behavior deviates from the norm and prompt them for another round of verification.
2. Validate Devices
Most devices have some access protections, whether that’s a password, a passcode or even a fingerprint. But this should still be layered with MFA for the device to ensure that the device is secure enough to access the system.
Ideally, device passwords should be MFA-supported but should also include some level of device management, meaning the system should check that the device has the proper security protocols, like a firewall. This could involve validating whether the device is connected to a secure network (e.g., logging on at home or from an unsecured public network) or verifying that the device is using a secure browser.
Even with MFA and device management, system access shouldn’t be a free-for-all. All users don’t need access to all parts of the system. Intelligently limiting access means granting entry to the systems employees need to be productive while restricting access to the systems they may not need.
This requires understanding what level of access an employee needs to do their job and ensuring that their device and accounts are correctly configured. Organizations also need to be able to shift access if the employee changes roles or revoke access if they leave the organization.
Zero Trust Principles
To implement a zero trust framework, we need an understanding of zero trust principles.
What are the core principles of zero trust security? Defining key assumptions around zero trust is vital in your plan toward achieving a zero trust architecture.
- Understand the zero trust network. The first and most fundamental principle of zero trust is the need to get your arms around your network. The cloud, the Internet of Things, the proliferation of devices and the prevalence of hybrid and remote working extend and muddy your network perimeter — your potential “attack surface.” Get to know your architecture, which means all users, applications and devices.
- Assess your zero trust workloads. You’ll also need a clear picture of the workloads you put through your devices and applications, particularly the workload you entrust to the cloud, including assets like virtual machines and containers, which have specific security requirements and can invite cybercriminals. Identifying your vulnerabilities is one of the first stages of an effective cybersecurity strategy, particularly in a zero trust framework.
- Build a complete picture of key data. Similarly, having a comprehensive picture of your data will be helpful. Implementing zero trust requires identifying the data you need to protect and map the data flow within your network. You can then pinpoint data access requirements, giving no more access than necessary. Getting a complete picture of critical data is a core zero trust principle.
- Get acquainted with people and access. Zero trust demands that you control access to your data and services; defining how your people — and which people — enter your network is a fundamental zero trust security principle. Compromised credentials account for 20% of data breaches; implementing safeguards like multi-factor authentication and other best practice access protocols are essential
- Understand what devices are in scope. The principles of zero trust security require a complete picture of all the devices connected to your network. All these devices are viewed as untrustworthy under zero trust; therefore, you need to build a robust inventory of relevant devices and their users to determine access requirements. Defining the universe of devices in scope also enables you to swiftly identify and isolate a compromised device.
- Authenticate, authenticate, authenticate. A zero trust approach assumes that users, devices and services cannot be trusted. Robust authentication is a core zero trust principle that must be implemented at every step to protect your network.
Seven Pillars of Zero Trust
Zero trust involves more than just the user or their device. There are seven pillars organizations need to consider to ensure their zero trust architecture is effective. Without all of them, organizations may have security gaps that could leave them susceptible to costly breaches.
- User: Zero trust involves identifying and authenticating every user. This also includes the access controls, which govern how a user connects to the network.
- Device: All devices that access the system must follow proper cybersecurity protocols. This involves verifying that the device is trustworthy and protected.
- Network: This pillar ensures unauthorized entities cannot access sensitive information. Zero trust security governs network access and otherwise controls network flows.
- Infrastructure: Zero trust infrastructures include systems that are protected against unauthorized access and any vulnerability to breaches.
- Application: This brings user, device and data security at the individual application level. Zero trust security individualizes each step to prevent unauthorized access, data collection or tampering within applications.
- Data: This involves keeping data secure, which includes categorizing and classifying data so it’s only viewable by those whose job roles require access.
- Orchestration & Automation: Effective zero trust frameworks implement orchestrated responses, which allows all security functions to deploy in tandem. Automation is also critical to prevent any connection delays.
How to Implement Zero Trust Security
The theory of zero trust is well known, but simply understanding effective security isn’t enough to protect all of an organization’s systems and data. This can be even more complicated because the actual network can be hard to define, given the rapidly-evolving demands on cybersecurity and the need to account for many devices, cloud-based applications and even workplaces.
The road map to zero trust security starts with defining what exactly needs to be protected, tracking the current flow of information, then implementing a zero trust security architecture and policies that meet the organization's unique needs. More information on implementing zero trust security can be found in our article How to Implement Zero Trust: A Step-by-Step Roadmap.
Strengthen Your Cybersecurity With Zero Trust
In a landscape where cyber-risks evolve and refine constantly, there is no such thing as being over-vigilant. Zero trust security is, in many ways, the ultimate example of this; trusting nothing and ensuring the highest level of authentication and security is applied at every level.
As cyber threats multiply and criminals become more skilled, organizations need to stay a step ahead. Applying zero trust principles will help to fortify your network.
To keep pace with the ever-advancing governance, risk and compliance threats you face, you can sign up to the GRC newsletter from Diligent, which will keep you abreast of the latest GRC thinking, and ensure you’re well-positioned to face the latest threats.