Zero Trust is the name for an approach to IT security that assumes there is no trusted network perimeter, and that every network transaction must be authenticated before it is allowed to proceed.
Zero trust is based on the principle of ‘never trust, always verify’, and relies on other network security methodologies such as network segmentation and stringent access controls. A zero trust network defines a ‘protect surface’ which comprises critical data, assets, applications and services, sometimes referred to as DAAS. The protect surface is usually considerably smaller than the entire attack surface, since only critical assets are included.
Zero trust security has replaced the old assumption that resources within the enterprise network perimeter should be trusted, and sees trust itself as a vulnerability, since users on a ‘trusted’ network were able to move freely through the network and exfiltrate any data they had been granted access to.
In a zero trust architecture, no attempts are made to create a trusted network. Instead, the concept of trust is eliminated entirely. Once the protect surface is determined, understanding how network traffic traverses it, learning which users are accessing protected assets, and cataloging the applications used and the methods of connectivity become the linchpins to creating and enforcing secure access policies for protected data. When those dependencies are understood it is possible to put controls in place close to the protect surface to create a microperimeter, typically by use of a next-generation firewall (NGFW) called a segmentation gateway that only allows known traffic from legitimate users and applications. The NGFW offers visibility into traffic and enforces access control based on the Kipling Method, defining access policy based on who, what, when, where, why, and how. This determines what traffic can pass through the microperimeter, keeping unauthorized users and applications out, and keeping sensitive data in.
Since workforces are dispersed and remote, zero trust does not depend on any particular location. Assets and users can reside anywhere – on-premises, in one or more clouds, or on the edge, whether in employee homes or as IoT devices.
Zero trust was the brainchild of John Kindervag, a Forrester Research VP and principal analyst. In 2010, he presented the model for the concept when he realized that existing security models relied on the outdated assumption that everything within the enterprise network should be trusted. Acceptance of the zero trust model accelerated in 2013 when Google announced their implementation of a zero trust security policy in their own network. By 2019, Gartner had listed zero trust as a core component of secure access service edge solutions.
Although often perceived as complex and expensive to achieve, zero trust uses existing network architecture, rather than a forklift upgrade. There are no zero trust products per se, rather there are products that are compatible with a zero trust architecture and environment – and products that are not.
A zero trust architecture can be simple to deploy and maintain using the five-step methodology outlined by Forrester back in 2010.
1. Identify the protect surface, including sensitive data and applications. Forrester recommends a simple three-class model using the categories public, internal, and confidential. Data requiring protection can then be segmented into microperimeters, which can be linked together to yield a broader zero trust network.
2. Map the transaction flows of all sensitive data to learn how data moves between people, applications, and external connections to business partners and customers. Dependencies between network and system objects can then be exposed and protected. This exercise can also yield data flow optimizations that improve overall performance and security.
3. Define a Zero Trust architecture for each microperimeter based on how the data and transactions flow throughout the enterprise (and to external partners). This can be achieved with software defined networks (SDNs) and security protocols using physical or virtual NGFWs.
4. Create a Zero Trust policy once the network design is done. Many organizations utilize the Kipling Method, which addresses the who, what, when, where, why, and how of your policies and network. This enables a granular layer 7 enforcement policy so that only known and authorized applications or users are granted access to the protect surface. Assume all personal devices, whether company owned or BYOD, are unsafe.
5. Automate, monitor, and maintain. Determine where any anomalous traffic is flowing, monitor all the activity surrounding it, and automate the inspection and analysis of log traffic so data can flow without impacting operations.
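As an added illustration of steps 4 and 5, and not code from the original article or from Forrester, the following Python sketch evaluates access requests against Kipling-method rules with a default-deny posture and tags each asset with the three-class model from step 1. The applications, roles, networks, time windows and requests are all constructed sample values.

```python
"""Kipling-method policy evaluation for a zero trust protect surface.

Every access request is checked against explicit rules that answer who,
what, when, where, why and how; a request that no rule matches is denied.
All applications, roles, networks and requests below are constructed
sample values for this example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Step 1: classify what sits in the protect surface (three-class model).
CLASSIFICATION = {
    "hr-payroll": "confidential",
    "wiki": "internal",
    "careers-site": "public",
}


@dataclass(frozen=True)
class Request:
    who: str             # authenticated identity
    role: str            # role asserted by the identity provider
    what: str            # target application in the protect surface
    when: str            # local time of the request as zero-padded "HH:MM"
    where: str           # source IP address of the device
    why: str             # business justification tag
    how: str             # protocol or method used
    device_trusted: bool = False   # device passed its posture check


@dataclass(frozen=True)
class Rule:
    who: frozenset       # roles allowed
    what: str            # application the rule protects
    when: tuple          # ("HH:MM", "HH:MM") inclusive window; strings compare in order
    where: tuple         # source networks allowed (CIDR strings)
    why: frozenset       # justifications allowed
    how: frozenset       # protocols allowed

    def matches(self, r: Request) -> bool:
        src = ip_address(r.where)
        return (r.role in self.who
                and r.what == self.what
                and self.when[0] <= r.when <= self.when[1]
                and any(src in ip_network(n) for n in self.where)
                and r.why in self.why
                and r.how in self.how)


# Step 4: the policy, one or more rules per microperimeter (constructed).
RULES = [
    Rule(who=frozenset({"payroll-clerk"}), what="hr-payroll",
         when=("07:00", "19:00"),
         where=("10.20.0.0/16",),                 # payroll VLAN only
         why=frozenset({"payroll-run"}), how=frozenset({"https"})),
    Rule(who=frozenset({"employee", "payroll-clerk"}), what="wiki",
         when=("00:00", "23:59"),
         where=("10.0.0.0/8", "192.168.0.0/16"),
         why=frozenset({"daily-work"}), how=frozenset({"https"})),
]


def decide(req: Request) -> tuple:
    """Return ('allow' | 'deny', reason). Confidential assets additionally
    require a device that passed posture checks, whatever the rule says."""
    if req.what not in CLASSIFICATION:
        return "deny", "unknown asset"
    if CLASSIFICATION[req.what] == "confidential" and not req.device_trusted:
        return "deny", "confidential asset needs a trusted device"
    for rule in RULES:
        if rule.matches(req):
            return "allow", f"matched rule for {rule.what}"
    return "deny", "no rule matched"   # default deny


def audit(requests) -> list:
    """Step 5: collect the denied requests so anomalous flows can be reviewed."""
    denied = []
    for r in requests:
        verdict, reason = decide(r)
        if verdict == "deny":
            denied.append((r.who, r.what, reason))
    return denied


if __name__ == "__main__":
    sample = [
        Request("alice", "payroll-clerk", "hr-payroll", "09:30",
                "10.20.5.7", "payroll-run", "https", device_trusted=True),
        Request("bob", "employee", "hr-payroll", "09:30",
                "10.20.5.8", "payroll-run", "https", device_trusted=True),
        Request("carol", "employee", "wiki", "22:15",
                "192.168.1.5", "daily-work", "ssh"),
    ]
    for r in sample:
        print(r.who, r.what, decide(r))
```

Each rule answers all six Kipling questions, so a request that is right on five of them (correct role, asset, time, network and justification) is still denied when it arrives over the wrong protocol; the classification check sits in front of the rules so that a mistaken rule can never expose a confidential asset to an untrusted device.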
“Never trust, always verify”. The core principle of zero trust is to discard the outdated belief that anything within the network is safe. There is no safe perimeter anymore due to the changes in the nature of the workforce, the adoption of microservices-based applications that may have components virtually anywhere, and the increasingly collaborative nature of business processes. Remote employees are no longer behind the firewall, even VPN connected employees. And there is no device that is safe. No smartphone, no desktop, period.
Zero trust is not a technology or product. It is a way of securing business-critical assets from prying eyes and malware attacks. Zero trust is enabled by products like NGFWs and multifactor authentication, and by the principles of microsegmentation and least privilege.
There is no single approach or technology for zero trust. The architecture will depend on the size of the protect surface and the resultant microsegmentation, and architects must consider the impact that zero trust policies will have on the user experience for affected applications, databases, and other resources.
Zero trust may require an enterprise to reevaluate how to secure every asset, since enforcement effectively moves from what was the network perimeter to the individual systems and applications in the protect surface. Instead of determining where a request is coming from, and whether that network is secure, zero trust attempts to authenticate the particular user and device, ensuring they are who and what they claim to be. This should include the ability to assign trust to a device based on other authentications provided, for example so that a ‘known’ smartphone need not require a token if the proper user id and password are given.
Zero trust can be a challenge, as it will limit access and may ruffle the feathers of those who had casual access to applications that were not needed to perform their job functions. Proper education and training on the need for and benefits of a zero trust network should play a large role in the initial rollout and in the onboarding of new users.
The global Coronavirus pandemic has greatly increased the number of employees working from home, and many analysts believe that even once the threat has passed, many organizations will continue to promote work from home (WFH) for employees who need not be physically present to perform their job functions.
With the number of users accessing systems remotely increasing, it is also likely that cyberattacks on remote workers and devices, and through remote workers to corporate systems will increase as well.
As a result, enterprise networks are at increasing risk of cybercrime and ransomware due to the largely remote workforce.
Given the increased numbers of employees working from home, it’s likely that attacks on and through remote workers will continue to increase. Cybercriminals are ready and willing to exploit the larger base of work from home targets, which puts corporate networks and data at an even higher level of risk than normal. Many organizations have adopted or will adopt a zero trust security model, whose purpose is the authentication of every user – and the devices they employ for access – while reducing the permissions for each user to the absolute minimum required to get their business transacted.
This reduces the onus on employees for much of the security stack, since zero trust assumes employees are inherently insecure until proven otherwise. Even the smallest of organizations can begin adopting zero trust security policies, for example by insisting on multifactor authentication for every user, whether internal or external.
Many organizations struggling with growing remote workforces do this via the use of a web-based gateway front end through which all access of the protect surface must pass, regardless of where it originated. Such a gateway could perform the authentication tasks, and even ensure that devices and OSs have the latest security patches applied before granting access.
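To make concrete both the device-trust idea above (a ‘known’ device needing no token when the correct credentials are given) and the gateway that checks patch levels before granting access, here is an added Python sketch of such a front-end decision; it is not code from the original article or from any vendor. It verifies the primary credential against a salted hash, refuses devices below a minimum patch level, lets a previously enrolled device skip the second factor, and otherwise demands MFA. The user store, device identifiers, patch dates and thresholds are all constructed.

```python
"""Front-end gateway decision for a zero trust protect surface.

Every request passes through this check regardless of where it came
from.  The user store, enrolled devices, patch thresholds and logins
below are constructed sample data for this example.
"""
from dataclasses import dataclass
import hashlib
import hmac

_ITERATIONS = 100_000
_DEMO_SALT = b"constructed-demo-salt"    # a real store uses a random salt per user


def _hash_pw(password: str, salt: bytes = _DEMO_SALT) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


# Constructed user store: only salted hashes are kept, never plaintext.
USERS = {"alice": _hash_pw("correct horse battery staple")}

# Devices a user has previously enrolled by completing a full MFA login.
ENROLLED = {"alice": {"laptop-7f3a"}}

# Oldest acceptable security-update date per platform, as YYYYMMDD (constructed).
MIN_PATCH = {"windows": 20240312, "macos": 20240305, "ios": 20240301}


@dataclass(frozen=True)
class Device:
    device_id: str
    platform: str
    patch_level: int      # YYYYMMDD of the last applied security update


@dataclass(frozen=True)
class Login:
    user: str
    password: str
    device: Device
    mfa_ok: bool = False  # True once a second factor has been verified


def authenticate_user(user: str, password: str) -> bool:
    """Constant-time comparison; the hash is computed even for unknown
    users so response time does not reveal whether an account exists."""
    candidate = _hash_pw(password)
    stored = USERS.get(user)
    return stored is not None and hmac.compare_digest(stored, candidate)


def posture_ok(device: Device) -> bool:
    """Unknown platforms fail closed: no threshold means no access."""
    return device.patch_level >= MIN_PATCH.get(device.platform, 10**8)


def gateway_decision(login: Login) -> str:
    """Return 'allow', 'require_mfa' or 'deny'.

    A correct password alone is never enough: the device must be patched,
    and it must be either already enrolled or freshly verified with MFA."""
    if not authenticate_user(login.user, login.password):
        return "deny"
    if not posture_ok(login.device):
        return "deny"
    known = login.device.device_id in ENROLLED.get(login.user, set())
    if known or login.mfa_ok:
        return "allow"
    return "require_mfa"


def enroll_device(user: str, device: Device) -> None:
    """Record a device after a successful MFA login so later logins from it
    need only the primary credential."""
    ENROLLED.setdefault(user, set()).add(device.device_id)


if __name__ == "__main__":
    laptop = Device("laptop-7f3a", "windows", 20240401)
    phone = Device("phone-91c2", "ios", 20240315)
    pw = "correct horse battery staple"
    print(gateway_decision(Login("alice", pw, laptop)))              # allow
    print(gateway_decision(Login("alice", pw, phone)))               # require_mfa
    print(gateway_decision(Login("alice", pw, phone, mfa_ok=True)))  # allow
```

The ordering is deliberate: posture is checked after the credential so that an attacker cannot probe patch thresholds without a valid password, and an out-of-date device is refused outright rather than being offered MFA, because no second factor makes an unpatched endpoint safe to admit to the protect surface.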
Since WFH employees typically rely on two or more devices to perform work functions, it is extremely important for zero trust security to be completely device and network agnostic. Since remote work is here to stay, the ability for zero trust to enable secure connections over new and unknown devices will continue to be a factor in its continued growth.