Never trust, always verify – Zero Trust security

“In three years… Zero Trust will be cited as one of the big-time frameworks in cyber security.”- Chase Cunningham, Principal Analyst at Forrester.

As a technology professional, you are all that stands between hackers and your valuable proprietary data. Cybercriminals are itching to get their hands on your firm’s information, and they cost companies $6 trillion in 2020, up from $3 trillion in 2015. With this knowledge in mind, you’ve set up firewalls, implemented 2-factor authentication, and conducted monthly safety audits to ensure your company’s security is not compromised. But have you invested in today’s most robust security framework, Zero Trust?

What is Zero Trust anyway?

“If I have 20 calls, 17 are about Zero Trust.” says Chase Cunningham, a Principal Analyst at Forrester. “And in three years, I think Zero Trust will be cited as one of the big-time frameworks in cyber security.”

In addition to high corporate demand, various industry guidelines including Forrester eXtended, Gartner’s CARTA, and NIST 800-207 note Zero Trust as the optimal way to address security challenges. This is especially true in the ever more popular cloud-first, work-from-anywhere company structure.

Zero Trust is a security framework requiring all users, whether inside or outside your organization, to be authenticated, authorized, and continuously validated. This allows for security configuration to happen before granting or keeping access to applications or data.

In the traditional security model, once they are in a network, users are free to move about it and access any information on it. The ability to log in to the network depends on the value of the assets directly on the other end of the login. However, if malicious attackers gain access to any point in the network, even weak points, they can move laterally to access all data in the network. The point of infiltration of an attack is not necessarily the target.

This traditional model mistakenly assumes that everything inside an organization’s network can be trusted. However, the most severe data breaches occur because in the traditional model, cybercriminals freely move laterally once inside corporate firewalls. In contrast, Zero Trust assumes that there is no established network edge. Networks can be local, in the cloud, or a combination or hybrid with assets anywhere; even employees can be in any location.

With Zero Trust, one-time validation does not suffice, because threats and user attributes are all subject to change. It requires firms to continuously track and validate users and their devices. As they begin to acknowledge that traditional security models aren’t sufficient, technology professionals are turning to Zero Trust. They recognize it as one of the most functional ways for organizations to control access to their networks, apps, and data.

Why is Zero Trust needed at corporations today?

The “trust but verify” method became outdated with the cloud migration of business transformation initiatives. Firewall rules and block by packet analysis have become insufficient. Instead, accounts that pass authentication protocols at a network perimeter device should continue to be assessed at each subsequent session or endpoint.

Due in part to trends in corporate technology which make it harder to establish, track, and maintain secure perimeters, this continuous assessment is vital. Some of these trends include:

• Increasing the number of endpoints within networks
• Expanding infrastructure to cloud-based apps and servers
• Added service accounts on microsites and locally hosted machines, VM, or via SaaS.

Your company has likely traded on a corporate data center serving a contained network of systems for applications both on-premises and in the cloud. Workers and clients access apps from different devices in various locations. A borderless security strategy is vital for organizations with a global and remote workforce. By segmenting the network by identity, groups, and function, as well as controlling user access, Zero Trust security enables organizations to contain breaches and reduce damage.

What tools are used in Zero Trust?

“You’re going to decide strategically that this [Zero Trust] helps me, and you’ll start buying technology to put in place that allows you to achieve that goal,” Cunningham says.

Zero Trust requires micro-segmentation and granular perimeter enforcement based on data such as users and user location. This determines whether to trust a user, machine, or application requesting access to an asset.

To do this, Zero Trust uses a number of security tools and techniques such as:

• multi factor authentication
• identity and access management (IAM)
• identity protection
• next-generation endpoint security technology to verify the user’s identity
• system security
• encryption
• securing email
• verifying the hygiene of assets and endpoints before they connect to applications
• orchestration
• analytics
• scoring and file system permissions
• governance policies such as giving users the least amount of access they need to accomplish a specific task

These tools provide real-time visibility into user credentials and attributes such as:

• user identity and type of credential (human, programmatic)
• number and privileges of each credential on each device
• normal connections for the credential and device (behavior patterns)
• endpoint hardware type and function
• geo location
• firmware versions
• authentication protocol and risk
• operating system versions and patch levels
• applications installed on endpoint
• security or incident detections including suspicious activity and attack recognition

Steps to implement Zero Trust

Achieving Zero Trust is not a simple process. Zero trust is especially tricky to implement with legacy systems as they often fail to effectively transition to this new model. The enterprises in which it is easiest to implement Zero Trust are those moving to the cloud and green field environments. Despite varying levels of difficulty in implementation, Zero Trust works regardless of your company’s assets or current suite of technologies.

Here is the tried and true method to implement Zero Trust at your firm

1. Map your company’s assets, transaction flows, network structure, and privileges

• Find out where sensitive data, assets, applications, and services (DAAS) live and who needs to access it
• Examine the linking and compatibility in security access controls between various DAAS components
• Note the number of service accounts and where they must connect
• Note differences in security protocols segmented by device types, identity, or group functions
• Define the attack surface
• Identify and audit every active credential
• Remove accounts which haven’t been accessed for more than 30 days
• Review privileges for risk and impact

2. Incorporate preventative techniques

• Implement multi factor authentication (MFA)
• Use least-privilege access, where your organization grants the lowest level of access possible to each user or device
• Utilize microsegmentation by dividing perimeters into small zones to maintain separate access to every part of the network. This can be achieved through devices and functions, or by identity and controlling groups and users. If a breach occurs, the cybercriminal is unable to access information outside the microsegment

3. Establish real-time monitoring

Identity challenges must happen in real-time as they occur at the domain controller, rather than simply logged and passed to an SIEM.

• Discover where anomalous activity is occurring and monitor all surrounding activity
• Continuously inspect, analyze, and log all traffic and data
• Escalate and store authentication logs for anomalous or suspicious traffic and activity
• Create an action plan for critical resource behavior anomalies

4. Create a Zero Trust mindset throughout your organization

While technology plays an important part in protecting your organization, digital capabilities alone will not prevent breaches. Companies must embrace a holistic security mindset that includes diverse endpoint monitoring, detection, and response capabilities.  In order to achieve this mindset, you must make sure all your employees are well-versed in Zero Trust principles. The only way to successfully do this is to invest in employee training.

As you can see, Zero Trust might be a bit more complex than it sounds, requiring numerous steps and tools to work properly. But when it does, it can be a great asset for reducing the number of breaches and limiting potential damage. Due to the rising popularity of clouds and remote work options, Zero Trust’s reputation as a security model has grown rapidly. With thoughtful planning, you can implement Zero Trust into other security frameworks at your organization to help you advance business security.