What is zero trust?
Zero trust is an IT security framework that requires all identities (people, devices, or any other entity designated as a user) to be authenticated, authorized, and continuously verified, whether the user is inside or outside the enterprise’s network, prior to and while accessing data and applications. The organization’s network may be local, in the cloud, or hybrid, and its users might be located anywhere in the world.
Conventional IT network security trusts all identities once they are inside the network, leaving the enterprise vulnerable in today’s cyber environment of:
- remote, hybrid, and non-employee (contractors and other third parties) access
- diverse data, application, and network devices and locations
- migration to the cloud
- data breaches and ransomware attacks
Once a malicious insider is inside the network, they have easy lateral access to resources. With zero trust, even users inside the network are not trusted and are being continually verified to ensure they should still have access to the applications and data as originally granted.
Zero trust presumes that the enterprise is always endangered by internal and external threats. It enables an intentional and methodical approach to mitigating those threats. Because it trusts no one, even users with existing access to organizational resources, the Zero Trust model provides foundational security for the modern enterprise.
Zero trust and NIST
The National Institute of Standards and Technology (NIST) Special Publication 800-207 on zero trust architecture “provide[s] a road map to migrate and deploy zero trust security concepts to an enterprise environment (p. iii).” It offers a standard to which organizations can align but “is not intended to be a single deployment plan for [zero trust architecture] (p. iii).”
At the time of this writing, NIST Special Publication 1800-35 is available in draft form and open to comments. This publication is intended to support readers who are generating strategies for transitioning to zero trust architecture. Sections of the guide are designed to appeal to various organizational roles, from IT leadership to managers and specialists.
NIST standards are ever-evolving, partially based on feedback from professionals who follow their manuals. They are vendor-neutral and expansive, though not meant to be comprehensive as they cannot address every use case. NIST zero trust standards can be used to support any organization, not just government agencies.
The NIST National Cybersecurity Center of Excellence (NCCoE)’s goal is to alleviate difficulties around understanding zero trust and implementing zero trust architecture for typical business cases. Aspects of zero trust the NCCoE focuses on include:
- Transitioning from the traditional security approach on network perimeters, which provided access to anyone inside, to limited, changeable, risk-based access control, no matter where resources are located
- Understanding and managing challenges associated with executing on a zero trust architecture, such as evaluating organizational priorities for investments and assessing the impact on user experience
- Realizing benefits to the enterprise from implementing zero trust, including supporting remote teams, mitigating insider threats and data breaches, and enhancing visibility
How zero trust works
The underlying model of zero trust is straightforward: Trust no one. As mentioned above, it is a fundamental shift from the traditional model built around a network perimeter that assumes users are safe if they have the credentials to be granted access. The zero trust model considers all identities, including those inside the network, to be a threat.
Security that is enabled everywhere – on-premises, in a public cloud, or in a hybrid environment – is stronger when it is based on verifying identities.
With zero trust, applications and services can securely communicate across networks, and identities, whether those entities are humans, devices, or applications, can be granted access to the data and applications they need based on business policies. A zero trust architecture prevents unapproved access and lateral activity by applying access policies depending on context, including the:
- user’s role and location
- user’s device
- data being requested by the user
Implementing the zero trust framework offers a combination of sophisticated tools such as multi-factor authentication, identity security, endpoint security, and dynamic cloud-based services to protect the enterprise’s users, data, and systems at every point of access.
Zero trust architecture
Zero trust architecture is a general framework that safeguards the enterprise’s most significant resources. Since all connections and endpoints are assumed to be threats, a zero trust architecture:
- Manages and restricts network access
- Makes applications and data inaccessible by default
- Validates and authorizes every connection, based on whether granting access conforms with the enterprise’s security policies
- Terminates each connection to allow evaluation of files prior to delivery instead of utilizing an inspection-upon-delivery approach like that with firewalls, which can result in late detection of infected files
- Records, reviews, and monitors all organizational network traffic, utilizing context from as many data sources as available
- Validates and secures network assets
A zero trust architecture relies on least-privilege access, which limits user access only to what is required for their job function. For example, an employee who works in marketing does not necessarily need access to sensitive customer data in the enterprise’s customer relationship management (CRM) software.
Zero trust use cases
Zero trust, a recommended model for years, is being evolved and formalized due to increased cyber threats and the growing need for the enterprise to enable secure digital transformation. Significant use cases for zero trust include:
- addressing organizational concerns such as regulatory compliance and associated audit challenges, difficulty in maintaining cyber insurance, security operations center (SOC) issues, and/or muti-factor authentication effects on users
- reducing organizational risk for enterprises that lack robust authentication and authorization protocols, have poor visibility into the network and how resources communicate, or suffer from overprovisioned software and services
- safeguarding infrastructure models that are multi-identity, cloud, multi-cloud, or hybrid and/or include SaaS applications, legacy systems, or unmanaged devices
- quickly and securely onboarding and offboarding new employees, as well as seamlessly grant and revoke access when users change roles
- securely supporting remote work, as well as non-employees like contractors and other third parties using computers that are not managed by organizational IT teams
- addressing existing threats, such as data breaches, ransomware, insider threats, shadow IT, or supply chain attacks
- creating boundaries around sensitive information such as data backups, credit card information, and personal data with zero trust microsegmentation, which not only enables proper categorization of data types, but offers better visibility and management during audits, or if a data breach occurs
Core principles of the zero trust model
Continuous monitoring and validation
A key concept in zero trust is that applications cannot be assumed to be trustworthy and continuous monitoring at runtime is required to validate their behavior. Continuous validation means that the enterprise must constantly authenticate access for all resources; “trusted” credentials, zones, and devices do not exist.
Continuously validating such extensive resources requires risk-based conditional access to ensure the workflow is only disrupted when risk levels change, enabling that continual verification without compromising user experience. Also, since users, information, and workloads frequently move, the enterprise must deploy a scalable dynamic policy model that incorporates risk, compliance, and IT considerations.
Microsegmentation
Microsegmentation is the process of separating security perimeters into smaller sectors, creating distinct access to each network zone. A user or application granted access to one zone will be unable to access any others without receiving additional permissions.
Preventing lateral movement
An important aspect of zero trust is preventing lateral movement, which occurs when a cyber attacker repositions within a network after gaining entry to it. It can be challenging to identify even if the entry point is detected, since the cyber attacker will already have progressed to infiltrating other areas in the network.
By microsegmenting access to the network, zero trust keeps cyber attackers from laterally moving to other microsegments.
Pinned into a particular zone, the attacker is easier to locate, and the offending user, application, or device can be isolated so that access to additional zones is impossible.
Device access control
To limit the organization’s network attack surface, zero trust calls for rigorous management of device access to:
- document the number of devices attempting to access the network
- confirm that each device is authorized
- ensure that devices have not been compromised
Principle of least privilege access
Least-privilege grants users only as much access as required via judicious administration of user permissions, reducing each user’s exposure to vulnerable network segments to the absolute minimum. Along with microsegmentation, least-privilege access principles are utilized to minimize lateral movement.
Least privilege access limits user access through just-in-time (JIT) provisioning, just-enough-administration (JEA), risk-based adaptive policies, and data protection to facilitate secure information and superior efficiencies. Monitoring access under least-privilege constraints provides analytics and reporting that enable the enterprise to identify and react to inconsistencies immediately.
Multi-factor authentication (MFA)
Multi-factor authentication (MFA) is also a core principle of the zero trust model. MFA combines two or more security mechanisms for accessing IT resources.
MFA is similar to two-factor authentication (2FA), which requires a password plus a secondary mechanism such as a security token, an authenticator application on a mobile device, or a fingerprint scan. The primary difference between the two is that MFA may require more than one secondary mechanism of verifying identity to increase the level of security.
Implementing zero trust
To execute a zero trust architecture, the enterprise must:
- commit to zero trust and devise a well-organized strategy and roadmap
- document the IT infrastructure and information resources
- analyze the organization’s vulnerabilities, including potential attack paths
- select and implement security tools to accomplish the required business results
- align security teams on priorities, policies for assigning attributes and privileges, and policy enforcement
- consider data encryption, email security, and validating resources and endpoints before they connect to applications
- examine and validate traffic between parts of the environment
- connect data across each security domain
Connections to secure include:
- User and user segments
- Accounts
- Data
- Devices and device segments
- Applications
- Workloads
- Networks and network segments
As the enterprise transitions to a zero trust architecture, microsegmentation, rather than traditional network segmentation, safeguards information, workflow, and services. This enables security regardless of network location, whether resources are in a data center or in distributed hybrid and multi-cloud environments. Additional components for implementing a zero trust architecture solution include overlay networks, software-defined perimeters (SDP), policy-based access controls (PBAC), and identity governance.
Implementing a zero trust architecture may appear to be somewhat obstructive, but it can enable visibility into and greater understanding of an ever-evolving attack surface, as well as enhance user experience, decrease security complexity, and reduce operational overhead.
Automating context collection and response enables fast, high-quality decision-making based on data compiled from sources like human and non-human users, workloads, endpoints (physical devices), networks, identity providers, security and event management (SIEM), single sign-on (SSO), threat intelligence, and data.
Why zero trust is important
Zero trust offers a security architecture for the modern enterprise that is amenable to and reflective of today’s cyber environment and the need to protect users, data, and systems at every point of access. Zero trust supports the hybrid workplace by ensuring that users have access to the resources they need, when they need them, on their preferred devices, while enabling the organization to keep security up-to-date and adapt when new threats are detected and as digital transformations occur.
In addition to the updated security model zero trust offers, it supports the enterprise’s evolving business needs, such as:
- customer preferences and expectations for innovative digital experiences
- resources accessed by increasing numbers of devices that are outside the IT team’s control
- managing time spent by IT teams on manual tasks due to outdated security solutions, evolving cyber threats, and escalating global regulations
- providing visibility and insights for leadership teams regarding security policies and threat response
Benefits of zero trust
Benefits to the enterprise of successfully implementing zero trust include:
- highly effective cloud security, which is vital due to the level of cloud, endpoint, and data sprawl in the modern IT ecosystem, with increased visibility and efficiencies for security teams
- decreasing the organization’s attack surface and limiting the severity and associated recovery expenses when an attack does happen by confining the breach to a single microsegment
- improved network performance because of decreased subnet traffic, streamlined logging and monitoring, and enhanced capability to focus on network errors
- reducing the impact of user credential theft and phishing attacks due to MFA requirements and mitigating threats that typically circumvent conventional perimeter-based safeguards
- lowering the risk associated with devices, including Internet of Things (IoT) devices that may be challenging to safeguard and update, by authenticating all access requests
A brief history of zero trust
John Kindervag, a Forrester Research analyst, introduced the term “zero trust” in 2010 during a presentation on the model. NIST Special Publication 800-207, discussed above, was published in 2018.
In 2019, Gartner included zero trust in their secure access service edge (SASE) solutions, and the National Cyber Security Centre (NCSC) in the United Kingdom advised that network architects consider a zero trust model for new IT deployments, especially when the deployment involves cloud services.
As also mentioned above, NIST Special Publication 1800-35 is available in draft form and open to comments as of this writing as zero trust continues to evolve to meet the needs of various use cases and industries.
What is Zero Trust Network Access (ZTNA)?
Zero Trust Network Access (ZTNA) is the primary technology that empowers the enterprise to employ the zero trust security model. ZTNA establishes one-to-one encrypted connections between devices and the resources they require based on specified access control policies, preventing access by default, and only permitting access to services once unequivocally granted. Users are authenticated via an encrypted tunnel before ZTNA provides secure access.
Getting started with zero trust
Zero trust architecture, technology, and processes should be based on the enterprise’s strategic objectives: What must the organization safeguard, and from whom? Once this is determined and zero trust is successfully implemented, the enterprise will reap the benefits of a more streamlined network infrastructure, an enhanced user experience, and robust cyber defenses.
All organizations experience challenges depending on industry, maturity, existing security strategy, and business objectives. An identity-based zero trust model adds control and oversight into user access and movement across your IT infrastructure. Schedule a demo to learn how SailPoint can accelerate your enterprise journey into zero trust.
