What is zero trust?
Zero trust is an IT security framework originated by Forrester in 2010. The zero trust model introduced a new approach to security that overturned the long-standing castle-and-moat model, which has lost efficacy with the explosion of mobile, remote, and cloud computing and the resulting porous perimeters. The zero trust model is predicated on the assumption that there is no longer a network edge, as networks can be local, cloud, or hybrid with resources and users widely distributed.
The premise of the zero trust model is that no user—human or non-human, from inside or outside a network perimeter—should be trusted until they meet access requirements. Access should be based on least privilege (i.e., the minimum access required for only as long as it is needed).
Following the principle of least privilege, the zero trust model denies access to all digital resources by default, with access granted on an as-needed basis with the minimum necessary to perform jobs or complete specific tasks.
When access is granted to applications, data, services, and systems, it is granular and siloed to the greatest extent possible.
Within the zero trust model, trust is established based on context, such as a user’s identity and location, the security rating of the access point, or the application or service that is requesting access. Users must be authenticated and authorized before being granted access. They must also be continuously validated against policies, security configuration, and security health.
Zero trust and NIST 800-207
The first version of NIST (National Institute of Standards and Technology) Special Publication (SP) 800-207 was announced on August 11, 2020. Designed for federal cybersecurity policies and programs, NIST 800-207 also provides a vendor-neutral, comprehensive zero trust model and a roadmap to implementing a zero trust architecture (ZTA).
NIST 800-207 offers guidance for designing and implementing a zero trust model, including outlining the core components of a ZTA. There are seven tenets of a zero trust model:
- Access to individual enterprise resources is granted on a per-session basis:
- Access should only be granted for the least privileges needed to complete the task
- Authentication and authorization to one resource should not automatically grant access to a different resource
- Trust in the requester is evaluated before access is granted
- Access to resources is determined by dynamic policy:
- Apply least privilege principles to restrict accessibility
- Define what resources it has, who its members are, and what access to resources those members need
- Request asset state, such as:
- Device characteristics (e.g., software versions installed, network location, time/date of request, previously observed behavior, and installed credentials)
- Behavioral attributes (e.g., automated subject analytics, device analytics, and measured deviations from observed usage patterns)
- Set of access rules based on attributes that an organization assigns to a subject, data asset, or application
- All communication is secured regardless of network location:
- All access requests must meet the same security requirements, regardless of whether requests are from internal or external users
- All communication should:
- Assume that network location alone does not imply trust
- Be conducted in the most secure manner available based
- Protect confidentiality and integrity
- Provide source authentication
- All data sources and computing services are considered resources:
- A network of multiple classes of devices
- A network with small-footprint devices (e.g., Internet of Things, or IoT) that send data to aggregators and storage
- Bring Your Own Device (BYOD) (e.g., mobile phones, tablets, and laptops)
- Systems sending instructions to actuators and other functions
- X as a service (XaaS), such as software as a service (SaaS) and infrastructure as a service (IaaS)
- All resource authentication and authorization steps are dynamic and strictly enforced before access is allowed:
- There is a constant cycle of obtaining access, scanning and assessing threats, adapting, and continually reevaluating trust in ongoing communication
- An enterprise implementing a zero trust model is expected to have Identity, Credential, and Access Management (ICAM) as well as asset management systems in place; this should include continuous monitoring with possible reauthentication and reauthorization occurring throughout user transactions
- Authorization and authentication processes should be defined and enforced by policies (e.g., time-based, new resource requested, resource modification, anomalous subject activity detected) that strive to balance security, availability, usability, and cost-efficiency
- Information is continuously gathered about the current state of assets, network infrastructure, and communications to improve security posture:
- Collect data about asset security posture, network traffic, and access requests
- Analyze data
- Leverage data analytics insights to improve policy creation and enforcement
- Use analytics to provide context for access requests
- The integrity and security posture of all owned and associated assets are monitored and measured:
- Treat assets discovered to be subverted, have known vulnerabilities, and/or not managed by the enterprise differently
- Establish continuous diagnostics and mitigation to monitor the state of devices and applications
- Evaluate the security posture of the asset when considering a resource request
- Monitor the application of patches and updates
- Use an alerting and reporting system to provide actionable data about the state of enterprise resources
How zero trust works
The zero trust model works by combining a number of security technologies, such as authentication, identity management, file access controls, and endpoint security to verify and authenticate user identities continuously. Key functions that drive the working of a zero trust model include:
Discover all users and what they access
- Classify resources based on risk
- Establish access policies for resources
- Segregate users based on role and function
- Understand all users, data, and IT resources
Ensure real-time visibility into users’ identity attributes
- Applications installed on endpoints
- Behavior patterns
- Credential privileges on each device
- Endpoint hardware type and function
- Firmware versions
- Operating system versions and patch levels
- User identity and type of credential
- User location
Monitor access and enforce policies
- Enforce policies quickly and consistently
- Monitor and authenticate all access requests against policies
- Validate the context of users’ access
Develop and implement an incident response and resolution
- Adjust network segmentation as required after an issue is detected or an incident occurs
- Prepare for and execute targeted action in response to an incident
- Quarantine suspicious users
- Revoke access for individual users or devices that exhibit anomalous behavior
Analyze and improve
- Evaluate and adjust policies and authorization parameters
- Execute remediation tactics to reinforce protection
- Implement updates to improve security based on analytics
Zero trust use cases
Use cases for the zero trust model include:
- Gain access control over cloud and container environments
- Implement network microsegmentation
- Increase protection against identity-centric attacks, such as:
- Meet security standards to maintain cyber insurance
- Minimize business and organizational risk
- Need additional protection not provided with VPN deployments used to secure remote access
- Protect an infrastructure deployment model that includes:
- Legacy systems
- Multi-cloud and hybrid-cloud environments
- SaaS applications
- Unmanaged devices
- Reduce the risk of a data breach
- Secure access by third parties working inside a corporate network
- Support compliance initiatives to adhere to government, industry, and corporate requirements
- Thwart malware and other cyber attack vectors
Zero trust model core principles
The following are the core principles of the zero trust model, several of which are drawn from NIST 800-207. Note that references to users include people, devices, systems, and applications.
Attack surface minimization
A zero trust model uses strict access control to minimize the network attack surface. Users can only access the minimum resources they need to do their jobs.
Following NIST 800-207, the zero trust model directs the gathering and analysis of data for verification. Among the types of data recommended to authenticate users and establish trust are:
- Application Program Interfaces (APIs)
- Data classification
- Device health
- Endpoints that are used to access data
- Threat intelligence
- User credentials, including single sign-on (SSO) credentials
- User location
- Workloads and services
Elimination of open connections
With the zero trust model, every open connection should be terminated. This allows for real-time traffic inspection, including encrypted traffic, before it reaches its destination to stop the propagation of malware and ransomware.
Explicit and continuous verification
The requirement for explicit and continuous verification is the source of the zero trust mantra—never trust, always verify.
The zero trust model requirement eliminates trusted zones, credentials, and devices by requiring continuous verification—no users should be automatically trusted.
Three key elements must be in place to support this part of the zero trust model:
- Dynamic policy model deployment processes that can be deployed quickly and dynamically to address changes in workloads, data, and users
- Logins and connections should be set to time out periodically once established, forcing users to be continuously verified
- Risk-based conditional access that enables continual verification without impacting user experience by only interrupting workflows if risk levels change
Granular context-based policies
With a zero trust model, dynamic, adaptive policies are used to reassess users’ access as the context changes continually. These policies are implemented to verify access requests and rights based on a variety of contextual criteria, such as:
- Application being requested
- Type of content
- User identity
Lateral movement prevention
The zero trust model is designed to prevent authorized users from moving within a network after gaining access. This is referred to as lateral movement. Several elements of the zero trust model enable the mitigation of lateral movement, including microsegmentation, monitoring, and continuous verification.
Least privilege access
The enforcement of least privilege access is foundational to the zero trust model. This approach to controlling the exposure of resources grants users only as much access as they need to do their jobs. In essence, least privilege provides access strictly on an as-needed basis.
In the zero trust model, microsegmentation breaks security parameters into smaller regions on separate parts of a network, according to data classification, to restrict users’ access to constrained areas. If a user access one area, they cannon access another area without revalidation and authorization.
Monitoring and alerting
The zero trust model requires continuous monitoring with alerts when anomalies are detected. Monitoring provides the visibility needed to determine if policies are working and if there are any vulnerabilities.
Time is of the utmost importance when issues are detected, which is why automation is a necessity to implement the zero trust model effectively. Among the areas that require attention are user behavior, data movements, network changes, and data alterations.
Implementing zero trust
Three key phases for implementing a zero trust model are:
- Visualization of connections between all resources
- Gain visibility into vulnerabilities and risks
- See all entities, including endpoints, identities, and workloads
- Understand all resources and associated access points to assess risks
- View potential attack paths and at-risk resources
- Mitigation of risks and impact of a successful attack
- Detect and stop threats
- Establish processes and identify tools to automate threat detection and response
- Help prioritize issue response
- Prevent lateral movement
- Reduce the impact of attacks that could result in a data breach
- Extend zero trust processes and protocols to all areas of IT infrastructure
- Implement testing to ensure the efficacy and usability of systems and processes
- Use analytics to identify vulnerabilities and areas for optimization
The steps to implement a zero trust model, which are also referred to as the seven pillars of a zero trust model, are:
- Automation and orchestration
Leverage automation and management tools to implement and enforce the zero trust model
- Data security
Isolate sensitive data from everyone except those who need access
- Device security
Identify and validate user-controlled and autonomous devices attempting to connect to the network
- Network security
Microsegment and isolate sensitive resources
- Workforce security
Identify and validate the user attempting to connect to the network
- Visibility and analytics
Use technology and artificial intelligence (AI) to automate processes, such as anomaly detection and configuration control, and end-to-end visibility
- Workload security
Identify and validate applications, digital processes, and public and private IT resources
CISA’s zero trust maturity model
The Cybersecurity and Infrastructure Security Agency’s (CISA) developed the Zero Trust Maturity Model (ZTMM) to guide all federal agencies and all organizations that work with them toward a zero trust model for security.
The CISA zero trust model has five pillars based on the foundations of zero trust:
- Applications and workloads
Secure all applications and workloads (i.e., on-premises, in the cloud, or hybrid)
Secure all data, whether at rest or in transit, using encryption and access controls
Secure all devices that connect to an organization’s network
Authenticate and authorize users before granting access to resources
Secure all network traffic, regardless of the user’s location or resource, and implement network segmentation and microsegmentation.
In the CISA zero trust model, identity has four states of maturity defined:
Identity authenticated with static access for entity identity
Identity authenticated with validation of multiple entity attributes
Identity authenticated using phishing-resistant attributes
Identity is continuously validated (i.e., not just when access is initially granted)
The CISA zero trust model also identifies essential capabilities:
- Visibility and analytics to optimize policy decisions and help security teams take proactive defensive actions before incidents occur
- Automation and orchestration are enabled with tools and workflows that support security response functions
- Governance to enable accountability in managing and mitigating security risks
The zero trust model optimizes existing security controls
Implementing a zero trust model requires rethinking and reconfiguring systems to apply the core principles. It also entails adopting complementary systems that help address the disintegration of traditional enterprise perimeters, with most enterprises’ resources spread across private data centers and multiple clouds with even more hosted applications and storage.
Many organizations that have deployed a zero trust model have seen significant enhancements to overall security and a reduction in data breach and unauthorized access incidents.
You might also be interested in:
How mature is your identity security strategy?
Discover the 5 horizons of identity security.