Organizations are increasingly creating zero trust policies to augment their digital security postures. According to Infosecurity Magazine, 15% of organizations say they implemented a zero trust policy by the end of 2019. An additional 59% of participants revealed their intention to create a policy of their own within the next 12 months.
To understand why so many organizations are flocking to zero trust, it’s important to first dive into the benefits of a zero trust policy. Take a look at how it helps organizations respond to their evolving digital security challenges. Only then is it possible to weigh the strengths and weaknesses of zero trust security so that organizations can build an effective zero trust strategy that meets their security and business requirements.
What is Zero Trust?
Zero trust is an approach to digital security that lives by the law of limiting access to sensitive data. Zero trust does this by not trusting any user, device or account by default. This approach requires a security team verify and authorize every connection into and throughout the business.
In this framing, zero trust responds to the evolution of digital security challenges beyond what the traditional perimeter security model can provide. This older idea of security rests on the assumption that threats come from outside the network and that all internal users, devices and applications can be trusted. Subsequently, organizations can simply deploy firewalls, virtual private networks (VPNs) and network access controls (NACs) in order to keep computer criminals outside the network while gifting internal users unrestrained access to the network.
The times have changed, however. Many organizations have undergone processes of digital transformation in which they’ve migrated some of their assets to cloud infrastructure that lies outside IT’s immediate control. They’ve also extended remote access to suppliers, contractors, vendors and full-time employees as they’ve sought to strengthen their flexibility and adaptability for tomorrow’s business challenges.
The advent of COVID-19 is an example of this. Many organizations responded to the pandemic by mandating that their employees begin working from home to observe social distancing. Without access to their in-office resources, these newly remote employees had no choice but to use their home networks and devices to get their work done. This shift forced organizations to migrate even more workloads to the cloud to accommodate all of these remote connections, a move that introduced more one-to-one network interactions requiring verification.
Weighing Zero Trust’s Strengths and Weaknesses
The central benefit of zero trust lies in its philosophy of building trust from the ground up. The security team is essentially responsible for authorizing which connections to the business while disallowing all others. This approach enables security professionals to reduce the organization’s attack surface by gaining visibility over everything that’s connected to the organization as well as removing distrusted access points. It also entails using additional digital security controls to provide context and limit what that connection can access, as well as authenticate the integrity of that connection on an ongoing basis.
However, zero trust security does come with its fair share of challenges. Many of these obstacles result from the same developments that helped to diminish the relevance of the perimeter security model. Organizations can’t simply define trust in an inside/outside binary with respect to the network. Threatpost recommends extending their understanding of trust. Here are five different pillars: devices, users, network access, applications and data.
It’s worth some time exploring how trust relates to each of these pillars below:
- Devices: Security teams can’t protect what they don’t know about. With that said, they need to have the means of building an inventory of all hardware and software in their environments. Additionally, they must have capabilities in place that allow them to monitor and control all approved devices based upon the organization’s security policies. They can then use this awareness to distrust unapproved devices.
- Users: A set of credentials provides one means of authenticating users. But, malicious actors can compromise a username and password and thereby impersonate a user by authenticating themselves onto protected systems. Therefore, organizations must implement more secure user authentication and identification methods that use context and other security measures to help further verify the individual behind a login attempt.
- Network Access: Once a user gains access to a system, they should not receive the same type of unlimited freedom to move around that’s granted by the perimeter security model. Otherwise, they could choose to access sensitive assets and thereby jeopardize the organization’s data. To reduce the risks associated with insider threats and other digital attacks, organizations need to limit what users can access. They should specifically restrict users’ access to only those network assets that they need to fulfill their work duties.
- Applications: Organizations must make sure that users can access an application that’s necessary for their work from any of their approved devices. This process ties back into the first point about building an inventory of known hardware and software. To be effective, this program should take into account the temporary connections that could result from contractors, vendors and other third parties.
- Data: Finally, organizations need to make sure data remains protected. This step enables them to not only ensure the integrity of their data so that the workforce as a whole is working with the correct information. It also requires security teams to implement solutions to prevent threat actors from taking that correct data outside of the network and misusing it for malicious purposes.
How to Build a Zero Trust Network
Organizations can begin to build a zero trust strategy by first figuring out how much zero trust they need. The reality is that it’s impossible to achieve 100% zero trust throughout an organization. IT architecture changes; new users, applications and resources are added every day; business goals evolve. Zero trust should focus on stopping what you can, so you can focus your security efforts on more complex issues, without sidelining business.
Organizations should be strategic about their security efforts. Foster zero trust not at the attack surface but at the protect surface — that is, the organization’s most valuable data, applications, assets and services. Customers’ credit card details, protected health information, intellectual property, industrial assets, medical equipment and IoT devices tend to fall into this category.
Organizations must achieve an understanding of how traffic moves throughout their networks if they hope to build a zero trust network that provides a sufficient level of protection. Subsequently, their security teams need to document how specific data resources interact with one another and other assets. Completing this step will yield context. From there, security teams can begin to create new security policies and modify existing strategies to accommodate zero trust.
At this stage in the process, organizations can build the architecture for the zero trust network. They should start by using next-generation firewalls to implement micro-segmentation. This will allow them to isolate and arrange their network segments. It will also help to limit the ability of attackers to abuse east/west traffic for the purpose of moving laterally across the entire network, though it won’t necessarily stop them from gaining entry into the network in the first place via north/south traffic. With those segments created, organizations can then begin implementing the necessary security controls to enforce zero trust.
Help Net Security states there are six security controls in particular that organizations should deploy at this stage: multi-factor authentication (MFA), device verification, principle of least privilege, network monitoring and attribute-based controls. More information on how these security measures work is available below.
- MFA: A compromised set of credentials could grant a malicious actor the ability to authenticate themselves as a trusted user. They could then abuse what privileges belong to that user to move around the network and access sensitive assets. In response, organizations should seek to implement MFA for the purpose of adding another factor into the user verification process. In implementing MFA for zero trust, organizations should consider deploying MFA for all remote access points within the zero trust strategy as well as using a MFA solution that comes with support for biometrics and/or behavioral analytics.
- Device verification: Organizations cannot inherently trust every device a trusted user accesses. Even though the user might be trusted, some of their devices might pose a security risk. That’s why it’s crucial for security teams to verify all devices individually, as well as to provide ongoing tracking of an approved asset’s status.
- Principle of least privilege: Not every user requires access to the organization’s financial records. Nor should every user be able to review the organization’s intellectual property without prior authorization. Acknowledging these realities, organizations should enforce the principle of least privilege by restricting users’ network access to those assets that are essential for their job functions.
- Network monitoring: Sometimes unexpected activity occurs within the network. Such behavior could be benign in nature. But, there’s a chance it could be a sign of malicious activity. That’s why organizations need to achieve network visibility by recording and analyzing network traffic. Security teams should also use tools like behavior analytics to correlate anomalous user behavior with known threat indicators.
- Attribute-based controls: It’s important for organizations to have a means of blocking suspicious events in real time. That’s where attribute-based controls come in. By creating security policies based upon attributes associated with users, resources, devices, etc. security teams can essentially create policy-based access in which network connectivity is enforced and automated.
- Community involvement: As organizations continue to fine-tune their zero trust security controls, they should make a point of working with all users and departments to create security policies that take their requirements and preferences into consideration. This should be a process, not a delineated course of action. Organizations should constantly be revising security policies to address developments in the threat landscape as well as the evolving security needs of the business and its workforce. As part of this ongoing process, organizations should also educate all users about these security measures using a security awareness training program.
With these fundamental controls in place, organizations can move on with finalizing their zero trust governance model. This requires that they use monitoring solutions and automated capabilities so that they can respond to incidents as soon as possible. It also requires that they continually measure, review and improve upon their zero trust network as the organization’s needs change and as the network continues to evolve.
Evolving With the Times
Gone are the days when organizations could simply trust whatever exists within the network. Zero trust comes with its fair share of challenges. But organizations do not have to implement this principle’s many facets all at once in order to begin realizing its benefits. As with any security measure, it comes down to how each organization prioritizes and implements their zero trust strategy, as well as how they advance that strategy over time and in a way that best supports its business growth.
David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Trip...