Zero Trust is a model that is based on the idea that nothing should be trusted without verification.
In traditional networks, security is based on perimeter defenses, a concept that can be best described with the metaphor of a medieval castle. It is hard to gain access from the outside, but everyone inside is trusted.
The problem with this perimeter defense approach is that once attackers have overcome the initial boundary of the network, they can freely act on all systems. This is intensified by today’s world of complex interconnected networks, cloud-based environments, working from home (WFH), and bring your own device (BYOD).
Consequently, the concept of barricading your castle with a single (fire)wall alone is an inadequate security model.
Enter zero trust; a new way of thinking, driven by the assumption that threats are everywhere. Let’s take a look at some of the guiding principles.
The zero trust model extends identity controls to all processes, systems, and people regardless of their group membership or by the location in the network.
Networks are therefore segmented into small zones and a person or program can’t access the resources in such a zone without prior authorization.
The resulting micro perimeter allows granular authentication that is tailored to an individual user/process/system combination.
Principle Of Least Privilege
Authentication within a zero-trust philosophy is based on the Principle of Least Privilege (PoLP). Meaning, people and processes receive only the amount of access rights they need to carry out their duty.
The framework of policies and technologies for enabling this appropriate access to resources is called Identity and Access Management (IAM) and in conjunction with PoLP, it minimizes the exposure of services to malicious login attempts with valid accounts.
In zero-trust security, knowledge of a password is not enough evidence for authentication. Multi-factor authentication is the recommended method in which a user is granted access only after successfully presenting two or more pieces of evidence to an authentication mechanism.
2FA as a subset of multi-factor authentication confirms identities by combining two different factors: something they know and something they have.
Utilizing MFA dramatically improves the security of the authentication process and prevents attacks with well-known or easy to brute-force passwords.
Data in public networks is by default encrypted in today’s world. Zero-trust additionally requires the consistent usage of transport layer security (TLS) in internal networks and the cryptographic protection of data in storage.
Encryption algorithms and secure key sizes have to be assessed regular whether they remain sate of the art. But this effort is quickly compensated by the liberating knowledge that an attacker will have a harder time to move inside the network.
Behavioral analytics, efficient incident response, and forensics are important building blocks to support a zero-trust environment. The ability to develop such a cohesive overview requires observability for all services and events.
Usually, logging and metrics come to mind first, but observability involves other processes like monitoring, tracing, analytics, and alerting. Good observability enables the organization to compile meaningful information from all systems.
Zero Trust can only function within the framework of an overall security concept. It is not an off-the-shelf product or tool but rather a vendor-neutral principle for approaching security in an organization.
It requires a cultural shift and flexible solutions to change the paradigms by which organizations secure their resources.