In a time where network surveillance is ubiquitous, we find ourselves having a hard time knowing who to trust. Can we trust that our internet traffic will be safe from eavesdropping? Certainly not! What about that provider you leased your fiber from? Or that contracted technician who was in your datacenter yesterday working on the cabling? The assumption that systems and traffic within a data center can be trusted is flawed. Modern networks and usage patterns no longer echo those that made perimeter defense make sense many years ago. As a result, moving freely within a “secure” infrastructure is frequently trivial once a single host or link there has been compromised.
Zero Trust Security Methodology
Zero trust security is a security model that requires strict identity verification for every person and device trying to access resources on a private network, regardless of whether they are sitting within or outside of the network perimeter. Zero Trust model is not dependent on any single technology or method rather it is a holistic approach incorporating several different principles and technologies. A 2014 Google whitepaper on BeyondCorp advised enterprises to “assume that an internal network is as fraught with danger as the public Internet.”
Zero trust security means that no one is trusted by default from inside or outside the network and verification is required from everyone trying to gain access to resources on the network. This added layer of security has been shown to prevent data breaches. A recent IBM-sponsored study demonstrated that the average cost of a single data breach is $3.92 million. Considering that figure, it should come as no surprise that many organizations are now eager to adopt a zero-trust security policy.
The Main Principles and Fundamentals behind zero trust security
The viewpoint behind a zero-trust network is to assume that there are attackers both within and outside of the network, so no users or machines should be automatically trusted. Another principle of zero-trust security is least-privilege access which gives users only as much access as they need like an army general gives his soldiers information on a need-to-know basis. This minimizes each user’s exposure to sensitive parts of the network.
Five Fundamentals of a zero-trust network:
Ø The network is always assumed to be hostile.
Ø External and internal threats exist on the network at all times.
Ø Network locality is not sufficient for deciding trust in a network.
Ø Every device, user, and network flow is authenticated and authorized.
Ø Policies must be dynamic and calculated from as many sources of data as possible.
Active security initiatives for organizations with this Security Model
When considering options beyond the perimeter model, one must have a firm understanding of what is trusted and what isn’t. The level of trust defines a lower limit on the robustness of the security protocols required. Unfortunately, it is rare for robustness to exceed what is required, so it is wise to trust as little as possible. Once trust is built into a system, it can be very hard to remove. A zero-trust network is just as it sounds. It is a network that is completely untrusted. Lucky for us, we interact with such a network very frequently: the internet.
The top four below security initiatives currently underway in organizations are all related to zero trust network access:
- Identity and Access Management (72%),
- Data Loss Prevention (DLP) (51%),
- BYOD/ mobile security (50%),
- Securing access to private apps running on public cloud (i.e. Microsoft Azure), Amazon Web Services, Google Cloud Platform (47%).
As per the Report by zscaler, 78% IT teams are looking forward to embracing zero trust policy. 19% say they have no plans to do it, while 3% are not aware of this policy. Over three-fourths (78%) of enterprises are looking to adopt zero trust, almost half of enterprise IT security teams lack confidence in their ability to provide zero trust with current security technology. It is recommended to follow the correct measures while implementing the Zero Trust Policy in the organization. Implementing a False Policy will lead to a No-Benefit state even after applying all the features.
Adoption of Zero Trust
Zero Trust is a journey and it is not a destination. There is no magic bullet available in the market which will fulfill a best in class Zero trust architecture. Zero trust is a combination of processes and technology. Incremental planning should be adopted to implement zero trust principles, process changes and technology solutions that protect its resources. A major deciding factor on how organizations migrate their legacy architecture on Zero trust Architecture would be based on the maturity of its current cybersecurity posture and operations. At a high level, the following approach can be used:
1- Establish a baseline process, by identifying the enterprise subjects and assets which has the coverage over key business processes and risks.
2- Formulate a policy at different levels for the access policy on Zero trust.
3- Perform candidate capability Gap assessment and identify its solutions.
Benefits of Zero trust
When asked about the benefits of zero trust, two-thirds of IT security professionals (66%) say they are most excited about zero trust’s ability to deliver least privilege access to protect private apps. This is followed by apps no longer being exposed to unauthorized users or the Internet (55%), and the ability to ditch virtual private networks entirely, since access depends solely on device and user credentials, regardless of a user’s network location (44%). Here are four strengths of Zero Trust Model to be embraced by every organization:
- Strong user identification and access policies
- Segmentation of data and resources
- Strong data security in storage and transfer
- Security orchestration
Challenges of Zero Trust
The Downside to this has to be considered when planning to incorporate Zero Trust. The process entails weaning employees off VPNs, replacing several device inventories with one central system, and overhauling HR by analyzing each person’s job function.
Few downsides of Zero Trust are listed down as below:
- User Uniqueness (in office and remote)
- Device Uniqueness (mobile, IoT, biotech)
- Category of Applications available (CMSes, intranet, design platforms)
- Multiple ways to access and store data (drive, cloud, edge)
