The complexity of the modern cybersecurity landscape calls for new defense approaches. Learn about zero trust, its main principles, and its mechanisms.
The complexity of the modern cyber environment prompts a search for new security guidelines. In today’s cyber world, the lines between organizations’ internal and external environments are blurred and require new approaches to cybersecurity. Hence, the outdated assumption that everything inside an organization’s network should be implicitly trusted no longer works. Contemporary cyber environments require tighter rules, e.g., the “never trust, always verify” principle used in the zero trust security approach.
Keep reading to find out how the zero trust approach has shifted the general approach to cybersecurity and how it helps businesses stay safe.
Zero trust is not a technology but a strategic cybersecurity approach that secures an organization by eliminating implicit trust and validating every stage of digital interaction. Instead of assuming everything behind the corporate perimeter is safe, zero trust considers threats both inside and outside the traditional boundaries, presupposes data breaches, and verifies each access request as though it originates from an open network. In other words, zero trust security means that no one is trusted by default, and verification is required from everyone and everything trying to gain access to resources on the network. This added layer of security has been shown to prevent data breaches more effectively.
Until recently, it was believed that everyone inside the network could be trusted by default, while those outside were assumed to be potentially hostile. However, this traditional approach is no longer valid given the increasing reliance on mobile devices and work-from-home, and the rising number and severity of sophisticated cyberattacks on supply chains and critical infrastructure. Some of these attacks are described in detail in our post Supply Chain Attack and Cyber Security. The vulnerability of traditional security systems is further exacerbated because companies no longer keep their data in a single place. Information is often spread across cloud vendors and on-prem systems, making it more challenging to maintain tight security control over the entire digital landscape. The problem is that once attackers gain access to the network, they get the keys to the kingdom. Based on these factors, the general approach to cybersecurity shifted from “trust but verify” to “never trust, always verify.”
Zero trust is beneficial for businesses of any size and complexity. This is not surprising, since reducing risk and preventing breaches is the primary cybersecurity goal. However, not all businesses have enough resources, experience, or knowledge to carry out a successful zero trust strategy. At the same time, those possessing the necessary resources often have other priorities and cannot allocate sufficient effort to implementing the new security strategy in a large and complex environment. Regardless of size, businesses should not ignore the new threat landscape and should implement a zero trust architecture to protect their data and prevent breaches.
The core guidelines and components of zero trust are highlighted by NIST SP 800-207 “Zero Trust Architecture.” Specifically, the Special Publication provides recommendations on maintaining and protecting data using zero trust systems when enterprise networks include cloud-based assets and remote users. In short, the strategic approach shifts focus away from protecting the network perimeter and prohibits access until the access request, identification of the requestor, and requested resource are validated.
There is no official obligation for organizations to implement zero trust practices so far; however, there are signs of this becoming a requirement for federal agencies and critical infrastructure in the near future. The May 2021 “Executive Order on Improving the Nation’s Cybersecurity” urges agencies to plan and move toward implementing advanced zero trust architectures. In addition, the Cybersecurity and Infrastructure Security Agency (CISA) recently released a draft publication, Applying Zero Trust Principles to Enterprise Mobility, which aims to support federal agencies and other organizations in their transition toward zero trust for secure mobility.
Integrating zero trust principles can be complicated in any business environment. To address this challenge, businesses should look for the best way to organize, guide, and simplify these principles in their own circumstances. Below is a list of the operating capabilities necessary for adopting the approach in any business:
“Never trust, always verify” – Treat every user, device, application/workload, and data flow as untrusted. Authenticate and explicitly authorize each to the least privilege required using dynamic security policies.
Assume breach – Consciously operate and defend resources with the assumption that an adversary already has presence within the environment. Deny by default and heavily scrutinize all users, devices, data flows, and requests for access. Log, inspect, and continuously monitor all configuration changes, resource accesses, and network traffic for suspicious activity.
Verify explicitly – Access to all resources should be evaluated consistently and securely using multiple attributes (dynamic and static) to derive confidence levels for contextual access decisions.
While applying the zero trust approach is not obligatory, organizations can review its main principles to better understand the essence of this security approach.
Zero trust assumes organizations are vulnerable to attacks from both inside and outside. Hence, no users or machines should be trusted by default. The approach verifies user identity and privileges, along with device identity, on a continuous basis. One effective validation control is timing out logins and connections periodically, forcing users and devices to be continuously re-verified.
Another effective zero trust security principle is least privilege access. In other words, to minimize each user’s exposure to sensitive information, users should have only as much access as they need to perform their job duties. Implementing least privilege involves careful management of user permissions.
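The following added example (not code from the original post) shows how the three principles above fit together in one policy decision: a static role table enforcing least privilege, dynamic attributes (MFA, device posture) combined into a confidence level, and a session age limit that forces re-verification. The permission table, roles, thresholds, and requests are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample permission table. Least privilege: each role gets only
# the actions its job needs on each resource; anything absent is denied.
PERMISSIONS = {
    "hr-analyst": {"payroll-db": {"read"}},
    "hr-admin":   {"payroll-db": {"read", "write"}},
}
SESSION_MAX_AGE = timedelta(minutes=30)  # force periodic re-verification
MIN_CONFIDENCE = 70                      # below this, deny even if the role permits

@dataclass
class AccessRequest:
    user: str
    role: str               # static attribute from the identity provider
    mfa_verified: bool      # dynamic: second factor presented this session
    device_managed: bool    # dynamic: device is enrolled and known
    device_compliant: bool  # dynamic: posture check passed (patched, encrypted)
    last_verified_at: datetime
    resource: str
    action: str

def confidence_score(req: AccessRequest) -> int:
    """Combine dynamic attributes into a 0-100 confidence level (constructed weights)."""
    return ((40 if req.mfa_verified else 0) + (30 if req.device_managed else 0)
            + (30 if req.device_compliant else 0))

def decide(req: AccessRequest, now: datetime) -> tuple[bool, str]:
    """Deny by default: the request is allowed only if every check passes."""
    if now - req.last_verified_at > SESSION_MAX_AGE:
        return False, "session expired: re-verification required"
    if req.action not in PERMISSIONS.get(req.role, {}).get(req.resource, set()):
        return False, f"role {req.role} is not permitted to {req.action} {req.resource}"
    score = confidence_score(req)
    if score < MIN_CONFIDENCE:
        return False, f"confidence {score} below threshold {MIN_CONFIDENCE}"
    return True, f"allowed with confidence {score}"

def demo() -> dict[str, tuple[bool, str]]:
    """Evaluate four constructed requests at a fixed point in time."""
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    fresh, stale = now - timedelta(minutes=5), now - timedelta(minutes=45)
    cases = {
        "analyst-read":  AccessRequest("alice", "hr-analyst", True, True, True, fresh, "payroll-db", "read"),
        "analyst-write": AccessRequest("alice", "hr-analyst", True, True, True, fresh, "payroll-db", "write"),
        "admin-stale":   AccessRequest("bob", "hr-admin", True, True, True, stale, "payroll-db", "write"),
        "admin-no-mfa":  AccessRequest("bob", "hr-admin", False, True, True, fresh, "payroll-db", "write"),
    }
    return {name: decide(req, now) for name, req in cases.items()}

if __name__ == "__main__":
    for name, (allowed, reason) in demo().items():
        print(f"{name:14} {'ALLOW' if allowed else 'DENY':5} {reason}")
```

Note that the analyst is refused the write even with a perfect confidence score, and the admin is refused despite a valid role when the session is stale or the second factor is missing: each check is independent and all must pass.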
In addition to user access controls, zero trust also requires strict controls on device access. This means constantly monitoring how many devices are trying to access the network, ensuring that every device is authorized, and making sure the devices have not been compromised. Proper implementation of these procedures can substantially reduce the attack surface.
To achieve its primary goal, the zero trust approach implements micro-segmentation – the practice of breaking up security perimeters into small zones to maintain separate access for separate parts of the network. For instance, a network with data placed in a single data center may be segmented into multiple separate security zones. A person or program with access to one of those zones will not be able to access any of the other zones unless separately authorized.
An important principle of zero trust is eliminating lateral movement – the ability of an attacker to move within a network after gaining access to it. The main issue with lateral movement is that it can be difficult to detect. Even if the attacker’s entry point is discovered, the attacker may have gone on to compromise other parts of the network. Lateral movement is prevented through network segmentation and constant validation mechanisms. Under such circumstances, an attacker cannot move freely within the network. Once the attacker’s presence is detected, the compromised device or user account can be cut off from further access.
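As an added example (not from the original post) of the two paragraphs above, the following models a micro-segmentation policy as an explicit list of authorized zone-to-zone flows with default deny, and then computes the blast radius the policy permits from any one zone. The zones, ports, and flows are constructed sample values; a defender can run the same walk over a real flow policy to see which zones a single compromised segment could still reach.

```python
from collections import deque

# Constructed sample segmentation policy. Each zone starts with no access to
# any other zone; only the listed (source, destination) -> ports flows are authorized.
ZONES = {"web", "app", "payroll-db", "hr-db", "backup"}
ALLOWED_FLOWS = {
    ("web", "app"):           {443},
    ("app", "payroll-db"):    {5432},
    ("app", "hr-db"):         {5432},
    ("backup", "payroll-db"): {5432},
    ("backup", "hr-db"):      {5432},
}

def is_allowed(src: str, dst: str, port: int) -> bool:
    """Default deny: a flow passes only if this exact zone pair and port are listed."""
    if src not in ZONES or dst not in ZONES:
        return False
    if src == dst:
        return True  # intra-zone traffic is outside this policy's scope
    return port in ALLOWED_FLOWS.get((src, dst), set())

def reachable_from(start: str) -> set[str]:
    """Zones reachable hop by hop from `start` under the flow policy alone.
    This is the lateral-movement blast radius the segmentation permits if a
    host in `start` is compromised, before any detection or cut-off occurs."""
    seen, queue = {start}, deque([start])
    while queue:
        src = queue.popleft()
        for (s, d), _ports in ALLOWED_FLOWS.items():
            if s == src and d not in seen:
                seen.add(d)
                queue.append(d)
    seen.discard(start)
    return seen

def blast_radius_report() -> dict[str, set[str]]:
    """Blast radius for every zone, useful for reviewing a policy before rollout."""
    return {zone: reachable_from(zone) for zone in sorted(ZONES)}

if __name__ == "__main__":
    for zone, reach in blast_radius_report().items():
        print(f"{zone:12} -> {sorted(reach) or 'nothing'}")
```

A compromised web host can reach the app tier and, through it, both databases, while a compromised database host can reach nothing: reviewing this table is how segmentation gaps (such as an unneeded app-to-hr-db flow) are found before an incident rather than during one.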
As part of zero trust security principles, multi-factor authentication (MFA) means requiring more than one piece of evidence to authenticate a user. A commonly applied form of MFA is the two-factor authentication used on modern online platforms. In addition to entering a password, users must also enter a code sent to another device, such as a mobile phone, thus providing two pieces of evidence that they are who they claim to be.
To conclude, zero trust proposes a new approach to cybersecurity which is simply referred to as “never trust – always verify”. To be more specific, it requires continuous monitoring and validation, least privilege access, micro-segmentation, and strict authorization mechanisms. All these principles make zero trust a successful instrument for securing an organization by eliminating implicit trust and validating every stage of digital interaction.
To stay updated on the recent cybersecurity-related topics, keep reading our blog or contact the Planet 9 team. We’ll be happy to assist!