Let’s start with what Zero Trust IS. You could consider it a security model, a strategy, a framework or a philosophy – let’s just say it’s a coordinated set of security methodologies designed to achieve the goal of “never trust, always verify”. The idea dates back to 2010 when it was first developed by John Kindervag at Forrester Research.
OK, great! What does “never trust, always verify” mean in the real world? To understand why this is even an issue, we need to look at how cybersecurity is configured in “traditional” organizations.
In olden times (before say 2010-to-2015-ish), organizations had a perimeter. This means there was an office network with a pretty well-defined “inside” and “outside”. If you had a firewall to protect the perimeter against outside threats, plus a VPN for securing outside connections, and antivirus on every computer in case anything got through, you were good. OK yes, this is a simplification – you would follow other security best practices too – but there was always this inside-outside mentality, and connections inside the network were largely trusted. (Think of this as the castle-and-moat model.)

But nowadays, there is no perimeter. Some organizations don’t even have an office. How did we get here…??
- Everyone can work remotely: The Covid pandemic forced, and technology enabled, a massive shift to remote work over the last 5 years
- Everything can be in the cloud: Online/SaaS applications, and public cloud infrastructure, have matured to the point where businesses don’t need any physical servers. Today, many organizations, especially smaller and newer businesses, have no on-premise servers at all.
So if your people and your servers are not in the office, and all your stuff is connecting to all your other stuff across a giant internet spider web, what is your perimeter? The perimeter becomes each individual user identity, and each individual connection to each resource, wherever or whatever it may be. THIS is the mindset that Zero Trust introduces. (Think of this as the guard-at-every-door, everyone-wears-a-suit-of-armor model.)

And this is why adoption of Zero Trust has really taken off over the last 5+ years. An entire new industry of Zero Trust tools and technologies has emerged. One recent report estimates that 81% of organizations have now fully or partially implemented a Zero Trust model, and in 2021, the Biden administration mandated that all US Federal agencies meet a certain level of Zero Trust maturity by 2024.
So what do you really need to know about Zero Trust? Here are some of the basic principles and associated technologies.
- Assume breach
This is a logical extension of the “never trust, always verify” principle. “Assume breach” leads to an approach that assumes the bad guys are already “in”. Because they are. There are no locks on the gates to the public internet. So if your people are mingling in the same cyber-space as the bad guys, how do you configure things so that your people can access your stuff but no one else can?
- All communications and access requests are secured
Every connection needs to be authenticated and encrypted, and all access to every resource needs to be controlled on a per-session basis.
- ZTNA vs. VPN
Yes, we are now officially characterizing VPN as an old-fashioned, “legacy” technology. ZTNA (Zero Trust Network Access) is a newer technology that provides much more granular control over each individual access request to each individual resource wherever it is – inside or outside your network.
- Microsegmentation
This is related to the ZTNA concept, though it can be packaged as a separate technology (called ZTS, or Zero Trust Segmentation). Microsegmentation aims to replace “legacy” methods of internal network segmentation that use firewalls, switches, and routers. Instead of creating broad network segments (divided by office, department, building, etc.), microsegmentation creates highly granular, individual “segments” for every communication request to every application or resource within a network.
- Using best practices for account management
- Least privilege: this is the big one, and it’s not a new concept, but Zero Trust relies heavily on the practice of giving every connection to every resource only the level of access permissions it needs, and nothing more.
- Adaptive access: this means access requests are managed based on context, such as a user’s location, the time of day, the computer they are accessing from, the state of that computer, the user’s baseline behavior pattern, and so forth.
- PAM: This stands for Privileged Account Management, which refers to administrator access, which has its own separate set of best practices due to the elevated privileges that system administrators must have to do their jobs.
- MFA: Zero Trust Architecture relies heavily on a variety of Multi-Factor Authentication methods.
- Strong passwords or elimination of passwords: beyond requiring strong passwords, it’s becoming more common in the Zero Trust world to eliminate user passwords altogether in favor of biometrics or digital certificates.
- Log, audit, and automate as much as possible! (Self-explanatory)
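To make the principles above concrete, here is an added illustration (not code from the original post or from any Zero Trust product) of a small policy decision point that evaluates one access request per session using its context. The resource sensitivity table, allowed countries, business-hours window and the “step_up” verdict are all constructed assumptions for the example; a real deployment would pull these from its identity provider, device-management and policy systems.

```python
from dataclasses import dataclass, field

# Constructed sample policy data (assumptions for this example only).
RESOURCE_SENSITIVITY = {"wiki": "low", "hr-db": "high", "prod-admin": "high"}
ALLOWED_COUNTRIES = {"US", "CA"}


@dataclass
class AccessRequest:
    """Context gathered for a single access request, evaluated per session."""
    user: str
    resource: str
    action: str                      # e.g. "read", "write", "admin"
    mfa_verified: bool               # MFA satisfied for this session
    device_managed: bool             # device is enrolled / known to the org
    device_patched: bool             # device health / compliance state
    country: str                     # where the request originates
    hour: int                        # local hour 0-23 of the request
    role_permissions: dict = field(default_factory=dict)  # resource -> set of actions


def decide(req: AccessRequest) -> tuple[str, str]:
    """Policy decision point: returns (verdict, reason). Anything not explicitly
    allowed is denied, regardless of which network the request came from."""
    # "Assume breach": no implicit trust from location, so every check applies.
    if not req.mfa_verified:
        return "deny", "MFA not satisfied for this session"
    if not req.device_managed:
        return "deny", "unmanaged device"
    # Least privilege: the role must grant this exact action on this resource.
    if req.action not in req.role_permissions.get(req.resource, set()):
        return "deny", f"role does not permit {req.action} on {req.resource}"
    # Adaptive access: unknown resources are treated as high sensitivity.
    if RESOURCE_SENSITIVITY.get(req.resource, "high") == "high":
        if not req.device_patched:
            return "deny", "device out of compliance for high-sensitivity resource"
        if req.country not in ALLOWED_COUNTRIES:
            return "deny", f"access from {req.country} not allowed"
        # PAM-style rule: privileged actions outside business hours need re-verification.
        if req.action == "admin" and not 8 <= req.hour < 18:
            return "step_up", "admin access outside business hours requires re-verification"
    # The grant covers only this action on this resource for this session.
    return "allow", f"{req.action} on {req.resource} for this session only"
```

Each verdict and reason is what you would log and audit; the same request re-evaluated later with a changed device state or location can produce a different answer, which is the point of per-session control.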
Zero Trust architecture does continue to rely on other traditional security controls as well, like endpoint protection (antivirus) and patch management. And it’s important to note that there is no single product or system that provides all of the above! Although there is now a large ecosystem of tools to choose from, implementing Zero Trust requires not only making a substantial shift from the traditional security mindset, but a mix of new tools, methods, and technologies too.
This is the part where I mention I can help 🙂 If your company is considering integrating Zero Trust principles into its cybersecurity stance, but you’re not sure where to start, please reach out.
Finally, if you’re interested in learning more, here are a couple of additional resources:
NIST SP 800-207 (Zero Trust Architecture) – NIST’s Zero Trust guidelines, first published in 2020
CISA Zero Trust Maturity Model – updated in 2022