Zero trust security helps protect networks from attacks, working on the basis of never trust, always verify. Here’s everything you need to know.
Zero trust is an approach to cyber security that operates on the principle of denying access by default. This means that strict identity verification and authorisation is required for every person and device that is attempting to access a network, application or software, regardless of whether they are inside or outside of the network.
Effectively, zero trust security means authorisation is required to enter the network, and then continuously throughout the network, rather than once on the perimeter.
Think of it as visiting a huge storage facility with hundreds of rooms containing different items.
Rather than just showing ID at the door to get into the facility, a zero trust approach means you also need to verify who you are and why you need access at every door – with some doors not being visible at all.
Traditionally, IT security has often worked on the basis that everything and everyone within an organisation network should be implicitly trusted, and has focused on keeping people out at the perimeter. Firewalls are often heavily relied upon, depending on the organisation’s cyber security maturity.
These models were created when on-premises networks were commonplace and there was a more traditional ‘perimeter’ to guard. While from there, more mature organisations have implemented internal controls and data segmentation, for others, the perimeter may have been the extent of protection.
The perimeter approach, however, doesn’t account for user credentials being compromised, such as falling into the wrong hands or passwords being hacked. It also doesn’t account for people within an organisation not being trustworthy. Insider threats, for example, are increasingly common and increasingly difficult to stop.
The traditional cyber security models also have potential weaknesses when protecting a network that comprises multiple clouds and data centres.
Zero trust models, which were first referred to in academia in the 1990s, have been increasingly used since John Kindervag, a principal analyst at Forrester Research, coined the phrase “never trust, always verify” in 2010.
Since then, an increasing number of organisations have established a zero trust approach, with Gartner Research showing more than 60% of organisations will embrace a zero trust solution as their security foundation by 2025. In 2021, an executive order from the White House called on executive agencies to implement zero trust models.
Before hybrid working became the norm, few users required remote access. However, with hybrid working becoming the norm, remote access at scale has become paramount.
VPNs (virtual private networks) have been used to grant off-site users remote access to a network, however, this can present its own risks.
In addition, increases in the scale, frequency, sophistication, and severity of cyber attacks, the risk of insider threats, and the continual challenge of human error mean a different approach to cyber security is required.
The National Institute of Standards and Technology (NIST) in the US defines the key zero trust principles as follows:
Networks today are comprised of multiple classes of devices, software as a service (SaaS) platforms and applications, and all need to be accounted for. This list of devices needs to include personally owned devices, if they can access enterprise-owned resources.
Network location alone does not imply trust. Access requests from assets located on enterprise-owned network infrastructure must meet the same security requirements as access requests and communication from any other non-enterprise-owned network.
Trust is evaluated before access is granted, and access should only be granted with the least privileges needed to complete the task. Authentication and authorisation to one resource will not automatically grant access to a different resource.
These rules and attributes are based on the needs of the business and the acceptable level of risk, and can vary based on the sensitivity of the resource/data. Least privilege principles are applied to restrict both visibility and accessibility.
The criteria used to establish trust include the observable state of client identity, application/service, the requesting asset and other behavioural and environmental attributes.
User account (or service identity) and any associated attributes assigned by the enterprise that can be used to identify the account or artefacts in order to authenticate automated tasks.
Device characteristics such as software versions installed, network location, time/date of request, previously observed behaviour, and installed credentials.
Automated subject analytics, device analytics, and measured deviations from observed usage patterns.
For example, requestor network location, time, reported active attacks, etc.
No asset is inherently trusted. An enterprise implementing a zero trust architecture should establish a continuous diagnostics and mitigation (CDM) or similar system to monitor the state of devices and applications and should apply patches/fixes as needed. Assets that are discovered to be subverted, have known vulnerabilities, and/or are not managed by the enterprise may be treated differently (including denial of all connections to enterprise resources) than devices owned by or associated with the enterprise that are deemed to be in their most secure state.
This is a constant cycle of obtaining access, scanning and assessing threats, adapting, and continually re-evaluating trust in ongoing communication.
An enterprise should collect data about asset security posture, network traffic and access requests, process that data, and use any insight gained to improve policy creation and enforcement.
Effectively, zero trust security requires each user and device to be verified and continually re-verified, regardless of who they are and where they are accessing the network from. All traffic is considered a threat until it’s verified.
Strict, individual user permissions are carefully monitored and granted, only allowing users access to information and data they absolutely need to access.
Multi-factor authentication (MFA) and conditional access policies are hugely important parts of a zero trust model, creating layered defences and preventing lateral movement.
An employee may be attempting to access their employer’s CRM. They’re overseas and using an unfamiliar device. After inputting their username, password, and MFA token, the system would recognise an unfamiliar device and location, and undertake further tests to verify identity.
Depending on the parameters set, such as unfamiliar devices, locations, and time of access, access may be denied. If access is permitted, it would only be in line with the user permissions for that specific user.
Deciding to undertake a zero trust journey is a significant undertaking for any organisation, both from a technology and cultural perspective, and it involves several key steps.
Conduct an initial assessment in which you Identify the data, assets, applications and services that you need to protect – the ‘protect surface’. Understanding your most valuable assets will help an organisation prioritise its assets, and define what it is you’re protecting.
In order to transition to a zero trust solution, it’s essential to understand the costs of new technology involved, the staffing required and the business cost of training staff and any productivity impact.
To build an effective zero trust network, it’s vital to understand how users, devices, and applications interact so critical data flows can be secured while business functions are supported.
Plan a zero trust network
Get clear on how your zero trust network is best designed. This should include microsegmentation – in which your network is sectioned off into small, secure zones – and least privileged access, meaning users only have access to perform their current task.
Define the criteria for making access decisions. This will include who (identity), what (data/resources/applications), where (locations), when (time constraints), how (under specified conditions) and why (purpose).
Multi-factor authentication should be used across the organisation, while security policies should be automated using SOAR tools (security orchestration, automation, and response) to apply rules and policies.
Identify a pilot scheme to test zero trust security implementation, and use learnings to roll out the initiative more widely across prioritised assets.
Zero trust security is a big change in the way employees access networks, so training and education are critical components in successfully implementing a zero trust network.
Continual monitoring of your zero trust network is important to understand usage, and any behaviour that may indicate a security threat. Your zero trust policies will need to evolve as business needs change and new threats emerge.
Zero trust security can be highly effective in reducing cybercrime as it can minimise and restrict unauthorised access. However, it’s important to remember that this is not a silver bullet,and no approach to cyber security is foolproof. Zero trust networks rely on monitoring, education and continual evolution.
The key ways zero trust models help combat cyber threats include:
Strict access controls and microsegmentation means that attackers’ lateral movement within a network can be limited as they need to authenticate and receive authorisation at every point
MFA is a key part of zero trust security, meaning that even if passwords are stolen, biometric authentication or a security token is required to access the network. Hardware-based tokens are more secure than soft tokens such as one-time passwords sent via email or text message.
By operating on the principle of least privilege, zero trust security restricts the potential access an attacker can gain.
Zero trust security architecture is flexible, meaning organisations can respond quickly to new threats.
By encrypting data transmissions and controlling data access, data breaches can be reduced. Even if an attacker does access the network, critical and more sensitive data is safeguarded, requiring further credentials and permissions.
By treating users inside and outside the network in the same way, insider threats can be reduced, as even the most trusted insiders need to undergo strict verification.
As well as the cyber security outcomes discussed above, a zero trust framework can also help organisations gain valuable insights from across their business and network, understanding user pathways, security threats and weaknesses.
Threats can be identified early and contained thanks to the granular approach of microsegmentation, which also enables a simpler logging and monitoring process.
In addition, enhanced network performance may be experienced due to reduced subnet traffic.
Businesses are rightly held to high standards when it comes to data protection, privacy and compliance, and a zero trust solution can help organisations meet compliance requirements.
With strict access controls and data encryption, organisations can safeguard sensitive information and make it far more challenging for a bad actor to access.
Microsegmentation, meanwhile, can isolate sensitive environments – for example, payment details – while continuous monitoring can lead to early identification and containment of unauthorised access.
In addition, zero trust solutions create detailed access logs, and frameworks align with the risk management processes required by ISO 27001.
While implementing a zero trust network has numerous advantages, it’s important to be aware of the challenges that may lie ahead.
Zero trust is a philosophy and strategy, not a single piece of technology – because of this, adoption can be complex.
The traditional approach of assumed trust once in the network is fundamental in many IT environments, meaning a full transition in one go is difficult, while a staggered approach may leave gaps. As discussed, it’s smart to prioritise the protection of valuable assets, and strategically implement a zero trust model with that in mind.
This can create technical and workflow issues, with mainframes and older software not capable of handling dynamic access. The decision to go with a zero trust approach may mean new technology platforms are needed to replace legacy systems.
There’s a fine line between restricting access and slowing productivity. By thoroughly identifying access permissions, this can be navigated; however, productivity may slow in the early stages of adoption.
Source-to-pay (S2P) is an end-to-end process in procurement that encompasses the activities associated with sourcing products from suppliers.
Reading a check may appear straightforward at first glance, but the various elements that comprise a check play a crucial role in …
A hedging strategy is a risk management strategy to avoid large financial statement losses due to investment fluctuations. Hedges work like an …
Eftsure provides continuous control monitoring to protect your eft payments. Our multi-factor verification approach protects your organisation from financial loss due to cybercrime, fraud and error.
