Zero Trust Security: What to Know and Where to Start
Once cybercriminals have gained access to your company’s systems, they can lurk there for weeks or even months, stealing and compromising data or waiting for an employee to activate malware. For example, in the Colonial Pipeline ransomware attack, suspicious activity persisted for a week before the ransom note appeared.
Today, proliferating endpoints in IT environments, coupled with user errors, make it easier for bad actors to infiltrate company systems. The Zero Trust approach to security tackles these problems by focusing on preventing unauthorized access. Zero Trust security is a philosophy that guides your company as it transforms individual security tools into a comprehensive strategy.
Knowing the basics of Zero Trust and how to get started with implementation will put your organization on the road to preventing breaches.
Principles of Zero Trust
Zero Trust can be summarized as never trust, always verify. This philosophy has several main tenets.
When your organization takes a Zero Trust approach to security, you treat every place where an access control decision is made as part of the perimeter. This could be at the local network level, in a home office, in the cloud, or in the data itself for microservices. The perimeter can be anywhere, and access can be attempted by a person, a device, or a service.
Zero Trust does not equal lack of trust. Instead, Zero Trust is about not granting trust by default, but testing for trustworthiness and continuing to monitor it over time. Network location no longer implies trust, so you can’t rely on it as the primary basis for deeming a user or device trustworthy.
Trust is neither binary nor permanent. It’s neither on nor off. From a risk management perspective, you look at the riskiness of an asset on a scale. Controls are also based on the sensitivity of an asset a user is trying to access.
Trust is also not treated as permanent. For example, in a healthcare setting, a user may be able to access a medical record but may need a higher level of authentication to prescribe a medication. If you come into the transaction using a device that has been compromised, you may be denied access.
Zero Trust replaces implicit trust with adaptive trust. Authentication and authorization become adaptive under a Zero Trust philosophy. These principles are more what Zero Trust is about than any particular IT solution, such as multifactor authentication, network segmentation, or secure access service edge (SASE).
Zero Trust Myths
- No perimeter is needed.
Some companies think you don’t need a perimeter anymore because it implies trust. However, a big part of Zero Trust still relies on the network and network segmentation.
- It’s focused only on authorization and authentication.
Zero Trust experts do spend a lot of time talking about authentication and least privilege, but there is more to it, including network segmentation, policy management, continuous monitoring, and incident response based on the data generated by the architecture.
- It will be expensive.
The U.S. government recently issued an executive order to adopt Zero Trust by 2024 without any budget allocation. However, Zero Trust can be incorporated into the lifecycle of your IT stack. It’s really a journey and a philosophy that you are going to incorporate into the technology and security solutions you already have or the things you buy next.
- It solves all compliance issues.
Don’t trust salespeople when they tell you that. Zero Trust is the basis for a lot of compliance, but there is more to staying compliant than Zero Trust.
Implementing Zero Trust
NIST recently came out with its recommendations for Zero Trust architecture. The architecture includes a data-security baseline, data analytics, and endpoint security, which primarily includes devices.
The architecture centers on the policy engines and the policy access points. What is different about the Zero Trust architecture is the impact of policy and how that affects the real-time decision making around authentication and authorization.
Other things need to be included, such as threat intelligence, activity logs, SIEM, and identity management, but the basis is that a subject is trying to access an asset, and you manage that through policy.
Simplifying the Approach to Zero Trust
Zero Trust architecture can be complicated, but Cisco has found a way to simplify it by breaking it down into 3 parts, each a set of policy points to consider:
- Workforce: Ensure only the right users and secure devices can access applications.
- Workloads: Secure all connections within your apps and across multicloud.
- Workplace: Secure all user and device connections across your network, including IoT.
Based on these use cases, how you approach Zero Trust can be a little bit different. Dividing the approach into 3 parts makes thinking about how to deploy Zero Trust architecture easier.
For companies that don’t have a big on-premises footprint, sometimes starting with workforce or workloads might be more useful. If you have a lot more on-premises or a hybrid environment, sometimes starting with workplace is the thing to do.
Cisco recommends 5 steps for implementing Zero Trust access for the workforce. The steps can happen concurrently, and the other 2 use cases have corresponding steps. As you follow them, keep in mind what you already have in place and build from there.
- Verify: Establish trust in user identity. This is where MFA comes into play.
- Discover: Evaluate the trustworthiness of the user device. This could be done using endpoint detection and response or Cisco Duo for evaluation of the device’s configuration.
- Contextualize: Enforce access policies on the user-device combination. You need to make sure you have governance at the organizational level.
- Enforce: Enable secure connections to all applications. Make access to the things users need as easy and frictionless as possible through single sign-on or secure gateways.
- Optimize: Examine user-device activities to detect anomalies. If you have policies in place, you can automate detection and enable response and recovery. Continue to evolve, improve, define, and refine.
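As an added illustration of the policy-driven access decision that the NIST architecture above centers on and that the Verify, Discover, Contextualize, Enforce and Optimize steps feed (example code written for this article, not NIST's or Cisco's own): a toy policy engine evaluates each request on authentication strength, device posture and asset sensitivity, returning allow, step-up or deny, and an audit pass flags users with repeated denials. The authentication-level scale, the policy table and the requests are constructed for the example; the healthcare case (read a record, step up to prescribe, compromised device denied) is the one the article describes.

```python
"""Toy Zero Trust policy engine (constructed example): each request is evaluated on
identity strength, device posture and asset sensitivity; nothing is trusted by default."""
from dataclasses import dataclass
from enum import Enum

class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"  # continue only after stronger authentication (adaptive trust)
    DENY = "deny"

@dataclass
class Request:
    user: str
    auth_level: int           # constructed scale: 1 password, 2 MFA, 3 phishing-resistant MFA
    device_managed: bool      # Discover step: is the device known and posture-checked?
    device_compromised: bool  # Discover step: endpoint detection flagged the device
    resource: str
    action: str

# Constructed sensitivity table: minimum auth level required per (resource, action).
POLICY = {
    ("medical_record", "read"): 2,
    ("medical_record", "prescribe"): 3,
    ("wiki", "read"): 1,
}

def evaluate(req: Request) -> Decision:
    """Contextualize + Enforce: trust is computed per request, never inherited from the network."""
    if req.device_compromised:         # a compromised device is denied regardless of identity
        return Decision.DENY
    required = POLICY.get((req.resource, req.action))
    if required is None:               # default deny: no policy means no access
        return Decision.DENY
    if not req.device_managed and required >= 2:
        return Decision.DENY           # sensitive assets require a managed device
    if req.auth_level < required:
        return Decision.STEP_UP        # same user may read a record but must step up to prescribe
    return Decision.ALLOW

def audit(requests, threshold=3):
    """Optimize: log every decision and flag users with repeated denials for review."""
    log = [(r.user, evaluate(r)) for r in requests]
    denies = {}
    for user, decision in log:
        if decision is Decision.DENY:
            denies[user] = denies.get(user, 0) + 1
    flagged = sorted(u for u, n in denies.items() if n >= threshold)
    return log, flagged
```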
Optimizing the Zero Trust Approach to Security
The goal is to get to the point where your company can evolve its Zero Trust security, but to get there, you must first implement the approach across the organization.
As a Gold Certified Cisco Partner and a managed security provider, Right! Systems can help your company simplify its approach to Zero Trust. We offer the security architecture, methodology, and solutions needed to adopt a Zero Trust philosophy throughout your business. Our security solutions include MFA, SSO, and MDR.