What is Zero Trust Security: Introduction
Zero Trust is a much-used cybersecurity buzzword today, and it is certainly something worth knowing about when it comes to network security. In this FAQ article, we answer questions that you may have about Zero Trust security including what it is, why it is important, and what you should do with it.
What is Zero Trust & What You Need to Know About It
In today’s networks, we must never trust and always verify. That is what Zero Trust security is about. Here are some definitions plus what you need to know about this “never trust, always verify” security architecture.
What is zero trust and why is it important?
What happened to our network perimeters?
Historically, networks were considered either trusted or untrusted. Trusted networks were typically your local network within your organization where you and your co-workers worked together. Untrusted networks were typically the public network, or internet.
A level of trust was assumed on the inside or trusted network, but the outside or internet network was not trusted. A firewall (security appliance) would sit between the two networks policing what can or cannot get through.
In today’s world, there is often no single employee network, and co-workers are all over the globe. There is no longer a trusted network, and everything must be considered untrusted. Network perimeters are a thing of the past. And with the cloud, network and system infrastructure is no longer in one place either.
Is zero trust a long-term security solution?
Zero Trust is a long-term solution for our new way of working. It is the solution for “perimeterless” networks. Implementing zero trust elements is how networks are secured beyond on-premises security measures.
Is zero trust possible?
Zero trust is achieved by not trusting any device, network, or user. It is not convenient, but it is possible.
All things accessing the network or data are not trusted and are continually verified. This is not to say you will never be compromised again, but a properly designed and implemented zero trust architecture is your best defense, and it is very effective.
Does Zero Trust replace VPN?
VPNs allow authorized users encrypted access to networks and data, and it is typically assumed that the VPN user is trusted and can freely access the network once connected. An infected VPN user could legitimately access the network and expose the network to the infection because they are trusted.
Zero trust networks restrict all users all the time. Zero trust architecture can be used to replace VPNs. It is also possible to use them together: use the VPN to grant an encrypted connection, then implement zero trust technologies to authenticate and authorize each session over the VPN, and to continually check the communications and sessions throughout the duration of the connection.
What does Zero Trust security in the cloud mean?
Most companies now use the cloud as part of their network, including hardware or infrastructure as a service. Again, the network perimeter has disappeared. Not only are the employees decentralized, data and infrastructure are also decentralized. So, the cloud cannot be considered a trusted network either, and it is important to apply zero trust security there as well. Good cloud providers have zero trust security features included.
History
Here is some history of zero trust.
How long has zero trust been around?
The concept of zero trust has been present in cybersecurity since before the term “zero trust” was coined. The term zero trust related to networks dates to the mid-1990s, but the term really came into more prevalent use around 2009 when it became very evident that organizations shouldn’t trust anything inside or outside their perimeters. Then there was a bigger push for zero trust in 2020 when masses of workers started working from home during the COVID pandemic.
Who invented or created zero trust?
According to Wikipedia, the term “zero trust” was coined in April of 1994 by Stephen Paul Marsh in his doctoral thesis on computer security at the University of Stirling. It is also recorded that in 2010, John Kindervag, an analyst at Forrester Research, coined the term “zero trust,” which centered around the idea that an organization should not trust anything but must verify everything that tries to connect to its network.
How it Works
To learn more about how zero trust works, read on.
How does the zero-trust network model work?
Zero trust gets rid of the idea that there is a network edge and an area that can be trusted. Trust is never granted implicitly but must be continually evaluated. Security components are architected into the network to ensure these things.
What architectural components are necessary for creating a Zero Trust network?
There are two main architectural components in zero-trust architecture: the Policy Decision component and the Policy Enforcement component. The Policy Decision component is further made up of the Policy Engine and the Policy Administrator. The Policy Engine is responsible for the ultimate decision to grant access to a resource for a given user, and the Policy Administrator is responsible for establishing and/or shutting down the communications path between a subject and a resource. Finally, Policy Enforcement is responsible for enabling, monitoring, and eventually terminating connections between a subject and an enterprise resource.
What are the Core Principles or Pillars of the Zero Trust Model?
There are several key principles identified for the zero-trust architecture model. They are broken down into several pillars, depending on who you ask, but they all tend to include the following:
- Identity: People or services. When an identity attempts to access a resource, verify with strong authentication, and ensure access is compliant and typical. Follow least privilege access principles.
- Endpoints: Computers, IoT devices, smartphones, cloud servers, etc. Monitor and enforce device health and compliance for secure access.
- Data: What is ultimately being protected. Data should remain safe even if it leaves the controlled environment. Classify, label, and encrypt data, and restrict access based on those attributes.
- Apps: Applications and APIs. This is the interface by which data is consumed. Apply controls and technologies to discover rogue instances, ensure appropriate in-app permissions, secure access based on real-time analytics, monitor for abnormal behavior, control user actions, and validate secure configuration options.
- Infrastructure: On-premises or cloud. To harden defense, assess for versioning, configuration, and just-in-time access. Use data analytics to detect abnormal behavior and attacks, and automatically flag and block risky behavior and take protective actions.
- Network: All data is ultimately accessed over network infrastructure. Use network controls to enhance visibility and help prevent attackers from moving laterally across the network. Segment networks, even in-network micro-segmentation, and deploy real-time threat protection, end-to-end encryption, monitoring, and analytics.
Each pillar includes general details regarding visibility/analytics, automation/orchestration, and governance.
What are three principles or main concepts of Zero Trust security?
The three zero trust principles are:
- Verify explicitly and continuously: Always authenticate and authorize based on all available data points, including user identity, location, device health, service or workload, data classification, and anomalies.
- Use least privileged access: Limit user access with just-in-time and just-enough-access (JIT/JEA), risk-based adaptive policies, and data protection to help secure both data and productivity.
- Assume breach: Minimize blast radius and segment access. Verify end-to-end encryption and use analytics to get visibility, drive threat detection, and improve defenses.
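As an added example (not the article's or IntegriCom's code) that ties the Policy Engine, Policy Administrator and Policy Enforcement components described earlier to the three principles above: a toy Python model in which each request is decided from all available signals, granted only as a short-lived session, and re-verified on every tick. The roles, resources, signal names and TTL are constructed for illustration.

```python
# Added example (not IntegriCom's or any vendor's code): a toy model of the
# Policy Engine / Policy Administrator / Policy Enforcement Point loop.
# Signals, roles, resources and the TTL are constructed for illustration.
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class Request:
    user: str
    resource: str
    mfa_verified: bool       # identity: strong authentication
    device_compliant: bool   # endpoint: device health
    location_usual: bool     # anomaly signal
    role: str

# Constructed least-privilege entitlements: which roles may reach a resource.
ENTITLEMENTS = {"payroll-db": {"finance"}, "wiki": {"finance", "eng"}}

def decide(req: Request) -> Tuple[bool, str]:
    """Policy Engine: decide from all signals, never from network location."""
    if not req.mfa_verified:
        return False, "mfa required"
    if not req.device_compliant:
        return False, "device not compliant"
    if req.role not in ENTITLEMENTS.get(req.resource, set()):
        return False, "role not entitled"
    if not req.location_usual:
        return False, "anomalous location"  # a step-up challenge could go here
    return True, "ok"

@dataclass
class Session:
    req: Request
    ttl_seconds: int
    elapsed: int = 0
    active: bool = True

def open_session(req: Request, ttl_seconds: int = 900) -> Optional[Session]:
    """Policy Administrator: open a short-lived (JIT) path only on a grant."""
    ok, _ = decide(req)
    return Session(req, ttl_seconds) if ok else None

def tick(session: Session, seconds: int, **signal_updates) -> bool:
    """PEP: re-check every tick; cut the session on a degraded signal or expiry."""
    for name, value in signal_updates.items():
        setattr(session.req, name, value)
    session.elapsed += seconds
    ok, _ = decide(session.req)
    session.active = ok and session.elapsed < session.ttl_seconds
    return session.active
```

Note that the session is cut when device compliance is lost mid-session, not only refused at login; that is the "assume breach" and continuous verification behaviour a VPN alone does not give.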
How it is Set Up
Here are more details on how zero trust architecture is set up and how to get started.
Where do I start with zero trust?
Businesses need to invest time and financial resources to implement zero trust. A zero-trust model requires defining who can access which areas of the network and creating appropriate network segmentation, which requires careful planning and collaboration. Use a team to put this together.
How do you set up a zero trust?
Define the objectives including your policies and processes. Be sure to start with the idea of trusting nothing and verifying everything and define what you need to protect.
Dust off your password policy and ramp it up to something much more meaningful and useful. Well-defined policies and processes are critical for managing standards, the lifecycle of identities and access, and the revalidation of access to ensure least privilege and compliance.
If these are not in place, the zero-trust solution will be vulnerable. It could grant access to an employee who left the company a month ago but still has valid credentials.
How do you implement a Zero Trust Model?
Once you have built your team, defined the objectives, established your policies, identified what you are protecting, and identified attack pathways, start by implementing the initial steps of your plan. This will likely be setting up MFA (multi-factor authentication) for all network and data access. Make sure nothing is being accessed by a single factor (password) that could be hacked.
Then continue to add the steps of your plan, being thorough and methodical, testing along the way. Rome was not built in a day, nor will your zero-trust security architecture.
Why do we need it?
Now, let's discuss why zero trust is needed.
Why do we need zero trust security?
Zero trust is needed to protect your data. Data is today’s gold for companies, and threats to your data continue to increase and become more sophisticated.
Zero trust improves security significantly and can now be deployed more easily, seamlessly and cost effectively as part of an end-to-end cloud architecture, particularly for customers of Microsoft solutions such as:
- Microsoft 365
- Azure Active Directory (Azure AD)
- Microsoft 365 Defender and more
Why is there no trust in network access?
Zero trust network access, or ZTNA, does not grant implicit trust to any node or user on the network at any time. Nothing and no one is trusted. All are assumed to be bad and must be verified. The reason for this zero trust approach to network access is that threats can come from anyone, even those you would think trustworthy. For example, if you give implicit access to your trusted employees, who is to say they have not been unknowingly compromised already? So, all access is verified and continually checked to ensure the safety and protection of your data.
Why may zero trust network access (ZTNA) be a better choice than traditional VPNs?
ZTNA is a better choice than a VPN because it restricts access for all traffic that attempts to access the network, and it restricts or verifies connections to anything on the network at any time. A VPN provides an encrypted connection to the network, then assumes you are safe to be there, and anything from the connected device is allowed.
A VPN opens the door to unknown threats from the VPN user. ZTNA keeps the door closed, only opening a crack to specific areas when needed, and only for the time needed.
Pros & Cons of Zero Trust
Here are some pros and cons of zero trust.
What are two benefits of a zero-trust architecture?
The two big benefits of zero-trust architecture are:
- It reduces business and organizational risks from both internal and external threats.
- In the event of a breach, it reduces the time and cost of responding to and cleaning up after a breach.
What are the advantages of Zero Trust security?
Some advantages of zero trust security are:
- It reduces the attack surface, or the points where an unauthorized user can try to enter, which decreases the severity of an attack.
- It provides better remote workforce security.
- It is better suited for cloud networks.
- It provides better visibility into all user access.
- It limits the possibility of data exfiltration.
What are the disadvantages of zero trust?
Some disadvantages of zero trust security are:
- Zero trust networks can take time and effort to set up. Transitioning a network to zero trust architecture can be difficult while needing to keep things functioning during the transition. It also requires a shift in mindset for IT and security teams, and to some extent for users.
- Companies that rely heavily on in-house servers may have more difficulty transitioning to zero trust.
- There are more and different types of users and access devices. Not just employee connections are the concern, but perhaps also vendor and customer access. The various types of devices used for access create more complexity too.
- Dependence on the policy decision point. Zero trust architecture strongly relies on a policy administrator and a policy engine. Without their approval, no connection can be established. Because of this, the performance of the entire network will depend on the proper configuration and maintenance of these two components.
Why should I implement zero trust?
Ultimately, zero trust should be implemented to protect your data. It allows complex but needed access from the various users, and they are all treated as untrusted and are constantly verified.
Zero Trust Products & Miscellaneous
Here are some zero trust products and other related information.
What are some zero trust products?
As defined by the National Institute of Standards and Technology (NIST), zero trust is the term for an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources. So, zero trust is not something you get when you purchase a single product or solution, but there are many companies that provide products and solutions to get you to a zero-trust architecture, typically implemented incrementally.
Some security and cloud solutions companies that incorporate zero trust security in their products are Microsoft, Fortinet, Check Point, and Threat Locker.
How many NIST tenets of Zero Trust are there?
There are 7 NIST tenets of zero trust:
- All data sources and computing services are considered resources.
- All communication is secured regardless of network location.
- Access to individual enterprise resources is granted on a per-session basis.
- Access to resources is determined by dynamic policy—including the observable state of client identity, application/service, and the requesting asset—and may include other behavioral and environmental attributes.
- The enterprise monitors and measures the integrity and security posture of all owned and associated assets.
- All resource authentication and authorization are dynamic and strictly enforced before access is allowed.
- The enterprise collects as much information as possible about the current state of assets, network infrastructure and communications and uses it to improve its security posture.
What is the capability of a Zero-Trust segmentation platform?
With the core principle of “never trust, always verify,” zero trust is designed to protect today’s cloud-heavy network environments by using strong authentication, leveraging network segmentation, preventing lateral movement across the network, providing threat prevention at every level, and simplifying granular “least access,” “just-in-time,” and “just-enough-access” policies.
What is zero trust security in Azure?
Microsoft uses zero trust security in their Azure cloud platform, which is based on the principle of never trusting and always verifying. This security approach protects them and their users by managing and granting access based on the continual verification of identities, devices, and services.
Which is a principle of Zero Trust Access NSE?
The core principle of zero trust access is continuous authentication of users and devices, in other words, “never trust, always verify.”
Summary
Zero trust security has been thrust into our world out of deep need. Today’s complex networks, decentralized workforces, and cloud-scattered data have driven that need. The zero-trust architecture meets the security need and allows business data to flow securely.
Contact IntegriCom About Zero Trust
At IntegriCom, we provide reliable technology services for small and medium sized businesses, including network and data security. Please reach out to us if you have any questions about zero trust security or need help gaining the peace of mind you need in securing your company’s data.
Contact Us or call 678-507-0700