We often highlight an important philosophy, a particular mindset that should be taken when dealing with security. Organizations shouldn't sit around wondering whether or not they'll fall victim to a cyber attack or data breach. Instead, it's important to actually anticipate one. Don't ponder the "if" but ask yourself "when."
Information is power, and malicious actors and cyber criminals are interested in your data. And if we follow the statistics mentioned as well as the current state of cybersecurity, organizations need to take more charge of protecting their data. Not only are outsiders a danger, but insider threats have free rein. Organizations should trust no one.
"Trust but verify" and the perimeter security approach no longer cut it in the modern security environment. The time has come for better, more effective concepts and strategies.
In with "Zero Trust."
In recent years, a large number of organizations have turned to the Zero Trust security approach, and the old castle-and-moat concept is getting pushed aside to make room for the "never trust, always verify" mindset that the Zero Trust model holds at its core.
- What is Zero Trust security?
- What does Zero Trust focus on?
- And what are some of the technologies behind Zero Trust?
- Best practices for implementing the Zero Trust model
What is Zero Trust security?
Zero Trust was created by John Kindervag while working at Forrester Research; the term was coined once traditional security models had proven no longer sufficient for the ever-evolving cyber threat landscape. In the traditional castle-and-moat model, the perimeter was defined and everything inside it was trusted, while outsiders had a hard time getting in.
But since we're all aware that there is no such thing as absolute security, what will happen if an attacker does get into the network? If everyone inside is trusted by default, there's no way to predict how much damage attackers can do if they're able to access any part of the network.
What makes the traditional approach appear even more outdated is that today, a "perimeter" is no longer strictly defined. Organizations aren't storing data in one data center with a contained network. Now, they store their data both on-premises and in the cloud, and that data is accessed through numerous different devices and locations.
Data-driven protection and data-centric security architecture are the foundations of the Zero Trust security model, which tells us that we cannot trust anything either outside or inside of the network—and that anyone who tries to access your network needs to be verified in advance.
What does Zero Trust focus on?
There are a few main components of a Zero Trust network:
Data: As we said above, Zero Trust starts with data and is a data-driven security model. In order to protect their data, organizations need visibility into it, into their assets and into who can access them; they must classify it to designate which data is considered sensitive, and assign the fewest privileges possible. Monitoring data and data access will allow the organization to better understand network threats and respond to them more effectively, without relying solely on risk management.
Users: Unfortunately, humans remain the weakest link in cybersecurity. Even without malicious intent, human error can be made by anyone and at any time. That's why it's important to strictly monitor, limit and verify each user who tries to access the organization's resources, both inside and outside of the network. Deploy solutions that will help secure and verify each user, and strive to eradicate any possibility of human error with strong password policies, 2FA and MFA, and the like.
Network: Micro-segmentation, together with access and network restrictions, will help stop attackers from gaining access to the network, hamper their lateral movement if they are inside it, and defeat their ability to exfiltrate data. Ensuring that users aren't trusted even if they're inside the network, and employing real-time threat detection, firewalls and strong access policies, are the pillars of a Zero Trust network.
Devices: Over the past few years, the number of devices used to access company networks has increased exponentially. Laptops, smartphones, tablets and smart TVs, coupled with the BYOD trend, have only increased the attack surface and provided malicious attackers with more attack vectors and entry points than ever. Organizations need to have visibility into devices that try to access their networks, and establish trust before granting access.
Workload: Workloads are an interesting target for attackers, and securing them by identifying and controlling access to applications and workloads will allow for better control and protection.
Visibility and analytics: You can't protect what you can't see. Every activity in the network needs to be visible, monitored, logged, and then analyzed in order to identify anomalous behaviors and detect and mitigate threats.
Automation and orchestration: As the Zero Trust model is no single technology or process, it employs a wide variety of technologies, methods and, of course, tools. Security automation tools take over security tasks, enforce policy adherence, improve incident response, detect threats in real time, and much more. Orchestration is there to make sure all the disparate solutions are integrated into the organization's existing IT environment.
And what are some of the technologies behind Zero Trust?
In the Zero Trust security model, organizations take advantage of micro-segmentation and access-controlled environments, and rely on a range of different technologies and processes. "Micro-segmentation" refers to a security technique that allows security teams to create granular secure zones in the data center and define security controls for each individual zone. It works to prevent lateral exploration and movement in the network, and allows for better control over the entire network.
In addition to micro-segmentation is least-privilege access. "Least privilege" is a principle based on allowing users only the amount of access needed for them to fulfill their role in the organization. This helps organizations reduce the risk of attackers wreaking havoc on internal networks by compromising low-level users, applications or devices.
Among the technologies that form the core of Zero Trust architecture are multi-factor authentication, access control, identity and access management and, as mentioned above, security automation and orchestration. Let's explore them:
2FA and MFA: Multi-factor authentication, or MFA, is an additional IT security layer in the form of authentication factors and requirements that must be fulfilled before users can access their accounts, creating barriers for crackers trying to gain unauthorized access to those accounts. After entering their passwords, users may be required to verify their identity with a one-time SMS code, a fingerprint, a retina scan and/or even their location.
From all this, we can clearly deduce why MFA is so inherent to Zero Trust—it comes from a place of distrust towards users trying to access the network, and provides additional steps for users to verify their identity, gain trust, and finally access.
Access control (AC): Access control is a selective restriction of access to data. It's made up of authentication, which we just went over, and authorization, which determines whether a user should be given access to data and the ability to perform specific actions they attempt. In plain English, AC is about who or what can access organizations' resources, and is used to enforce least-privilege access policies.
Identity and access management (IAM): While often used interchangeably, AC and IAM are two separate practices, with AC being a subset of IAM. IAM is supported by four key areas: identity administration, identity infrastructure, access management and auditing.
IAM is fundamentally about defining and managing the roles and access privileges of individual users, and is guided by the "one digital identity per individual" philosophy. Each user has a digital identity that is established and maintained, but also monitored and audited so it can be modified accordingly, whether by granting it more privileges or limiting some.
Security automation and orchestration: Besides being one of the focus areas of Zero Trust security, security automation and orchestration is another driving technology behind it. Just last week we went over security automation in detail, and touched on security orchestration.
Security automation is the automatic execution of security tasks that don't involve human intervention, which leaves more time for security teams to spend on proactive, strategic activities. Automation simplifies security operations and reduces the time needed to detect and respond to threats. Monitoring every security event to ensure Zero Trust just wouldn't be possible without automation tools to reduce the possibility of human error and do away with the tedium of such a repetitive task. We recommend you check out our post dedicated to this concept for some of the best security automation tools available.
Security orchestration helps organizations connect their numerous tools and solutions, allowing for easier sharing of data between them and ensuring they are all seamlessly integrated into the organization's infrastructure.
Best practices for implementing the Zero Trust model
While many organizations have already fully implemented the Zero Trust model into their IT environment, or at least have begun to, hey—it's never too late to start!
There are already solutions available that offer MFA, IAM, AC, or a combination thereof, but it's really not just about employing these technologies and tools. Zero Trust doesn't happen overnight; it's a continuous strategy that first needs to be set, then followed with the use of appropriate technologies.
Besides the technologies we went over, there are some strategic approaches to adopting Zero Trust architecture:
1. Authenticate, verify, and repeat
Paranoia might not always be a good thing, but a healthy dose of caution is always important. Start from a place where every attempted access to a network is considered a malicious one, and subject them to a number of authentication methods; also, each time access to a different asset or resource is attempted, re-authenticate users. This can be done with a set of access controls, perimeter security, network access controls, the good old MFA, and other methods.
2. Data visibility and classification
To protect something, you must understand it, and it's no different with data. Understanding where your data lives and how sensitive it is will help inform better access controls and authorization. Also, allow only specific users access to it, such as those with administrative roles, maintaining the least-privilege method.
3. Monitor all data-related activity
Monitor and log all activity related to your data, along with any user activity in the network. By using security automation tools that will do this for you, your analysts can use this data later on to correlate it, examine it, recognize any suspicious behaviour in real time, and catch threats from both internal and external sources before they escalate to a data breach.
4. Think of the user
The growing number of authentication methods and security access controls needed to verify users can be both time-consuming and outright boring. A strategy that seems inordinately burdensome even to some users simply won't do.
When implementing a Zero Trust network, think of the end user and choose a solution and strategy that will make the experience as "pain-free" as possible, to ensure both compliance and effectiveness.
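To show how the four practices above fit together, here is an added example (not code from the original post or any product) of a per-request Zero Trust policy decision in Python: every request is re-verified from scratch against device state, MFA freshness, data classification and a least-privilege role table, and every decision is logged. The role table, resource classifications, the 15-minute MFA window and the sample requests are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Constructed, hypothetical policy data (not from any real product): a role may
# touch only the data classifications its job needs (least privilege).
ROLE_ALLOWED: Dict[str, set] = {"analyst": {"public", "internal"},
                                "finance": {"public", "internal", "confidential"},
                                "admin": {"public", "internal", "confidential", "restricted"}}
RESOURCE_CLASS: Dict[str, str] = {"wiki/onboarding": "internal",     # data inventory
                                  "finance/payroll": "confidential", # (best practice 2)
                                  "vault/root-keys": "restricted"}
MFA_MAX_AGE = timedelta(minutes=15)  # assumption: MFA proof older than this must be repeated
AUDIT_LOG: List[dict] = []           # best practice 3: every decision is logged

@dataclass
class Request:
    user: str
    role: str
    device_managed: bool             # device visibility: enrolled and compliant?
    mfa_verified_at: Optional[datetime]
    resource: str

def decide(req: Request, now: datetime) -> Tuple[bool, str]:
    """Evaluate one request from scratch; no trust carries over from earlier requests."""
    classification = RESOURCE_CLASS.get(req.resource)
    if classification is None:
        verdict = (False, "unclassified resource: denied by default")
    elif not req.device_managed:
        verdict = (False, "unmanaged device")
    elif req.mfa_verified_at is None or now - req.mfa_verified_at > MFA_MAX_AGE:
        verdict = (False, "MFA missing or stale: re-authenticate")
    elif classification not in ROLE_ALLOWED.get(req.role, set()):
        verdict = (False, f"role '{req.role}' has no need for {classification} data")
    else:
        verdict = (True, f"role '{req.role}' may access {classification} data")
    AUDIT_LOG.append({"user": req.user, "resource": req.resource,
                      "allowed": verdict[0], "reason": verdict[1]})
    return verdict

def run_demo() -> List[bool]:
    # Constructed sample traffic: the same checks run again for every resource touched.
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    fresh, stale = now - timedelta(minutes=5), now - timedelta(minutes=30)
    reqs = [Request("alice", "finance", True, fresh, "finance/payroll"),  # allowed
            Request("alice", "finance", True, fresh, "vault/root-keys"),  # least privilege
            Request("bob", "admin", False, fresh, "vault/root-keys"),     # unmanaged device
            Request("carol", "admin", True, stale, "wiki/onboarding"),    # stale MFA
            Request("dave", "analyst", True, fresh, "unknown/share")]     # unclassified
    return [decide(r, now)[0] for r in reqs]
```

Note that alice is allowed into payroll and then denied the key vault moments later: the earlier success grants nothing to the next request.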
Continuing with security basics, this week we introduced, or re-introduced, you to Zero Trust. Adding it to the list of security must-haves, organizations need to start implementing this strategy to protect that which is most valuable to them: their data. And data isn't the most valuable asset to organizations alone—cyber criminals share this "passion" too.
By outlining the appropriate steps needed for protecting an organization's data, we have gone over some key principles of Zero Trust and best practices to steer you in the right direction. As it's as broad a concept as most of those in security are, we've only scratched the surface of the Zero Trust model. We're bound to revisit this topic in the future, to take a deeper dive into a world where no one deserves our trust.
And cybersecurity is exactly that type of a world.