With mobile computing, software-as-a-service (SaaS), and now remote working moving the focus of IT security away from the traditional perimeter, this article looks at what a Zero Trust approach is and how it can help.
More Complex Demands
The belief among many IT security experts is that a traditional perimeter-based security approach may no longer be enough to cope with the more complex IT security requirements that a widening scope of computing and threats have brought. Additional authentication strategies are now needed.
The term ‘Zero Trust’ in relation to IT security was first used back in 2010 in a report by analyst firm Forrester when it was noted that there had been a big increase in the number of enterprises using the public cloud and that the security ‘perimeter’ was changing.
The Zero Trust approach to IT Security (as highlighted by James Walsh of Fieldfisher) has the following characteristics:
- It is a data-centric model i.e., protecting data from both internal and external threats rather than just relying on the old ‘castle and moat’ style perimeter security (address and location layer).
- It works on the understanding that although as many precautions are being taken as possible, the modern reality that is not a case of “if” an attacker gets through, but “when”.
- Rather than the old “trust, but verify” approach, the Zero Trust approach is “never trust, always verify” i.e., trust is never granted implicitly but must be continually evaluated / all network traffic and nodes are considered untrustworthy until proven otherwise. This means that any device must pass authentication and security policy checks to access any corporate resources. It also means controlling this access only to the extent required.
- Zero Trust is not simply an approach. For it to work effectively, it requires compatible and connected policies, practices, software, and hardware that can create a whole, secure Zero Trust ecosystem.
In managing the device, user, and trust level, the Zero Trust approach uses:
- Managing the monitoring and compliance of all endpoint devices (understanding the threats), including BYOD, through unified endpoint management.
- Having one single sign-on point (SSO) where a single version of a user ID meets a single-entry point where the user credentials must be fully validated before accessing the business systems, as well as logging access in and out of the system.
- Multifactor authentication (MFA) being used to establish a user’s credentials and using a single factor is no longer an option. MFA could include a security key, biometrics, a trusted device, and more.
Some of the main benefits of Zero Trust include:
- Administrators can get an accurate inventory of infrastructure (i.e. which users, data, apps, and services are present) in the corporate infrastructure. This contributes to performance planning as well as security.
- The monitoring and alerting gives a better ability to quickly detect and respond to cybersecurity threats. Examples of tools used for monitoring in a Zero Trust framework include security information and event management systems (SIEM) for centralised logging capabilities and IT infrastructure threat detection and response tools.
- Improved user experience thanks to (for example) single sign-on (SSO) limiting the number of passwords needed and requiring a user to authenticate only once to gain access to everything they need.
- Reducing the potential for gaps in the security infrastructure thanks to a universal security policy that is created once and then implemented from end to end throughout the organisation.
- Making it easier and more flexible to move apps, data and services because with Zero Trust, app and data security policies are centrally managed and automation tools migrate the policies where they are required.
Components of a Zero Trust System
An example of the components of what is required for a Zero Trust network, in this case, NIST (US Government), include:
- A policy engine (PE) and policy administrator (PA) at the centre (in tandem or as part of the same software) to decide whether machines or web traffic are safe and granting or revoking access. The PE uses external data sources to help make its decisions.
The policy engine uses external data sources data that can include:
- Continuous diagnostic and mitigation (CDM) systems – providing information about (for example) the current security state, updating of a device’s OS and security software and more.
- Industry (and organisational) compliance checks.
- Threat intelligence feeds, e.g. about blacklists and malware.
- Activity logs that could flag up a potential risk.
- Data access policies for each individual and asset.
- Public key infrastructure (PKI) to validate certificates.
- Security information and event management (SIEM) systems. These provide security-related data that can also be used to improve the whole Zero Trust system.
- Other Zero Trust frameworks can use adaptations existing technologies, e.g. device sandboxing, a device/agent gateway model, micro-segmentation, and more.
Challenges to Implementing Zero Trust
As with any big change in a company/organisation, moving over to Zero Trust has its challenges which include:
- Any legacy apps, tools and resources that are currently part of network and enterprise operations but aren’t easy to integrate with a Zero Trust system.
- Regulations are currently running behind the implementation of many Zero Trust systems and these will need to change.
- Achieving visibility and control in a network is a big challenge and many organisations don’t have a comprehensive view and are, therefore, still vulnerable through unpatched devices or users with too many privileges. In the shorter term, a hybrid approach to Zero Trust is likely to lead the way to full implementation.
Examples of Zero Trust (ZT) security models in action include:
- The US federal government now operates a Zero Trust model.
- Cloud service provider Akamai Technologies (US) – to let employees securely access internal applications but keep end-user devices off the corporate network entirely.
Resources and Links
Here are some links to a few useful resources and guides for Zero Trust IT security:
A Zero Trust security cheat sheet: https://www.techrepublic.com/article/zero-trust-security-a-cheat-sheet/.
How to implement Zero Trust with real-life examples: https://searchsecurity.techtarget.com/feature/How-to-implement-zero-trust-security-from-people-who-did-it.
It is clear that mobile computing, the pace of technological change, the digital transformation and massive increase in remote-working (fuelled by the pandemic), not to mention soaring cyber-crime figures have highlighted the need for a data-centred approach and a move away from the ‘moat and castle’ view of IT security. Another good reason to opt for the Zero Trust approach is as a way of having a much better chance of avoiding the cost of a breach. Not surprisingly, Zero Trust entered the European security market in 2019 and IT and Security Risk professionals as well as many businesses and organisations are now seeing it as the natural and practical way forward.