Most of us are familiar with the security method of using Two Factor Authentication (2FA). You probably use 2FA when receiving a unique one-time code from an SMS or authenticator app to access an account. But even 2FA has reached its limit to protect users from the evolution of cybersecurity threats.
The zero-trust security model is a framework that, as it describes, provides no one individual with complete trust to access all internal systems. It is the evolution of cybersecurity to protect users, businesses, and government agencies against increasingly more sophisticated threats.
This article will explain a zero trust framework and how it works. In more detail, the main topics discussed are the following:
- What is a zero trust framework
- Why is zero trust important
- How to deploy a zero trust framework
- A list of industry-standard zero trust resources
What is a zero trust security model?
At its core, a zero-trust network trusts no one with complete access to all systems and then builds implicit trust from that point forward. Inherently no one person can have full, unmitigated access to a network without several continual forms of verification and authentication. By maintaining zero trust in your users, you lessen the possibility of a compromised account accessing all of your data and information.
In the traditional security models, businesses maintain an implicit level of trust that is often taken for granted. For example, employees who have been within a company for a long time gradually maintain access to more permissions, which can be a massive point of failure if their primary account becomes compromised.
In an ideal world, a business is continually checking or validating the permissions of each of its users. Alternatively, the zero trust framework can take the security principle to another extreme in which, inherently, nobody is trusted in your company's internal and external environments.
Zero trust network access
In a zero trust network, no one is provided unmitigated access to all systems, accounts, or hardware. End-users, managers, executives, and even devices cannot be trusted to maintain permissions to systems without periodically being verified and authenticated.
All users must be continually vetted and authenticated to access what is needed. Traditionally, Multifactor Authentication (MFA) is required to ensure an acceptable level of security is maintained. At least three layers (preferably even more) are used to verify the device or the end-user in question.
A key distinction with the zero trust framework is its complete blanket of security across all access points in an organization. The zero trust framework encompasses every server, workstation, and asset within the IT infrastructure.
Why is zero trust important?
Zero trust is essential because it offers several advantages over other older frameworks that businesses and government agencies use. The three primary benefits are:
- It facilitates the use of centralized monitoring
- The ability for quick scalability
- A compromise in the system becomes close to impossible
Facilitating the use of centralized monitoring
When security tools and technologies are used without prior planning, it can be difficult for the security team to track their exposure to threats. This can make it increasingly challenging to triage and escalate the real cyber attacks.
One example is the Security Incident and Event Management software application. With this, false positives can be filtered out using Machine Learning (ML), and legitimate alerts can be presented in real-time through a centralized dashboard.
This allows the IT Security team to be far more proactive and significantly reduce the response times to addressing issues.
The ability for quick scalability
Many companies are now investing more heavily into cloud-based architecture, like AWS or Azure. The zero-trust framework allows the seamless transfer of apps, digital assets, and confidential data over the cloud.
As a team grows or employees move internally to different departments, the zero trust framework can quickly adapt to the evolving security protocols for each individual. This makes it simpler and more secure when adding and removing the individual from each siloed system.
Compromises in the zero-trust framework are next to impossible
Before the pandemic, many businesses used a perimeter security approach to protecting their digital assets. Meaning that there was only one line of defense separating the internal environment from the external environment.
As a result, a cyber attacker could access all IT infrastructure with one compromised account. However, with the zero trust security model, and the implementation of multiple security layers, it becomes much more challenging for a cyber attacker to gain access to the whole network.
Secondly, even if they gain access to one account, each system and permissions are siloed to the extent that the attacker has only a limited range of access.
How do you deploy a zero trust?
To fully deploy the zero trust framework for your business, there are five key components to keep in mind, which are:
- Determine what systems need to be protected
- Determine how your data flows
- Create a tentative model
- Creating the policies
- Daily monitoring
Let's examine these five steps needed to start the zero trust framework deployment process in more detail. It’s important to note that the following procedure should be done in separate phases to get the buy-in from your employees.
Determine what needs to be protected
One of the fundamental concepts behind the zero trust framework is that your entire IT and network infrastructure has to be siloed out into different segments.
Although the overall goal is to have 100% coverage of your systems, this may not be feasible, depending upon your security requirements. For this reason, the security team must carefully map out what needs to be protected and how it can be further siloed.
It is also important to remember that this will not be a static analysis. Instead, it will be dynamic and it should be scalable. For example, if your IT/network infrastructure grows or shrinks over time, the zero trust model you deploy has to follow.
You need to take a micro view of each system because each layer of separation will require its own needs and attention. This kind of approach is also known as “DAAS”, Data, Software Applications, Digital Assets and Services.
Determine how your data flows
With the zero trust framework, you have to carefully map out how your data flows from within your infrastructure. You need to make sure that there will still be a transparent and seamless flow of the data. In other words, you don’t want users blocked off at one point and unable to access data or services they need.
This kind of analysis lets your security team implement zero trust protocols that do not hinder core business functions or individuals.
Create a tentative model
Once you have determined what needs to be protected and how best the flow of communications will be between silos, the next step is to formulate a working zero trust model. It’s important to keep in mind that there is no one size fits all approach at this stage. You need to create the model according to your own security needs.
For example, one essential item to consider at this stage is the type of authentication mechanisms needed and where they should be implemented.
With this methodology, Multifactor Authentication (MFA) is an absolute must. You should fully implement at least three or more tools to confirm a user's identity. When deciding on which tool to implement, remember that the tools must also be unique. An easy way to think of this process is, for example:
- Something you know - a password
- Something you have - an RSA token
- Something you are - a biometric, like a fingerprint or facial scan
The end-user has to present all three pieces before being granted access to the shared resource. Each segment in the zero trust framework should not repeat the same authentication sequencing from the previous layer.
It’s also important to note that if you can implement even more than three authentication mechanisms, it will provide an even greater level of security.
Creating the policies
Another critical element of the zero trust framework is creating the security policy that establishes the foundation. It should, at a minimum, consist of the following to enforce another layer of security:
- Which end-users should be accessing what resources
- An audit log of the resources and applications that are being logged into
- The time of the day when shared resources can be accessed
- Implementing the next-generation firewall to allow even more advanced filtering and blocking of malicious data packets
Daily Monitoring
Once you have a working model of your own zero trust framework, you should now deploy it. But do not do all of this at once; instead, use a gradual approach.
For example, rather than deploying all of the authentication mechanisms for each segment, do them one at a time. If any unforeseen issues come up, they can be worked out in a much more efficient and manageable fashion. Also, this will produce less friction for the users who have to adopt this new system.
Zero Trust Vendors
Across the tech industry, many of the largest companies have their standard for a zero trust framework. Below is a list of resources I have compiled to help you navigate some of the best resources regarding zero trust used by big tech.
- Cloudflare zero trust - A great wiki on zero trust and all of its related topics
- Gartner zero trust - they have a great podcast on implementing zero trust
- Microsoft zero trust - Microsoft white paper on how they approach zero trust
- Okta zero trust - a getting started with zero trust whitepaper
- Google zero trust - known as BeyondCorp.
- NSA zero trust - last year, the NSA released their whitepaper on zero trust
- Forrester zero trust - link to their blog for further reading
- Cisco zero trust - enterprise resources that do require a signup
- Zscaler zero trust - another enterprise solution that requires a signup
The fundamentals of how to implement zero trust
In this article, I deep dived into zero trust and its advantages to an organization. I also touched on the most efficient way to deploy a zero trust framework inside your organization and what to keep in mind.
It’s important to remember the central tenet of zero trust is that no one in your organization can be trusted with unmitigated access. Not because the person is untrustworthy but because with unlimited access comes the risk of an attacker using their information to harm.
Remember the critical steps to deploying the zero trust framework are:
- Determine what system needs to be protected
- Determine how your data flows
- Create a tentative model
- Creating the policies
- Daily monitoring
And when deciding on how you are going to authenticate and validate your users try to at least follow the three simple steps:
- Something you know - a password
- Something you have - an RSA token
- Something you are - a biometric, like a fingerprint or facial scan
Remember to gradually rollout zero trust and make sure all users are on board with the process. The potential trade-off can be enormous. The loss of assets if someone were to compromise your network would be an exponentially higher cost for the organization than any mild friction implementing the zero trust framework.
