Thanks to a continuous onslaught of nation-state cyberattacks, exploited vulnerabilities and ransomware, the term Zero Trust has been thrust into the mainstream, but the term isn’t new.
In fact, it’s about a decade old, but the ideas and concepts behind the term are even older.
However, there isn’t one Zero Trust solution or any one piece of software or hardware that defines it. Rather, it’s an IT security model and a concept that helps harden IT networks and prevents the bad guys from doing damage even if they successfully infiltrate your network.
What is Zero Trust?
Zero Trust is based on the idea that IT networks are inherently insecure and that the network has already been compromised. Users and devices – regardless of identity or legitimacy – are not to be trusted by default.
“Therefore, you need to build trust from the ground up,” says Brian Foster, vice president of product at cybersecurity firm ReliaQuest.
The concept was initially developed as a response to devices and networks being hacked by bad actors, who then moved laterally with ease because of a false sense of security, Foster says.
Essentially, a Zero Trust architecture makes it extremely hard for any user or device to do things they aren’t supposed to do since users – both legitimate and malicious – are treated with the same level of scrutiny.
Now, the concept is being adopted by organizations everywhere, including at the highest levels of the U.S. government.
According to Microsoft, Zero Trust is now the top security priority, and 90% of security decision makers are in the process of implementing the concept across their IT environments.
The benefits of Zero Trust are clear: it provides stronger overall security and leads to better cybersecurity hygiene by focusing on role-based access, risk-based identity assignment and micro-segmentation within a network, says Charles Griffiths, head of IT operations at U.K.-based AAG IT Services.
How do you implement it?
Adopting a Zero Trust architecture takes several key steps, many of which most IT admins should already be doing, including control over identities, devices, applications, data, infrastructure and networks, according to Griffiths.
“Zero Trust is not a single product or appliance to buy, but an ideology of security. It involves pulling the traditional perimeter back and combining traditional network access controls with user behavior analytics (UBA) and micro-segmentation,” he says.
Identity management is a fundamental part of a Zero Trust architecture since it is the basis for verifying users before they can access systems. Griffiths suggests implementing multi-factor authentication across the entire organization to help ensure any and all activity is legitimate and authentic.
In addition to a strong password policy and multi-factor authentication via a mobile phone, smart card, security key or app, continuous authentication confirms identity in real time and helps prevent attacks that have been successful in the past because it doesn’t rely on static data, Griffiths says.
Instead of using passwords, which security experts say are becoming less secure as hacking methods evolve, Griffiths says organizations can use hardware-based authentication keys, which provide a convenient method of authentication and can work over USB (as a HID device) or NFC.
By segmenting networks and implementing network controls, administrators can better manage traffic for each department and application. Micro-segmentation allows for finer levels of granular controls within the firewall or perimeter to limit access, protect against DDoS attacks and more.
Secure every device
Today, every employee has at least one personal device they bring to work, and that device may be connected to the organization’s network. If those devices aren’t scrutinized like company-issued devices, you open yourself up to compromise. Every device should be viewed as a potential threat and should have limited access to sensitive resources.
Be specific with user roles
Roles and access should be as granular as possible, Griffiths says, and each role should have clear definitions on what they are allowed to do.
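The steps above (verified identity with MFA and continuous re-verification, device posture, limited access for personal devices, granular roles, and no trust based on network location) can be expressed as a single access-decision function. The following is an added illustration, not code from the article or from any vendor quoted in it; the role names, the 300-second re-verification window and the sample requests are constructed for the example.

```python
from dataclasses import dataclass

# Constructed least-privilege role table: each role lists exactly what it may do.
ROLE_PERMISSIONS = {
    "finance-analyst": {"ledger:read"},
    "finance-admin": {"ledger:read", "ledger:write"},
}
SENSITIVE_ACTIONS = {"ledger:write"}   # require a managed device and fresh auth
MAX_AUTH_AGE_SENSITIVE = 300           # seconds; hypothetical continuous-auth window

@dataclass
class Request:
    user: str
    roles: set
    mfa_verified: bool          # identity proven with a second factor this session
    auth_age_seconds: int       # time since identity was last confirmed
    device_managed: bool        # company-issued vs. personal (BYOD) device
    device_compliant: bool      # passed posture check (patched, encrypted, etc.)
    on_corporate_network: bool  # recorded but deliberately NOT a trust signal
    action: str

def evaluate(req: Request) -> tuple:
    """Return (allowed, reason). Being 'inside the castle' grants nothing."""
    if not req.mfa_verified:
        return (False, "identity not verified with MFA")
    if not req.device_compliant:
        return (False, "device fails posture check")
    granted = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in req.roles))
    if req.action not in granted:
        return (False, "action not granted to the user's roles")
    if req.action in SENSITIVE_ACTIONS:
        if not req.device_managed:
            return (False, "personal device limited to non-sensitive resources")
        if req.auth_age_seconds > MAX_AUTH_AGE_SENSITIVE:
            return (False, "authentication too old for sensitive action; re-verify")
    return (True, "allowed")

# Constructed sample requests covering each rule.
INSIDE_NO_MFA = Request("alice", {"finance-admin"}, False, 30, True, True, True, "ledger:write")
REMOTE_OK = Request("alice", {"finance-admin"}, True, 60, True, True, False, "ledger:write")
ANALYST_WRITE = Request("bob", {"finance-analyst"}, True, 60, True, True, True, "ledger:write")
BYOD_READ = Request("bob", {"finance-analyst"}, True, 60, False, True, False, "ledger:read")
BYOD_WRITE = Request("alice", {"finance-admin"}, True, 60, False, True, False, "ledger:write")
STALE_AUTH = Request("alice", {"finance-admin"}, True, 3600, True, True, True, "ledger:write")

if __name__ == "__main__":
    for r in (INSIDE_NO_MFA, REMOTE_OK, ANALYST_WRITE, BYOD_READ, BYOD_WRITE, STALE_AUTH):
        print(r.user, r.action, "on-net" if r.on_corporate_network else "remote", evaluate(r))
```

Note that the on-network request without MFA is denied while the remote request with MFA on a managed, compliant device is allowed, which is the inversion of perimeter-based trust the article describes.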
Monitor traffic everywhere with Zero Trust
Traditional IT architecture allows for monitoring of user traffic coming in and out of the network, but remote work is now forcing organizations to monitor traffic on user devices wherever they are, says Michael Wilson, chief technical officer at managed security services provider Nuspire.
Wilson equates Zero Trust to moving from castles to high-tech body armor. They can work together, but are oftentimes at odds.
“While we will always have castles, we should no longer implicitly trust anyone inside the castle just because they are in it,” Wilson said. “These services/systems have to be rearchitected to no longer assume trust because someone is on the network or at a specific location. This is why having a strong identity program and technology to support it is a prerequisite to a true Zero Trust approach.”