Given the significant cost associated with data breaches these days, now might be a good time for organizations to seriously explore the Zero Trust model of cybersecurity.
What is it?
As described in NIST Special Publication 800-207: Zero Trust Architecture, Zero Trust is an evolving set of cybersecurity paradigms that moves defences away from static, network-based perimeters to focus on users, assets, and resources. A Zero Trust Architecture applies Zero Trust principles to the planning of industrial and enterprise infrastructures and workflows; it is designed to prevent data breaches and limit internal lateral movement.
One of the main assumptions of Zero Trust is that no implicit trust is granted to assets or user accounts based solely on their physical or network location, or on asset ownership. It does not matter whether the connection comes from a local area network or the Internet, or whether the asset is owned by the enterprise or by an individual. Enterprises have become quite complex: a single enterprise may operate several internal networks, remote offices with their own local infrastructure, remote or mobile individuals, and cloud services.
Zero Trust may begin with data and service protection, and can be expanded to include all enterprise assets such as devices, infrastructure components, applications, as well as virtual and cloud components. It can also be augmented to include subjects such as end users, applications, and other non-human entities.
With Zero Trust, enterprises assume that there is no implicit trust and continually analyze and evaluate the risks to their assets and business functions. Subsequently, they mitigate those risks using various forms of protections including minimizing access to resources to only those subjects and assets that have been identified as needing access, and continually authenticating and authorizing the identity and security posture of each access request.
It is important to note that Zero Trust is fluid and requires using a set of guiding principles for workflow, system design, and operations to improve the security posture of any classification or sensitivity level. It is necessary for organizations to use comprehensive information security and resiliency practices, some of which include continuous monitoring, network and system activity logging, and creating, maintaining, and enforcing data access policies.
A note on privacy: Zero Trust clearly requires the inspection and logging of traffic, and some of that traffic may contain private information. Organizations therefore have to identify and address the risks associated with intercepting, scanning, and logging network traffic; this may involve informing users, obtaining consent through measures such as a login page or banner, and educating enterprise users.
Why would an organization want to use it?
With developments such as increased remote or hybrid working during the pandemic, Bring Your Own Device (BYOD), and cloud-based assets that sit outside any enterprise-owned network boundary, it is important to reduce uncertainty as much as possible to protect an organization's cybersecurity posture. This can be achieved through authentication, authorization, encryption, and shrinking implicit trust zones. Zero Trust can help an organization:
- Protect customer data, including sensitive data
- Decrease data breach detection times and prevent further damage
- Increase traffic visibility to discover weak spots, inefficiencies, and new insights
- Create a safer environment and optimize the end-user experience through the use of Zero Trust policies
- Optimize a move to the cloud using a model that is more suited to modern environments
How can an organization start to implement it?
It is important to remember that using Zero Trust principles is a continual journey. It may be beneficial to start with one small system to use as a test case, and then go from there.
There are several steps that an organization can take to get started:
- Identify assets
- Verify devices and users
- Map workflows
- Define and automate policies
- Test, monitor, and maintain
Organizations can use a number of best practices for implementing Zero Trust:
- Identify sensitive data when prioritizing the data
- Limit and control access by placing limits on the users, devices, applications, and processes seeking access to the identified data
- Detect threats using continuous monitoring
- Ensure that there is authenticated access to all resources, keeping in mind that multi-factor authentication is the foundation of Zero Trust security
- Use least-privilege access control, where the goal is to eliminate unauthorized access to data, services, and networks by granting access rights only when absolutely necessary
- Inspect and log all activities using data security analytics, and create user account baselines to help identify abnormal behaviours that could constitute malicious activity
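As an added illustration (not from the original article or from NIST SP 800-207), here is a minimal policy decision point in Python in the spirit of the steps and practices above: every request is checked for authentication, MFA and device posture, granted only the actions its role was explicitly given, denied by default otherwise, and logged so that per-user baselines can surface unusual access. The resources, roles and users are constructed sample data, and the source network is recorded but never used to grant access.

```python
from dataclasses import dataclass

@dataclass
class Request:
    """One access request as seen by the policy decision point (PDP)."""
    user: str
    authenticated: bool
    mfa: bool
    device_managed: bool
    device_patched: bool
    source_network: str   # logged for visibility, never used to grant access
    resource: str
    action: str

# Constructed sample inventory: resource sensitivity and the per-role actions
# that are explicitly permitted (anything not listed is denied).
RESOURCES = {
    "payroll-db": {"sensitivity": "high", "allowed": {"hr-admin": {"read", "write"}}},
    "wiki": {"sensitivity": "low", "allowed": {"hr-admin": {"read"}, "engineer": {"read", "write"}}},
}
ROLES = {"alice": "hr-admin", "bob": "engineer"}   # constructed identity store

DECISION_LOG: list[dict] = []   # every decision, allowed or denied, is recorded

def decide(req: Request) -> tuple[bool, str]:
    """Evaluate one request; each check must pass or the request is denied."""
    allowed, reason = False, "default deny"
    res, role = RESOURCES.get(req.resource), ROLES.get(req.user)
    if res is None or role is None:
        reason = "unknown resource or subject"
    elif not req.authenticated:
        reason = "not authenticated"
    elif not req.mfa:
        reason = "MFA required on every request"
    elif res["sensitivity"] == "high" and not (req.device_managed and req.device_patched):
        reason = "device posture insufficient for high-sensitivity resource"
    elif req.action not in res["allowed"].get(role, set()):
        reason = f"role {role} is not permitted to {req.action} {req.resource}"
    else:
        allowed, reason = True, "identity, posture and least-privilege checks passed"
    DECISION_LOG.append({"user": req.user, "resource": req.resource, "action": req.action,
                         "network": req.source_network, "allowed": allowed, "reason": reason})
    return allowed, reason

def flag_anomalies(baseline: dict[str, set[str]]) -> list[dict]:
    """Return logged requests for resources outside the user's normal baseline."""
    return [e for e in DECISION_LOG if e["resource"] not in baseline.get(e["user"], set())]
```

Note that a request from the corporate LAN with an unpatched device is denied for a high-sensitivity resource, while a fully verified request from the Internet to a low-sensitivity resource is allowed: the decision follows identity, posture and policy, not location.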
Indeed, this may be a pivotal moment to embrace the Zero Trust model. While "never trust, always verify" and "assume breach" may seem complicated and onerous, they can go a long way toward preventing data breaches and cyberattacks, or at least toward minimizing the damage caused by one.