The old saying, usually found in mom and pop stores, reads, “In God we trust. All others pay cash.” It’s cute, but real. This attitude is also now becoming a dominant way of approaching cybersecurity. It’s called “zero trust security.”
What is Zero Trust Security?
To understand the concept, it’s first necessary to grasp the role of trust in the broader cybersecurity context. Trust in computing is like trust in real life. Like the mom and pop store owner who doesn’t trust you to pay later, a network or digital asset should not trust everyone who wants to access it.
In cybersecurity, trust generally means letting users who are known, and therefore trusted, have access to the network or a digital asset, e.g. server, database, application, etc. Every corporate network on earth deploys systems to ensure that only trusted users can get in. Typically, the user has to authenticate him or herself by submitting a username and password pair at login. The system, usually relying on an Identity and Access Management (IAM) system like Microsoft Active Directory, checks to see if these log in credentials match those of a trusted user.
Organizations assign varying levels of trust to different users, often by role. For example, an accounting staff member is trusted to access the accounting software, but not the HR system. This is a pretty good approach to cybersecurity, but it has some significant weaknesses. For one thing, hackers can steal login credentials and then impersonate trusted users.
Also, the dominant “castle and moat” theory of security, where untrusted people are outside the system and only trusted users are let inside, makes internal assets vulnerable to lateral penetration. This technique is also known as “verify then trust.” The problem here, is that a verified user may not turn out to be trustworthy once he or she is inside the network. Even with good intentions, managers of security for data, applications and internal networks may make it easy for a malicious actor to move laterally across the network and enjoy unauthorized access to sensitive information.
Zero trust is the solution to these problems. As its name suggests, zero trust security is about trusting absolutely no one. Zero trust comprises a security model that requires identity verification and access authorization for everyone and anyone both inside or outside the network. With zero trust, the organization will not automatically trust anything inside or outside its perimeter.
How does Zero Trust Work?
Implementing the zero trust model can take a variety of forms. In some cases, a security tool will enable zero trust for a specific asset. For instance, there are data security packages that allow you to establish zero trust certain parts of a database. When activated, no user can ever access that part of the database without permission. Other approaches to zero trust focus on network segmentation and more rigorous forms of authentication than the simple username/password pair.
Network micro segmentation is an effective way to enforce zero trust. It’s the practice of dividing a corporate network into zones, or segments, each of which require separate user authentication. This way, if a malicious actors gains access to one segment, he or she cannot easily move laterally to other segments. For example, a network could have a “general” segment which is open to the majority of users. This segment contains little sensitive data or application functionality. Another segment might be for financial management team members only, and so forth.
Utilizing Multi-Factor Authorization (MFA) adds another layer to the zero trust model. MFA involves requiring a user to present at least one identifying factor in addition to the username/password pair in order to be admitted into the network. This might be a one-time use code that’s sent via text message to the user’s cell phone, a biometric identifier, and the like. While it is possible for a hacker to penetrate a system that uses MFA, the technology makes it quite a lot harder to do.
It is also possible to implement zero trust through a policy known as the “Least Privilege Access Model.” This model holds that each user should have the very minimum access rights and nothing more. For example, access is only given to complete a specific job (often within a specific time frame). There is no other network access allowed. Least privilege relies on having strong IAM systems, access enforcement and the like. The model works well with micro segmentation.
Building the Zero Trust Model
A number of tools on the market today can handle much of the technical implementation of a zero trust model. However, even when you have such tools, the hard part is usually figuring out how you want to set up your zero trust model and to whom it will apply. Interdepartmental discussions (arguments!) on this topic can be pretty heavy, so it pays to think about it carefully and put all of your people/organizational skills to work. It may be wise to start small with a simple network microsegmentation that lines up with roles that have already been defined in the IAM solution.
Overall, the process of building the zero trust model includes:
- Identify sensitive zones of network—this is an essential step in zero trust. Doing this right means mapping the business and its digital assets and then determining which assets belong in their own restricted segment. After that, you have to match these segments with users, typically by role.
- Assign roles and limit access—IAM systems come into play here, along with add-ons that define and enforce zero trust policies. Each role will be trusted for certain network segments and digital assets.
- Map transaction flows—Transactions often span multiple network segments and digital assets, e.g. from the ERP system to the finance system, to logistics and so forth. Zero trust has to accommodate users (and machines) who need to hop across all of these separate digital assets and separate network segments. Purpose-built tools can help with this process. They may be plug-ins to the enterprise resource planning (ERP) package, e.g. SAP.
- Build the zero trust architecture—In conceptual terms, the zero trust architecture provides a detailed view of the intersections between policy, people, network segments and digital assets: who is allowed to see/do what, in what places and so forth. In practical terms, the architecture may be something that’s generated through a zero trust security management tool.
- Establish rules and policies—The rules and policies follow from the zero trust architecture. They spell out the ways that each user will or will not be trusted for a given asset and so forth. Rules and policies form the basis for zero trust architecture.
- Monitor and Update—A zero trust security tool will generally offer the ability to monitor the status of zero trust access requests and sessions. Alternatively, other security monitoring tools, such as those that watch firewalls and network sessions, can be configured to show how well zero trust policies are working.
A number of companies have emerged with dedicated zero trust solutions. These include Palo Alto Networks, Centrify, Edgewise and others.
The Benefits and Downsides of Zero Trust Security
Zero trust security is a policy that reduces the likelihood of a data breach, which can result in a huge distraction and expense. The model overcomes limitations in firewalls. It’s also beneficial because it introduces a higher level of discipline and risk mitigation across multiple areas of the IT environment. If there is a security incident, the existence of zero trust tools should make the subsequent investigation go faster and reveal more accurate insights into went wrong, e.g. whose identity got compromised. In addition, zero trust provides a more secure network because of its emphasis on the verification of user credentials. Hackers are further deterred by encryption of assets once inside the network.
There is also a downside to zero trust, though. It can be difficult to implement, especially for companies with extensive legacy system environments. The zero trust model requires constant management. It creates overhead, with the need to assign someone (or multiple people) to oversee the task of deciding who can be trusted with what.
Virtually every aspect of cybersecurity is based on the concept of trust. Who can you trust? Who is abusing trust? What assets required restrictions on trusted access, and so forth. The zero trust model offers a solution that mitigates the widest range of trust-based risks. It assumes that no one can be trusted unless shown otherwise by means of verification and authentication. Done right, zero trust security can contribute to a stronger security posture and reduce the probability and impact of a data breach.