Zero Trust Architecture: Never Trust, Always Verify
Zero trust architecture has protected many companies from attacks. However, it’s not the best security for every network. How do you know if it’s right for you?
What Is a Zero Trust Approach?
A zero trust approach is a security model that protects networks from attack by eliminating implicit trust from the system. Without implicit trust, every user has to be verified for all resources and data they want to access.
How Does Zero Trust Work?
Zero trust security is an approach to security in which no device, user, or agent is implicitly trusted with access to system resources. Access to system resources must only come through authentication and authorization using acceptable credentials.
Zero trust focuses on protecting critical data, assets, applications, and services (DAAS) using micro-perimeters and segmentation gateways. These security tools place security measures close to DAAS—concentrating the protection surface as much as possible.
Once you have the potential protection surface figured out, you can then determine the flows of data through that surface and behind that surface. You will better understand how data moves through your security services and within your own infrastructure.
Most important is how zero trust security is implemented. Enterprises can look to an important security document published by the National Institute of Standards and Technology (NIST), NIST Special Publication 800-207: Zero Trust Architecture. This document outlines a framework for understanding and implementing zero trust principles.
Some of the principles of zero trust architecture outlined in NIST 800-207 include the following:
- Consider All Services and Data Sources as Resources: Never take for granted any aspect of your system and its place in the security ecosystem. This includes software, cloud services, mobile devices, workstations, and data storage platforms.
- Secure All Communications Regardless of Network Location: Never consider any aspect of your internal network to be secure as it is, and implement protections at any point where a resource may connect or transmit.
- Limit Access on a Per-session Basis: To force users and devices to demonstrate their trustworthiness, access to each resource should be granted for a single session at a time, with authentication and authorization evaluated again for every new session rather than carried over from a previous one.
- Leverage Dynamic Policy Attributes for Access: Role-based access control (RBAC) is a popular way to determine who can access resources. Zero trust policies should also leverage attribute-based access controls (ABAC) to incorporate limitations based on device characteristics, time and date, or even behavioral attributes.
- Continually Monitor All Assets: NIST suggests that any asset, whether data, software, or hardware, must be regularly monitored to avoid cases where the asset has been unknowingly subverted.
- Strict Identity Access Management at All Times: Your system must enforce strict authentication and authorization controls before any access is ever granted.
- Assessment and Optimization: Continuous monitoring can, and should, contribute to optimizing access enforcement, security, and network privacy.
What Are Best Practices and Benefits of Zero Trust Architecture?
While you may have a basic grasp of the principles that make up a zero trust model, it is another thing entirely to implement this architecture. You must consider how those principles play out in your specific IT systems, within your specific infrastructure, and concerning your business goals.
Several steps go into implementing a zero trust architecture:
- Define protection surfaces close to DAAS to avoid overextending security resources. It might get confusing to think of what “close” means in this context. Access controls and security measures shouldn’t cover a broad, unnecessary set of technologies and resources. Instead, you should implement clear, limited, and targeted protection surfaces where needed. This approach allows you to control traffic and system access better and adjust perimeter security as needed.
- Trace data transactions and flows, including all movements of information across different parts of your infrastructure. Per NIST, you should never assume that information is secure in your network. Your zero trust architecture should have controls in place to track how data moves across your networks, particularly in relation to your protection surface.
- Develop security and zero trust policies around the “Kipling Method.” The Kipling Method, often attributed to a poem by Rudyard Kipling, defines a set of universal questions you can ask about your security infrastructure: Who? What? When? Where? Why? and How? By using this approach, you can build zero trust policies around an extensive list of roles, attributes, and other granular controls.
- Create continuous monitoring and maintenance plans and implement them. NIST 800-207 suggests that monitoring and optimization become a part of your zero trust architecture. Using data-driven audit logging and monitoring tools, you can implement zero trust principles even with existing resources. Never assume that an existing resource hasn’t been breached or compromised, and never assume that your resources remain secure against evolving threats.
To understand a full approach to implementing zero trust, look to NIST SP 800-207, which includes high-level architecture guidelines that implementations can be measured against.
Of course, zero trust architecture has a number of benefits, primarily around security and compliance:
- Security: Zero trust principles close gaps in security, especially those related to authorization and authentication. Since no user, device, or resource is trusted implicitly, there is less attack surface for hackers to exploit. The vectors by which attacks like advanced persistent threats (APTs) can spread within a system are also limited.
- Compliance: Several federal and defense compliance standards recommend or require zero trust architecture. Furthermore, the recent Executive Order on cybersecurity calls for all federal agencies and contractors to move to zero trust security. Getting ahead by implementing these principles will go a long way to promoting your compliance posture.
How Do Organizations Implement Zero Trust Architecture?
Following the best practices discussed here and guidelines within NIST 800-207, it’s relatively straightforward to conceptualize a zero trust implementation. However, looking at zero trust from a system-wide perspective can make the task seem more daunting.
A good way to start conceptualizing zero trust in action within your system is to start with a single critical DAAS:
- Identify a DAAS within your infrastructure that should or will fall into zero trust security.
- Deploy the Kipling Method to develop zero trust policies:
  - Who should access this resource?
  - What are they accessing (software, data, etc.)?
  - Where would they access it under normal and secure circumstances?
  - When would they access it (only during work hours, under limited windows of time, etc.)?
  - Why would they need to access it for legitimate business use?
  - How must they access it (local workstations, mobile devices, etc.)?
- Build zero trust policies from these questions and develop a security and identity and access management (IAM) configuration from those policies. This configuration should address your security policies without compromising user experience or system usability.
- Implement policies through limited protection surfaces around assets, adhering to the decided security and IAM configurations.
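As an added example (not code from the article or from NIST 800-207), the following Python sketch shows a minimal policy decision point that answers the Kipling questions as attribute checks (who, what, where, when, how) and re-evaluates every request from scratch, which is what per-session access and attribute-based control look like in practice. The resource name, roles, locations and device classes are constructed sample values; identity verification is assumed to have been done by an identity provider, and "why" is settled when the policy is written rather than at request time.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class AccessRequest:
    who: str                # identity already authenticated by the IdP (assumed)
    roles: frozenset        # RBAC roles asserted for that identity
    what: str               # the DAAS resource being requested
    where: str              # client network zone ("office", "corp-vpn", ...)
    when: datetime          # time of this request
    how: str                # device class, e.g. "managed-laptop"
    device_compliant: bool  # endpoint posture check result
    mfa: bool               # this session was authenticated with MFA

@dataclass(frozen=True)
class Policy:
    allowed_roles: frozenset
    allowed_locations: frozenset
    hours: tuple            # (start_hour, end_hour), half-open, local time
    allowed_devices: frozenset
    require_mfa: bool = True

def evaluate(req: AccessRequest, policies: dict) -> tuple:
    """Decide one request: default deny, and every Kipling question must pass.
    Nothing is cached between calls, so each session is evaluated afresh."""
    policy = policies.get(req.what)
    if policy is None:
        return "deny", ["what: no policy for this resource (default deny)"]
    reasons = []
    if not (req.roles & policy.allowed_roles):
        reasons.append("who: role not permitted")
    if req.where not in policy.allowed_locations:
        reasons.append("where: location not permitted")
    start, end = policy.hours
    if not start <= req.when.hour < end:
        reasons.append("when: outside the permitted window")
    if req.how not in policy.allowed_devices or not req.device_compliant:
        reasons.append("how: device class or posture not acceptable")
    if policy.require_mfa and not req.mfa:
        reasons.append("how: MFA required for this session")
    return ("allow", []) if not reasons else ("deny", reasons)

# Constructed sample: one critical DAAS (an HR database) and two requests.
POLICIES = {"hr-db": Policy(frozenset({"hr-analyst"}), frozenset({"office", "corp-vpn"}),
                            (8, 18), frozenset({"managed-laptop"}))}
OK = AccessRequest("alice", frozenset({"hr-analyst"}), "hr-db", "office",
                   datetime(2024, 5, 6, 10, 30), "managed-laptop", True, True)
BAD = AccessRequest("alice", frozenset({"hr-analyst"}), "hr-db", "home-wifi",
                    datetime(2024, 5, 6, 22, 0), "personal-phone", False, False)
```

The denial reasons are returned as a list so they can be written to the audit log that the continuous monitoring step above depends on.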
Zero trust architecture is becoming a mainstay in many security circles. With the recent Executive Order on national cybersecurity standards now going into effect, the use of required zero trust principles is only going to become more pronounced.
The CISO Street Team is a group of experts and professionals working in enterprise IT security and management, providing insight into foundational questions of cybersecurity, information governance and compliance.