The concept of Zero Trust and why you should consider implementing it

Introduction

Cyberattacks have increased in size, frequency and sophistication, causing on average $4.24mn in costs. The rise of cloud computing, the remote workforce following the Corona pandemic and legal frameworks like the GDPR have raised the stakes for organizations to protect their sensitive applications and data. The existing “castle-and-moat-paradigm” that trusts users inside the company perimeter has become obsolete.

Zero Trust Security is an omnipresent buzzword in the cybersecurity space. More and more companies are turning to this new security paradigm that has one central tenet: Trust nobody — practice zero trust. Does Zero Trust Security really promise to be the much-needed-answer to the constantly evolving and emerging cyber-threat landscape?

What is Zero Trust?

The Zero Trust approach has one central tenet: Nothing inside or outside the company perimeter should be trusted. As a result, every user has to authenticate themselves and their identity with every login every time before they are granted access to company resources, applications and data.

The Zero Trust Network or Zero Trust Architecture was originally developed by John Kindervag in 2010 during his tenure as vice-president of Forrester Research. It represents a shift from the prior “castle-and-moat-approach” in which the company-internal systems were protected with firewall as moat. In this outdated approach (not fit for the age of cloud computing and remote working), it was assumed that all users inside the company perimeter act responsibly and can be trusted.

As most organization’s IT security concepts and architectures are still based on this obsolete approach, many massive data breaches occur once a hacker/malicious actor had made it into the company perimeter. Zero Trust architecture puts an end to this. It effectively eliminates the concept of trust from the company perimeter.

Cloud computing and remote working has brought with it that security must be enforced not only at perimeter but beyond to data centers, cloud, web services and outsourced IT services instead of considering cyber security in silos.

The main components of Zero Trust

What then are the components that Zero Trust is made of? Most of these technologies and governance processes have been around for long and are now combined with the mission of ensuring the security of the enterprise IT environment.

The starting point is micro segmentation and definition of highly specific perimeters based on data like users, location and additional data points that evaluate whether a user can be trusted and granted access. Both the identity of the user endpoint and their security status must be determined. Users are only granted access based on governance policies that determine who can have access to what.

It is technologies like

  • Multifactor authentication
  • IAM (identity and access management)
  • Orchestration
  • Analytics
  • Encryption
  • Scoring
  • File system permissions
  • Governance policies (give users least amount of access they need to complete their tasks)

.

Where to start

How can companies implement a Zero Trust architecture and where should they start? Generally, organizations need to prepare for a gradual and long-term shift. Especially for large corporations it is going to be a gradual, multi-phase and multi-year-transition. The shift to Zero Trust should become part of the overall transition from legacy systems to the cloud. It should be driven by CISO and CIO to determine what part of the IT environment should be prioritized.

Aside from the technological changes and implementations, also the mindset of the staff has to change accordingly. The illusion currently is that the internal IT environment is safe and everything within it is trusted. Instead, security executives have to understand that the malicious actors are already in their IT environment.

In order to implement Zero Trust architecture, organizations must follow these 5 chronological steps.

Micro-segmentation (micro perimeter):

  1. Identify the protect surface — the protect surface defines what are the most essential, critical data, assets, applications and services in the company network.
  2. Document transaction flow — identify how traffic in the organization moves, who are the users, what applications do they use and how are they connecting?
  3. Build a Zero Trust architecture — creating a micro perimeter closely around the protect surface through a next-gen firewall that makes sure only known, permissioned traffic and legitimate applications can access the protect surface.
  4. Create Zero Trust policy — Leveraging the Kipling method, these policies answer the questions of who, what, when, where, why and how access to company resources are granted through allowing passing through defined micro perimeters.
  5. Monitor and maintain: Defined zero trust policies need to be monitored ongoingly, e.g. if new elements should be added to the protect surface or some interdependencies have not been taken into account yet.

.

Conclusion

Today’s cyberthreats call for a new security paradigm to protect sensitive data, applications and services in enterprise IT environments. The Zero Trust paradigm eliminates trust from the company perimeter, making it necessary for users to always identify and authenticate themselves before being granted access.

More and more organizations are adjusting their IT environment to reflect this approach and it is determined to become the dominant paradigm over the next 3–5 years. While Zero Trust doesn’t require the implementation of specific solutions, it requires the combined implementation of existing technologies around the definition of micro perimeters. The transition to the Zero Trust paradigm should be driven by CISO, CIO and executive board and must be accompanied by a mindset shift.