Zero Trust is a security model developed by renowned cybersecurity analyst John Kindervag. Today, Zero Trust is one of the more popular frameworks in cybersecurity for protecting critical systems and data. Systems operating under a Zero Trust framework trust access or transactions from no one — not even internal users behind the firewall-- and limit everyone’s access to data in order to minimize the blast radius of an attack.
Through an executive order, the president has instructed federal agencies and contractors to begin strengthening their cybersecurity defenses and implement a Zero Trust security model to protect critical infrastructure – and strongly recommends the private sector follow suit. This is due to the increase in cyber threats and attacks on vital defense and infrastructure.
At the center of Zero Trust is data — and for good reason. Organizations that have visibility into their data and the activity around it can detect suspicious behavior, even when other security controls have been compromised. Here’s everything you need to know about Zero Trust, benefits, and limitations, as well as how to implement Zero Trust in your organization.
What Is Zero Trust?
Traditional perimeter network security approaches focus on keeping attackers and cybersecurity threats out of the network. However, these architectures are still susceptible to users and devices inside the network. Traditional network security architecture leverages things like firewalls, email gateways, and access controls by building multiple layers of security around a network’s perimeter. However, these “verify, then trust” tactics automatically trust users inside a network by default.
But Zero Trust assumes the network will be compromised or that the perimeter will fail, challenging users and devices to prove that they’re not attackers. Zero Trust requires strict identity verification for every user and device when attempting to access resources on a network, even if it’s an employee, user, or device within the perimeter. Zero Trust limits a user’s access from inside a network, preventing an attacker who has accessed a network from enjoying lateral freedom throughout the network’s applications.
Zero Trust essentially treats every user, device, and access request with the same stringent access requirements. By trusting no one and verifying everyone, organizations reduce the risk of hacks and data breaches significantly.
How Zero Trust Security Works
Zero Trust security is a holistic approach that involves multiple technologies and processes. The goal of Zero Trust security is to protect organizations from advanced threats and data breaches while assisting in compliance with FISMA, HIPAA, PCI, GDPR, CCPA, and any other core data privacy or security laws.
At the heart of Zero Trust is data security. Data is what hackers are after. This includes data such as personally identifiable data (PII), protected health information (PHI), payment card information (PCI), intellectual property (IP), and other data that organizations consider valuable. While other security controls are important, Zero Trust makes data activity monitoring a priority.
Here are the focus areas for the Zero Trust framework that your organization should address to build the best Zero Trust security strategy.
- Zero Trust Data. A Zero Trust approach starts by protecting data first and then building additional security layers. If an attacker can breach your perimeter controls, exploit a misconfiguration, or bribe an insider, under Zero Trust, they would have extremely limited access to valuable data, and controls will be in place to detect and respond to abnormal data access before it becomes a breach.
- Zero Trust Networks. Attackers must be able to navigate your network to steal data but Zero Trust networks make that extremely difficult. By segmenting, isolating, and restricting your network with technology like next-gen firewalls, your Zero Trust network will be much more resistant to hackers and cybercriminals.
- Zero Trust People: Humans are likely the weakest link in your security strategy. Limit, monitor, and strictly enforce how users access resources on both internal and external networks. Trust but verify all user activity on your network. Monitor users to protect against infrequent but inevitable human mistakes. Whether it’s falling victim to phishing or a proactive malicious insider, Zero Trust of people is a critical concept.
- Zero Trust Workloads: Workload simply means the entire stack of applications and back-end software that enables customers to interface with your business. Unpatched customer-facing applications are a common attack vector to defend. Treat the entire stack -- from storage to the operating system to front-end web interface -- as a threat vector and protect it with Zero Trust compliant controls.
- Zero Trust Devices: The sheer number of devices that live on networks has exploded over recent years. Each device -- from smartphones and PCs to connected IoT devices -- represents a potential entry point that attackers might seek to exploit. To create a Zero Trust environment, security teams should isolate, secure, and have access to controlling every device on a network.
- Visibility and Analytics. In order to enforce Zero Trust principles, empower your security and incident response teams with complete visibility of your IT environment, including network and file activity. You can then employ analytics to make sense of it all. Advanced threat detection and user behavior analytics are key to staying on top of any potential threats in your network so that you can identify anomalous behavior in real-time.
- Automation and Orchestration: Automation helps keep all of your Zero Trust security systems up and running and consistently enforcing policies. Humans aren’t capable of keeping up with the volume of monitoring events necessary to enforce Zero Trust. Automate as much of your remediation, monitoring, and threat detection systems as possible to save your security and operations teams time and bandwidth.
The Three Zero Trust Security Model Principles
Adhering to the three core principles of the Zero Trust Security Model forms the foundation of creating your own Zero Trust cybersecurity environment.
1. Require Secure & Authenticated Access to All Resources
The first main principle of Zero Trust is to authenticate and verify access to all resources. Each time a user accesses a file share, application, or cloud storage device, re-authenticate that specific user’s access to the resource in question.
You must assume that every attempt at access on your network is a threat until confirmed otherwise, regardless of the location of access or hosting model. To implement this set of controls, utilize measures like remote authentication and access protocols, perimeter security, and network access controls.
2. Adopt a Least-Privilege Model for Access Control
The least-privilege access model is a security paradigm that limits user access only to the spaces and resources absolutely essential to performing their job. By limiting individual user permissions, you prevent attackers from gaining access to large amounts of data with a single compromised account. By limiting access to data, you essentially create micro-perimeters around data (a concept started in the networking world, but very applicable to data, as well), which limits cybercriminals’ ability to access sensitive data or otherwise spread.
First, discover where you have sensitive data. Then, identify where that data is exposed to too many people or to people who don’t need access. The next step is remediating over-permissive access, which is a difficult, but worthwhile, task. Create new groups and assign data owners to manage the groups and use them as a means to implement least privileged access. Audit access and group memberships on a regular schedule and put data owners in charge of who can access their data. Make sure, for instance, that your IT team doesn’t somehow have access to the finance team’s data and vice versa.
3. Inspect and Log Every Network & File Event
Zero trust principles require inspection and verification of everything. But logging every network call, file access activity, and email transmission for malicious activity is a large undertaking that will take a combination of manpower and smartly deployed technology.
Monitoring and logging are arguably the most important principles of maintaining a Zero Trust security model. With monitoring and data security analytics in place, you can tell the difference between a normal login or a compromised user account. You will know that a ransomware attack is in progress or if a malicious insider is trying to upload files to their cloud drive.
This level of cybersecurity intelligence is difficult to achieve. Most tools in this category require you to code overly complicated rules or generate a significant number of false positives. The right system will use individualized baselines per user account and detect abnormal behaviors based on perimeter telemetry, data access, and user account behavior.
Implementing a Zero Trust Model
Zero Trust starts with data. Here are some key recommendations for where to start and how to protect your data within the Zero Trust framework.
- Identify Sensitive Data. Figure out where your sensitive data lives. This could be internal departmental folders or places where you store PII or PHI. You need to know where your sensitive data lives and who has access to it before implementing the right Zero Trust protection measures.
- Limit Access. Once you’ve identified your sensitive data, ensure that only the people who need access have it. This will limit sensitive data exposure and make it more challenging for hackers to gain access to it. You’ll want to audit your access permissions on the individual, group, and organizational levels.
- Detect Threats. Finally, you need to detect when suspicious activity is happening with your data or networks. Continuously monitor and log all activity related to data access including active directory, file and share access, and network perimeter telemetry. Compare the current activity to baselines of prior behavior and apply security analytics and rules to detect abnormal activity that may indicate active cybersecurity threats from internal or external sources.
Benefits and Limitations of a Zero Trust Model
Implementing a Zero Trust architecture within your organization has wide-ranging benefits. However, it’s important to remember that Zero Trust isn’t simply a magic bullet in terms of cyber defense. Here are the core benefits of Zero Trust as well as potential limitations that you should be aware of.
Benefit 1: Greater Network and System Visibility
Because Zero Trust never assumes that any device or user is trusted, you get to decide what resources and activities need coverage in your security strategy. All data and computing sources should be protected optimally. And once you have the proper monitoring installed to cover both resources and activity under a Zero Trust framework, you’ll have even more visibility into system activity. You’ll now know the time, location, and application involvement of every access request and be better equipped to flag and respond to suspicious activity.
Benefit 2: A More Secure Remote Workforce
Remote work has exploded in the past two years and cybersecurity concerns along with it. As users and devices access critical data from across the globe and outside the physical workspace, employing Zero Trust helps ensure the security of a distributed workforce. Zero Trust goes above and beyond traditional firewalls and security measures that aren’t necessarily adequate in a remote work environment. Under Zero Trust, identity is attached to users, devices, and applications that seek access, offering robust protection for both work and data in any location.
Benefit 3: Effective Ongoing Compliance
Zero Trust helps ensure continuous compliance across multiple industries and regulatory frameworks. Every access request being evaluated and logged is a huge aid in compliance documentation, for instance. Tracking the time, location, and applications involved in each access request creates a seamless and transparent audit trail. With continuous compliance, audits are streamlined as there is a visible chain of evidence for all access requests. This minimizes the effort required to produce evidence, making governance operations faster and more efficient.
Limitation 1: Coping with BYOD Trends and Workplaces
In the era of BYOD policies and environments -- along with the “always-on” mentality of many remote employees -- organizations need to allow for greater data and system access flexibility. Each individual device has its own properties, requirements, and communication protocols, which need to be tracked and secured under the Zero Trust model. While this is more than feasible, it may require a bit more legwork upfront to configure your Zero Trust security measures in a workplace that relies heavily on BYOD.
Limitation 2: Accounting for High Number of Applications
Another challenging factor to consider when adopting Zero Trust is the number of applications you’re using across the organization for people and teams to communicate and collaborate. You’re likely employing versatile and flexible cloud-based apps, but a high number of applications in use can make implementing Zero Trust somewhat of an uphill battle. Consider what third parties are handling your data, how it’s being stored, and whether or not each application is absolutely necessary before placing 100+ applications in your tech stack that will all need to be monitored and secured under Zero Trust standards.
Limitation 3: Authentication Doesn’t Verify Intention
The unfortunate fact is that, even if users are fully authenticated, Zero Trust can’t discern their intentions. Malicious insiders seeking to do damage to their own organization -- for whatever reason -- may still do so with the data or systems that they have authorized access to. The same principle holds true for public-facing web applications. Certain users may sign up for accounts, provide the right information, and gain proper access. But that doesn’t mean that they don’t have malicious intentions of compromising systems or data with what access they do have.
Moving forward, adoption of the Zero Trust framework will only grow based on evolving cybersecurity threats, an increase in remote work, and the explosion of BYOD and IoT. Taking a data-first approach to security is essential to Zero Trust. The more organizations know where their most sensitive data exists, who can access it, and what they’re doing with it, the more effective their defenses can be against today’s sophisticated threats. By implementing a Zero Trust architecture, you’ll both limit the blast radius and damage of a potential cyberattack and take steps towards cybersecurity compliance no matter what vertical your company is in.
David is a professional writer and thought leadership consultant for enterprise technology brands, startups and venture capital firms.