Zero Trust is a security model developed by former Forrester analyst John Kindervag in 2010. Since then, Zero Trust has become one of the more popular frameworks in cybersecurity. Recent massive data breaches prove that companies need to be more proactive about cybersecurity, and a Zero Trust model might be the right approach.
Zero Trust says to trust no one, not even users inside the firewall. Zero Trust means that every user and device should have their credentials verified every time they access any resource inside or outside the network.
Read on to discover more about the Zero Trust security framework.
How Zero Trust Security Works
Zero Trust security has evolved into a holistic approach to cybersecurity that involves several technologies and processes. The goal of Zero Trust security is to protect the company from advanced cybersecurity threats and data breaches, while helping the company achieve compliance with FISMA, HIPAA, PCI, GDPR, CCPA, and any future data privacy and security laws.
Here are the focus areas for the Zero Trust Framework. Forrester recommends organizations address each of these focus areas to build the best Zero Trust security strategy.
- Zero Trust Data: Your data is the thing attackers want to steal. So it makes sense that the first pillar of the Zero Trust Framework is to protect your data first, not last. This means companies need to be able to analyze, protect, classify, monitor and secure their enterprise data.
- Zero Trust Networks: Attackers have to be able to navigate your network to steal data, and it’s your job to make that as difficult as possible. Segment, isolate and control your network with technology like next-gen firewalls that are designed to do just that.
- Zero Trust People: Humans are still the weakest link in your security strategy. Limit, monitor, and strictly enforce how your users access resources both inside the network and on the internet. Establish VPN, CASB, and more to keep your users protected.
- Zero Trust Workloads: A workload is a term used by the infrastructure and operations team to mean the entire stack of applications and back-end software that enable your customers to interface with your business. Unpatched customer-facing applications are a common attack vector you must defend, so treat the entire stack from hypervisor to web front-end as a threat vector and protect it with Zero Trust compliant controls.
- Zero Trust Devices: Because of the Internet of Things (e.g., smartphones, smart TVs, and smart coffee makers), the number of devices that live on your networks has exploded in the past few years. These devices are a potential attack vector and should be segmented and monitored like any other computer on your network.
- Visibility and Analytics: In order to enforce Zero Trust principles, empower your Security and Incident Response teams with the visibility of everything going on in your network – and the analytics to make sense of it all. Advanced threat detection and user behavior analytics are key to staying on top of any potential threats in your network.
- Automation and Orchestration: Automation helps keep all of your Zero Trust compliant systems up and running, and your Zero Trust policies enforced. Humans are not capable of keeping up with the volume of monitoring events necessary to enforce Zero Trust.
3 Principles of the Zero Trust Security Model
- Require secure and authenticated access to all resources.
The first basic principle of Zero Trust is to authenticate and verify all access to all resources. Each time a user accesses a file share, application, or cloud storage device, you have to re-authenticate that user’s access to the resource in question.
You have to assume that every attempt at access on your network is a threat until confirmed otherwise, regardless of location of access or hosting model.
- Adopt a least privilege model and enforce access control.
The least privilege access model is a security paradigm that limits each user’s access to only what they need to do their job. By limiting each user’s access, you prevent an attacker from gaining access to large amounts of data with a single compromised account.
Use Role Based Access Control (RBAC) to enforce least privilege and empower data owners to manage access to their data. Audit access and group memberships on a regular schedule.
- Inspect and log everything.
Zero Trust principles require inspection and verification of everything. Logging and inspecting every network call, file access, and email for malicious activity is not something a human or an entire team of humans can do; this is where automation, visibility, and analytics come in.
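The three principles above, combined in one small policy enforcement point: every request is re-authenticated, checked against a least-privilege RBAC mapping, logged, and compared with a per-user baseline of what that user has accessed before. This is an added illustration, not code from the original post or from Varonis; the users, roles, tokens, and resources are constructed sample data.

```python
"""Toy Zero Trust policy enforcement point (constructed example, not Varonis code)."""
from collections import defaultdict
from datetime import datetime, timezone

# Principle 2: least privilege via RBAC. Each role maps to the minimal set of
# (resource, action) pairs needed for the job. Constructed sample data.
ROLE_PERMISSIONS = {
    "hr_analyst": {("hr_share", "read")},
    "hr_manager": {("hr_share", "read"), ("hr_share", "write")},
    "finance_clerk": {("finance_share", "read")},
}
USER_ROLES = {"alice": {"hr_analyst"}, "bob": {"finance_clerk"}}
# Stand-in for a verified credential/MFA check (assumption): token -> user.
VALID_TOKENS = {"tok-alice-1": "alice", "tok-bob-1": "bob"}

AUDIT_LOG = []                       # Principle 3: every decision is logged
ACCESS_HISTORY = defaultdict(set)    # per-user baseline of (resource, action) seen

def authorize(token, resource, action, now=None):
    """Re-verify identity and permission on every call; never cache trust.

    Returns (allowed, anomaly). 'anomaly' is True when the request falls
    outside the user's baseline, whether it was allowed or denied."""
    now = now or datetime.now(timezone.utc)
    user = VALID_TOKENS.get(token)   # Principle 1: authenticate each request
    decision, reason, anomaly = "deny", "unauthenticated", False
    if user:
        roles = USER_ROLES.get(user, set())
        allowed = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in roles))
        if (resource, action) in allowed:
            decision, reason = "allow", "rbac"
        else:
            decision, reason = "deny", "not_in_role"
        # Baseline check: first-time (resource, action) for this user is flagged,
        # so a compromised account probing new data shows up even when denied.
        anomaly = (resource, action) not in ACCESS_HISTORY[user]
        if decision == "allow":
            ACCESS_HISTORY[user].add((resource, action))
    AUDIT_LOG.append({"ts": now.isoformat(), "user": user, "resource": resource,
                      "action": action, "decision": decision, "reason": reason,
                      "anomaly": anomaly})
    return decision == "allow", anomaly

def alerts():
    """Audit entries that deviate from baseline, for the IR team to review."""
    return [e for e in AUDIT_LOG if e["anomaly"]]

if __name__ == "__main__":
    authorize("tok-alice-1", "hr_share", "read")       # allowed, new to baseline
    authorize("tok-alice-1", "finance_share", "read")  # denied and flagged
    for entry in AUDIT_LOG:
        print(entry)
```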
Implementing A Zero Trust Model
Here are some key recommendations to implement the Zero Trust framework.
- Update every element of your cybersecurity strategy to comply with Zero Trust: Identify any parts of your current strategy and technology that don’t comply with the Zero Trust principles listed above and update them.
- Analyze your current technology stack and determine if you need to update or replace any tech to achieve Zero Trust: Approach your technology vendors and ask them how they comply with Zero Trust. Seek out new vendors for any additional solutions you need to implement a Zero Trust strategy.
- Be methodical and deliberate as you implement Zero Trust: Don’t be hasty. Set measurable touchpoints and achievable goals. Ensure that your new vendors match their implementation to Zero Trust principles.
Zero Trust Model: Trusting Your Users
Zero Trust is kind of a misnomer, but “Trust Zero Things but Verify Everything” doesn’t have the same ring to it. You do need to trust your users if – and this is a big if – they have the appropriate authorization and your monitoring doesn’t detect any shenanigans.
Zero Trust with Varonis
Varonis provides a data-centric security approach to implement Zero Trust in your company.
- Varonis scans permissions and folder structures to help you achieve least privilege access, establish data owners, and implement a workflow to empower data owners to manage access to their data.
- Varonis classifies your data and identifies PHI, PII, GDPR, PCI, HIPAA, and more so you can add extra security and monitoring to your most sensitive data, and more easily meet compliance.
- Varonis monitors and analyzes file access, Active Directory, VPN, DNS, proxy, and email activity to create a baseline profile for each user on your network. Advanced data security analytics compare current monitored data to that baseline to detect abnormal behavior and trigger an alert, giving you actionable intelligence to respond to any discovered threats.
Varonis provides the core monitoring, classification, permissions management, and threat intelligence you need to establish Zero Trust on your network.
Why Zero Trust Model Security?
The Zero Trust framework can provide a solid defense against data breaches and advanced cybersecurity threats. All attackers need to break into your network is time and motivation — firewalls or password policies don’t deter them. You need to build internal barriers and monitor everything to catch their movements when they break in.
Download the 2019 Data Risk Report to see security issues and vulnerabilities that a Zero Trust approach can help address — and see how Varonis’ data-centric approach helps organizations establish and achieve a Zero Trust framework and strategy.