Zero Trust is a security model developed by former Forrester analyst John Kindervag in 2010. Since then, Zero Trust has become one of the more popular frameworks in cybersecurity. Recent massive data breaches prove that companies need to be more proactive about cybersecurity, particularly around the security of their data, and a Zero Trust model might be the right approach.
Zero Trust says to trust no one—not even users behind the firewall. Insider threats continue to be a major risk, and easy access to billions of compromised credentials has made breaching the perimeter a trivial task for most hackers.
At the center of Zero Trust is data—and for good reason. Organizations who have visibility into their data and the activity around it can detect suspicious behavior, even when other security controls have been compromised.
Read on to discover more about the Zero Trust security framework.
How Zero Trust Security Works
Zero Trust security has evolved into a holistic approach to cybersecurity that involves several technologies and processes. The goal of Zero Trust security is to protect the company from advanced cybersecurity threats and data breaches, while helping the company achieve compliance with FISMA, HIPAA, PCI, GDPR, CCPA, and any future data privacy and security laws.
At the heart of Zero Trust is data security. Data is the asset attackers want to steal; whether that’s personally identifiable information (PII), protected health information (PHI), payment card information (PCI), or intellectual property (IP), all of it has value.
So while other security controls are important, without monitoring data activity, you will have a critical gap. No matter what form the attack takes
Here are the focus areas for the Zero Trust Framework. Forrester recommends organizations address each of these focus areas to build the best Zero Trust security strategy.
- Zero Trust Data: A Zero Trust approach starts by protecting data first and then building additional security layers. If an attacker can breach your perimeter controls, exploit a misconfiguration, or bribe an insider, under Zero Trust, they would have extremely limited access to valuable data and controls will be in place to detect and respond to abnormal data access before it becomes a breach.
Because data is the ultimate target for attackers and insider threats, it makes sense that the first pillar of the Zero Trust Framework is data. To protect data, companies need to be able to understand where their data lives, who can access it, what’s sensitive or stale, and monitor data access to detect and respond to potential threats.
- Zero Trust Networks: Attackers must be able to navigate your network to steal data, and Zero Trust networks make that as difficult as possible by segmenting, isolating, and restricting your network with technology like next-gen firewalls.
- Zero Trust People: Humans are likely the weakest link in your security strategy. Limit, monitor, and strictly enforce how your users access resources both inside the network and on the internet. Trust but verify all user activity on your network. Monitor your users to protect against the occasional human mistake, whether it comes from phishing or bad passwords, and against malicious insiders.
- Zero Trust Workloads: A workload is a term used by the infrastructure and operations team to mean the entire stack of applications and back-end software that enable your customers to interface with your business, and unpatched customer-facing applications are a common attack vector you must defend. Treat the entire stack from storage to the operating system to web front-end as a threat vector and protect it with Zero Trust compliant controls.
- Zero Trust Devices: Because of the Internet of Things (e.g., smartphones, smart TVs, and smart coffee makers), the number of devices that live on your networks has exploded in the past few years. Each of these connected devices is an entry point attackers can use to infiltrate your network. To move towards Zero Trust, security teams should be able to isolate, secure, and control every device on the network.
- Visibility and Analytics: In order to enforce Zero Trust principles, empower your security and incident response teams with visibility into everything going on in your network – and the analytics to make sense of it all. Advanced threat detection and user behavior analytics are key to staying on top of any potential threats in your network so that you can identify anomalous behavior in real time.
- Automation and Orchestration: Automation helps keep all of your Zero Trust security systems up and running, and your Zero Trust policies enforced. Humans are not capable of keeping up with the volume of monitoring events necessary to enforce Zero Trust. Automate as much of your remediation, monitoring, and threat detection systems as possible so you can save your human resources for Incident Response and other more important tasks.
3 Principles of the Zero Trust Security Model
- Require secure and authenticated access to all resources.
The first basic principle of Zero Trust is to authenticate and verify access to all resources. Each time a user accesses a file share, application, or cloud storage device, re-authenticate that user’s access to the resource in question.
You have to assume that every attempt at access on your network is a threat until confirmed otherwise, regardless of location of access or hosting model.
Implementing this set of controls relies on remote authentication and access protocols, perimeter security, and network access controls.
- Adopt a least privilege model and enforce access control.
The least privilege access model is a security paradigm that limits each user’s access to only what they need to do their job. By limiting each user’s access, you prevent an attacker from gaining access to large amounts of data with a single compromised account.
First, discover where your folder permissions expose your sensitive data and remediate over-permissive access. Create new groups and assign data owners to manage those groups, and use these new groups to implement least privilege access. Audit access and group memberships on a regular schedule and put data owners in charge of who can access their data. IT shouldn’t control access to the Finance team’s data – the Finance team should.
- Inspect and log everything.
Zero Trust principles require inspection and verification of everything. Logging every network call, file access, and email and checking it for malicious activity is not something a human, or an entire team of humans, can do.
Monitoring and logging are arguably the most important capabilities for maintaining a Zero Trust security model. With monitoring and data security analytics in place, you can tell the difference between a normal login and one from a compromised user account. You will know whether a ransomware attack is in progress or a malicious insider is trying to upload files to their cloud drive.
This kind of cybersecurity intelligence is difficult to achieve. Most tools in this category require you to code overly complicated rules or generate a significant number of false positives. The right system will use individualized baselines per user account and detect abnormal behaviors based on perimeter telemetry, data access, and user account behavior.
Implementing A Zero Trust Model
Zero Trust starts with data. Here are some key recommendations for where to start to protect your data within the Zero Trust Framework:
- Identify Sensitive Data: Figure out where your sensitive data lives. This could be internal “finance” or “legal” folders or places where you store PII or PHI. You have to know where your sensitive data lives and who has access to your data before you can protect it.
- Limit Access: Once you’ve identified your sensitive data, check to see that only the people who need access to it have access. This will limit sensitive data exposure and make it more challenging for hackers to gain access to it.
- Detect Threats: Knowing where your sensitive data is and limiting access to it are key first steps toward a Zero Trust framework. Next, you need to be able to detect when anomalous activity is happening with your data. Monitor all activity related to data access – Active Directory, file and share access, and network perimeter telemetry – compare the current activity to baselines of prior behavior, and then apply security analytics and rules to detect active cybersecurity threats from internal or external sources.
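The three steps above, together with the least-privilege remediation described under the principles section (find where permissions expose sensitive data, then fix over-permissive access) and the per-user baselines described under "Inspect and log everything", carried through in Python as an added example. This is not Varonis code and not from the original post; every share path, group name, file snippet, log line, pattern and threshold is a constructed assumption. Step 1 classifies folders by content (an SSN pattern and a card-number pattern with a Luhn check to cut false positives), step 2 lists sensitive folders that a global access group such as Everyone can reach, and step 3 builds a five-day baseline of reads per user and alerts when a day's volume is far above that user's own norm or when the user first touches a sensitive folder.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed inventory (hypothetical share paths, sampled file text, ACL entries).
PAYROLL = r"\\fs01\finance\payroll"
BRAND = r"\\fs01\marketing\brand"
SCRATCH = r"\\fs01\shared\scratch"
FOLDERS = {  # folder -> a line of content, as a classifier would sample it
    PAYROLL: ["Employee SSN 123-45-6789, salary band 4"],
    BRAND: ["Logo usage guidelines, hex colour #1A2B3C"],
    SCRATCH: ["Card 4111 1111 1111 1111 exp 12/29 for a test order"],
}
ACLS = {  # folder -> {group: rights}; Everyone and Domain Users are global access groups
    PAYROLL: {"Finance-RW": "modify", "Everyone": "read"},
    BRAND: {"Marketing-RW": "modify", "Domain Users": "read"},
    SCRATCH: {"Domain Users": "modify"},
}
GLOBAL_ACCESS_GROUPS = {"Everyone", "Domain Users", "Authenticated Users"}
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")

def luhn_ok(digits):
    """Luhn checksum: a run of digits counts as a card number only if it validates."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

# Step 1: identify sensitive data by content pattern.
def classify_folders(folders):
    """Return {folder: set(labels)} for folders whose sampled text matches a pattern."""
    labels = defaultdict(set)
    for path, samples in folders.items():
        for text in samples:
            if SSN_RE.search(text):
                labels[path].add("PII:SSN")
            if any(luhn_ok(re.sub(r"\D", "", m.group())) for m in CARD_RE.finditer(text)):
                labels[path].add("PCI:CARD")
    return dict(labels)

# Step 2: limit access: sensitive folders that a global access group can reach.
def find_overexposed(acls, sensitive):
    return [(path, group, rights)
            for path in sorted(sensitive)
            for group, rights in acls.get(path, {}).items()
            if group in GLOBAL_ACCESS_GROUPS]

# Step 3: detect threats against each user's own baseline.
def _event(day, user, folder, name):
    return f"2024-03-{day:02d} {user} READ {folder}\\{name}"

# Constructed log: five quiet days, then alice reads 40 payroll files she has never touched.
ACCESS_LOG = []
for day in range(1, 6):
    ACCESS_LOG += [_event(day, "alice", BRAND, f"asset{i}.png") for i in range(3 if day % 2 else 4)]
    ACCESS_LOG += [_event(day, "bob", PAYROLL, f"run{day}_{i}.xlsx") for i in range(2)]
ACCESS_LOG += [_event(6, "alice", PAYROLL, f"run{i}.xlsx") for i in range(40)]
ACCESS_LOG += [_event(6, "bob", PAYROLL, f"run6_{i}.xlsx") for i in range(2)]
BASELINE_DAYS = [f"2024-03-{d:02d}" for d in range(1, 6)]

def parse_events(lines):
    """'date user action path' -> (date, user, action, folder)."""
    out = []
    for line in lines:
        day, user, action, path = line.split(maxsplit=3)
        out.append((day, user, action, path.rsplit("\\", 1)[0]))
    return out

def build_baselines(events, baseline_days):
    """Per user: mean and standard deviation of reads per baseline day, and folders seen."""
    reads, folders = defaultdict(lambda: defaultdict(int)), defaultdict(set)
    for day, user, _action, folder in events:
        if day in baseline_days:
            reads[user][day] += 1
            folders[user].add(folder)
    baselines = {}
    for user, days in reads.items():
        counts = [days.get(d, 0) for d in baseline_days]
        baselines[user] = {"mean": mean(counts), "sd": pstdev(counts), "folders": folders[user]}
    return baselines

def detect_anomalies(events, baselines, sensitive, k=3.0):
    """Alert on a day's read volume above mean + k*sd (floored at 2*mean so a flat baseline
    does not alert on one extra read) and on a first read of a sensitive folder."""
    volume, first_touch = defaultdict(int), set()
    for day, user, _action, folder in events:
        base = baselines.get(user)
        if base is None:
            continue  # no baseline yet; a real system treats new accounts separately
        volume[(user, day)] += 1
        if folder in sensitive and folder not in base["folders"]:
            first_touch.add((user, day, folder))
    alerts = [(user, day, "volume", n) for (user, day), n in sorted(volume.items())
              if n > max(baselines[user]["mean"] + k * baselines[user]["sd"], 2 * baselines[user]["mean"])]
    alerts += [(user, day, "new-sensitive-folder", f) for user, day, f in sorted(first_touch)]
    return alerts

def run():
    """Carry the three steps through on the constructed data and return the findings."""
    sensitive = classify_folders(FOLDERS)
    events = parse_events(ACCESS_LOG)
    alerts = detect_anomalies(events, build_baselines(events, BASELINE_DAYS), sensitive)
    return {"sensitive": sensitive, "overexposed": find_overexposed(ACLS, sensitive), "alerts": alerts}

if __name__ == "__main__":
    for key, value in run().items():
        print(key, value)
```

Run as a script and the output shows the payroll and scratch folders classified as sensitive, the two global-group entries on them that least privilege would remove (the Domain Users entry on the non-sensitive brand folder is deliberately not reported), and two alerts for alice on day six: one for volume against her own baseline, one for a first touch of a sensitive folder. Bob reads the same two payroll files every day and never alerts, which is the point of per-user baselines over a single global rule; the 2*mean floor is the kind of tuning knob that keeps flat-baseline accounts from producing the false positives the text warns about.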
Zero Trust with Varonis
- Varonis scans permissions and folder structures to help you achieve least privilege access, establish data owners, and implement a workflow to empower data owners to manage access to their data.
- Varonis fixes permissions issues like broken access control lists (ACLs) and remediates Global Access Groups automatically to get you to Zero Trust in months instead of years.
- Varonis classifies your data and identifies PHI, PII, GDPR, PCI, HIPAA, and more so you can add extra security and monitoring to your most sensitive data, and more easily meet compliance.
- Varonis monitors and analyzes file access, Active Directory, VPN, DNS, proxy, and email activity to create a baseline profile for each user on your network. Advanced data security analytics compare current monitored data to that baseline to detect abnormal behavior and trigger an alert that gives you actionable intelligence to respond to any discovered threats.
Why a Zero Trust Security Model?
The data-centric Zero Trust framework can provide a solid defense against data breaches and advanced cybersecurity threats. All attackers need to break into your network is time and motivation — firewalls or password policies don’t deter them. You should build internal barriers and monitor activity to catch their movements when, not if, they break in.
Check out the Varonis Live Cyber Security Demo and see how Varonis’ data-centric approach helps organizations establish and achieve a Zero Trust framework and strategy.