Zero Trust is an information security model that does not presume any user or device is trusted, whether inside or outside the network, until it has been authenticated and authorized in real time. Access is granted only after that verification succeeds, and verification is repeated continuously rather than performed once at login.
Zero Trust, also widely referred to as Zero Trust architecture or Zero Trust security, ensures visibility and security controls are in place to secure, manage and monitor every user, device, app and network.
The Zero Trust security model is now widely used as a strategic approach to cybersecurity, with notable examples including Google’s BeyondCorp implementation and Gartner’s CARTA (Continuous Adaptive Risk and Trust Assessment) framework.
Why Zero Trust is essential
According to IBM’s 2022 Cost of a Data Breach report, the average cost of a breach was $4.82 million for critical infrastructure organizations and $4.35 million across all industries, the latter a 12.7 percent increase on the 2020 figure.
The financial incentive to significantly reduce data loss and breaches is clear, and the Zero Trust model provides a way to achieve this.
Zero Trust isn’t just effective; for United States federal agencies it is also required, since President Joe Biden’s May 2021 Cybersecurity Executive Order (EO 14028) directs them to develop and implement plans for a Zero Trust architecture.
The issues with the traditional information security model
Zero Trust as a cybersecurity concept came into common usage more than a decade ago but it has only become predominant as an information security framework in the past few years. To understand its rapid ascent, we need to get to grips with the issues that faced the traditional information security model.
Known as ‘perimeter-based security,’ the traditional approach to information security is akin to castle-and-moat logic.
Everyone within the castle walls – the local area network – is trusted, while everyone beyond is kept out by firewalls, with a VPN serving as the drawbridge for remote staff. Every user who reaches the internal network is therefore deemed trustworthy by default.
The main issues with this are twofold: an attacker who gets inside, whether by phishing a credential, compromising a VPN endpoint or bringing in an infected device, can move laterally across the network largely unchecked; and legitimate off-site users can only work through the same coarse VPN entry point, which grants them far broader network access than their job requires.
The problem of keeping bad actors out while allowing off-site users access has been made all the more acute by the relatively recent widespread adoption of remote working, cloud computing, software-as-a-service (SaaS), and office practices such as bring-your-own-device (BYOD). On-site data centers and internal applications are increasingly rare, while off-site user access is now a common requirement.
Since so much of the estate now lives outside the building, the perimeter-based security model no longer makes a great deal of sense. Worse, it is especially vulnerable to phishing: an attacker who tricks one employee into handing over a VPN password or session token inherits that employee’s implicit insider trust and all the network access that comes with it.
The Zero Trust framework’s answer is to stop treating network location as a reason to trust anyone. Firewalls and network controls remain, but they no longer define who is trusted: every request, from inside or outside, is treated as untrusted until the identity, device and context behind it have been verified.
How does Zero Trust work?
In practice, two rules are applied to every access request: the requester must be explicitly verified, and what they are granted is limited by the Principle of Least Privilege (PoLP).
Verification means that the identity of the user requesting access is checked in real time on every occasion, not just at login. This is typically achieved through multi-factor authentication (MFA) or two-factor authentication (2FA), whereby a password is combined with a second factor such as a one-time code, a push prompt on a registered device or a hardware security key. Phishing-resistant factors such as FIDO2 keys are preferable for sensitive systems, because a one-time code can be relayed by an attacker almost as easily as a password.
Even after the user’s identity has been verified, access to specific resources or applications is governed by further authorization controls, for example role-based access control (RBAC), so that a verified user still sees only what their role requires.
Zero Trust network access overcomes the risks presented by perimeter-based security in the following ways:
- There is no trusted internal network, so the old distinction between an outside threat and a remote worker no longer matters: a request from an office desk is evaluated exactly like one from a home connection.
- The distinction between on-site and off-site devices and applications also breaks down. Verification happens per user and per device, irrespective of location or network.
Explicit verification ensures that every user is authenticated before being trusted, and least privilege ensures that being trusted grants only the access a task requires. Compared with perimeter-based or physical security measures, this allows distributed, granular control over who can reach which information and resources.
The Zero Trust approach also weighs the context of each request, such as the health of the device, the sensitivity of the resource and the threat level of the environment it comes from. In so doing, Zero Trust significantly reduces the network’s attack surface and the blast radius of any single compromised credential.
The principles and technologies underpinning Zero Trust architecture
Principle of least privilege (PoLP)
As mentioned, a core Zero Trust assumption is that threats can originate inside an internal network as well as outside it (‘assume breach’). The PoLP is how that assumption is put into practice: if any account may already be compromised, each account should be able to do as little damage as possible.
Access rights are limited to those required to complete a specific task, which is justified by the frequently cited estimate that around 80 percent of data breaches involve privileged credentials.
Micro-segmentation
Micro-segmentation means dividing an internal network into separate zones, each with its own enforced boundary and access policy. A network can be broken into dozens of such zones, and each requires its own verification: a user granted access to one zone must re-authenticate to enter another, or may simply not be entitled to do so.
This significantly reduces the risk of lateral movement through a network once an intruder has gained a foothold: compromising one host or account no longer opens up the whole network.
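To make the per-request logic described in the ‘How does Zero Trust work?’ section and the per-zone re-authentication described under micro-segmentation concrete, here is an added example, written for this page and not code from the original article or from Vertikal 6. It is a minimal policy decision point in Python that evaluates every request from scratch: role-based least privilege first, then device posture, then whether the user holds a sufficiently strong and fresh verification for the specific zone the resource sits in. The roles, resources, zone names, factor strengths, time limits and request scenarios are all constructed for illustration; a real deployment would take them from an identity provider, a device-management system and a policy store.

```python
"""Minimal Zero Trust policy decision point (illustrative, constructed example).

Every request is judged on its own merits: who is asking (identity, role),
what they proved and how recently (factor, freshness, scoped to a zone),
from what (device posture) and for what (resource, action). Nothing is
inherited from "being on the LAN".
"""
from dataclasses import dataclass

# Role-based entitlements: role -> resource -> allowed actions (least privilege).
# Constructed sample data.
ROLE_PERMISSIONS = {
    "engineer": {"source-repo": {"read", "write"}, "prod-db": {"read"}},
    "analyst":  {"prod-db": {"read"}},
    "hr-admin": {"hr-records": {"read", "write"}},
}

# Micro-segmentation: every resource sits in a zone with its own entry rules.
RESOURCE_ZONE = {"source-repo": "dev", "prod-db": "prod", "hr-records": "hr"}
ZONE_POLICY = {
    "dev":  {"min_factor": "totp",  "max_age_s": 8 * 3600, "managed_device": False},
    "prod": {"min_factor": "fido2", "max_age_s": 900,      "managed_device": True},
    "hr":   {"min_factor": "fido2", "max_age_s": 3600,     "managed_device": True},
}
FACTOR_RANK = {"password": 0, "totp": 1, "fido2": 2}   # a bare password satisfies no zone


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    resource: str
    action: str
    device_managed: bool
    device_compliant: bool   # e.g. patched, disk encrypted, endpoint agent healthy
    source_ip: str           # recorded for audit only; location is never a trust input
    now: float               # request time, epoch seconds


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str


class PolicyDecisionPoint:
    """Evaluates each request from scratch; no decision is cached or inherited."""

    def __init__(self) -> None:
        # (user, zone) -> (factor proven for that zone, time it was proven)
        self._verified: dict[tuple[str, str], tuple[str, float]] = {}

    def record_verification(self, user: str, zone: str, factor: str, when: float) -> None:
        """Called by the identity provider after an interactive challenge scoped to one zone."""
        self._verified[(user, zone)] = (factor, when)

    def evaluate(self, req: AccessRequest) -> Decision:
        zone = RESOURCE_ZONE.get(req.resource)
        if zone is None:
            return Decision(False, "unknown resource: default deny")
        policy = ZONE_POLICY[zone]

        # 1. Least privilege: the role must explicitly grant this action on this resource.
        allowed = ROLE_PERMISSIONS.get(req.role, {}).get(req.resource, set())
        if req.action not in allowed:
            return Decision(False, f"role {req.role!r} has no {req.action!r} on {req.resource!r}")

        # 2. Device posture: sensitive zones refuse unmanaged or non-compliant endpoints.
        if policy["managed_device"] and not (req.device_managed and req.device_compliant):
            return Decision(False, f"zone {zone!r} requires a managed, compliant device")

        # 3. Per-zone verification: proof for another zone does not carry over,
        #    it must be strong enough for this zone, and it must be fresh.
        proof = self._verified.get((req.user, zone))
        if proof is None:
            return Decision(False, f"no verification for zone {zone!r}: step-up required")
        factor, when = proof
        if FACTOR_RANK.get(factor, -1) < FACTOR_RANK[policy["min_factor"]]:
            return Decision(False, f"zone {zone!r} needs {policy['min_factor']}, got {factor}")
        if req.now - when > policy["max_age_s"]:
            return Decision(False, f"verification for zone {zone!r} is stale: re-authenticate")

        return Decision(True, f"{req.user} may {req.action} {req.resource} (zone {zone})")


def demo() -> list[Decision]:
    """Constructed scenarios; returns the decisions so a caller can inspect them."""
    pdp = PolicyDecisionPoint()
    t = 1_700_000_000.0
    pdp.record_verification("alice", "dev", "totp", t - 60)     # alice proved TOTP for dev
    pdp.record_verification("alice", "prod", "fido2", t - 60)   # ...and FIDO2 for prod
    pdp.record_verification("bob", "prod", "totp", t - 60)      # bob only has TOTP for prod

    def req(user, role, resource, action, managed=True, compliant=True, now=t):
        return AccessRequest(user, role, resource, action, managed, compliant, "10.0.0.5", now)

    return [
        pdp.evaluate(req("alice", "engineer", "prod-db", "read")),                 # allow
        pdp.evaluate(req("alice", "engineer", "prod-db", "write")),                # deny: role lacks write
        pdp.evaluate(req("carol", "hr-admin", "hr-records", "read")),              # deny: never verified for hr
        pdp.evaluate(req("alice", "engineer", "prod-db", "read", now=t + 1200)),   # deny: prod proof older than 900 s
        pdp.evaluate(req("bob", "analyst", "prod-db", "read")),                    # deny: TOTP too weak for prod
        pdp.evaluate(req("alice", "engineer", "prod-db", "read", managed=False)),  # deny: device posture
        pdp.evaluate(req("alice", "engineer", "source-repo", "write")),            # allow: dev accepts TOTP
    ]


if __name__ == "__main__":
    for d in demo():
        print("ALLOW" if d.allow else "DENY ", d.reason)
```

Three design choices are worth noting. The decision point defaults to deny at every step, including for resources it has never heard of. It returns a reason string with each decision so that denials can be logged and turned into a step-up prompt rather than a silent failure. And the source IP travels with the request for audit purposes but is never consulted when deciding, which is the practical meaning of ‘no trusted internal network’.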
Multi-factor authentication (MFA)
Another chief tenet of Zero Trust is MFA, whereby a user must prove their identity in two or more independent ways. A bad actor who learns the password for a protected system still needs the additional factor, such as a physical token or a registered device, to get in.
Two-factor authentication (2FA) is the best-known form of MFA, familiar from online banking and social media accounts. President Joe Biden’s Cybersecurity Executive Order (EO 14028) also makes MFA a federal requirement, directing agencies to adopt it across their systems.
Zero Trust concerns device access as well as user access. A comprehensive Zero Trust framework inventories the devices seeking access and checks their posture, for example whether they are managed, patched and running endpoint protection, before granting access; the source IP address is recorded for monitoring and audit, but is not itself treated as proof that a device is authorized.
Zero Trust can encompass many more technologies than those outlined, including IAM, SIEM, analytics, encryption, and file system permissions.
Implementing Zero Trust with Vertikal 6
Organizations of all sizes are on their way to adopting a Zero Trust approach to network security. Implementing a comprehensive Zero Trust framework is an ongoing process, though, rather than a one-off project.
If you think your organization still has security gaps that need to be closed, unmet compliance requirements, or are unsure how to define and set appropriate access levels for users, get in touch with the Zero Trust professionals at Vertikal 6 to schedule a free consultation.