Trust no-one: a quick guide to the zero trust security model
- Published: Friday, 31 May 2019 08:56
First developed in 2010, the zero trust security model has recently grown significantly in popularity. Jan van Vliet explains why zero trust security offers several benefits over and above traditional network-based security approaches; and describes the fundamental aspects required for implementing it.
The zero trust model is based around a central concept which states that an organization should have no default trust options for anything/anyone either inside or outside its boundaries. Instead, everything should be properly authenticated every time, before access to the network is granted.
How does zero trust differ from traditional approaches?
Most traditional approaches to network security focus on building strong perimeter defences / defenses that make it difficult for anyone to gain access without permission. However, where these approaches tend to fall down is that once inside, there is a default level of trust assigned to everyone/everything. As such, if a hacker manages to gain access, there’s often very little to stop them from moving freely around and accessing/exfiltrating anything they like.
Conversely, the zero trust model proposes that all access should be disconnected until the network has verified the user and authorised their reason for being on the network. Of course, achieving this requires an adaptable security strategy leveraging modern technology to go over and above traditional approaches.
Why should organizations adopt the zero trust model?
According to the UK Government’s Cyber Security Breaches Survey 2018, 43 percent of businesses reported breaches or attacks over the preceding 12 months, illustrating just how much of an issue cyber crime is becoming. Not only is it on the rise, but the penalties facing those unable to properly protect confidential or sensitive information are getting stiffer as well.
The way in which organizations structure networks is also a big factor. Many now have critical data and information stored in the cloud, making it even more important to properly verify and authorise users before granting them access. In addition, the explosive growth of mobile devices have made it easier than ever for users to access this sensitive data from anywhere, at any time, further necessitating the need to govern access at all levels with a zero trust policy.
Putting the zero trust model into action
The zero trust model relies on first creating a secure environment using continuous infrastructure transformation. It requires thinking differently and being a step ahead of hackers in order to provide a secure environment. The security team must introduce multi-factor authentication in order to access various micro segments of the network for high security, effectively making it difficult for hackers to obtain all of the different pieces they need to access someone’s account.
The model also includes a high-level risk management philosophy that builds on anomaly detection and data analytics. This helps in curbing security threats and aids in quicker detection and response to a security breach.
Zero trust networking adds additional protection against insider threats
Zero trust networking is an additional part of the zero trust model that’s designed to stop lateral movement within the corporate network. Once in place, a user who is on the same corporate level as his or her colleague will be prevented from having the same access as that counterpart. This is done by adding perimeters for verification at each step within the network. It uses micro-segmentation and adds granular perimeters at critical locations to prevent a malicious insider from accessing the organization’s most sensitive data and system processes.
Zero trust networking also eliminates the drawback of the traditional perimeter-based security model by completely removing trust entitled to internal users and tightening security around valuable assets.
Effective zero trust combines technology with processes
Zero Trust begins with granting user access only for the time they need to complete a given task, as per the governing policies of the organization. Doing so requires the implementation of various technologies including multifactor authentication, scoring, analytics, file system permissions and orchestration.
However, zero trust is about more than just using the right technology. It also develops security parameters by understanding how key business process are linked to the stakeholders and their mindsets. After all, security is designed from the inside out, not the other way around
The key benefit of the zero trust security model is that it helps organizations to overcome the growing limitations of perimeter-based security. By emphasizing the need for verification of user credentials at regular intervals, it creates an effective new barrier to safeguard applications, processes and data against both malicious insiders and external threat actors.
Jan van Vliet, VP & GM EMEA of Digital Guardian.