What Is Zero Trust?

Zero trust (ZT) is an architectural approach and goal for network security that assumes that every transaction, entity, and identity is untrusted until trust is established and maintained over time. ZT strategies contrast with the legacy view that a network is secure unless security systems identify a breach.

Security beyond the edge

Over the last decade or so, enterprises have become increasingly digitised. They now include cloud architecture, incorporate more remote work, and have added as-a-service solutions among other transformative changes. Security teams have scaled network security accordingly, often strengthening safeguards by segmenting the network into smaller zones.

This strategy, unfortunately, created more opportunities for attackers. When attackers access a user’s login information, they can move laterally across the network, spreading ransomware and adding privileges as they go.

Multi-factor authentication (MFA) improved credential strength, but added only one extra layer of authentication. Once in, hackers still have continuous access until they log out or the system logs them out.

New ways of working, including bring-your-own-device (BYOD), remote work and cloud architecture added a new set of vulnerabilities. But even new, stronger cybersecurity protections with heightened visibility end at the edge of the enterprise network and are blind beyond that point.

Zero trust security model

The ZT approach to cybersecurity turns the old paradigm upside down. Cybersecurity is no longer defined by network segments or within an enterprise network boundary. Trust is not granted based on whether a connection or asset is owned by an enterprise or an individual. It is also not granted based on physical or network location – internet or local area network.

Instead, ZT focuses on resources, users, and assets individually, no matter who owns them and where they are located. Authentication is individually performed for an enterprise resource before a user is granted access.

The ultimate goal is to get to zero trust of any network element until it is verified.

Zero trust standards

The short answer to zero trust certification and standards is that there aren’t any. The National Institute of Standards and Technology (NIST), founded in 1901 and now part of the U.S. Department of Commerce, provides technology, measurement, and standards information for the U.S. Its goal is to increase technology competitiveness.

NIST creates standards for communications, technology, and cybersecurity practices. The group has not yet created standards or certification for zero trust, but it has created a Special Publication (SP) discussing ZT’s architecture goals.

The paper’s abstract describes zero trust this way: “Zero trust is a term for an evolving set of cybersecurity paradigms that move defences from static, network-based perimeters to focus on users, assets, and resources.” The document goes on to describe the zero-trust approach in depth.

Zero trust confusion

There is some confusion in the cybersecurity world about what ZT is. Some vendors are taking advantage of the confusion to sell products tagged as ZT products. For the uninformed, this can lead to the misunderstanding that ZT is product-based.

ZT is not about particular products, although new and legacy products can be building blocks for ZT architecture. ZT is a revolutionary approach to cybersecurity. It stands firmly in the reality of how organisations and workers connect and work together today.

Moving toward zero trust

If an enterprise is building its infrastructure from scratch, it is possible, and perhaps simpler, to identify essential workflows and components and build purely ZT architecture. As the business and infrastructure change, the growth can continue to adhere to ZT principles over the long term.

In practice, most ZT implementations will be a process. Organisations will remain in some balance of ZT and perimeter-based security over time, gradually implementing modernisation initiatives.

Fully establishing ZT architecture is likely to take several years and encompass a number of discrete projects before reaching the ultimate goal of zero trust. However, there is never an “arrival” at ZT. It is about continuing to implement and enforce the ZT strategy over time, taking into account future business and infrastructure changes.

Developing a plan in advance of taking action can break the process down into smaller pieces and demonstrate success over time. Starting with a thorough catalog of subjects, business processes, traffic flows and dependency maps prepares you to address targeted subjects, assets, and business processes.

Zero trust principles

ZT architecture is a goal and an approach that takes time and attention to implement. It is not a one-time installation you can deploy and then move on from. It is a philosophy of cybersecurity that is supported by four primary principles. A particular principle may rely on a particular security technique, such as MFA for identity, but the technique used can change over time.

There are three basic functions that underlie the ZT approach.

  • Posture – in pre-ZT perimeter-based security, identity verification seldom happened, and when it did the result was black and white: safe or unsafe. The ZT approach means evaluating identities, devices, applications, and data usage for possible and acute risks. Posture is qualitative and looks at the whole picture.
  • Continuous assessment – the ZT approach is to constantly evaluate all transactions. A previous approach, network admission control (NAC), had a degree of this quality, but it was a single chokepoint that checked a smaller number of criteria and then granted trust. ZT architecture treats every access attempt as a chokepoint.
  • Assumed compromise – security operations centre (SOC) teams often operate on a policy of “verify then trust.” It is the assumption that all is well until a security system issues an alert. ZT starts from the assumption that nothing is secure, and nothing should proceed until everything is clear.
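The three functions above can be shown together in a small policy decision point. The following is an added example, not code from the original article or from any vendor it mentions: the posture signals, the sensitivity scale (1 to 3), the posture thresholds and the 15-minute MFA freshness window are all assumptions chosen for the demonstration. It scores device posture qualitatively rather than pass/fail, re-decides every request instead of trusting a login (continuous assessment), and denies whenever a required signal is missing (assumed compromise).

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step-up"   # grant only after a fresh MFA challenge
    DENY = "deny"


@dataclass
class Subject:
    user: str
    mfa_age_s: Optional[int]          # seconds since last MFA proof; None = never proved
    roles: set = field(default_factory=set)


@dataclass
class Device:
    device_id: str
    disk_encrypted: bool
    patched: bool
    edr_running: bool
    managed: bool


@dataclass
class Resource:
    name: str
    sensitivity: int                  # constructed scale: 1 (public) .. 3 (crown jewels)
    required_role: str


# Assumed policy: minimum posture score a device needs per sensitivity level.
POSTURE_FLOOR = {1: 1, 2: 3, 3: 4}


def device_posture(dev: Device) -> int:
    """Qualitative posture score 0..4: the whole picture, not one pass/fail check."""
    return sum([dev.disk_encrypted, dev.patched, dev.edr_running, dev.managed])


def decide(subj: Subject, dev: Device, res: Resource, mfa_max_age_s: int = 900) -> Decision:
    """Evaluate one access attempt. Nothing is carried over from an earlier
    decision, and a missing or weak signal resolves to DENY or STEP_UP."""
    if res.required_role not in subj.roles:
        return Decision.DENY
    if device_posture(dev) < POSTURE_FLOOR[res.sensitivity]:
        return Decision.DENY
    if res.sensitivity >= 2:
        # Sensitive resources need a recent MFA proof, not just a past login.
        if subj.mfa_age_s is None or subj.mfa_age_s > mfa_max_age_s:
            return Decision.STEP_UP
    return Decision.ALLOW


def run_session(subj: Subject, dev: Device, res: Resource, events: list) -> list:
    """Replay a session: each event may change device posture, and the access
    is re-decided after every event rather than once at login."""
    outcomes = []
    for change in events:
        for attr, value in change.items():
            setattr(dev, attr, value)
        outcomes.append(decide(subj, dev, res))
    return outcomes


def demo() -> list:
    """Constructed scenario: EDR stops mid-session, access is withdrawn, then restored."""
    alice = Subject(user="alice", mfa_age_s=120, roles={"finance"})
    laptop = Device("lt-01", disk_encrypted=True, patched=True, edr_running=True, managed=True)
    ledger = Resource("general-ledger", sensitivity=3, required_role="finance")
    events = [{}, {"edr_running": False}, {"edr_running": True}]
    return [d.value for d in run_session(alice, laptop, ledger, events)]


if __name__ == "__main__":
    print(demo())   # ['allow', 'deny', 'allow']
```

The point of `run_session` is that the second decision flips to deny even though the first was allow and the user never logged out; a perimeter or NAC model would have kept the session open.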

The zero-trust journey

ZT must be progressively implemented and continuously enforced. It is not a complete replacement or a one-time deployment that is then in place for the life of the network. It is a multi-year and multi-project incremental process that involves multiple aspects of the network, and it will need constant assessment as work habits, technology, and threats change.

How your organisation implements the ZT approach depends on your operation. Your highest-value assets are a good place to start.

The ZT journey includes four components:

  • Identity and access management (IAM) – Users want single sign-on and administrators want consolidated user administration. For an IAM project to be successful, it has to balance the organisation’s need for security with availability, usability, and cost-efficiency. It starts with mapping out which users need access to what resources, and adding MFA if the resource is particularly sensitive.
  • Privileged access management (PAM) – For the most sensitive resources, a PAM tool such as CyberArk, BeyondTrust, or Thycotic adds an additional level of security. This increases security and adds visibility.
  • Passwords – Password philosophy changes over time, and NIST recently issued new guidance. Based on their analysis, they recommend long passwords using familiar words instead of a group of random characters that is hard to remember. In addition, bad actors use compromised passwords quickly, and NIST’s opinion is that changing passwords every 90 days does not lower risk, but MFA does.
  • Continuous monitoring – Define your organisation’s policies for access, whether based on time, new resource requests, resource modifications, or anomalies. Authentication and authorisation must be strictly enforced before access is granted.
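The password item above describes a policy shift: length and memorability over forced character mixes, screening against passwords already exposed in breaches, and rotation driven by evidence of compromise rather than a calendar. The following is an added example, not code from the original article or from NIST: the 12-character minimum, the 90-day legacy interval and the breached-password list are constructed assumptions, and the list is a stand-in for the large breach corpus a real deployment would screen against.

```python
import hashlib
from datetime import date

MIN_LENGTH = 12    # assumption: length is the bar, not character classes
MAX_LENGTH = 128   # allow long passphrases without an artificially low cap

# Constructed sample of known-compromised passwords, kept as SHA-256 digests
# so plaintexts never sit in the policy file.
_BREACHED_DIGESTS = {
    hashlib.sha256(p.encode()).hexdigest()
    for p in ("Password123!", "Winter2023", "letmein", "correcthorsebatterystaple")
}


def _digest(candidate: str) -> str:
    return hashlib.sha256(candidate.encode()).hexdigest()


def check_password(candidate: str) -> tuple:
    """Return (accepted, reason). There is deliberately no rule demanding
    upper/lower/digit/symbol mixes, so memorable word-based passphrases pass;
    a short string is rejected however 'complex' it looks."""
    if len(candidate) < MIN_LENGTH:
        return False, "too short"
    if len(candidate) > MAX_LENGTH:
        return False, "too long"
    if _digest(candidate) in _BREACHED_DIGESTS:
        return False, "appears in a known breach"
    return True, "ok"


def legacy_rotation_due(last_changed: date, today: date, interval_days: int = 90) -> bool:
    """The older calendar-based rule, shown for contrast."""
    return (today - last_changed).days >= interval_days


def zt_rotation_due(known_compromised: bool) -> bool:
    """Rotate when there is evidence the credential is compromised, not on a schedule."""
    return known_compromised


def report(candidate: str) -> str:
    accepted, reason = check_password(candidate)
    return f"{candidate!r}: {'accepted' if accepted else 'rejected'} ({reason})"


if __name__ == "__main__":
    for pw in ("Tr0ub4dor&3", "Password123!", "purple otter drinks cold coffee"):
        print(report(pw))
    print("legacy rotation due:", legacy_rotation_due(date(2024, 1, 1), date(2024, 4, 15)))
    print("zero-trust rotation due:", zt_rotation_due(known_compromised=False))
```

Note that the policy still leaves a stolen password usable until it is detected; that gap is what the article's MFA recommendation closes, and the breach screen is what makes the "rotate on evidence" rule actionable.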
