Zero Trust

Definition of zero trust

Zero trust, a term initially coined in 1994 and later popularized by Forrester Research, has evolved to mean a cybersecurity model in which actors are granted privileges in an IT environment only once they have been verified. A common convention of traditional, perimeter-based architectures is to "trust, then verify," in which levels of trust are assigned to segmented network zones or groups of users. Many legacy networks seek to keep malicious actors out, while assuming that anyone who is already inside the network can be trusted.

Conversely, zero trust marks a new architectural model that treats misplaced trust as a vulnerability that can be exploited: It assumes that threats exist both inside and outside a network, so no one and nothing can be trusted implicitly. Under the zero trust model's principle of "verify, then trust," permissions are granted to a user account, device, application, or service only once it has been properly validated, in order to prevent the lateral movement of any potential attackers. More importantly, that trust must be continually reassessed, since it may otherwise become invalid. Visibility into posture and threat risks is key to establishing trust and must be maintained continually: both at the initial connection request and throughout the session, in case the risk level changes.

While traditional cybersecurity frameworks "trust, then verify," the zero trust model is based on the principle of "verify, then trust."

Why is zero trust important?

Legacy security practices have cracked under the strain of trying to scale and adapt to modern IT, and don't measure up against increasingly complex modern-day attacks that exploit distributed workforces, remote work, and bring-your-own-device (BYOD) policies for employees. Zero trust is an approach, implemented as an iterative process, that aims to be as responsive in real time to organizational operations and as automated as possible, leading to less downtime and IT architectures with smaller rule sets that are easier to implement automatically and do not require more people to maintain and react to. A defense strategy anchored in zero trust is designed to make an organization's security posture as software defined as possible, increasing resilience and the flexibility of the business in the face of increasingly sophisticated attacks, including ones that capitalize on stolen identities or credentials, lateral movement, shadow IT, BYOD and IoT.

Getting started with zero trust

Zero trust, as a higher-level approach and architectural model, is a wrapper around newer, specific security implementations, such as the Secure Access Service Edge (SASE) architecture described by Gartner to secure incoming and outgoing Software-as-a-Service (SaaS) and web transactions, which includes the communication channel-based Zero Trust Network Access (ZTNA) as a zero trust-based VPN.

While there has yet to be an industry-wide standard or certification regarding zero trust, there are different approaches and frameworks available, such as the US National Institute of Standards and Technology’s (NIST) special publication called "Zero Trust Architecture," that can serve as a guide in mapping out a zero trust strategy for your organization. Establishing initiatives and projects under the following areas can also help your organization along in its zero trust journey:

Identity and access management (IAM)

Users, including their devices and services, need to be authenticated before they can gain access to company resources. In order to do this, security teams need to determine every user's usage profile and the appropriate access they need to specific resources, which is then enforced through an IAM service. Multifactor authentication (MFA) tools are also recommended over static passwords, especially for protecting sensitive assets.

Privileged access management (PAM)

As an added layer of protection, critical assets may also be protected by PAM tools, which log privileged account activity as part of a robust authentication process. In the event of a breach, the data contributed by these tools makes for a more detailed forensic assessment.

Password management

Longer passwords built from familiar words are more effective, and easier to remember, than those that require a combination of special characters, numerals, and uppercase and lowercase letters. Similarly, mandating regular password changes does little to minimize risk, as threat actors usually capitalize on compromised credentials within a matter of hours. In light of this, MFA is still recommended over the use of a single password.

Continuous health assessment

Instead of relying on scheduled evaluations, security teams should consider continuous assessment, which monitors all transactions for any signs of breach or compromise. Telemetry from all sources, including endpoints, services, and email, should be consolidated to continually gauge the risk of every user identity, application, data store, and device within an IT environment.

Zero trust misconceptions

Misconception 1: Zero trust can be achieved by a single security solution.

Reality: Zero trust is not defined by any one product, nor is it dependent on the latest software and hardware trends.

It would be more accurate to say that there are products and services that work well as part of a zero trust environment. Zero trust is not a one-size-fits-all model; its successful implementation will depend on the needs of individual organizations. However, companies can benefit from prioritizing tools that incrementally automate tasks that are currently spread across multiple solutions or performed manually. This can, over time, streamline and reduce the complexity of an organization's cybersecurity architecture.

Misconception 2: Zero trust adoption calls for a network security overhaul

Reality: Implementing zero trust does not necessitate a "rip and replace" effort.

Zero trust is meant to augment, not supplant, an organization's existing security controls. Every DAAS (data, applications, assets, and services) element is unique in importance and security needs, so organizations can start small and focus on establishing a "microperimeter" around one asset at a time. Assess your organization's current cybersecurity setup to determine how the tools you already have can be adapted to a zero trust environment; any new security technologies can supplement your network later as needed.

Misconception 3: Zero trust should be applied to the most important assets first

Reality: Start with less important assets, then work your way up

Your most sensitive assets should not be the starting point of your organization's zero trust journey, because they leave little room for error. Organizations should endeavor to develop in-house expertise in practicing zero trust before they attempt to create a zero trust environment around their high-value assets. Security teams can refine their organization's zero trust strategy by practicing on less critical assets, and then gradually scaling up their efforts. Once security teams have determined which tools and policies work best for their organization and have secured their mission-critical DAAS, they can return to extending zero trust across the remaining, less valuable assets.

Examples of threat scenarios

By shrinking down attack surfaces to more manageable protect surfaces, a zero trust approach can fend off potential threats that would otherwise adversely impact legacy networks, such as:

Stolen credentials

If a malicious actor were to abuse stolen user passwords in an attempt to remotely infiltrate a traditional network, they may be able to gain unauthorized access by logging in with their own device. Under a zero trust environment, however, all actors are considered hostile: Verification is required of both the user account and the device identity, so an unrecognized device will not be able to pass authentication tests.

Compromised devices

Should a malicious actor infect a user's device with malware through attack vectors like phishing emails, they may exploit that device to gain a foothold in a traditional network, where the compromised device is implicitly trusted. In this case, a zero trust environment would make lateral movement impossible for a bad actor, as privileges differ across protect surfaces and the device's access is still limited based on the principle of least privilege. A zero trust model also involves the continuous assessment of user permissions, so this kind of suspicious network activity would be immediately flagged.
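The two scenarios above, together with the continual reassessment of trust described in the definition, can be modelled as a small policy decision point. This is an added example, not Trend Micro code: the accounts, device IDs, protect surfaces and risk scores are all constructed, and the "posture risk" readings stand in for whatever telemetry a real deployment would consolidate.

```python
from typing import Dict, List, Tuple

# Constructed inventory (not real identities): accounts with MFA enrolled,
# and devices enrolled to an owner. A device not in this table is unknown.
USERS: Dict[str, dict] = {"alice": {"password": "pw-alice-demo", "mfa": True}}
ENROLLED_DEVICES: Dict[str, str] = {"laptop-001": "alice"}
# Least-privilege policy per protect surface: permitted users and actions,
# and the highest device posture risk score tolerated for that surface.
POLICY: Dict[str, dict] = {
    "hr-db":   {"users": {"alice"}, "actions": {"read"}, "max_risk": 20},
    "finance": {"users": set(),     "actions": {"read"}, "max_risk": 0},
}

def evaluate(req: dict) -> Tuple[bool, str]:
    """Decide one access request. req carries user, password, device_id,
    device_risk (latest posture telemetry), surface and action."""
    acct = USERS.get(req["user"])
    if acct is None or acct["password"] != req["password"] or not acct["mfa"]:
        return False, "user verification failed"
    # Stolen-credential scenario: a correct password presented from an
    # unenrolled device, or a device enrolled to someone else, is denied.
    if ENROLLED_DEVICES.get(req["device_id"]) != req["user"]:
        return False, "device verification failed"
    rule = POLICY.get(req["surface"])
    # Least privilege per protect surface: no grant means no lateral movement.
    if rule is None or req["user"] not in rule["users"] \
            or req["action"] not in rule["actions"]:
        return False, "no grant for this protect surface/action"
    if req["device_risk"] > rule["max_risk"]:
        return False, "device posture risk exceeds surface limit"
    return True, "verified"

def run_session(req: dict, risk_telemetry: List[int]) -> List[Tuple[int, bool]]:
    """Continuous assessment: re-run the decision on every posture reading
    and stop at the first reading that revokes access (compromised device)."""
    outcome = []
    for risk in risk_telemetry:
        allowed, _ = evaluate({**req, "device_risk": risk})
        outcome.append((risk, allowed))
        if not allowed:
            break
    return outcome

if __name__ == "__main__":
    base = {"user": "alice", "password": "pw-alice-demo", "device_id": "laptop-001",
            "device_risk": 0, "surface": "hr-db", "action": "read"}
    print(evaluate(base))                                  # enrolled device, allowed
    print(evaluate({**base, "device_id": "unknown-box"}))  # stolen password, denied
    print(evaluate({**base, "surface": "finance"}))        # lateral move, denied
    print(run_session(base, [0, 10, 60, 5]))               # revoked at risk 60
```

Note that the policy never consults a network location: an "inside" request on an unknown device is treated exactly like an external one.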

Augmenting your zero trust network

No one is immune to cyberattacks, and a zero trust mindset can help maintain the integrity of an organization's security posture regardless of its size. Enterprises can leverage the visibility provided by solutions within the Trend Micro Vision One™ threat defense platform to help them incorporate zero trust elements into their current security infrastructure.

Trend Micro's zero trust strategy leverages comprehensive XDR telemetry and capabilities to provide exceptional visibility into attacks and posture risks. Zero Trust Risk Insights equips security teams with the ability to continually monitor the security posture of their organization, exposing unseen risks so they can make better decisions. By examining threat and posture risks across identities, devices, cloud applications, and data usage, it helps organizations understand their overall risk posture and priorities. It can also share risk scores with SASE solutions, whether third-party or Trend Micro's (in preview), to make automated and intelligent access control decisions.