What is zero trust?
How a zero trust security strategy better protects your business from internal and external attackers
As businesses shift to the cloud and attacks become more sophisticated, traditional security perimeters tied to the corporate network are no longer adequate to protect valuable resources in the modern IT environment. Employees still need to be able to access corporate data and applications, no matter where they’re stored or where employees are located, but businesses also have to be able to implement and monitor protections at a distance. Zero trust is a security concept many businesses are turning to in order to solve this dilemma.
Zero trust is based on the idea that no user or device, whether inside or outside a network, can be trusted. It’s a preventative technique effective for controlling access to networks, applications, and data.
It was coined in 2010 by Forrester Research and started gaining traction in 2014 when Google announced its implementation of a zero trust strategy, BeyondCorp, after falling victim to the Operation Aurora attack in 2009.
How does a zero trust model differ from regular methods?
Traditional methods of security work on the assumption that everything within the organisation’s network can be trusted and that all users will act responsibly. This ‘castle-and-moat’ strategy leaves the organisation open to internal threats, but it also gives external attackers unlimited access once they break through that initial barrier.
On the other hand, zero trust requires users both inside and outside the network to be continuously authenticated to access applications and data. Since the point of infiltration is usually not an attacker’s target but just a way in, zero trust uses micro-segmentation, multi-factor authentication, and other barriers to limit the access attackers have once they have entered the network.
What strategies does a zero trust network model use?
A zero trust policy is not one technology, but a holistic approach that can be built into the existing architecture and should be used across an entire organisation. It uses multiple methodologies to uphold the idea of ‘never trust, always verify’. Here are some tactics organisations can use to limit the access users and endpoints have within their networks:
- Least-privilege access: This involves assessing the needs of each user and giving them the lowest level of access possible, so that resources are only available to those that absolutely need them, rather than open to anyone in the network.
- Identity and access management (IAM): IAM automates the processes of authenticating users and managing the appropriate levels of access for each user. IAM systems will provision users with access based on their role and deprovision employees that leave the company.
- Multi-factor authentication (MFA): This is a core component of an IAM policy that requires the user to supply two or more verification factors, often through one-time passwords (OTPs) sent through SMS, email, or an app.
- Endpoint security technology: The desktops, laptops, tablets, and mobile phones that any employee might use to access corporate resources add to the points of access for an attack and have to be properly secured. As more employees connect through their own devices or WiFi connections, this is especially important.
- Micro-segmentation: This method divides workloads into separate zones and secures them individually, creating more barriers that attackers would have to bypass.
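The tactics above combine into a single access decision: every request is checked against the requester's role grants, MFA status, endpoint posture and the micro-segment it targets, and the network location of the request is deliberately not a factor. The following policy decision point is an added example written for this article, not code from any zero trust product; the roles, segments, device attributes and requests in it are constructed for illustration.

```python
"""Minimal zero-trust policy decision point (added example, constructed data)."""
from dataclasses import dataclass
from typing import Dict, Set, Tuple

# Least privilege: each role is granted only the segments and actions it needs.
ROLE_GRANTS: Dict[str, Dict[str, Set[str]]] = {
    "finance-analyst": {"finance-db": {"read"}},
    "dba": {"finance-db": {"read", "write"}, "hr-db": {"read", "write"}},
    "developer": {"dev-env": {"read", "write"}},
}

# Micro-segmentation: sensitive segments additionally require a healthy managed device.
SEGMENTS_REQUIRING_MANAGED_DEVICE = {"finance-db", "hr-db"}


@dataclass
class Device:
    """Endpoint posture attributes reported by the device management agent (constructed)."""
    managed: bool
    disk_encrypted: bool
    os_patched: bool

    def healthy(self) -> bool:
        return self.managed and self.disk_encrypted and self.os_patched


@dataclass
class Request:
    user: str
    role: str
    mfa_verified: bool
    device: Device
    source: str      # "internal" or "external"; intentionally never consulted
    segment: str
    action: str


def evaluate(req: Request) -> Tuple[bool, str]:
    """Return (allowed, reason). Every check must pass; 'source' plays no role."""
    if not req.mfa_verified:
        return False, "mfa-required"
    grants = ROLE_GRANTS.get(req.role, {})
    if req.action not in grants.get(req.segment, set()):
        return False, "not-granted-for-role"
    if req.segment in SEGMENTS_REQUIRING_MANAGED_DEVICE and not req.device.healthy():
        return False, "device-posture-failed"
    return True, "allowed"


if __name__ == "__main__":
    laptop = Device(managed=True, disk_encrypted=True, os_patched=True)
    byod = Device(managed=False, disk_encrypted=False, os_patched=True)
    print(evaluate(Request("alice", "finance-analyst", True, laptop, "external", "finance-db", "read")))
    print(evaluate(Request("alice", "finance-analyst", True, laptop, "internal", "finance-db", "write")))
    print(evaluate(Request("bob", "dba", True, byod, "internal", "hr-db", "write")))
```

The order of the checks matters: authentication (MFA) is settled before authorisation, and device posture is only consulted for the segments that demand it, so a personal device can still reach the low-sensitivity development segment while being kept away from the databases.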
How do you enact a successful zero trust framework?
The tactics listed above will only work, however, if you can continuously monitor and validate a user and their device. Zero-trust enforcement relies on real-time visibility of a user’s identity, endpoint type, login details, and other attributes, and without this visibility, you won’t be able to clearly define policy.
You’ll need to identify the most sensitive data, assets, applications, and services (DAAS) and separate this from the rest of the network. Then you’ll want to map out the traffic surrounding this data—how it’s being accessed, where it’s going, and what it’s being used for. Knowing the intent of your organisation’s data is crucial to protecting it, and automated discovery tools can help with understanding this and deciding which data flows are absolutely essential.
Once you know what flows will be allowed and which won’t, you can architect the network to place boundaries between the different flows, creating micro-segments that will require authentication and validation to pass through and will help contain breaches.
Here monitoring comes in again, but this stage is not about defining policy but rather enforcing it. You still need real-time visibility once you’ve implemented a zero trust architecture, only this visibility will be used to ensure continuous compliance.
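The three steps above (identify the DAAS, map the flows around it, then turn the essential flows into segment boundaries that are continuously monitored) can be carried through on a single log feed. The script below is an added example, not code from this article or from any vendor: it discovers which sources reach each sensitive asset from constructed connection records, reduces them to the flows an owner declares essential, and then uses the same record format as the enforcement and compliance check. Hosts, addresses, segment names and log lines are all constructed.

```python
"""Flow discovery, allowlisting and boundary enforcement for DAAS (added example)."""
from collections import Counter
from typing import Dict, List, Set, Tuple

# Constructed connection records in a simple "src_ip dst_ip dst_port" format.
DISCOVERY_LOG = [
    "10.0.1.11 10.0.5.10 5432",  # finance-app -> finance-db
    "10.0.1.11 10.0.5.10 5432",
    "10.0.1.12 10.0.5.20 5432",  # hr-app -> hr-db
    "10.0.2.30 10.0.5.10 5432",  # workstation -> finance-db, bypassing the app tier
    "10.0.2.30 10.0.1.11 443",   # workstation -> finance-app, not a DAAS-bound flow
]

# Step 1: the sensitive DAAS, keyed by the hosts that serve them (constructed).
DAAS: Dict[str, str] = {"10.0.5.10": "finance-db", "10.0.5.20": "hr-db"}
# Asset inventory used to describe the source side of each flow (constructed).
HOST_ROLES: Dict[str, str] = {"10.0.1.11": "finance-app", "10.0.1.12": "hr-app", "10.0.2.30": "workstation"}

Flow = Tuple[str, str, int]  # (source role, DAAS name, destination port)


def parse_record(line: str) -> Tuple[str, str, int]:
    src, dst, port = line.split()
    return src, dst, int(port)


def to_flow(src: str, dst: str, port: int) -> Flow:
    return HOST_ROLES.get(src, "unknown"), DAAS[dst], port


def discover_flows(lines: List[str]) -> Counter:
    """Step 2: map the traffic surrounding the DAAS: who reaches each asset, on which port, how often."""
    flows: Counter = Counter()
    for line in lines:
        src, dst, port = parse_record(line)
        if dst in DAAS:
            flows[to_flow(src, dst, port)] += 1
    return flows


def approve_flows(discovered: Counter, essential_sources: Dict[str, Set[str]]) -> Set[Flow]:
    """Keep only discovered flows whose source the data owner has declared essential for that DAAS."""
    return {flow for flow in discovered if flow[0] in essential_sources.get(flow[1], set())}


def enforce(line: str, allowlist: Set[Flow]) -> str:
    """Step 3: the micro-segment boundary. Any DAAS-bound flow not on the allowlist is denied,
    which is also the continuous-compliance signal once the architecture is in place."""
    src, dst, port = parse_record(line)
    if dst not in DAAS:
        return "pass"  # not bound for a sensitive asset; other controls apply
    return "allow" if to_flow(src, dst, port) in allowlist else "deny"


if __name__ == "__main__":
    discovered = discover_flows(DISCOVERY_LOG)
    for flow, count in discovered.items():
        print(f"{count:>3}  {flow}")
    allowlist = approve_flows(discovered, {"finance-db": {"finance-app"}, "hr-db": {"hr-app"}})
    for line in DISCOVERY_LOG:
        print(enforce(line, allowlist), line)
```

Discovery only proposes; the owner's declaration of which sources are essential is what turns a frequently observed flow into an allowed one, which is why the workstation that was seen reaching the finance database directly ends up denied at the boundary even though it appeared in the mapping stage.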
Making changes to a zero trust policy after implementation
Automation will be a crucial component of your policy engine to quickly make changes when necessary. The automated system can judge policy change requests that are within defined legitimate parameters and pass along those outside the parameters to actual human eyes, reducing the time you have to devote to maintaining your new zero trust model.
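A policy engine that auto-approves changes "within defined legitimate parameters" needs those parameters written down as rules. The triage function below is an added example, not code from this article or any product: it applies revocations automatically (they only ever narrow access), auto-approves low-risk grants from a trusted requester, and hands everything else to a human reviewer with a reason attached. The roles, sensitivity levels and parameter values are constructed.

```python
"""Automated triage of zero-trust policy change requests (added example, constructed data)."""
from dataclasses import dataclass
from typing import Any, Dict


@dataclass(frozen=True)
class ChangeRequest:
    requester_role: str   # who submitted the change
    segment: str          # micro-segment the change applies to
    action: str           # "grant" or "revoke"
    target_role: str      # role whose access changes
    permission: str       # "read" or "write"
    sensitivity: str      # classification of the segment: "low", "medium" or "high"


# Defined legitimate parameters for automatic approval (constructed values).
AUTO_POLICY: Dict[str, Any] = {
    "auto_revoke": True,                         # removing access never widens exposure
    "trusted_requester_roles": {"segment-owner"},
    "auto_grant_permissions": {"read"},
    "auto_grant_max_sensitivity": "medium",
}
SENSITIVITY_RANK = {"low": 0, "medium": 1, "high": 2}


def triage(req: ChangeRequest, policy: Dict[str, Any] = AUTO_POLICY) -> str:
    """Return 'auto-approve', or 'human-review:<reason>' for anything outside the parameters."""
    if req.action not in {"grant", "revoke"}:
        return "human-review:unknown-action"
    if req.action == "revoke" and policy["auto_revoke"]:
        return "auto-approve"
    if req.requester_role not in policy["trusted_requester_roles"]:
        return "human-review:untrusted-requester"
    if req.permission not in policy["auto_grant_permissions"]:
        return "human-review:privileged-permission"
    if SENSITIVITY_RANK[req.sensitivity] > SENSITIVITY_RANK[policy["auto_grant_max_sensitivity"]]:
        return "human-review:sensitivity-exceeds-threshold"
    return "auto-approve"


if __name__ == "__main__":
    print(triage(ChangeRequest("segment-owner", "dev-env", "grant", "developer", "read", "low")))
    print(triage(ChangeRequest("segment-owner", "finance-db", "grant", "finance-analyst", "read", "high")))
    print(triage(ChangeRequest("helpdesk", "finance-db", "revoke", "contractor", "write", "high")))
```

Every human-review outcome carries the rule that stopped automatic approval, which is what the reviewer needs in order to decide quickly and what an auditor needs to confirm the engine stayed within its parameters.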