What Is Zero Trust?
Zero Trust is a cybersecurity strategy that eliminates implicit trust within a network or system. In short, it means, “trust no one.” With zero trust, every user is held to the same scrutiny when trying to access a system, program, or asset.
In place of a perimeter-only security architecture, often called a “castle-and-moat” approach, in which the network boundary is defended but internal access points are not, zero trust employs controls at access points throughout a system. This approach removes what is often referred to as “privileged access,” a kind of access where users have elevated permissions. Zero trust falls under the umbrella of “identity and access management,” as it pertains directly to user access.
How Does Zero Trust Work?
Zero trust is intended to shrink the potential attack surface during a breach by proactively limiting what users can access within a network or system. A good way to think of it is as a series of roadside checkpoints between towns. Every driver, no matter who they are or where they’re going, must stop at the checkpoint for verification before continuing to the next town.
The History of Zero Trust
The term “zero trust” was coined by Forrester back in 2010, and at the time it referred to a new system that was starting to replace the outdated perimeter security model. The idea was for organisations and security experts to scrutinise the efficacy of firewalls or perimeter models in the face of evolving cyber threats.
The first application of this model was in 2014 with Google’s BeyondCorp. This technology shifted access control to specific users and applications in place of the castle-and-moat system. As remote work became more common in the following years — accelerated by the pandemic — the flaws in the VPN systems that allow this remote access became apparent, and more companies began to utilise technology solutions for zero trust. Workforces have become dispersed and the physical barriers into a network or system (like those in a traditional office) have disappeared in recent years, making zero trust a necessity for security.
While the term has become so buzzy it’s almost lost meaning among many in the security industry, the actual application of zero trust is critical to modern cyber security and can limit the damage done if your organisation is attacked.
What is Zero Trust Network Access?
Zero Trust Network Access (ZTNA) is a component of the overall zero trust strategy and ideology. If ZTNA is implemented for a network, a user must go through the same access controls, regardless of location, to access any part of that network. Unlike a VPN, which adds a layer of control if a user is outside of a physical perimeter, ZTNA applies everywhere, every time a user requests access.
Zero Trust vs. Zero Trust Framework
The two terms are interchangeable. Zero trust, when applied to an organisation, is a framework that dictates user and access management; which of the two terms is used depends on the context.
Zero Trust vs. Least Privileged Access
Zero trust is often confused or conflated with the concept of least privileged access. Least privileged access refers to giving a user access to only what they need to complete a task, and nothing more. While least privileged access deals with user permissions or privileges, zero trust implies that there is no automatic privilege. Every user must go through the same access controls every time.
Zero Trust and Multi-factor Authentication
A simple way to start implementing zero trust within your organisation is to require multi-factor authentication for access to critical assets and systems. Multi-factor authentication is an access control that verifies the user is who they say they are, regardless of their location or the hardware they are logging in from. It requires two (or more) forms of authentication drawn from something they know (a password), something they have (a phone or key fob), and something they are (a known user or employee identity). Multi-factor authentication meets zero trust requirements by forcing a user to identify themselves every time they wish to gain access.
Zero Trust and Credential Theft
According to recent data, compromised credentials are the top cause of data breaches, outpacing phishing attacks and vulnerability exploitation. Implementing a zero trust model can prevent credential theft and credential-based attacks by adding another layer of security and ensuring that no user has privileged access. This protects organisations’ most critical access points and data. Implementing multi-factor authentication (as mentioned above) can prevent these kinds of breaches.
However, it should be noted that multi-factor authentication is not enough, especially against sophisticated attacks, so zero trust should be one piece of a robust security architecture.
Benefits of Choosing a Zero Trust Model
Opting for a zero trust model can increase your organisation’s cybersecurity in a multitude of ways, including:
- Reducing potential attack surface
- Improving cloud security
- Gaining better access control
- Preventing the use of stolen credentials, as credentials alone would not allow access
- Improving compliance
How To Implement a Zero Trust Architecture
Going from strategy to application of zero trust is a little more complicated than just requiring multi-factor authentication and calling it a day. The application will depend on the organisation’s business and security needs, as well as organisation or industry-specific risk factors that need to be addressed.
However, there are general guidelines organisations can follow to work towards zero trust architecture:
- Identify and assess important access points that would require extra controls. Those can be as broad as the entire network or as granular as individual files.
- Identify the users that would utilise those access points and assets.
- Determine what technologies or solutions to use to create the access control, such as multi-factor authentication.
- Establish set policies and implement controls for the identified users and access points.
- Monitor controls and adjust or expand as needed.
Minimum Requirements for Achieving Zero Trust
To properly implement a zero trust model, the following aspects of identity and access must all be accounted for:
- Identity. All users must be met with the same access controls.
- Data. All data and data access must be evaluated and protected according to risk.
- Devices. All devices must be secured (with endpoint management) as well as monitored.
In addition, organisations should use analytics and monitoring to ensure zero trust is being followed and there are no threats or breaches.
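As an added illustration of the implementation guidelines and minimum requirements above (example code, not part of the original article), the following compares a castle-and-moat decision, which trusts anything inside the office network, with a zero trust decision that checks identity (MFA), device and data risk on every request regardless of location and records each decision for monitoring. The address range, resource names and risk tiers are constructed for the example.

```python
"""Added example: per-request access decisions under a perimeter model
versus a zero trust model. All names, ranges and risk tiers are constructed."""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical corporate address range; the perimeter model trusts it implicitly.
OFFICE_NETWORK = ip_network("10.0.0.0/8")

# Constructed data classification: high-risk resources need a managed device.
RESOURCE_RISK = {"wiki": "low", "payroll-db": "high"}


@dataclass
class Request:
    user: str            # identity claimed by the request
    mfa_verified: bool   # identity: did the user complete MFA for this session?
    device_managed: bool # device: is the endpoint enrolled in endpoint management?
    source_ip: str       # where the request came from (irrelevant under zero trust)
    resource: str        # data: what is being accessed


def castle_and_moat_allows(req: Request) -> bool:
    """Perimeter model: anyone already inside the office network gets in,
    so stolen credentials used from an internal host are never challenged."""
    return ip_address(req.source_ip) in OFFICE_NETWORK


def zero_trust_allows(req: Request, audit: list[str]) -> bool:
    """Zero trust: evaluate identity, device and data risk on every request.
    Source address is deliberately not consulted; every decision is logged so
    monitoring can show whether the controls are being followed."""
    reasons = []
    if not req.mfa_verified:
        # A password alone (possibly stolen) is not enough to gain access.
        reasons.append("mfa-missing")
    # Unknown resources default to high risk (deny by default).
    risk = RESOURCE_RISK.get(req.resource, "high")
    if risk == "high" and not req.device_managed:
        reasons.append("unmanaged-device")
    decision = "ALLOW" if not reasons else "DENY"
    audit.append(
        f"{decision} user={req.user} resource={req.resource} "
        f"src={req.source_ip} reasons={','.join(reasons) or '-'}"
    )
    return not reasons
```

Run the two functions over the same request to see the contrast: an internal host using stolen credentials passes the perimeter check but fails zero trust, while a remote employee with MFA on a managed device fails the perimeter check but passes zero trust.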
Barriers to Zero Trust
Many organisations utilise a hodgepodge of security and access management solutions, many of which do not integrate with each other. This makes it difficult for an IT team to set permissions across a network or organisation without doing so manually in each application. This becomes even more difficult once third parties are introduced to the organisation.
In addition, with the dissolution of a physical perimeter, users are accessing digital networks from anywhere and everywhere, so no blanket permissions can be applied based on a perimeter. Individual access points must be evaluated by the IT department.