“Never trust, always verify” is the Zero Trust catchphrase. The Zero Trust Approach is an evolving data loss protection model that focuses on users, assets, and endpoints. It sounds simple – it’s based on the need to authenticate and authorize any access to the network, because trust is not assumed, not even if it has already been granted. But it’s more than that.
Zero Trust is a continuous cycle of ensuring that the network or system and all data in it is safe from internal and external breach. It verifies who the accessing user is, that their device is what they say it is, and it monitors the behaviour of that user, be it a human or program, to make sure they aren’t up to any funny business even after they are granted access.
On another level, Zero Trust is already thinking ahead to limit the impact if a data breach does occur.
The fall of the perimeter
It’s a departure from the previously sufficient “trust but verify” method, which, once inside the perimeter, trusted every user by default. But firewalls haven’t been popular in cybersecurity for quite some time now. Securing a network from the outside isn’t enough.
With the rapid expansion of network trends such as VPNs and cloud-based assets and the shift towards utilizing remote workers who tend to work on their personal devices (very much thanks to the pandemic), from all over the world, the original method has become starkly lacking.
With so many variables, a much more comprehensive system was needed to keep data safe(r). A static security system guarding the gates of a system just wouldn’t cut it anymore.
A new type of cybersecurity system
Enter Zero Trust. Put simply, it’s no longer just a case of “we don’t trust you until we do”, it’s more along the lines of
we don’t trust you or your device until we do, and then you need to keep proving yourself to us or else we’ll stop trusting you in a heartbeat.“
It takes into account all possible types of networks, from local and cloud to hybrid. It also considers all possible user access: local, remote, and everything in between and beyond, and it thoroughly inspects endpoints. It’s a cyber watchdog that never sleeps.
Any and all information in transition is encrypted, authorized and validated, and leaves a trail that is consistently inspected. Users need to gain and maintain access.
What are the Zero Trust guidelines?
The Zero Trust Approach is a widely recognized framework for preventing malicious actions that could result in data loss. The concept is not new. The need to rid the cyber world of perimeters is something that has been discussed since the early 2000s, and Google developed the first zero trust architecture in 2009 after it experienced a massive breach of its own.
But the term “Zero Trust” wasn’t coined until analyst John Kindervag of Forrester Research used it in 2010. And the world ran with it.
Source: Forrester Research, Inc. (link)
In the US, the NIST 800-207 is the recommended Zero Trust guideline to adhere to (it’s the one the Biden administration mandates all US Federal Agencies use). In the UK, the NCSC Zero Trust principles mirror the US guidelines.
The basic components of Zero Trust are:
- Know your architecture. Identify the components of your network, including users, devices, services and data that you’re trying to protect.
- Know your identities. Each user requesting access, be it a human, a service, or a device, needs to be uniquely identifiable.
- Know you user’s behaviour and device health. You need to be able to measure and assess user behaviour and service and device health to indicate whether or not to establish confidence in them.
- Use authorisation request policies. Define policies against which each authorisation request will be judged.
- Authenticate and authorize across multiple signals. Don’t focus on just one area, make sure to include device location and health, and the identity and status of the user to assess risk.
- Monitor users, devices and services. Continuously asses their health, and link monitoring to your policies.
- Don’t trust any network. This includes your own local network.
- Choose to only incorporate services that have Zero Trust in mind. Use only services and products that have been designed to integrate with Zero Trust guidelines.
It’s important to remember that attackers adapt, and so Zero Trust mechanisms are also evolving. The most important goal for Zero Trust is widespread implementation. The fewer chances we give attackers, the harder their job will be.