Newer, more sophisticated cyber threats are forcing businesses to rethink security practices. Unfortunately, outdated security measures no longer provide sufficient protection for sensitive data. Hackers are getting sneakier and their attacks more sophisticated. A recent IBM study found that 48% of cybersecurity professionals say the frequency and sophistication of insider threats have increased in the last year alone. This is why the “Zero Trust” security framework is becoming increasingly important among businesses.
Zero Trust security is a way of thinking about your security architecture and overall risk management strategy. The idea is that you shouldn’t trust any user trying to access your services, even if they work within your organization. This is different from how many businesses have traditionally configured their security settings. In a traditional trust environment, administrators give employees broad access to whatever they need. As a result, there’s no way to determine who is connecting to the network or their intentions. For example, let’s say that you have three employees in your marketing department who need access to your company’s marketing database. You might configure your security settings so that each of them can see everything in that database. In a Zero Trust environment, you would configure each marketing employee, so they only have access to the exact data they need to do their job. The idea is that if one of these employees leaves the company or does something malicious with their access, they can’t see everything in the database.
Microsoft describes the fundamental Zero Trust security principles as follows:
Verify explicitly: Always authenticate and authorize based on all available data points, including user identity, location, device health, service or workload, data classification, and anomalies.
Use least privileged access: Limit user access with just-in-time and just-enough-access (JIT/JEA), risk-based adaptive policies, and data protection to help secure data and productivity.
Assume breach: Minimize blast radius and segment access. Verify end-to-end encryption and use analytics to get visibility, drive threat detection, and improve defences.
Zero Trust starts with identity, verifying that only the people, devices and processes granted access to your resources can access them.
Next comes assessing the security compliance of device endpoints – the hardware accessing your data – including the IoT systems on the edge.
This oversight applies to your applications, too, whether local or in the cloud, as the software-level entry points to your information.
Next, there are protections at the network layer for access to resources – especially those within your corporate perimeter.
Infrastructure includes data hosted on on-premises or in the cloud – physical or virtual, including containers and micro-services and the underlying operating systems and firmware.
And finally, data protection across your files and content, as well as structured and unstructured data wherever it resides.
Zero Trust is a comprehensive end-to-end strategy and requires integration across your entire digital estate, including identities, endpoints, networks, data, apps, and infrastructure.
The foundation of Zero Trust security is identities. Both human and non-human identities need strong authorization. It involves connecting from personal or corporate endpoints with a compliant device and requesting access based on strong policies rooted in the Zero Trust principles.
For example, Microsoft’s Zero Trust security model involves unified policy enforcement where the Zero Trust policy intercepts the request, explicitly verifies signals from all six foundational elements based on policy configuration, and enforces least privileged access. Signals include the user’s role, location, device compliance, data sensitivity, application sensitivity and much more. In addition to telemetry and state information, the risk assessment from threat protection feeds into the policy engine to automatically respond to threats in real-time. The policy is enforced during access and continuously evaluated throughout the session.
Policy optimization further enhances this policy. Governance and compliance are critical to a robust Zero Trust implementation. Security posture assessment and productivity optimization are necessary to measure the telemetry throughout the services and systems.
The telemetry and analytics feed into the threat-protection system. Large amounts of telemetry and analytics enriched by threat intelligence generate high-quality risk assessments that can be manually investigated or automated. Attacks happen at cloud speed – your defence systems must act at cloud speed, and humans can’t react quickly enough or sift through all the risks. The risk assessment feeds into the policy engine for real-time automated threat protection and additional manual investigation if needed.
Traffic filtering and segmentation are applied to evaluate and enforce the Zero Trust policy before access is granted to any public or private network. Data classification, labeling, and encryption should be applied to emails, documents, and structured data. Access to apps should be adaptive, whether SaaS or on-premises. Runtime control is applied to infrastructure, with serverless, containers, IaaS, PaaS, and internal sites, with just-in-time (JIT) and Version Controls actively engaged.
Finally, telemetry, analytics, and assessment from the network, data, apps, and infrastructure are fed back into the policy optimization and threat protection systems.
There are many advantages to implementing a Zero Trust environment, including:
Improved Compliance: A secure environment can also help you Ensure regulatory compliance. For example, Zero Trust shields all user and workload connections from the internet, so they can’t be exposed or exploited. This invisibility makes it easier to demonstrate compliance with privacy standards and regulations (e.g., PCI DSS, NIST 800-207) and results in fewer findings during audits.
Reduced Cyber Attacks: A Zero Trust environment reduces your risk of cyber attacks by preventing unauthorized access and malicious usage of your systems. Following the principle of least privilege, every entity is assumed hostile. Therefore, every request is inspected, users and devices are authenticated, and permissions are assessed before trust is granted. In addition, trust is continually reassessed as context changes, such as the user’s location or accessed data.
Without trust, an attacker who gets inside your network or cloud instance through a compromised device or other vulnerability won’t be able to access or steal your data.
Better Visibility: The Zero Trust security approach requires you to determine and classify all network resources. This gives you more visibility into who accesses what resources for which reasons and helps you understand what must be done to secure those resources.
Customer Trust: Today, organizations work in a diverse and distributed ecosystem, making it challenging to keep customers’ personal information private. A Zero Trust strategy makes it possible to ensure data privacy and, in turn, build customer trust.
Enhanced Flexibility: An organization’s technology needs are constantly shifting. As a result, applications, data and IT services may be moved around. Before zero-trust, moving applications and data from private data centers to the cloud, or vice versa, required new security policies to be created at each new location. This is not only a time-consuming process but can also result in mistakes that lead to security vulnerabilities. You can centrally manage app and data security policies with Zero Trust and use automation tools to migrate these policies where required.
The Zero Trust framework is a new way of thinking about your security architecture and risk management strategy. And while implementation requires time and expertise, the benefits are immediate and extend far beyond security. From making better use of your resources to enhancing compliance, a Zero Trust framework improves your security posture and can help you build strength and resilience throughout your organization.