Zero Trust Explained
With the reality of a distributed workforce, the concept of a corporate security perimeter has shifted. Gone are the days when we only had to secure our office buildings; today, we must protect everyone's personal spaces, including their homes. To navigate this complexity, organizations need a comprehensive security model, and that's where zero trust comes in. Rather than blindly trusting everything within the corporate firewall, the zero trust model verifies every request as if it came from an untrusted network because it assumes a breach could occur.
This approach is based on three key principles: explicit verification, least privileged access, and constant breach assumption. Every request for access must undergo full authentication, authorization, and encryption before access is granted. These authentication and authorization processes take into account all relevant data, such as the user's identity, data classification, device and application health, and location, whether it be a home office or a beach house in Hawaii.
Strong policies form the foundation of zero trust, allowing for a secure mobile workforce while still promoting productivity. Access to resources and information must be limited based on legitimate business processes, and user, service, and application access should be granted on a just-in-time and just-enough basis. Adaptive policies and data protection controls, based on risk assessments, must be in place to protect against the worst-case scenarios. Design your systems to minimize blast radius: each component should operate independently, so that the failure or compromise of one does not affect the others, within your risk tolerance. By using telemetry, analytics, and intelligence, you can increase visibility, accelerate detection, and respond in real time. Every step forward helps to reduce risk and increase trust throughout your digital estate.
Whether you're assessing your zero trust readiness or implementing measures to improve security across your identities, devices, applications, data, infrastructure, and networks, always keep in mind that no matter the source or target of a request, never trust, always verify.
You can think of zero trust like a secured hotel. There's a guard at the front door, and the front door is locked. Past the door, the elevator requires a key card. Beyond that, every room is locked, and once you enter a room, all the drawers are locked too. It's layers of security.
What is an example of zero trust?
An example of zero trust in action would be an organization that implements a multi-factor authentication process for all employees, regardless of whether they are accessing the network from within the office or from a remote location. In this scenario, each time an employee wants to access sensitive data or systems, they must provide not only their username and password but also a code sent to their mobile device or generated by a security key. The organization also verifies the device the employee is using, its operating system and security updates, and the location of the device before granting access.
Another example of zero trust would be an organization that only allows access to specific data and systems based on a user's role and the task they need to perform. The organization uses least privilege access controls to ensure that users can only access the resources they need to do their jobs, and nothing more. Additionally, the organization uses network segmentation and micro-segmentation to isolate sensitive data and systems from the rest of the network, making it more difficult for an attacker to compromise the entire network if they gain access to one system.
These are just a few examples of how organizations can implement a zero-trust approach to security. The goal of zero trust is to verify and validate every access request and to limit access to the least amount necessary, reducing the attack surface and minimizing the risk of a breach.
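The two examples above describe a policy decision that combines identity (a second factor), device health, location, data classification, and a role-based least-privilege check. The following is an added illustration, not code from the original page: a small policy evaluator in Python with constructed role entitlements and thresholds (the role map, the allowed-country set, and the 30-day patch age are assumptions for the example).

```python
from dataclasses import dataclass
from typing import List, Tuple

# Hypothetical role-to-resource entitlements (least privilege): a role may
# reach only the resources needed for its job. Constructed sample data.
ROLE_ENTITLEMENTS = {
    "finance": {"ledger", "payroll"},
    "engineer": {"source-repo", "ci"},
    "support": {"ticketing"},
}
# Constructed policy thresholds, assumed for this example.
ALLOWED_COUNTRIES = {"US", "CA"}
MAX_PATCH_AGE_DAYS = 30


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    resource: str
    classification: str      # "public", "internal" or "confidential"
    mfa_verified: bool       # second factor already presented this session?
    device_managed: bool     # enrolled in device management?
    os_patch_age_days: int   # days since the OS was last patched
    country: str             # where the request originates


def evaluate(req: AccessRequest) -> Tuple[str, List[str]]:
    """Decide 'allow', 'deny' or 'step-up' (ask for a second factor) and say why.

    Every request is checked the same way regardless of network origin, and
    all signals (identity, role, data classification, device health, location)
    feed the decision.
    """
    reasons: List[str] = []
    # Least privilege: the role must be entitled to the resource at all.
    if req.resource not in ROLE_ENTITLEMENTS.get(req.role, set()):
        return "deny", [f"role '{req.role}' is not entitled to '{req.resource}'"]
    # Explicit verification: anything beyond public data needs a second factor.
    if req.classification != "public" and not req.mfa_verified:
        return "step-up", ["second factor required for non-public data"]
    # Device health and location gate the most sensitive classification.
    if req.classification == "confidential":
        if not req.device_managed:
            reasons.append("unmanaged device")
        if req.os_patch_age_days > MAX_PATCH_AGE_DAYS:
            reasons.append(f"OS patches older than {MAX_PATCH_AGE_DAYS} days")
        if req.country not in ALLOWED_COUNTRIES:
            reasons.append(f"request from unapproved location '{req.country}'")
    return ("deny", reasons) if reasons else ("allow", ["all signals satisfied"])
```

A real deployment would take these signals from the identity provider and device-management telemetry rather than from request fields, and would re-evaluate them continuously rather than once per session.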
What are the six pillars of Zero Trust?
Zero trust security is typically built around six key pillars:
- Verify explicitly: Verify the identity of users and devices before granting access to resources and information.
- Least privilege access: Limit access to resources and information to only what is required for the user to perform their job.
- Assume breach: Assume that the network has already been compromised and act accordingly to minimize damage and prevent further breaches.
- Micro-segmentation: Segment the network into smaller parts, making it more difficult for an attacker to move laterally and compromise the entire network.
- Continuously monitor and assess risk: Use telemetry, analytics, and intelligence to continuously monitor the network for signs of compromise and adjust security policies in real time to respond to changes in risk.
- Secure the supply chain: Ensure that third-party vendors and contractors are following security best practices and that their systems and applications are secure before granting access to your network.
These six pillars form the foundation of a zero-trust security model and provide a comprehensive approach to securing a modern, distributed enterprise. By following these principles, organizations can better protect their data, systems, and applications against cyber threats.
Why do companies move to zero trust?
Companies move to a zero-trust security model for several reasons:
- Remote workforce: With the increasing number of employees working remotely, it has become more challenging to secure traditional corporate networks. Zero trust provides a comprehensive security model that can be applied to a remote workforce, ensuring that all access to corporate resources and information is secure, regardless of location.
- Cybersecurity threats: Cyber threats are becoming increasingly sophisticated and frequent, making it more difficult to protect against data breaches and cyberattacks. Zero trust helps to minimize the risk of these threats by verifying all access requests and limiting access to only what is necessary.
- Compliance requirements: Many industries have strict regulations and compliance requirements, such as the European Union’s General Data Protection Regulation (GDPR) or the Payment Card Industry Data Security Standard (PCI DSS), that mandate the protection of sensitive information. Zero trust provides a comprehensive security model that can help organizations comply with these regulations and standards.
- Cloud adoption: As more organizations move their applications and data to the cloud, they need to ensure that the same level of security is maintained. Zero trust provides a security model that can be applied to cloud-based resources and applications, helping organizations to secure their cloud infrastructure and protect against threats.
- Security incidents: Companies that have experienced security incidents, such as data breaches or cyberattacks, often move to zero trust as a way to improve their overall security posture and reduce the risk of future incidents.
Overall, companies move to zero trust to improve their security posture, comply with regulatory requirements, and secure their digital estate in the face of increasing cyber threats.