A phrase that has gained popularity in the cybersecurity world in recent years is “Zero Trust”. The term was popularized by a 2010 Forrester Research paper in which John Kindervag explained how traditional network security models fail to provide adequate protection because they rely on an element of trust. Traditionally, network permissions have been managed broadly: once a computer or device is inside the perimeter it is treated as “trusted”, and data flows freely between such devices by default. This simplifies some IT processes but leaves the network exposed. If one “trusted” device is compromised, the attacker inherits its implicit access and can move laterally to the other computers and devices on the network.
The CompTIA Security+ SY0-601 Handbook offers this example: “Imagine Homer regularly accesses files on multiple servers in the network. Today, he clicked on a link in a malicious email and inadvertently installed malware on his system. The malware then uses Homer’s system and credentials to access all or most all of the server files that Homer regularly accesses.” In this scenario, Homer’s compromised workstation is about to give the malware a foothold on several of his company’s servers. The Zero Trust method addresses this by re-validating users and devices on each access, even if they were previously verified. One approach in Zero Trust network administration is to require multi-factor authentication (MFA). Returning to Homer’s example, just before Homer accesses the company server from his infected device, “the Server prompts Homer to provide a second authentication factor, which is unknown to the malware. This effectively blocks the attack.” Note what the second factor does and does not stop: it defeats the malware’s replay of Homer’s stolen password, but malware that hijacks a session Homer has already authenticated, or that waits for him to answer the prompt and then acts in his session, is not addressed by the factor alone. That is why a Zero Trust design pairs MFA with device health checks and per-request authorization rather than relying on it as a single gate.
In theory, the Zero Trust environment is easy to understand: devices inside and outside the network are subjected to the same scrutiny, and network location alone confers no trust. Though it sounds relatively simple, it is actually a complex implementation on the back end, because strict, default-deny permissions can interrupt legitimate communication between devices and users, especially on a network with many users. Since every device on the network is treated as untrusted until it is verified, its access is blocked by default. This requires network, security and systems engineers to design a set of rules, or standard procedures, tailored to specific applications and devices and based on the attributes of the individual user, the device and the request.
For an added layer of security, and to make access to secure networks practical, organizations are implementing multi-factor authentication to verify users on their devices. Users confirm their identity with a second factor, in many deployments a one-time code generated and delivered through email or text message. Codes sent over SMS or email are the weakest form of second factor, since they can be intercepted or relayed through a phishing page, so authenticator apps or hardware security keys are preferred where the data warrants it. Either way, the second factor gives a zero-trust network a way to identify the user behind a device. Other controls in a Zero Trust network include authentication services, remote access controls and application access controls.
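The Homer scenario above, the default-deny rule set, and the MFA discussion can be tied together in one piece of logic: a policy decision point that evaluates each access request on identity, device posture and the age and strength of the second factor, and denies unless every rule passes. The following Python is an added example written for this page; it is not code from the article or from CompTIA, Fortinet, Microsoft or the NSA. The device fields, the MFA age limits, the group names and the scenario data are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set


@dataclass
class Device:
    device_id: str
    managed: bool         # enrolled in the organization's device management
    disk_encrypted: bool
    edr_healthy: bool     # endpoint agent reports no unresolved alerts


@dataclass
class Session:
    user: str
    groups: Set[str]
    device: Device
    mfa_method: Optional[str]            # "sms", "totp", "fido2" or None
    mfa_verified_at: Optional[datetime]  # when the second factor was last presented


@dataclass
class Resource:
    name: str
    sensitivity: str       # "internal" or "restricted"
    allowed_groups: Set[str]


@dataclass
class Decision:
    allow: bool
    reasons: List[str]     # every failed check; empty when allowed


# Policy values are assumptions for this example, not any vendor's defaults.
MFA_MAX_AGE = {"internal": timedelta(hours=12), "restricted": timedelta(hours=1)}
PHISHING_RESISTANT = {"fido2"}   # SMS and TOTP codes can be relayed by a phishing page


def evaluate(session: Session, resource: Resource, now: datetime) -> Decision:
    """Default-deny: every applicable rule must pass, and the reasons list
    records each failure so a denial can be logged and explained."""
    reasons: List[str] = []

    # 1. Identity and least privilege: entitlement is explicit, never implied.
    if not session.groups & resource.allowed_groups:
        reasons.append("%s is not entitled to %s" % (session.user, resource.name))

    # 2. Device posture: a correct password from an unhealthy device is still denied.
    dev = session.device
    if not dev.managed:
        reasons.append("device %s is not managed" % dev.device_id)
    if not dev.edr_healthy:
        reasons.append("device %s has unresolved endpoint alerts" % dev.device_id)
    if resource.sensitivity == "restricted" and not dev.disk_encrypted:
        reasons.append("restricted data requires an encrypted disk")

    # 3. Second factor: present, fresh enough for this resource, and strong enough.
    if session.mfa_verified_at is None or session.mfa_method is None:
        reasons.append("no second factor presented")
    else:
        age = now - session.mfa_verified_at
        limit = MFA_MAX_AGE[resource.sensitivity]
        if age > limit:
            reasons.append("second factor is %d min old, limit %d min"
                           % (age.total_seconds() // 60, limit.total_seconds() // 60))
        if resource.sensitivity == "restricted" and session.mfa_method not in PHISHING_RESISTANT:
            reasons.append("restricted data requires a phishing-resistant factor, not %s"
                           % session.mfa_method)

    return Decision(allow=not reasons, reasons=reasons)


def homer_scenarios() -> Dict[str, Decision]:
    """Constructed data for the article's Homer example and three variants."""
    now = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
    fileserver = Resource("fileserver", "internal", {"engineering"})
    payroll = Resource("payroll-db", "restricted", {"finance"})
    clean = Device("LT-0042", managed=True, disk_encrypted=True, edr_healthy=True)
    infected = Device("LT-0042", managed=True, disk_encrypted=True, edr_healthy=False)

    def homer(device: Device, method: Optional[str], minutes_ago: Optional[int]) -> Session:
        at = None if minutes_ago is None else now - timedelta(minutes=minutes_ago)
        return Session("homer", {"engineering"}, device, method, at)

    return {
        # Malware replays Homer's credentials but cannot answer the MFA prompt.
        "no_mfa": evaluate(homer(infected, None, None), fileserver, now),
        # Malware rides a session where Homer already did MFA; posture still denies.
        "infected_device": evaluate(homer(infected, "totp", 5), fileserver, now),
        # Homer on a healthy device with a recent factor: allowed.
        "clean_device": evaluate(homer(clean, "totp", 5), fileserver, now),
        # Same healthy session against restricted data he is not entitled to, via TOTP.
        "payroll": evaluate(homer(clean, "totp", 5), payroll, now),
    }


if __name__ == "__main__":
    for name, d in homer_scenarios().items():
        print(name, "ALLOW" if d.allow else "DENY", d.reasons)
```

The point of collecting every failed rule rather than returning on the first one is operational: the "infected_device" case shows that a valid password plus a fresh second factor is still refused because the endpoint is unhealthy, and the reasons list is what the SOC needs in the log to tell a posture failure from a credential problem.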
According to Fortinet, a “Zero Trust model has three needs that need to be addressed in order to be effective; to Identify, Authenticate, and Monitor Users and Devices On and Off The Network.”
Discover and Identify Devices:
Organizations are also taking a Zero Trust approach to support workplace mobility. The freedom to work from anywhere has increased the need for endpoint security and for Zero Trust Network Access (ZTNA), which grants access to individual applications after verifying the user and device, in place of a VPN that places an authenticated device on the whole internal network. Some companies protect data on mobile devices by pushing company profiles with settings defined for each user’s device, while others issue employees devices that are preconfigured to the company’s standards. Where workers use their own devices, or in hybrid environments that mix personal and work devices, authentication services, multi-factor authentication, remote access controls and application access controls help prevent network compromise.
Know Every User That Accesses Your Network:
The growth of internet dependency, Internet of Things (IoT) devices and Bring Your Own Device (BYOD) programs makes it important to understand what is accessing a network, who is using those devices and whether they carry vulnerabilities. If someone without clearance gains access through a misplaced or stolen device, the consequences in the wrong hands can be serious. In a Zero Trust model, in addition to securing devices through mandatory validation, users must prove their identity through multi-factor authentication. This ensures that the people controlling the devices are in fact the people authorized to access the network.
Protect Assets On and Off the Network:
To ensure a secure environment, it is crucial to know what devices are connecting to a network. The number of applications and devices exposed to an ever-expanding attack surface has grown dramatically, and IoT devices and BYOD work policies have added an entirely new dimension to the demand for a secure network. Every device that connects to a network is an endpoint, and with the increase in wireless personal, home and work IP devices there has never been a greater need to secure endpoints and their access to secure networks.
The United States National Security Agency encourages organizations to embrace a Zero Trust model. They state that “as cybersecurity professionals defend increasingly dispersed and complex enterprise networks from sophisticated cyber threats, embracing a Zero Trust security model and the mindset necessary to deploy and operate a system engineered according to Zero Trust principles can better position them to secure sensitive data, systems, and services.” Microsoft highlights three benefits of a Zero Trust network: productivity anywhere, by enabling a mobile workforce; cloud migration, allowing digital transformation with intelligent security for today’s complex environments; and risk mitigation, by limiting security gaps and minimizing the chance that a compromise spreads to more devices on the network. Microsoft defines its Zero Trust approach by three principles: verify explicitly, use least-privilege access, and assume breach.
Cybersecurity breaches and news of malware attacks have become a daily occurrence, and for this reason organizations need to act quickly to improve their security posture. No single solution guarantees that an organization will not be breached, but by implementing several layers of protection and a strategic approach to managing network access, the risk can be greatly reduced. Deciding to implement and comply with a Zero Trust model is without doubt a step in the right direction.