Network security is always being challenged, and with that has come the zero-trust security model.
In the past, the idea that organizations had was that securing the perimeter around their IT network would be enough. That’s no longer the reality.
This has been heightened by the effects of the pandemic. The zero-trust model is more relevant than even a year ago because employees are working remotely.
The zero-trust security model starts to address the issues of securing the perimeter. With zero-trust security, you can secure all IT resources in a more comprehensive way than a perimeter-based model can.
In 2019, Microsoft publicly signaled they were using the zero-trust security model. They highlighted some of the tenets they were relying on for that implementation, including the principle of least privilege and verification of a user’s identity with authentication.
The following are key things any organization should know about the zero-trust model.
The zero-trust security approach is often described as a cloud-based model. There are three big advantages.
First, every transaction that occurs between users, networks, and devices is verified. Second, users only get access to what they need. The third advantage is that the whole interaction is monitored and then logged for both security and compliance.
What Is It?
In 2010, John Kindervag developed the zero-trust model. It’s also sometimes called zero-trust network architecture. It was created by Kindervag as a way to present new options as opposed to perimeter-based security.
With zero-trust security, all traffic has to be verified within an infrastructure. Then, an IT team always knows who and what’s being accessed, as well as when.
There was a real need for the zero-trust approach because perimeter-based security tends to be optimized for on-premises infrastructure.
Now, there are different needs because of the dispersion of many workforces as well as the reliance on cloud applications.
With zero-trust security, nothing inside or outside a perimeter is inherently trusted. Everything has to be verified before access is granted. There’s no access until the network knows who you are. There’s no access granted to machines or IP addresses until they’re authorized either.
Underlying the zero-trust philosophy is the assumption that attackers can just as easily be inside a network as outside it.
The least-privilege access principle is important in zero-trust security. This means that all of your users are given only the access they must have to do their jobs.
The growing popularity of the zero-trust model has come from the fact that some of the most damaging data breaches in recent years have occurred because cybercriminals have been able to get inside firewalls, and then once they gain access, they can move around through the systems with little resistance.
The perimeter model was also referred to as castle and moat, but the castle isn’t isolated anymore.
Companies no longer keep all of their data in their own corporate data centers. Instead, they have a combination of data storage in the cloud and on-premises.
Plus their customers, employees, and vendors are accessing applications from different locations and sometimes from around the world.
The Upsides of Zero-Trust
Some of the advantages of zero-trust have been briefly touched on, but it’s a big undertaking, so it’s worth delving into these more.
First, of course, you’re less vulnerable.
With a zero-trust security approach, you’re also required to have strong policies regarding access, identification and verification. That means that you’re putting in place best practices like implementing multi-factor authentication or using biometrics.
You’re segmenting data and reducing possible attack surfaces too.
While the advantages tend to outweigh the disadvantages from the perspective of most organizations, there are downsides that you have to think about.
For example, it’s a big endeavor to set up a zero-trust security architecture.
You also have to ensure that even in the midst of the re-organization, you’re still able to function.
It requires more employee monitoring, and you’re going to have more devices to manage.
Implementing a Zero-Trust Architecture
In the zero-trust model, you start by identifying your protect surface. This is initially made up of your most valuable, critical assets, services, applications and data. Your protect surface is unique to your business.
Your protect surface, since it’s your most critical assets, is a lot smaller than your attack surface.
When you identify a protect surface, you can start to assess traffic movement.
You can begin to audit who your users are and how they’re accessing data and applications.
That allows you to then create a perimeter around the protect surface, and from there, you can grow your zero-trust architecture outward.
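The audit step described above (identify the protect surface, then assess who is reaching it and how) can be done over ordinary access or flow logs. The following is an added example, not code from the original article: the log format, the asset names, the user-to-role directory and the expected-role allowlist are all constructed for illustration.

```python
"""
Added example (not from the original article): auditing traffic to a
"protect surface" before building a zero-trust perimeter around it.

Assumptions (all constructed for this example):
  * flow records are space-separated lines: timestamp user device src_ip dst_asset action
  * the protect surface is a small set of critical asset names
  * an allowlist maps each protect-surface asset to the roles expected to reach it
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log lines (not real traffic). Note carol's source address is
# outside the corporate range; zero-trust does not treat location as a trust signal.
SAMPLE_FLOWS = """\
2024-01-10T09:00:01Z alice laptop-17 10.1.4.22 payroll-db read
2024-01-10T09:00:05Z bob desk-03 10.1.9.8 wiki read
2024-01-10T09:01:12Z carol laptop-21 203.0.113.7 payroll-db read
2024-01-10T09:02:30Z dave vendor-pc 198.51.100.9 customer-api write
2024-01-10T09:03:00Z alice laptop-17 10.1.4.22 customer-api read
2024-01-10T09:04:44Z erin laptop-05 10.1.2.2 wiki write
"""

# The protect surface: the handful of assets the zero-trust perimeter is built around first.
PROTECT_SURFACE = {"payroll-db", "customer-api"}

# Which roles are expected to reach each protect-surface asset (least privilege).
EXPECTED_ROLES = {"payroll-db": {"finance"}, "customer-api": {"engineering", "support"}}

# Constructed directory mapping users to their business role.
USER_ROLES = {"alice": "finance", "bob": "marketing", "carol": "finance",
              "dave": "vendor", "erin": "engineering"}


@dataclass(frozen=True)
class Flow:
    ts: str
    user: str
    device: str
    src_ip: str
    asset: str
    action: str


def parse_flows(text):
    """Parse the constructed log format; malformed lines are skipped, not guessed at."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        flows.append(Flow(*parts))
    return flows


def audit_protect_surface(flows):
    """Summarise who reaches each protect-surface asset and flag access outside the expected roles."""
    summary = defaultdict(lambda: {"users": set(), "devices": set(), "unexpected": []})
    for f in flows:
        if f.asset not in PROTECT_SURFACE:
            continue  # outside the initial protect surface; audited later as the architecture grows outward
        entry = summary[f.asset]
        entry["users"].add(f.user)
        entry["devices"].add(f.device)
        role = USER_ROLES.get(f.user)
        if role not in EXPECTED_ROLES[f.asset]:
            entry["unexpected"].append((f.user, role, f.src_ip, f.action))
    return dict(summary)


if __name__ == "__main__":
    for asset, entry in audit_protect_surface(parse_flows(SAMPLE_FLOWS)).items():
        print(asset, "users:", sorted(entry["users"]), "devices:", sorted(entry["devices"]))
        for hit in entry["unexpected"]:
            print("  unexpected:", hit)
```

Running this on the constructed log flags two customer-api accesses: the vendor account writing to it, and a finance user reading it. The second finding is the kind of thing the article means by discovering something that should have been in the policy from the start; the remote source address of carol's payroll-db read is not flagged, because location is not the signal being audited.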
You should also view zero-trust security as dynamic, meaning that it can and does change as needed.
For example, you might see something that you should have initially included in your protect surface but didn’t.
There’s no dependency on location in zero-trust, which is what makes it so relevant right now, with people often working remotely.
Instead of being location-dependent, zero-trust spans your whole environment.
You’re gaining visibility even as your users are accessing applications from anywhere.
The Pillars of Zero-Trust
The principles of zero-trust are sometimes described as pillars.
The first pillar is the resources. Your data, devices, and services are resources you have to protect under this principle. If your employees use their own devices, these might also be considered part of your resources for the purposes of zero-trust.
The next pillar is communication, meaning that everything coming from within and outside a network is treated the same way. Another pillar is per-session access, meaning that every connection to a resource should be authorized independently, per session, rather than inherited from an earlier one.
The policy should be dynamic and built on least privilege, and monitoring is integral.
Finally, continuous improvement is always part of the principles of zero-trust. You’re never “done” creating zero-trust protection for an organization. Instead, there’s not just continual monitoring but also ongoing efforts to improve protection at every level.
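The pillars above (verify every request, treat inside and outside traffic alike, authorize per session, build policy on least privilege, and monitor everything) are easiest to see in a policy decision point. The following is an added example and not code from the original article or from any vendor's product: the session fields, the role permission table, the device posture checks and the minimum patch level are all constructed assumptions.

```python
"""
Added example (not from the original article): a minimal zero-trust policy
decision point that evaluates every request, grants least-privilege access
per session, and logs each decision for security and compliance review.

Assumptions (constructed for this example, not any product's API):
  * identity is a username, a role, and whether MFA was completed on this session
  * device posture is a "managed" flag plus a YYYY-MM patch level
  * permissions are per-role allowlists of (resource, action) pairs
"""
from dataclasses import dataclass, field

# Least-privilege grants: a role carries exactly the (resource, action) pairs it needs.
ROLE_PERMISSIONS = {
    "finance": {("payroll-db", "read")},
    "engineering": {("customer-api", "read"), ("customer-api", "write")},
    "vendor": set(),  # nothing by default; any grant must be added explicitly
}
# YYYY-MM strings compare correctly lexicographically, so a plain string compare suffices.
MIN_PATCH_LEVEL = "2024-01"


@dataclass
class Session:
    user: str
    role: str
    mfa_verified: bool
    device_managed: bool
    patch_level: str
    source_ip: str  # recorded for the audit log, never used as a trust signal


@dataclass
class Decision:
    allowed: bool
    reason: str


@dataclass
class PolicyEngine:
    audit_log: list = field(default_factory=list)

    def authorize(self, session, resource, action):
        """Evaluate one request. Nothing is cached: each call re-verifies the session."""
        decision = self._evaluate(session, resource, action)
        # Every decision, allow or deny, is recorded for monitoring and compliance.
        self.audit_log.append({
            "user": session.user, "src": session.source_ip,
            "resource": resource, "action": action,
            "allowed": decision.allowed, "reason": decision.reason,
        })
        return decision

    def _evaluate(self, s, resource, action):
        # 1. Verify identity: no access until the session has proven who the user is.
        if not s.mfa_verified:
            return Decision(False, "mfa-required")
        # 2. Verify the device, whether it sits inside or outside the office network.
        if not s.device_managed:
            return Decision(False, "unmanaged-device")
        if s.patch_level < MIN_PATCH_LEVEL:
            return Decision(False, "device-out-of-date")
        # 3. Least privilege: the role must carry exactly this (resource, action) pair.
        if (resource, action) not in ROLE_PERMISSIONS.get(s.role, set()):
            return Decision(False, "not-permitted-for-role")
        return Decision(True, "ok")


if __name__ == "__main__":
    engine = PolicyEngine()
    alice = Session("alice", "finance", True, True, "2024-03", "203.0.113.7")
    print(engine.authorize(alice, "payroll-db", "read"))
    print(engine.authorize(alice, "payroll-db", "write"))
    for entry in engine.audit_log:
        print(entry)
```

The checks run in the same order on every request, so a user who was allowed a minute ago is re-verified rather than trusted, and a denied request is logged just as an allowed one is. The source address appears only in the log entry, which is the point of the communication pillar: a remote finance user with a verified identity and a healthy managed device gets the same read on payroll-db as one on the office network, and neither gets write.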