What Is Zero Trust?
This emerging security framework goes beyond usernames and passwords to stop dangerous activity in its tracks.
Zero trust is a cybersecurity approach designed to enforce security for every user, on every device, at every stage of a digital journey. The traditional security model is based on perimeter defense: Users present their credentials at the gates and, once validated, are admitted to the network. Zero trust addresses insecurities and flaws inherent in this model, positing that traffic inside the network should not be automatically trusted—even if it is associated with an ostensibly authenticated user with valid credentials.
Zero trust aims to connect your most important asset—your data—with your most important resource—your people. This is especially critical now because people tend to interact with data at a number of locations—on a server at the office, on the cloud, on a laptop at home, or on their phone from just about anywhere. A zero trust framework allows you to monitor interactions wherever they occur and disable access or shut down interactions when necessary.
Today’s epidemic of cybersecurity threats, combined with the massive shift of corporate work from office to home, has created a perfect storm of enterprise vulnerability. With the rapid growth in the amount of sensitive data an organization creates and maintains, implementing a zero trust architecture is a clear imperative.
Compare and prescriptively improve your IT risk metrics against your industry peers.
What are the key principles of zero trust architecture?
The single most important principle of zero trust is “Never trust, always verify.” Drilling down further, the framework involves these other key principles:
- Authenticate at multiple points of entry. Unilateral access should not be granted once a user enters the “front door.” Check identity at all stages of access, using multiple authentication factors.
- Use least privileged access at all times. No user should be given the keys to the kingdom. Access should be limited to the bare minimum resources needed to perform a user’s job.
- Segregate the network. Unrelated parts of the network—for example, app development and finance operations—should be completely disconnected from each other.
Never trust, always verify.
- Protect every endpoint. Zero trust architecture must be able to analyze behavior and stop dangerous activity everywhere on the network, including on endpoint devices located at the network’s edge.
- Assume the worst. By acting as if the network is already under attack, an enterprise operates in a defensive state of maximum preparedness. This helps to limit damage in the event of a successful attack.
- Automate whenever possible. Zero trust can require a significant investment of time and resources and is largely impossible to achieve without automation.
Why is zero trust more secure than traditional security frameworks?
Zero trust offers the following advantages over traditional approaches:
- Zero trust is device-agnostic. Implemented properly, zero trust provides security at every level of operation—from the data center to the cloud to the edge. Traditional, perimeter-based access is not device-focused. A user could use a computer in an internet cafe, a borrowed cellphone, or any device able to log in to a network. As long as that person has a valid username and password, a traditional security infrastructure will validate and admit them, even if a device is riddled with malware.
- Zero trust works in real time. Traditional security tools often rely on periodic audits or penetration-testing activities to determine where vulnerabilities lie. Zero trust analyzes every transaction to determine its legitimacy, as it occurs, helping organizations stop attacks before they can gain significant traction.
- Zero trust understands behavior, not just identity. Imagine a user has a valid username and password, or even a valid code sent to a cellphone. But if that user’s laptop and phone have been stolen, a traditional security system would still let that user erase or download files at will from servers. Zero trust looks beyond the identity of users, examining their behavior to spot suspicious patterns of data usage.
- Zero trust uses automation to free up security operations staff. Security is often a tedious, manual job. Modern zero trust solutions use AI and automation to streamline security operations and allow staff to work on longer-term initiatives of greater value to the organization.
[Read also: Security automation, once considered a holy grail and not terribly popular, is enjoying a renaissance—here’s why, and how to make it happen]
What does zero trust mean for IT operations?
Zero trust introduces new ways of working that embed security and compliance in day-to-day IT ops. In traditional environments, security operations teams are generally separate from infrastructure and compliance management. If an IT change pushes a device out of compliance or introduces a security risk, zero trust tools allow the system to quickly revert to a known safe state—and can help prevent further changes that cause problems.
Security breaches cause significant operational problems. The cost of network downtime has been estimated to be $5,600 per minute, or $336,000 per hour. For large organizations, like global retailers and major manufacturers, the cost can be even higher. When Amazon’s AWS platform went offline in 2017, downtime caused up to $160 million in total losses to customers. To be sure, downtime isn’t always security related. But the principles of zero trust can also help prevent careless configuration errors that can lead to network instability.
Implemented properly, zero trust is just another way to strengthen network operations, helping operations managers answer questions about who has access to resources, what risks the systems and datasets represent, and which actions should be taken to shrink the attack surface. Ultimately, zero trust provides visibility into operations that is otherwise hard to come by.
What does zero trust mean for security operations?
The traditional tools of a security operations center (SOC) are built around perimeter defense. Zero trust upends that design, providing security not just at the entry points to the data center but also on edge devices. Security considers the behavior of all actors on a network at all times. For those in the SOC, this orientation can require some rethinking of day-to-day operations. Over time, however, most security professionals realize the benefits of a zero trust structure.
The finance team shouldn’t have access to source-code files on application development servers, and coders shouldn’t have access to sensitive financial data.
Fundamentally, zero trust reduces the size of a network’s attack surface. Stringent rules can help block access to certain types of data among a wide range of users, even if they’ve been successfully authenticated. For example, the finance team shouldn’t have access to source-code files on application development servers, and coders shouldn’t have access to sensitive financial data. Making data access much more difficult through zero trust infrastructure inherently improves cybersecurity.
Even if someone manages to outsmart those defenses, however, zero trust provides additional safeguards at the device level. For example, zero trust solutions can ensure that a device gets paired with its correct owner. If a laptop is stolen and the thief tries to log in with different credentials than expected, the system can shut down or limit access, giving the SOC time to investigate.
All told, zero trust technologies and techniques provide security operations with granular rules about network access. This in turn addresses regulatory compliance, privacy, and related concerns.
What are the technologies used in zero trust?
Core zero trust technologies include the following:
- Identity management and protection. A core tenet of zero trust is knowing who is an authorized user and ensuring their credentials are kept safe. Identity management and protection systems ensure user credentials are accurate and up to date, mandating strong passwords and quickly purging old accounts from the roster. Single sign-on tools are also a hallmark of zero trust.
- Multifactor authentication. A subset of identity management tools, multifactor authentication (MFA) technologies are a core component of zero trust. MFA dramatically raises confidence that users are who they claim to be. MFA can use multiple factors, including a token key code, geographic location, and biometric data, to authenticate users seeking access.
- User management. With these tools, security managers can dictate the types of actions a user can take. Actions may be allowed based on role, location, time of day, type of device, or other factors.
- Endpoint security. Zero trust software can reside not just in the data center and on the cloud but also on edge devices, providing the same protection to a user’s equipment as they get in the office.
- Behavioral analysis and management. These algorithms monitor behavior on the network and generate real-time scores to determine if a user’s actions are legitimate: If a user takes actions outside expectations, the score falls. Hit a certain threshold, and the account will be locked out, pending review.
- Encryption tools. Encryption is a common additional method to prevent data tampering, even in the event of a successful attack.
- Automation and robotic process automation (RPA). Human operators cannot keep track of all of the tools above, so automation is key in a zero trust environment. It streamlines malicious behavior detection, data traffic analysis, and patch distribution.
- Artificial intelligence (AI) and machine learning (ML). Many of the tools mentioned above depend on AI and ML rather than human intelligence. Like automation, AI/ML is not a stand-alone application used in zero trust but rather a broad technology that informs its design.
What is zero trust network access (ZTNA)?
Zero trust network access is a remote-access solution designed with zero trust security principles in mind. ZTNA is different from a traditional VPN because it is designed to give users access only to the services they need.
[ZTNA matches] services and applications to a remote user instead of simply opening the gates to the entire enterprise.
VPNs, on the other hand, are usually designed to provide blanket access to a network, much like a standard network login would offer. In this way, ZTNA works like an on-premises zero trust access solution, matching services and applications to a remote user instead of simply opening the gates to the entire enterprise.
As the number of remote users in the typical enterprise grows, ZTNA solutions are becoming increasingly critical.
How should IT and security leaders get started with zero trust?
IT and security pros can take the following steps to implement a zero trust strategy:
- Know what you have. Zero trust requires visibility. A detailed inventory of all systems, including Internet of Things (IoT) devices, is the first step in setting up a zero trust infrastructure. Many tools are available to help automate this process, but discovery can be complicated when devices are used remotely.
- Know what your devices are doing. Creating an inventory of equipment is only the beginning; the next step is understanding how that equipment operates. Are systems up to date? Have patches been applied? Are they in compliance with security policies?
[Read also: Are your workers in compliance with security policies? Sometimes they break the rules for what seem (to them) the right reasons]
- Reduce your attack surface whenever possible. Unused devices should be removed, outdated user accounts disabled, and unused services turned off. Zero trust solutions are designed to prevent access when something is amiss. But the approach is much more efficient and effective if you can reduce the devices and services that can be compromised to as few as possible. Segmenting a network is another effective way to reduce the attack surface.
- Begin with user-centric security enhancements. Roll out solutions such as multifactor authentication and single sign-on identity management systems. These tools can be enhanced over time with more-sophisticated zero trust technologies, such as ZTNA and role-based access control (RBAC), which is key to linking users to authorized behaviors.
What are the challenges to implementing a zero trust network architecture?
With zero trust, you cannot simply install software and call it a day. Challenges to building and maintaining zero trust network architecture include the following:
- The scale and scope of zero trust can be massive. Zero trust is a new concept for most enterprises, and it takes time to implement correctly. The best strategy is to start with a small group of critical systems and users, rolling out zero trust solutions to these areas and proving their worth before expanding more broadly.
- Some legitimate activity can be stopped by mistake. Many early zero trust cybersecurity solutions would incorrectly prevent users from accessing data or services they should have been able to reach. If a zero trust solution prevents the CEO from accessing sales records, it likely won’t be in use for long. Care must be taken to balance protection from legitimate threats with long-term usability.
- Delays can make zero trust less useful. Some zero trust solutions may be good at spotting dangerous activity. But they might not stop it in time to avoid damage. Zero trust works best in real time, preventing destructive behavior before it has a chance to spread across an IT environment.
- Compatibility issues can multiply. Older, legacy systems may be incompatible with zero trust solutions, requiring upgrades. Failure to eventually upgrade IT infrastructure to zero trust may leave you vulnerable to attack.
- Zero trust requires ongoing vigilance. After you roll out zero trust across your network, the system will still require regular updates and maintenance—and awareness of new attack vectors—in order to remain effective.