What is Zero Trust?
Digital transformation, cloud adoption and remote working have created the perfect storm that breaks the legacy architecture of a perimeter-based security model.
Cloud computing has pushed data, users and devices outside of the trusted corporate network. Organizations must respond with the appropriate security measures to eliminate vulnerabilities in this new environment.
Zero trust security is the answer to this challenge. But what is zero trust security?
Zero trust allows access to an organization's network from anywhere without compromising the ability to stay compliant with fast-changing privacy regulations. It's essential in today's work-from-anywhere world.
Zero trust is an IT security framework that provides secure access to applications and services based on defined access control policies, whether a user is inside or outside an organization's network. Besides being authenticated, authorized users must be continuously validated for their security configurations and postures before being granted access to data and applications.
Watch this 26-minute WWT Experts video and hear what WWT's Dr. Tim Robinson has to say about Zero Trust, including if there is more than one right way to approach it.
Zero trust is a series of concepts and involves the orchestration of many products across various pillars (e.g., user, data, devices, network, application and automation) to deliver a unified architecture. Because it works for infrastructure with no traditional network edge, you can apply the framework to local networks, the cloud and anything in between.
Zero trust focuses on securing a company's digital assets and preventing a breach. Here are the key benefits of a zero trust architecture compared with a legacy security architecture:
Zero trust mitigates the risks associated with the increase in attack surface caused by the adoption of cloud computing and remote working. It uses micro-segmentation to define micro-perimeters close to the data source, thereby eliminating the broad lateral movement found in many legacy architectures.
Zero trust components positively authenticate and authorize users and their devices to reach approved applications and information. This means the least privileged access model grants users access to data on a need-to-know basis. You can make company assets invisible to unauthorized users with the right technical solution. Since threat actors can't attack what they can't see, you can minimize the damage of a breach by limiting what can be accessed.
Unlike legacy architectures, a zero-trust solution can dynamically assess the security risk of users, devices and services to mitigate risks that may occur post-authentication. It can shut down access if a resource falls below what the organization deems as an acceptable risk level.
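As an added example (not WWT's code) of the continuous, risk-thresholded validation described above and in the definition earlier on this page: a toy policy decision point that scores device posture on every request and re-scores an active session whenever posture changes, revoking access once the score passes the resource's acceptable-risk threshold. The resource names, roles and risk weights are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Posture:
    mfa_verified: bool
    disk_encrypted: bool
    edr_running: bool
    patched: bool

@dataclass
class Subject:
    user: str
    roles: frozenset
    posture: Posture

# Assumed policy: resource -> (roles allowed, max acceptable risk score).
POLICY = {
    "payroll-db": (frozenset({"hr-admin"}), 10),
    "intranet-wiki": (frozenset({"employee", "hr-admin"}), 40),
}

# Constructed weights: each failed posture check adds risk.
WEIGHTS = {"mfa_verified": 50, "disk_encrypted": 20, "edr_running": 25, "patched": 15}

def risk_score(posture):
    return sum(w for name, w in WEIGHTS.items() if not getattr(posture, name))

def decide(subject, resource):
    """Decision = role check AND current posture vs. threshold; default deny."""
    if resource not in POLICY:
        return False, "no policy for resource"
    roles, max_risk = POLICY[resource]
    if not subject.roles & roles:
        return False, "role not authorized"
    score = risk_score(subject.posture)
    if score > max_risk:
        return False, f"risk {score} exceeds threshold {max_risk}"
    return True, f"risk {score} within threshold {max_risk}"

class Session:
    """The grant is continuous: every posture update re-runs the decision."""
    def __init__(self, subject, resource):
        self.subject, self.resource = subject, resource
        self.active, self.reason = decide(subject, resource)
    def update_posture(self, **changes):
        for name, value in changes.items():
            setattr(self.subject.posture, name, value)
        self.active, self.reason = decide(self.subject, self.resource)
        return self.active

def demo():
    alice = Subject("alice", frozenset({"hr-admin", "employee"}),
                    Posture(True, True, True, True))
    session = Session(alice, "payroll-db")
    before = session.active                           # compliant device: allowed
    after = session.update_posture(edr_running=False) # EDR stops: revoked mid-session
    return before, after, session.reason
```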
To address today's threat environment, you need to start with a zero-trust mindset:
- Assume all network traffic and requests for critical resources may be malicious.
- Assume all infrastructure and devices may be compromised.
- Accept that all access approvals to critical resources can incur risks.
- Be prepared to perform damage assessment, control and recovery operations.
- Implement aggressive system monitoring, system management and defensive operations.
Zero trust comprises various technical attributes that allow organizations to address the highest-risk areas efficiently. An effective zero-trust security framework should offer:
- A security-first design: Reduces risks through isolated network virtualization, granular separation of duties and least privileged access.
- Automated threat mitigation and remediation: Decreases the complexity of implementing security measures while preventing human errors.
- Continuous and always-on security measures: Includes default-enabled and ubiquitous encryption, continuous monitoring of user behaviors, and context-aware adaptive authentication.
Standards organizations, such as NIST, regularly publish architectural blueprints on how to build out zero-trust architectures. However, not every organization can instantly replace a legacy security architecture with a fully mature and optimized zero-trust approach. As such, we have laid out a logical path to provide our customers with a blueprint on where to get started and how to mature a zero-trust architecture over time.
- Establish stakeholder buy-in across the enterprise. Zero trust is a concept that spans the entire organization and often requires cultural change. Document and communicate the business benefits of a zero-trust strategy. Then, before any technical work begins, establish alignment and support from executives and business leaders.
- Gain visibility of all endpoints operating on your network. Asset discovery and inventory – including all users, devices, networks, apps, workloads and data – will show you what every device is doing on your network and whether this access is appropriate. Key technology solutions can help you discover and manage these endpoints.
- Follow data classification practices for your organization. Organizational data should be tracked, monitored, protected and only accessed by authorized users. Creating a set of basic data labels and data tags will help you understand how and where sensitive data flows through your network and defines a structure to govern data. Systems identified with corresponding data labels and tags should also be noted and tracked within your asset inventory.
- Address identity and establish least-privileged access. User identity is at the heart of a robust zero-trust strategy. Document your current maturity in identity and access management (IAM) and address key security gaps. For example, use least-privileged access models to ensure users only have rights to access critical data and applications on a need-to-have basis. Implementing additional functions from IAM – including single sign-on (SSO), multi-factor authentication (MFA) and role-based access control (RBAC) – will help you strengthen your authentication posture. Frequent review of roles and access is critical, especially as employees move into different positions.
- Shrink your attack surface with enterprise segmentation. Micro-segmentation defines micro-perimeters close to the data source, whether the segmentation target is a data class, application or business unit. User access can be isolated to a specific micro-segment of the network. These smaller network segments eliminate the ability for bad actors to move laterally across the network and reduce the likelihood of a single compromise affecting the entire organization.