In cyber security, identities are the real problem, numerous security breaches and successful attacks are due to privileged accounts and user accounts. We need to rethink our trust in identities and the granting of access to networks, applications and data – so redefining "trust". This is precisely what the Zero Trust model aims to address.
The phrase "Zero Trust" is on everybody's lips and is a response to current trends, including the fact that resources are increasingly located outside the company's own (network) boundaries. However, there is nothing new about Zero Trust: About ten years ago, the former Forrester analyst John Kindervag introduced to the IT world the concept of the "Zero Trust Network" – where companies never classify anything like one hundred per cent secure. For this reason, the Zero Trust model assumes that all assets, users and resources are not as trustworthy as such.
Today, security experts are seeing new opportunities in the Zero Trust approach to cyber security. Since the GDPR came into force, companies that fail to adequately protect their customer data risk severe penalties. Thus, Zero Trust can also be used to improve data protection. Here transparency plays a decisive role, i.e. the data flows and assets (users, devices, applications and services) must be known in order to introduce the appropriate authentication, authorisation and other access restrictions at all levels. At the same time, data must also be encrypted – both at the application- layer, during transmission and also during storage.
Identity is central to Zero Trust
The core of a Zero Trust strategy is to allow only authorized persons and resources to access the desired resources on a selective basis and with the required authorization. So in most transactions, identity is the main factor. This is explicitly not restricted only to individuals. Devices, networks and applications also access valuable data and so are also considered to be key players. The following points should be focused on as a first step:
1. Grant access by checking which persons and resources request access
2. Understand the context of the request.
3. Establish the risk of the environment for access.
4. Then grant access based on the principle of "least privilege".
Another factor that needs to be considered during authentication is the user's behaviour. Users typically use the same resources and have a regular activity pattern. When an abnormal behaviour is identified, then additional, stronger authentication factors need to be triggered. Zero Trust pushes companies to think again about having a high, multi-layered security wall and developing a model made up of many distinct segments. In other words, instead of concentrating on perimeter-based defences, companies should define the individual segments – with an immediate emphasis on critical data, applications, systems and networks, thus protecting the "crown jewels" right from the outset. This data centric approach has implications for all the areas of a corporate infrastructure.
On the Zero Trust journey
This makes it clear that introducing the zero trust model involves a rethink and, in most cases, continuous change. But where should the journey start? In addition to NIST SP 800-207 (Zero Trust architecture), the IDSA framework – named after the alliance of the same name – can also be used. This states that only making endpoints, firewalls and networks secure does not provide much protection against identity and credential based threats.
This evolution need not, and indeed cannot, happen overnight. On the contrary, the existing security architecture must continue to be developed in a targeted manner, i.e. the existing infrastructure needs to be modified and existing security controls need to be supplemented. This is also one of the model's greatest advantages. For this reason, we recommend starting the Zero Trust journey with a dedicated use case, or an app or user group. This way, initial successes can be demonstrated, valuable experience can be gained and new architectures or technology can be tested.
Zero Trust addresses current and future security challenges
Zero Trust is more relevant today than it has ever been because of the dispersed, virtual world, as the traditional infrastructure perimeter has eroded. Cloud and IoT are just two examples of this. Zero Trust provides companies with an architecture that uses identity context and enables risk-based access to critical resources. This improves security without compromising user-friendliness. Taking a methodical approach to implementation means that current and future threats can be significantly reduced and effort kept to a minimum.
Zero Trust architecture with the right partner
So there is no need for a completely new security landscape in a Zero Trust concept usually, most of the security landscape is already in place. The crucial factors here are that policies must fundamentally take into account the current risks, blind trust is a foreign concept and authorisations are kept to a minimum and dynamically adjusted.
Do you have any questions about the Zero-Trust approach, or do you need some support? We would be happy to show you the benefits of Zero Trust personally.