Digital transformation, the rise of disruptive technologies and working from home have left gaps in business security boundaries. As a result, traditional perimeter security solutions cannot cope with the demand to work from anywhere. Worryingly, data breaches and security incidents are only getting more frequent, and the implicit trust that perimeter security hands out is exactly what attackers exploit: trust is a vulnerability. How does Zero Trust address this? It requires strict and continuous identity verification and shrinks implicit trust zones to a minimum.
This blog provides guidelines for implementing an effective identity-centric Zero Trust architecture, which is how you achieve security in a post-perimeter environment.
What is Zero Trust?
Businesses have been through a fast-forward digital transformation. They have adopted new technologies such as IoT, cloud delivery and mobile, and this has led to the disintegration of the traditional IT security perimeter. In this environment, applications are delivered from the cloud, and the user could be anywhere with several devices in use. As a result, a single point of trust at the network edge is untenable. Every interaction carries risk, so you need a Zero Trust stance.
Zero Trust is a strategic initiative and principle that helps businesses prevent data breaches and protect their assets by assuming that no entity is trustworthy by default. The National Institute of Standards and Technology (NIST), in SP 800-207, defines a Zero Trust architecture as "a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as compromised."
Zero Trust goes beyond the "castle-and-moat" concept that dominated traditional perimeter security, and it recognises that trust is a vulnerability. Traditional security concepts treat all users as trustworthy once they are inside the corporate network, including threat actors and malicious insiders. As a result, anyone who gets past the first line of defence can move laterally and access or exfiltrate whatever data they want.
Zero Trust is a security model that requires strict identity verification and moves the decision to authenticate and authorise as close to the resource as possible. It focuses on authentication, authorisation and minimising implicit trust zones while maintaining availability and keeping the authentication experience seamless. Access rules are as granular as possible so that every entity receives only the least privilege required to act.
The Zero Trust foundational principles:
- A dynamic policy determines access to corporate resources. It is enforced per session and re-evaluated using information collected about the current state of the client identity, the application or service and the requesting asset, including behavioural and environmental attributes.
- All communications to resources must be authenticated, authorised and encrypted.
- Authentication and authorisation are agnostic to the underlying network; where a request comes from on the network is not a trust signal.
- The enterprise can monitor and measure the integrity and security posture of all owned and associated assets.
The situation
In the modern digital landscape, employees demand mobility and customers demand omnipresence: access to resources anytime and anywhere. As a result, traditional perimeter security can no longer protect your data and network from sophisticated cyber-attacks.
Legacy security solutions that backhaul traffic through on-premises routing to enforce authentication and authorisation for cloud services impede productivity, scalability and user experience and increase operational costs. They also add complexity and administrative overhead, and they create friction for users.
The increased use of IoT, multi-cloud platforms and containers requires numerous identities, all of which must be created, managed and authenticated. Businesses have therefore become increasingly reliant on identities and credentials, and those credentials are attractive targets for cybercriminals. Compromised credentials and identity theft are among the leading causes of security incidents and data breaches.
Meanwhile, regulations and standards such as GDPR, CCPA, PCI DSS and HIPAA are built on the principle of accountability and expect strong authentication and authorisation wherever regulated data is accessed or processed, which becomes harder to demonstrate as the attack surface expands.
Furthermore, the global working environment is changing. Remote working, accelerated by the pandemic, sped up the adoption of cloud platforms and increased the need to authenticate users effectively and to grant access to corporate resources based on contextual, adaptive and dynamic decisions at the access point.
A new type of Zero Trust
As a result, NIST (the National Institute of Standards and Technology) set out to standardise Zero Trust architectures in NIST Special Publication 800-207, Zero Trust Architecture (August 2020). This blueprint describes general deployment models and use cases where Zero Trust could improve an enterprise's overall information technology security posture, and it should lead to greater adoption of the Zero Trust security model.
The NIST approaches to Zero Trust Architectures
NIST SP 800-207 describes three approaches to building an effective Zero Trust architecture. It presents them as variations that are usually combined in practice rather than as mutually exclusive choices.
Identity-Centric
An identity-centric approach to Zero Trust places the identity of users, services and devices at the heart of policy creation. Enterprise resource access policies are based on the identity of the requester and its assigned attributes, and the access privileges granted to a given user, service or device are the primary requirement for access to corporate resources. For more adaptive authentication, policy enforcement may also consider other factors, such as the device in use, asset status and environmental signals.
Network-Centric
A network-centric approach to Zero Trust architecture is based on micro-segmentation of corporate resources, with each segment protected by a gateway security component. To implement it, the enterprise uses infrastructure devices such as intelligent switches (or routers), Next Generation Firewalls (NGFW) or Software Defined Networking (SDN) as the policy enforcement point protecting each resource or group of related resources.
The network-centric approach focuses on segmenting the traditional perimeter into sub-zones, so an entity is trusted once it is inside a zone. This reduces risk to a degree, but it is not risk-free, because it still assumes that an entity is safe once it is in a sub-zone. This approach therefore needs additional security measures and strong identity governance; in practice it is paired with identity-based checks at the gateway.
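The per-session, attribute-driven policy described in the foundational principles above, the identity-centric decision described under Identity-Centric, and the caveat about zone-based trust in the network-centric approach can all be shown in one small policy engine. The following is an added example written for this article; it is not code from NIST SP 800-207 or from any product. The policy table, the resource names (payroll-db, wiki), the users, the device posture fields and the 10.0.0.0/8 "corporate LAN" zone are all constructed assumptions.

```python
"""Per-request, identity-centric access decisions (added example, not page code)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Subject:
    user: str
    roles: frozenset
    mfa_verified: bool
    auth_age_seconds: int   # seconds since the last interactive authentication


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool          # enrolled in enterprise device management (assumed)
    disk_encrypted: bool   # posture fields assumed to come from an endpoint agent
    patched: bool


@dataclass(frozen=True)
class Request:
    resource: str
    action: str
    subject: Subject
    device: Device
    source_ip: str         # logged for audit; deliberately not a trust signal


# Hypothetical policy table: resource -> action -> conditions.
# Anything not listed is denied (default deny, least privilege).
POLICY = {
    "payroll-db": {
        "read":  {"roles": {"finance", "payroll-admin"}, "mfa": True,  "managed": True,  "max_auth_age": 3600},
        "write": {"roles": {"payroll-admin"},            "mfa": True,  "managed": True,  "max_auth_age": 900},
    },
    "wiki": {
        "read":  {"roles": {"employee"},                 "mfa": False, "managed": False, "max_auth_age": 28800},
    },
}


def device_posture_ok(device: Device, require_managed: bool) -> bool:
    """Asset-state check: management enrolment (if required), encryption and patch level."""
    if require_managed and not device.managed:
        return False
    return device.disk_encrypted and device.patched


def decide(req: Request) -> tuple[bool, list[str]]:
    """Evaluate one request against the policy. It runs on every request, so a change
    in identity, session or device state between two requests changes the answer."""
    rule = POLICY.get(req.resource, {}).get(req.action)
    if rule is None:
        return False, ["no rule grants this action on this resource (default deny)"]
    reasons = []
    if not (req.subject.roles & rule["roles"]):
        reasons.append("subject holds no role that grants this action")
    if rule["mfa"] and not req.subject.mfa_verified:
        reasons.append("MFA not verified for this session")
    if req.subject.auth_age_seconds > rule["max_auth_age"]:
        reasons.append("authentication older than policy allows; re-authenticate")
    if not device_posture_ok(req.device, rule["managed"]):
        reasons.append("device posture below policy")
    return (not reasons), reasons or ["all checks passed"]


CORP_LAN = ipaddress.ip_network("10.0.0.0/8")  # assumed internal zone for the contrast below


def zone_decide(req: Request) -> bool:
    """Network-centric rule, for contrast: anything already inside the zone is trusted."""
    return ipaddress.ip_address(req.source_ip) in CORP_LAN


# Constructed sample subjects and devices (not real users or hosts).
alice = Subject("alice", frozenset({"employee", "finance"}), mfa_verified=True, auth_age_seconds=600)
bob = Subject("bob", frozenset({"employee"}), mfa_verified=False, auth_age_seconds=120)
healthy_laptop = Device("lt-0001", managed=True, disk_encrypted=True, patched=True)
drifted_laptop = Device("lt-0002", managed=True, disk_encrypted=True, patched=False)


def demo() -> dict:
    # 1. Finance user, healthy managed device, coming from the internet: allowed.
    r1 = Request("payroll-db", "read", alice, healthy_laptop, "203.0.113.7")
    # 2. Same user and session, but the device fell out of compliance between
    #    requests: the next per-request decision denies.
    r2 = Request("payroll-db", "read", alice, drifted_laptop, "203.0.113.7")
    # 3. Employee without a finance role sitting on the corporate LAN: the zone
    #    model lets this through, the identity-centric model does not.
    r3 = Request("payroll-db", "read", bob, healthy_laptop, "10.20.30.40")
    return {
        "remote_finance_user": decide(r1),
        "device_drifted": decide(r2),
        "insider_on_lan": {"zone": zone_decide(r3), "identity": decide(r3)},
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The point of the third request is the caveat in the text: once a host is inside the 10.0.0.0/8 zone, the zone-based rule has nothing further to ask, whereas the per-request decision still wants a role that grants the action and a verified MFA step. The source IP is carried in the request only so it can be logged; it never changes the outcome, which is what "agnostic to the underlying network" means in practice.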
Cloud-based combination
A cloud-based, combined Zero Trust architecture leverages cloud-based access management together with Secure Access Service Edge (SASE) components, such as Software Defined Networking (SDN) or Next Generation Firewalls (NGFW), which protect on-premises resources and monitor network traffic.
Implementing Zero Trust
The modern enterprise security perimeter is no longer a physical location; it is a set of access points, dispersed and delivered from the cloud. Identity is the new perimeter and should be at the core of every access decision. The identity of any resource, user, device or service provides the crucial context for applying access policies.
Identity is the cornerstone of Zero Trust security for the applications and data assets an enterprise wants to protect. The greatest challenge is employing a comprehensive Zero Trust security solution that covers identities and data end to end.
Conclusion
In the traditional "Castle & Moat" security concept, bad actors are trusted as soon as they are inside the corporate network and are free to roam unencumbered. Zero Trust security concepts allow organisations to grow securely in the cloud and adjust to borderless, dispersed environments.