Rapid advancements in technology, particularly cloud computing and mobile applications, have redefined the security perimeter altogether. People bring their own smartphones and devices and work remotely, so data is shared and accessed outside the corporate network and sent to external vendors, facilitators, collaborators and partners. The traditional approach of perimeter security is no more.
The new perimeter is not bounded by the physical location of the organization; rather, it extends to every access point that stores or accesses organizational resources and services. Frequent interactions with corporate resources and services often bypass the on-site perimeter security model, which relies mostly on firewalls and VPNs.
These firewalls and VPNs lack the visibility, technological maturity and agility needed to deliver secure, timely and end-to-end security coverage. It was therefore imperative to redefine the traditional security model into one that adapts to the latest changes, embraces cloud computing as well as the mobile workforce, and protects valuable organizational data irrespective of its location.
It was against this backdrop that John Kindervag coined the term “Zero Trust Architecture” in 2010. This introductory article simply aims to provide an insight into what ZTA is and how it can be beneficial across organizations.
Its purpose is to analyze the concept of Zero Trust Architecture, or Zero Trust Network, and to offer actionable recommendations for business executives and IT security managers alike.
Why are Traditional Cyber Defense Mechanisms Weak?
Traditional frameworks assumed that attacks mostly originate from the outside, so cyber defense was concentrated at the perimeter. This approach does offer advantages and protects against cyber threats to some extent. However, attackers sometimes gain access to the system, and once they are inside, the network security is unable to distinguish good from bad. This gave rise to the demand for a model that merges the concepts of “perimeter-based security” and “defense in depth” with the tenets of Zero Trust.
What is ZTA?
ZTA is one of the latest buzzwords in the field of cyber security, coined by John Kindervag at Forrester Research Inc. Before we proceed further, it is important to clearly understand what Zero Trust is and what it is not.
In a Zero Trust model, every request is strictly checked, analyzed, authenticated as per policy, and scrutinized for anomalies before access is granted. It requires all users, whether inside or outside the organization, to be authenticated, authorized, and continuously validated before being granted access to data, services, and resources. Rather than assuming that everything behind the corporate firewall is secure, the principles of Zero Trust Security strengthen an organization’s security model by eliminating perimeter-based defense and enforcing strict authentication at each access point regardless of the user. The Zero Trust Security model treats no device, user or system as inherently trusted or trusted by default.
Zero Trust Architecture (ZTA), in its simplest form, states that organizations should not intrinsically trust anyone or any access request, whether from inside or outside their security perimeter. Instead, they must verify anything and everything trying to connect to their systems before granting access. In simpler words, Zero Trust boils down to Never Trust; Always Verify. Based on this principle, Zero Trust is a strategic step intended to prevent successful data breaches by removing the concept of trust from an organization’s network architecture. In other words, it is a security structure that strengthens an organization by eliminating implicit trust and enforcing strict authentication, of both user and device, throughout the network.
Central Theme of ZTA
Instead of believing that everything behind the corporate firewall is safe, ZTA assumes that everything is unsafe: it assumes a breach every time access is attempted and treats the request as if it may originate from an unauthentic source or network. ZTA teaches us not to trust, no matter where the request originated or what resources it wants to access. This philosophy of No Trust is the central theme of ZTA.
Why Implement ZTA?
Owing to rapid advancements in digital technologies, cloud computing, etc., implementing ZTA had been on the cards even before the Covid-19 pandemic. These days, when organizations rely heavily on remote working, particularly in the wake of the pandemic, this architecture has become a necessity in order to respond to security threats that have never been more apparent and to keep increasingly dispersed networks secure, particularly in the era of ransomware (a type of malicious software designed to block access to a computer system until a sum of money is paid).
Core Principles of ZTA
Exercise Principle of Least Privilege (POLP) Access
Do not grant unlimited access to anyone; rather, grant the least privilege needed, based on verifying who is requesting access, the context of the request, and the risk of the access environment. Adopt risk-based Just-In-Time (JIT) and Just-Enough Access (JEA) policies together with data protection to protect organizational data.
However, Zero Trust Architecture takes POLP to another level, i.e. Dynamic Least Privilege (DLP), whereby whenever a user needs higher access rights, they can.
Assume Breach Mentality
Perimeter-based security models cannot keep pace with cloud services and the mobile workforce. Smart attackers can successfully penetrate organizational networks, use resources, manipulate data, disrupt businesses, and stay under the radar through innovative methods. The only way to stay ahead of these attackers is to adopt an “assume-breach” approach, with a view to identifying, detecting and isolating them before they exploit your data or inflict serious damage. Users must be given the least possible access required to perform their job functions, to limit the blast radius.
Continuous Explicit Verification and Trust Evaluation
Continuous verification means there are no trusted devices, users, or credentials at all. Every device, user, data flow, or application needs to be treated as untrusted. Always authenticate and authorize access based on all available data points, i.e. user identity, location, service, etc.
Guidelines for ZTA Implementation
The following guidelines can help any enterprise gain the full advantage of this security model. However, it must be remembered that the model needs to be consistently pursued and regularly evolved to keep pace with rapidly changing technologies and innovative threat patterns.
Users, devices, and digital artifacts that need network access have to be identified upfront before proceeding any further. Users could be employees, third-party contractors, service accounts, serverless functions, or users with privileged access such as system administrators and developers. Likewise, Zero Trust also caters to the different devices that connect to an organization’s network. The use of Internet of Things (IoT) devices has made the identification and cataloging of devices even more challenging. These devices include workstations (laptops/desktops), smartphones, tablets, printers, smart security cameras, switches, routers, modems, etc., and as part of ZTA, all of them must have secure configurations. Lastly, applications and other intangible digital artifacts, including user accounts and digital certificates, also require network access.
Apart from all these, one needs to know about shadow IT/devices, i.e. technologies or devices that the organization’s IT team is not aware of; the IT team has to conduct a detailed scan so as to discover all such access points.
Know your Protect-Surface
The IT protect-surface means all those things that are important to the business. It includes the data, applications, assets and services, and most importantly the network that the company data traverses. What data is to be protected, which applications hold sensitive information and are crucial to the business, which assets are important, and which services an attacker might exploit all need to be looked into. For example, if the business provides guarding security services, then background information on the guard force is critical to your business: the Data is the guards’ personal information; the Assets are the servers that store this data, or even the equipment on which it is stored; and the Services are the services used to access the data.
Each protect-surface needs to be secured in a manner that is appropriate for that protect-surface. What’s critical to running your business needs to be protected first and prioritized accordingly.
Understand the Cyber Security Controls already in place
After mapping the protect-surface, the next principle is analyzing the cyber security controls that are already in place in the organization. This exercise is useful once the protect-surface mapping has taken place. It helps the IT team make the best use of existing tools, or redeploy them with a view to reaching the areas where cloud and other internet-based resources reside.
The Zero Trust model uses micro-segmentation, which is one of the most critical aspects of implementing Zero Trust, as it expects the enterprise to know which data is sensitive and which is not. In other words, micro-segmentation means splitting security perimeters into smaller, more manageable zones, each with its own access protocols, so that a user, device or program with access to one zone cannot access other zone(s) without explicit permission/authorization.
Incorporate New Tools and Modern Architecture
In most cases, the already deployed cyber security tools will not satisfy a comprehensive Zero Trust model, and additional tools may have to be added to provide protection while implementing it, drawing on the latest security tools that are able to pick up the slack where traditional tools fail.
Leverage Multi-Factor Authentication (MFA)
MFA requires two or more means of verification in order to gain access to any resource. One, the Knowledge Factor, which is normally a password, a pattern or a PIN. Two, the Possession Factor, which can be an ATM card, a smart card, or even a mobile phone (OTP). Three, the Inherence Factor, which could include fingerprints, face or even a retina scan. The system validates the authenticity of all the factors presented in order to grant access.
Apply Detailed Policy
Having incorporated the required technologies to build a Zero Trust framework, it’s time to put them to use through a Zero Trust policy, i.e. rules that permit access to different resources on a need-to-know basis. This policy must precisely state who is to be granted access to which data and services, and when. After finalizing the policy at the strategic level, IT managers can then reconfigure all security devices to allow access to the permitted ones and deny access to all others.
Monitor and Alert
This is the last step in the implementation cycle. It involves monitoring and alerting tools which give the security team visibility into whether the newly designed system is working properly or whether gaps in the Zero Trust framework are still being exploited.
It must be remembered that there will always be gaps/inconsistencies for which organizations need to carry out detailed analysis to identify and fix the flaws.
Though it may be difficult for operators to monitor for flaws in the Zero Trust model manually, the latest cyber security tools with AI capabilities, like Automation and Response, Network Detection and Response and Security Orchestration, etc., can reduce human involvement to a great extent. These state-of-the-art tools not only identify security-related incidents but also get to their root causes and suggest remedial measures.
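As an added worked example (not part of the original article), the following Python sketch shows how the core principles and the policy step above come together in a per-request policy decision: each request is evaluated from scratch against a micro-segmented protect-surface, least privilege is enforced by role and zone, MFA is demanded for the restricted zone, and every allow is a just-in-time grant with an expiry that shrinks for requests arriving from outside the corporate network. The zone map, roles, resource names and sample requests are all constructed for illustration.

```python
from collections import namedtuple
from datetime import datetime, timedelta, timezone

# Constructed micro-segmentation map for this example (hypothetical names):
# every resource belongs to one zone, and each zone carries its own access rule.
RESOURCE_ZONE = {"wiki": "internal", "hr-db": "restricted", "payroll-api": "restricted"}
ZONE_RULES = {  # zone: (roles permitted, MFA required, maximum JIT grant lifetime)
    "internal":   ({"staff", "admin"}, False, timedelta(hours=8)),
    "restricted": ({"hr", "admin"},    True,  timedelta(minutes=30)),
}

# 'network' ("corp" or "external") is a risk signal, never a source of trust.
Request = namedtuple("Request", "user roles resource mfa_verified device_compliant network now")

def evaluate(req):
    """Decide one request from scratch and return (decision, reason, expires_at).
    Nothing is inherited from earlier requests or from being on the corporate LAN."""
    zone = RESOURCE_ZONE.get(req.resource)
    if zone is None:                      # not in the protect-surface inventory
        return "deny", "unknown resource", None
    roles, needs_mfa, max_ttl = ZONE_RULES[zone]
    if not req.device_compliant:
        return "deny", "device posture non-compliant", None
    if not (req.roles & roles):           # least privilege: a role must fit the zone
        return "deny", f"no role permitted in zone '{zone}'", None
    if needs_mfa and not req.mfa_verified:
        return "deny", "MFA required for this zone", None
    # Just-in-time, just-enough: the grant covers this resource only and expires.
    ttl = max_ttl if req.network == "corp" else max_ttl / 2   # off-network: shorter grant
    return "allow", f"role match in zone '{zone}'", req.now + ttl

T0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)   # constructed clock value
SAMPLES = {  # constructed requests, one per check in evaluate()
    "hr_corp":     Request("ana", {"hr"},    "hr-db",  True,  True,  "corp",     T0),
    "hr_external": Request("ana", {"hr"},    "hr-db",  True,  True,  "external", T0),
    "hr_no_mfa":   Request("ana", {"hr"},    "hr-db",  False, True,  "corp",     T0),
    "staff_lan":   Request("bo",  {"staff"}, "hr-db",  True,  True,  "corp",     T0),
    "bad_device":  Request("bo",  {"staff"}, "wiki",   False, False, "corp",     T0),
    "unknown":     Request("bo",  {"staff"}, "nas-42", True,  True,  "corp",     T0),
}

def run_samples():
    """Return {name: (decision, reason, grant lifetime in minutes or None)}."""
    out = {}
    for name, req in SAMPLES.items():
        decision, reason, exp = evaluate(req)
        minutes = None if exp is None else int((exp - req.now).total_seconds() // 60)
        out[name] = (decision, reason, minutes)
    return out

if __name__ == "__main__": print(run_samples())
```

Note that the staff user on the corporate LAN is still denied the HR database: location never substitutes for an explicit role and MFA check.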
Benefits of ZTA
Reduce Risks of all kinds
Zero Trust assumes all users, services and even applications are untrustworthy and should not be permitted to communicate until proven otherwise (through a stringent verification methodology and predefined authentication/authorization). By enforcing this process and continuously keeping an eye on every access attempt, it reduces overall risk and does not allow overprovisioned software or services.
Accurate Inventory of Organizational Infrastructure
Organizations with Zero Trust architecture have the benefit of being aware of the number and types of users, devices, applications, data, and even services included in the corporate infrastructure and where these resources reside. An accurate infrastructure inventory not only helps with security-related matters but is also beneficial for long-term performance planning purposes.
Greater Visibility all across the Organization
Since Zero Trust assumes everything is untrustworthy, it is you who has to decide which resources, applications, etc. are to be protected and how (ideally everything must be protected). This way you will have full visibility into precisely who or what is attempting to access your network, along with the access time, location, etc.
Simplify IT Management
In order to evaluate access requests continually, one can use automation, which relieves the workload on human resources and makes things easier for the IT team. If the ZTA, based on key identifiers, judges the request to be standard, access is granted automatically. The IT team does not have to step in to approve every access request and may intervene only when the automated system raises a flag. This simplifies IT management to a great extent. The higher the automation, the fewer the human resources required for IT.
Improve Data Protection
Zero Trust delivers better data protection. A Zero Trust model coupled with just-in-time (JIT) access prevents undesirable users or malware from accessing the organizational network. Being able to limit user access, or to control how long users can access a resource, certainly helps reduce the impact of a breach, since once a system is breached it can expose precious data quickly. So, if access is restricted and time-specific, perpetrators have a lower chance of getting what they are looking for.
Enables Hybrid Workforce Security
The recent pandemic has resulted in a remote working style and forced people to work from anywhere using any device, resulting in remote access and the associated risks. ZTA enables the protection of such a hybrid workforce across all security domains.
Supports regulatory compliance
Regulatory compliance requirements like the General Data Protection Regulation (GDPR) etc. remain a major source of concern for organizations. The basic challenge for these organizations remains the same: how to keep the data protected. In a ZTA, every time an access is made, the identity is verified, which helps in knowing who is accessing and from where before access to the resources is granted.
Zero Trust Challenges
Large Scope of Zero-Trust Initiative
In ZTA, the focus is on the network, owing to the implicit trust that is part of perimeter-based network security; however, the network is certainly not everything in an organization’s IT environment and systems. Organizations also have to cater for applications and the data they generate, besides application development to support their business. This is a pretty large scope, and that is precisely why organizations take years to shift entirely to Zero Trust.
Need for a Strong Identity System
The identity system is one of the most important security technologies for a ZTA. These systems are the ones that authenticate a user or device. Security tools use this identity (user/device) as a point of reference to determine how much access it has, and with what limitations, in an IT environment. IT specialists implementing ZTA need to be aware and ready, because if this adaptive trust model shifts to being identity-centric, attackers will go after identities.
Residual Security Risks
Taken literally, in an organization with a “Zero Trust Model” its users and devices would not be able to access any resources, applications, or data, which means that at some point entities have to be granted a degree of trust and believed to be what they say they are. This is certainly risky; however, compared with implicit trust, a Zero Trust model is far more effective in keeping an IT system secure.
A Zero Trust Model appears most effective when planned over the entire organizational network; however, organizations may have to resort to a step-by-step approach for this change from traditional security, based on their resources and Zero Trust maturity. Even a slow transition, from traditional perimeter-based security to a hybrid infrastructure and then to Zero Trust, would be an approach worth considering. Each step in this direction will certainly make a huge difference in risk reduction and bring the organization a step closer to Zero Trust.