Zero Trust is more than a buzzword or a single product. Instead, it is a recognition that how we work has fundamentally changed and that we need to shift the way that we think about working securely.
At its core, Zero Trust marks a move away from the binary security model that focuses on keeping the good guys in and bad guys out, to one that validates every interaction before granting access to resources.
The common mantra of “never trust, always verify” expresses the core concept of the Zero Trust philosophy. But what does it mean in practice and how did we get to this point? In the hopes of understanding why we need to reconceptualize how we think about security, let’s take a look at what has changed in recent years to bring us to this new point of departure.
Imagine There’s No Perimeter, It’s Easy If You Try
We used to think of work as occurring at a physical place or location. Now we think of it as something that can be done from multiple locations and on many devices.
As recently as a decade ago, we came to the office and powered up our desktops in order to connect to the local network and access all of our resources. Since we were mostly logging in from local machines, it was fairly simple to know who was supposed to be inside the network and who wasn’t. At the end of the day, we left work at the office.
Later on, when we began connecting remotely and the open web was more of a risk factor, security turned out to be a higher concern so we started implementing firewalls like a moat around our castles. VPNs could teleport us into the network if we had the right credentials, but there was still a pretty clear definition of where our perimeter was. And it was generally assumed that if you had made it past the drawbridge, then you belonged there and could be trusted to move about as you pleased.
These days, there is not much of a network to speak of and the perimeter has been made irrelevant. The wide-scale move to cloud services like AWS has replaced the local network, moving many of our most valuable resources outside our supposed ring of protection. We no longer work from cubicles, instead using different devices to access resources from cafes, airports, homes, trains, and everywhere in between.
What we are left with are a series of endpoints seeking to access an equally dispersed set of cloud-based resources. So what exactly is the perimeter supposed to be protecting, and where does it begin or end? Simply put, there is no longer a line dividing those users or devices that we should inherently trust and those we should not.
Cat and Mouse, Moose and Squirrel — Because on the Internet, Nobody Knows You’re a Dog
As a concept, the idea of “never trust, always verify” sounds pretty darn catchy. But what do we really mean by this in practice?
For starters, we cannot assume that a user or device is who they say they are.
Since we have shed the idea that there is an inside and outside of a perimeter, we now need to view everything as if it were exposed or compromised, and therefore requiring authentication every time that it requests access. There are no more “safe” or “trusted” zones to be found here.
Data points like IP addresses are no longer useful for authentication purposes because everyone is working from different locations and IPs can be easily spoofed. Instead, we need to think about identifying devices and users/applications, verifying who they are, and making sure they have the right permissions to perform each action requested.
So how does this approach materialize in actual practice?
4 Zero Trust Principles You Should Know
To clarify the approach in more concrete terms, here are four of the key principles, practices, and technologies that we use in Zero Trust.
Multi-factor authentication (MFA) is one of the key technologies in use today for verifying user identities. With its roots in RSA tokens and Google’s Beyond Corp, MFA requires that a user requesting access provide not only something that they know (ie. their credentials) but also something that they have. This kind of verification might be carried out with a device like a Yubikey, an application on the user’s device like Google Authenticator, a push notification to their mobile, or in the worst of cases, an SMS. The hope is that if an attacker has stolen the credentials from a breach, data dump, etc, they will be denied access when challenged with MFA.
With machines calling in for access from around the world, verifying that each device has proper authorization is essential. Whether they are mobile devices belonging to employees or an AWS server, verification becomes necessary before granting access.
Limit Privileged Access
Not every employee should have access to all parts of your business; they probably do not need it in order to do their job, and it creates an unreasonable level of risk. Insider threats and compromised user accounts are common concerns that can be mitigated if we limit what users have access to in the first place. So even though we still require verification for every user, the Zero Trust approach tells us to provide everyone with the minimal level of privileges that they need, hopefully making it harder for adversaries to access more valuable bits of information or controls.
By the same token, we should be monitoring user behavior through all interactions to ensure that they are behaving as expected. Chances are that Steve from accounting probably does not need to have access to your users’ passwords or other sensitive data that is unrelated to his job.
In a similar vein, Zero Trust tells us to not put all of our company’s eggs in one basket. In practice, this means breaking up your data or other resources into smaller, divided sections so that even if an adversary is able to break into one part of your system, they are unable to make off with the entire haul in one go.
Zero Trust is a Process, Not a Product
Implementation of the principles laid out above will not come overnight, nor will your company achieve Zero Trust success by buying a shiny new product.
Instead, we should look to Zero Trust as a guiding principle that leads to a more honest conversation about how an organization works, and which processes and technologies need to be adopted in order for it to work more securely.
How are we granting access? According to what types of criteria? And what kinds of verification should we require? These are all questions that organizations should consider when deciding which Zero Trust solution is best for them.