As more users connect remotely, gravitate to Internet of Things (IoT)-based devices, and rely on digital communication to get work done, a growing number of organizations are turning to zero trust network architecture as the way to tighten access to critical data. But confusion persists.
When it comes to determining which components encompass a zero-trust network architecture, the concepts continue to mean different things to different people. Many businesses focus solely on user authentication, but that just scratches the surface of a true zero trust model.
Properly defining it
Among the security companies offering zero-trust solutions is Sophos, which gives the following description on its website:
“Sometimes referred to as ZTN or ZTNA, the main idea behind zero-trust network architecture is not to trust things “inside” a network or trust anything automatically or by default. Don’t trust anyone or anything. Just because we have a username and password doesn’t prove that we are the user those credentials belong to. Instead, everything must be verified. Regularly. And monitored and analyzed. Everything is assumed to be under constant attack, and that adversaries have already breached defenses. Security must adapt and require more points of data than just a username or password. Device, location, time of day, a second factor (2FA) or additional factors (MFA) for authentication and more can be incorporated when deciding if something should be allowed access or not and to hunt out anomalous or suspicious activity.”
For many security terms, the meaning of zero trust has been diluted, said Bradley Schaufenbuel, vice president and CISO at Paychex, a provider of payroll, human resources and other services.
“Every security vendor on the planet rushed to adopt the term to describe its product,” Schaufenbuel says. “Setting aside technical implementation and focusing on principles is helpful.”
To that end, he suggests using the definition the National Institute of Standards and Technology (NIST) set forth in Special Publication 800-27:
“Zero trust is the term for an evolving set of cyber security paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources. Zero trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location (i.e., local area networks versus the Internet) or based on asset ownership (enterprise or personally owned).”
With zero trust, authentication and authorization are discrete functions performed before access to an enterprise resource is established, according to the NIST definition. “Zero trust is a response to enterprise network trends that include remote users, bring your own device [BYOD], and cloud-based assets that are not located within an enterprise-owned network boundary. Zero trust focuses on protecting resources [assets, services, workflows, network accounts, etc.], not network segments, as the network location is no longer seen as the prime component to the security posture of the resource.”
With the basics better understood, security teams can move forward with zero trust implementation planning. But fine-tuning everything takes time and companies must continue to follow a broader security strategy.
In a blog post titled “Trust Nothing: What Does Zero Trust Mean and Why is It Important?”, Sophos notes that while zero trust technologies continue to roll out into consumer technology, there are still many platforms and services that aren’t zero trust. It’s important to continue practicing safe cybersecurity habits:
“Better cybersecurity can become a habit for you and your family if it is practiced every day,” Sophos said in the blog post. “Paying attention to what is happening in the world of cybercrime will help protect your valuable information if your devices are ever stolen or accounts are compromised.”
Consider this on the way to deployment
The primary components of a zero-trust architecture are robust authentication and granular authorization, and before an organization can implement either of those, they need to have a clean directory of identities and associated entitlements, Schaufenbuel says.
“I always recommend that organizations start their zero-trust journey by assessing the state of their identity and access management capabilities and closing any gaps therein,” Schaufenbuel says. “The next step is to implement robust authentication technology, including federated single sign-on across resources and support for strong — usually multi-factor — authentication.” For machine identities, this might mean PKI-based authentication.
Next, they need to focus on granular authorization. “This means access control at the resource level and not at the network level, Schaufenbuel says. “This may require investments in technology such as micro-segmentation.
Finally, an organization should implement a solution to continuously validate authentication and authorization throughout each session. “There are several vendors that have created zero trust extended ecosystem platforms that tie all these components together, Schaufenbuel says. “But remember that zero trust is not a silver bullet or a quick fix. It is a set of overarching principles and not just a product, and implementing it is a journey—and typically not a quick or easy one.