Zero trust

Who do you trust? And just what is zero trust, anyway?

Zero trust security is all the buzz right now. That's both good news and bad:

It means organizations are taking their security more seriously and putting in the controls they need to better manage risk.

It also means that the meaning of what "zero trust security" is gets blurred in all of the noise.

With that in mind, what does zero trust actually mean when it comes to enterprise security? It's an important question to answer because, when it's done right, zero trust helps solve some of the biggest challenges enterprises face when securing their systems and data. Consider the findings from the 2020 Verizon Data Breach Report, which found that, among hacking-related breaches, 80% involve credentials in some way, whether that's guessing passwords or using stolen username and password combinations.

Because zero trust security improves authentication, both its security and its user experience, it makes it possible for enterprises to enhance their security posture, gain operational security efficiencies and even improve the experience of their users.

What is zero trust security?

The long-held access principle of least privilege holds that computing processes, software programs, and users should only be enabled to access those resources they need to do their jobs. Zero trust security is a set of security principles that enforces the concept of least privilege within enterprise technology environments. Or, as the National Institute of Standards and Technology (NIST) puts it, zero trust is "a set of guiding principles for workflow, system design, and operations."

The book Zero Trust Security: An Enterprise Guide, written by experts Jason Garbis and Jerry W. Chapman, details the three core principles of zero trust: ensure all resources are accessed securely, regardless of location; adopt a least privilege strategy and strictly enforce access control; and inspect and log all traffic. By following those principles, people, workloads, networks, devices, and data are all much better protected. That's especially true against attacks based on identity and access credentials.

Of course, zero trust security can't be successfully implemented across an organization in an ad-hoc manner. Success requires a strategy, and that strategy is best defined within one's zero trust architecture. A zero trust architecture is best described in terms of identity, access and privilege management; identity governance; and systems segmentation, such as network segmentation. All resources must be considered within the architecture: data, endpoints, applications and software instances, cloud systems, and users.

Enter ZTNA

It's important to point out that zero trust principles are core to network security, too. Applied to network access, this is often referred to as the software-defined perimeter or zero trust network access (ZTNA).

As you might assume, with ZTNA, users are not granted access to networks, or to the assets they connect to, until they are properly authenticated. In zero trust, the user is not just vetted with a username and password, or even just a second factor of authentication. Instead, the authentication process vets as much about the digital transaction as possible, including the user, device, network, and transaction context. The context of a transaction includes such things as the location of the user and the level of trust given to that network or device, among other attributes. Based on these characteristics, the user is authenticated and granted certain levels of access according to privileges and entitlements that were previously determined. A high-level example would be granting employees varying degrees of access depending on whether they are working from home, from a coffee shop, from an office in China, or within the headquarters' corporate LAN.

That level of trust is continuously reevaluated. For instance, in our example of the worker moving from their home network to the corporate LAN within the same afternoon, their level of access can automatically be increased to access sensitive data based on access from the more trusted location.
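The context-based, continuously re-evaluated access decision described above, as an added example that is not from this article or from the book it cites: a small policy engine in Python that scores the user, device and network context, caps the result by the user's pre-determined entitlement, and recomputes the decision when the same session shows up from a different network. The trust weights, thresholds, user names and entitlements are assumed values invented for illustration.

```python
from dataclasses import dataclass, replace
from enum import IntEnum


class Access(IntEnum):
    NONE = 0
    BASIC = 1       # e-mail, intranet wiki
    SENSITIVE = 2   # customer records, finance systems


@dataclass(frozen=True)
class Context:
    """Attributes of one access request: who, on what device, from where, proven how."""
    user: str
    authenticated: bool     # primary credential accepted
    mfa_verified: bool      # second factor completed in this session
    device_managed: bool    # enrolled, compliant endpoint
    network: str            # "corporate_lan", "home" or "public_wifi"


# Assumed values for illustration; a real deployment tunes these to its own risk appetite.
NETWORK_TRUST = {"corporate_lan": 3, "home": 2, "public_wifi": 1}
ENTITLEMENTS = {"alice": Access.SENSITIVE, "bob": Access.BASIC}  # pre-determined ceiling per user
SENSITIVE_THRESHOLD, BASIC_THRESHOLD = 7, 3


def trust_score(ctx: Context) -> int:
    """Combine network, device and authentication context into one trust score."""
    if not ctx.authenticated:
        return 0
    score = NETWORK_TRUST.get(ctx.network, 0)   # an unknown network earns no trust
    score += 2 if ctx.mfa_verified else 0
    score += 2 if ctx.device_managed else 0
    return score


def decide(ctx: Context) -> Access:
    """Policy decision: access level earned by context, never above the user's entitlement."""
    score = trust_score(ctx)
    if score >= SENSITIVE_THRESHOLD:
        granted = Access.SENSITIVE
    elif score >= BASIC_THRESHOLD:
        granted = Access.BASIC
    else:
        granted = Access.NONE
    return min(granted, ENTITLEMENTS.get(ctx.user, Access.NONE))


def with_network(ctx: Context, network: str) -> Context:
    """Re-evaluation hook: same session, new network; the decision is recomputed, not carried over."""
    return replace(ctx, network=network)


# Constructed scenario: the article's worker, at home in the morning and on the corporate LAN later.
ALICE_AT_HOME = Context("alice", True, True, True, "home")

if __name__ == "__main__":
    for where in ("home", "corporate_lan", "public_wifi"):
        print(where, decide(with_network(ALICE_AT_HOME, where)).name)
```

Running it shows the same authenticated session earning BASIC access from home, SENSITIVE once it is re-evaluated on the corporate LAN, and BASIC again from public Wi-Fi; a user whose entitlement is BASIC never gets more, however trusted the context.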

In this way, zero trust can improve both security and convenience — and that's a rare find in cybersecurity.

As zero trust gets talked about more, there will be many who try to co-opt and change its definition, and over time the clarity of what zero trust means will grow hazy. That's why it's essential to stick to the correct definitions and operational models.

We think there are two great places to start. These are NIST Special Publication 800-207 Zero Trust Architecture and the book Zero Trust Security: An Enterprise Guide.
