Zero Trust Architecture (ZTA) means exactly that: compliance officers and IT security teams are trained to not trust any network activity, anywhere, at any given time — not even on the inside of their own computer network.
Don’t panic; ZTA is not as difficult to work with as it sounds. It’s simply a different way of approaching cybersecurity. So let’s take a look at how it works.
Where did the Zero Trust model for cybersecurity originate?
Cybersecurity expert John Kindervag, currently an executive at Palo Alto Networks, developed the Zero Trust model while he was a principal analyst at Forrester Research. Essentially, the Zero Trust security model requires all users to identify themselves repeatedly, in real time, through continuous authentication procedures, as long as they are logged on to your network.
This means users must submit repeated access requests — even though they are already logged in — and use multi-factor authentication processes even after they’ve gone through regular access controls (such as using passwords).
Zero Trust security is akin to driving down the road, and at every intersection someone asks to see your driver’s license to make sure you really should be driving that car on that street.
What are the principles of Zero Trust Architecture?
Traditional cybersecurity models are designed to hold down the fort, so to speak: they secure the network perimeter to protect sensitive data against hackers trying to launch malware, virus or ransomware attacks from the outside. This approach focuses on blocking unauthorized users by applying sophisticated identity and access management techniques.
That approach, however, won’t provide much help once an unauthorized user gets past the firewalls and the authentication procedures, such as by using a stolen password. Once hackers are in, they can bring along malware and other malicious tools, leading to data breaches — and because traditional network architecture doesn’t restrict movement inside a network, an undiscovered hacker can do extensive damage.
The Zero Trust strategy is more difficult to breach because it launches repeated authentication requests before granting any user access. Zero Trust architecture also makes it much more difficult for an unauthorized user to move laterally inside the network, or to escalate privileges from a least-privilege account. ZTA uses network segmentation and micro-segmentation to impose strict workflow limits, and to assure that no user is granted any network access beyond what he or she needs to do the job.
Not only does ZTA protect a network from damage done by a hacker who got inside; it also helps companies structure their workflow in such a manner that the attack surface becomes smaller.
This is an important point because as more and more businesses operate in an increasingly interconnected manner, their attack surfaces are expanding. Every time a company transfers data between employees on premises and remote workers on VPN connections at home (or to third party contractors and cloud services), the risk for a data breach increases.
The Zero Trust Security Model forces a company to look at specific workflows and ask: Did we ask everyone to identify themselves before we let them in the door? If we didn’t, then how can we change our security model to become more closely aligned to a Zero Trust Network?
The Zero Trust approach and remote worker security
It may help to think of a Zero Trust network as being built not around static things, such as computers and servers on a network in an office; but rather around users and interrelated networks, connected through the internet of things (IoT), the public cloud, and employees who work from home on their own devices. ZTA focuses on protecting your workflow, rather than the endpoints or your corporate network.
A crucial element of a ZTA network — and one that doesn’t exist in an ordinary “guard the perimeter” network — is that the Zero Trust security model checks the health of the device trying to connect to the network before it’s granted secure access. Is the VPN secure? Are connections encrypted? Can this device become an unwanted access point for least-privilege users?
How to diagram and implement a Zero Trust solution
Although Zero Trust was still a new approach to cybersecurity, federal government agencies embraced the security model quickly — especially after the attack against the Office of Personnel Management in 2015, in which the personal data of more than 20 million current or former government employees was stolen from a compromised background investigation database. Many federal and law enforcement agencies quickly followed OPM and updated their security policies to Zero Trust architecture, to improve their data security.
Fortune 500 and global companies have also begun implementing the Zero Trust security model. Perhaps most notable among them is Microsoft, which views ZTA as the cybersecurity model of the future. Microsoft began implementing Zero Trust access control in 2015, and views ZTA as fundamental to its long-term security plans. (One of Microsoft’s goals is to abolish all passwords and replace them with biometric authentication such as fingerprints.)
Implementing Zero Trust methodology
The Microsoft Zero Trust security model is broken down into layers as shown in the diagram here and outlined below:
- First, verify the identity of the user and establish least-privilege user rights, and replace passwords with biometric-based access.
- Second, verify the health of the device trying to connect to your network.
- Third, define the individual user’s access using least-privilege methodology, before any access is granted.
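To make the three layers concrete, here is an added example (not code from the original post, Microsoft, or Reciprocity) of a per-request policy decision that checks identity with a re-authentication window, device health, and least-privilege grants before anything is allowed. The roles, resources, grant table, 15-minute re-authentication window and sample requests are all constructed for the illustration.

```python
"""Per-request Zero Trust policy decision: identity, device health, least privilege.
Every value below (roles, resources, grants, sample requests) is constructed."""
from dataclasses import dataclass
from typing import Tuple

# Hypothetical least-privilege grants: a role may reach only these resources/actions.
ROLE_GRANTS = {
    "payroll-analyst": {"payroll-db": {"read"}},
    "hr-admin": {"payroll-db": {"read", "write"}, "hr-portal": {"read", "write"}},
}
MAX_AUTH_AGE_SECONDS = 900  # force re-authentication every 15 minutes (assumed window)

@dataclass
class Request:
    user: str
    role: str
    mfa_verified: bool
    seconds_since_auth: int
    device_encrypted: bool
    device_patched: bool
    resource: str
    action: str

def decide(req: Request) -> Tuple[bool, str]:
    """Return (allowed, reason). Each request is evaluated from scratch;
    being 'already logged in' earns no trust on its own."""
    # Layer 1: verify identity via MFA, and reject stale authentication.
    if not req.mfa_verified:
        return False, "identity: MFA not verified"
    if req.seconds_since_auth > MAX_AUTH_AGE_SECONDS:
        return False, "identity: authentication too old, re-authenticate"
    # Layer 2: verify device health before trusting the connection.
    if not (req.device_encrypted and req.device_patched):
        return False, "device: fails health check (encryption/patch level)"
    # Layer 3: least privilege, scoped to the specific resource and action.
    allowed_actions = ROLE_GRANTS.get(req.role, {}).get(req.resource, set())
    if req.action not in allowed_actions:
        return False, f"privilege: {req.role} may not {req.action} {req.resource}"
    return True, "allowed"

# Constructed sample requests: one allowed, three denied for different reasons.
SAMPLES = [
    Request("alice", "payroll-analyst", True, 120, True, True, "payroll-db", "read"),
    Request("alice", "payroll-analyst", True, 120, True, True, "payroll-db", "write"),
    Request("bob", "hr-admin", True, 3600, True, True, "hr-portal", "write"),
    Request("carol", "hr-admin", True, 60, False, True, "payroll-db", "read"),
]

if __name__ == "__main__":
    for r in SAMPLES:
        print(r.user, r.resource, r.action, "->", decide(r))
```

Note that the order matters: a healthy device with a valid session still gets nothing beyond its role's explicit grants, and a privileged role is denied outright when the device fails its health check.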
Moving to a Zero Trust security model will make for a very different user experience. It brings changes in workflow and also requires different authentication processes across the entire network, so this isn’t a change that can be made overnight. But if you do go the Zero Trust route, your cybersecurity is bound to improve dramatically.
Cloud environments are increasingly under attack by hackers and it’s important for your company’s data security that you know which cloud security models and security architectures are used by your cloud partners. A consistent Zero Trust security strategy across all platforms will greatly improve your data protection and cybersecurity efforts.
Is Zero Trust in your future?
As your business forges a path through the remote workforce challenges of our highly interdependent world, many Reciprocity tools can help keep your business safe and improve your cybersecurity.
ZenGRC’s compliance management, risk, and workflow management software is an intuitive and easy-to-understand platform that not only keeps track of your workflow, but also lets you find areas of high risk before those risks manifest as real threats.
Worry-free compliance management is the Zen way. For more information on how ZenGRC can enable your CMS, contact us for a demo.