Risk professionals have lived by the adage "Trust but Verify" for decades, but this time-honored idea is becoming outdated in the current cybersecurity climate and is being replaced with "Never Trust, Always Verify". Organizations have learned the hard way not to trust the outside world, and they have also learned not to put too much trust in their employees. Despite numerous training sessions and reminders, people still set weak passwords and fall victim to social engineering attacks. Now organizations have a new strategy: zero trust network security. This article explains the guiding principles behind zero trust and how the methodology differs from current security practices.
What Is Zero Trust Security?
The basic idea behind the zero trust (never trust, always verify) approach is to treat every attempt to access networks, machines, and data as potentially hostile, regardless of its source, until it has been verified. The scope includes access from inside and outside of the network. Since most organizations maintain a mix of on-premises and cloud services and a mix of in-office and work-from-home employees, controlling access is not as straightforward as it was 20 years ago.
In May 2021, the White House issued Executive Order 14028, "Improving the Nation's Cybersecurity," directing federal agencies to plan for and advance toward a zero trust architecture. The order describes the zero trust security model as one that "eliminates implicit trust in any one element, node, or service and instead requires continuous verification of the operational picture via real-time information from multiple sources to determine access and other system responses. In essence, a Zero Trust Architecture allows users full access but only to the bare minimum they need to perform their jobs."
How Does Zero Trust Work?
Past models for cybersecurity focused on securing the network perimeter, placing a higher emphasis on preventing breaches from the outside. The weakness of this model is that once someone is inside, whether an external attacker who has phished a set of credentials or a malicious insider, the flat, trusted interior lets them move laterally with little further challenge. By verifying every access attempt on its own merits rather than on network location, and by granting only the access each request needs, zero trust limits how far an intruder can get and so minimizes the impact of a breach.
How to Create a Zero Trust Network
Each network is unique, but several principles of zero trust can apply to most organizations.
1. Focus on User Identity
To achieve viable zero trust security, the focus moves from network perimeter security to identity-defined security. When each access decision is based on knowing who the user is (and, in practice, what device they are on) and what they are attempting to access, rather than on which network segment the request came from, we end up with a more robust security approach than the network perimeter defense model.
2. Adopt Least Privilege Access
Some organizations have taken steps toward zero trust by implementing the concept of least privilege. Under the principle of least privilege, users are granted access only to the applications they need and only to the functionality needed to do their job. Zero trust adds another layer to the security model by evaluating the user's access request on every request, not just once at logon, so that being on the network or having signed in earlier never by itself grants access to an application.
3. Require Multifactor Authentication
Multifactor Authentication (MFA), of which Two-Factor Authentication (2FA) is the two-factor case, goes beyond a simple username and password for accessing a network. These methods rely primarily on three categories of inputs: something you know (typically a password or PIN), something you have (usually a token or app generating a one-time code, or a hardware security key), and something you are (such as a fingerprint or facial recognition). Organizations have also adopted additional categories: somewhere you are (geographical location, region, or building) and something you do (gestures or touch patterns). Not all second factors resist the social engineering attacks mentioned above equally: a one-time code from SMS or an authenticator app can be captured and relayed by a phishing page, whereas a FIDO2/WebAuthn credential on a hardware key is bound to the site's origin and cannot be replayed to it from a look-alike site, so sensitive actions should prefer the latter.
4. Implement Federated SSO
Federated Single Sign-On (SSO) uses a central identity provider (IdP) to authenticate users once and then vouch for them to applications across organizational and cloud boundaries. The IdP performs the login (including MFA) and issues a signed assertion or token, typically via SAML or OpenID Connect, that each application verifies; the applications never handle the user's password. This allows you to authenticate to cloud services with the convenience of single sign-on while keeping authentication policy in one place.
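The four principles above come together in a policy decision point that evaluates every request. The following is an added example written for this article, not code from the original page or from any product the author describes: a toy policy engine that checks the IdP-issued identity (standing in for the federated SSO assertion), the authentication factors used, device posture, and an explicit least-privilege role mapping, placed next to the perimeter rule it replaces. The role names, resource names, the 8-hour assertion lifetime, the 10.0.0.0/8 corporate range, and the two constructed requests are all illustrative assumptions.

```python
# Added example (not from the original article): a toy zero trust policy
# decision point evaluated on EVERY request, beside the perimeter rule it
# replaces. All policy data and sample requests below are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Least privilege: an explicit allow-list of role -> resource -> actions (assumed names).
ROLE_PERMISSIONS = {
    "finance-analyst": {"ledger": {"read"}},
    "finance-admin": {"ledger": {"read", "write"}},
    "hr-specialist": {"hr-records": {"read", "write"}},
}
# Actions that additionally require a phishing-resistant second factor.
SENSITIVE_ACTIONS = {("ledger", "write"), ("hr-records", "write")}
STRONG_FACTORS = {"fido2", "smartcard"}              # possession factors bound to the origin
SECOND_FACTORS = STRONG_FACTORS | {"totp", "push"}   # any possession/inherence factor
MAX_ASSERTION_AGE = 8 * 3600                          # seconds before re-verification (assumed)
CORPORATE_NET = ip_network("10.0.0.0/8")              # assumed "inside" range for the old model


@dataclass(frozen=True)
class Identity:
    """What the federated IdP asserted about the user when they signed on."""
    subject: str
    roles: frozenset
    factors: frozenset    # e.g. {"password", "fido2"}
    issued_at: int        # epoch seconds the assertion was issued


@dataclass(frozen=True)
class Device:
    managed: bool         # enrolled in device management
    disk_encrypted: bool
    source_ip: str


@dataclass(frozen=True)
class Request:
    identity: Identity
    device: Device
    resource: str
    action: str
    now: int              # epoch seconds, passed in so decisions are reproducible


def perimeter_decision(req: Request) -> bool:
    """The model being replaced: anyone already on the corporate network is trusted."""
    return ip_address(req.device.source_ip) in CORPORATE_NET


def zero_trust_decision(req: Request) -> tuple:
    """Evaluate one request; returns (allowed, reason). Network location alone grants nothing."""
    ident, dev = req.identity, req.device

    # 1. Identity: the assertion must be fresh (continuous verification, not a one-time login).
    if req.now - ident.issued_at > MAX_ASSERTION_AGE:
        return False, "assertion expired; re-authenticate"

    # 3. MFA: a password plus at least one factor from another category...
    if "password" not in ident.factors or not (ident.factors & SECOND_FACTORS):
        return False, "multifactor authentication required"
    # ...and sensitive actions require a phishing-resistant one.
    if (req.resource, req.action) in SENSITIVE_ACTIONS and not (ident.factors & STRONG_FACTORS):
        return False, "phishing-resistant factor required for this action"

    # Device posture: a valid user on an unmanaged or unencrypted endpoint is still denied.
    if not (dev.managed and dev.disk_encrypted):
        return False, "device not compliant"

    # 2. Least privilege: only an explicit role grant allows the action.
    for role in sorted(ident.roles):
        if req.action in ROLE_PERMISSIONS.get(role, {}).get(req.resource, set()):
            return True, f"allowed via role {role}"
    return False, "no role grants this action"


def demo() -> dict:
    """Two constructed requests; returns (perimeter_allowed, zero_trust_allowed) for each."""
    # An insider on the corporate LAN with only a password, outside their role, asking to write the ledger.
    insider = Request(
        Identity("mallory", frozenset({"hr-specialist"}), frozenset({"password"}), issued_at=1_000),
        Device(managed=True, disk_encrypted=True, source_ip="10.1.2.3"),
        "ledger", "write", now=2_000)
    # A finance admin at home on a managed laptop, signed in with a hardware key.
    remote_admin = Request(
        Identity("alice", frozenset({"finance-admin"}), frozenset({"password", "fido2"}), issued_at=1_000),
        Device(managed=True, disk_encrypted=True, source_ip="203.0.113.7"),
        "ledger", "write", now=2_000)
    return {name: (perimeter_decision(r), zero_trust_decision(r)[0])
            for name, r in {"insider": insider, "remote_admin": remote_admin}.items()}


if __name__ == "__main__":
    for name, (perim, zt) in demo().items():
        print(f"{name}: perimeter={'allow' if perim else 'deny'}, zero_trust={'allow' if zt else 'deny'}")
```

The two decisions invert between the models: the perimeter rule admits the insider and rejects the remote administrator, while the zero trust evaluation does the opposite, because it never consults the source address and instead asks who is requesting, how strongly they proved it, from what device, and whether their role explicitly permits the action. The ordering of the checks also means a stale assertion or a non-compliant device is rejected before any role lookup, which is the "challenge every request" behavior the least-privilege section describes.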
As we look to the future of IT security, the requirements needed to protect our organizations will continue to evolve to meet ever-changing threats. If you are considering a zero trust (never trust, always verify) approach, understand that it may require a complete redesign of the network security model for both on-premises and cloud services. Given the complexity of most organizations, the extent of the zero trust transformation should be researched, planned, and managed appropriately. Done correctly, implementing a zero trust approach can be a highly effective safeguard against modern security threats.
Elliott Bostelman, CDPSE, is a Manager of Compliance Solutions at AuditBoard. Elliott joined AuditBoard from Deloitte, where he provided consulting services over information security management, risk advisory, and GRC implementation & modernization. He also serves in the US Army Reserves, focusing on cyber operations, network defense, and information technology. Connect with Elliott on LinkedIn.