“Do not trust anyone!” is the catchphrase that best describes zero trust, a security concept that encourages organizations to distrust all network activity by default. As this security concept gains traction, many security providers are flooding the market with solutions. In this article, we will unpack the top technologies for a zero trust cybersecurity architecture.
NIST describes zero trust as “the term for an evolving set of cybersecurity paradigms that move network defenses from static, network-based perimeters to focus on users, assets, and resources.”
Moat and Castle
Most traditional security solutions are based on the castle and moat concept. The castle (i.e. internal network) is protected against outside threats by a moat (i.e. security gateway). The intention is to make it difficult for outsiders to gain access. The limitation is that everyone within the castle is trusted by default.
Once an intruder finds a way into the castle, they can roam freely without ever proving their identity. This enables attack vectors such as insider threats, impersonation attacks, and attacks by disgruntled employees.
Another weakness of the castle and moat strategy is exposed by the era of “decentralized data storage.” Most organizations now store information across various cloud architectures and vendors, which further increases the attack surface.
This minefield of identity management, decentralized data, and advanced threat vectors makes the zero trust model an attractive concept.
For zero trust security to be effective, no one may be trusted by default, not even those within the organization. Effective verification and identity management are the key to preventing data breaches.
This type of security infrastructure requires a holistic approach to network security. Combining various technologies and adopting core principles allows organizations to build an impenetrable castle.
4 core principles of zero trust security
The philosophy of zero trust is simple: presume every interaction on your network is a potential threat. Attackers live both inside and outside your network, therefore no device (i.e. user or machine) should be trusted, especially in the world of IoT.
The military has a clear chain of command, indicating which access rights each person within the army has. Organizations need to adopt a similar paradigm. Security resources should be allocated to protect the most important digital assets, instead of an encircling moat that hopefully keeps some bad actors outside. The four concepts below are core to creating an environment of zero trust.
Need-to-know access
Information must be provided on a need-to-know basis, which reduces the exposure of specific data sets within your environment. Following the military approach, organizations can classify information and restrict it to the users cleared for it, minimizing breaches of sensitive information. This can be done by creating classification levels and issuing time-limited, one-time-use credentials that are revoked after a set period.
Microsegmentation
Microsegmentation is the practice of breaking up security perimeters into small zones, allowing you to manage your network in segments. In the castle analogy, the guards could allocate more security to sensitive areas like the royals’ bedrooms. Instead of investing in protecting the entire castle, you may choose to segment critical business areas and allocate sufficient security resources to them.
Multi-factor authentication (MFA)
A password is no longer sufficient protection. Most people create weak passwords and/or reuse them, which undermines authentication. Multi-factor authentication requires more than one piece of evidence to validate the user. This enforces tighter restrictions within your network and makes account takeovers far less likely.
Leverage machine learning
Traditional security solutions that rely on a signature-based approach are ineffective against unknown threats. Signature-based solutions compare all network traffic against a database of known threat signatures, but what if the threat is not yet in that database? Organizations need to embrace machine learning and artificial intelligence to create a more secure environment: machine learning solutions can learn normal versus abnormal behavioural patterns and autonomously respond to and quarantine suspicious activity.
With the rise of IoT and offensive AI, zero trust is the only concept that will help organizations fight back effectively.
A framework for a zero trust environment
When reviewing your environment, prioritize the data, applications, assets and services that are critical to your business operations. Once you know which surface needs the most protection, you can spend most of your resources establishing a zero trust environment around it. The remaining, less sensitive parts of your organization can get by with fewer security layers, or perhaps just the moat. The goal is to segment your entire network into micro-perimeters, each with individual policies that define what level of trust applies.
Creating a zero trust environment takes time and requires an extensive review of your current situation, but it doesn’t require a full technology transformation. With the right security consultant you can take a pragmatic approach to starting the journey towards zero trust.
1. Determine trust levels
Every segment of your environment requires a different protection level. For instance, a financial services organization would likely classify credit card information as sensitive, due to the nature of the data. This information would need the utmost protection, like the royals’ bedrooms in the castle analogy. Less sensitive information would not need a robust security layer; the moat would suffice.
2. Establish perimeter boundaries
Once your trust levels are determined, you can create access gateways to specific parts of your environment. Through effective authorization gates and micro-segmentation, you can create boundaries. Organizations need to architect a solution that controls access to their applications and networks, and the architecture must be built to protect the highest priority surfaces first.
3. Create your zero trust policies
When adopting a zero trust structure, the static security policies currently in place become obsolete. Zero trust is a dynamic concept that requires a flexibility traditional security paradigms cannot provide. Once you have determined your trust levels and architected your surface areas, you will need policies that enforce the required behavior and access controls. The key is to know your users: know which applications they access, why they access them, and how they use them.
4. Monitor and improve
The final step is to monitor and improve your approach. This is where machine learning plays an important role. With the right machine learning technology, organizations can review all logs, both internal and external, and focus on patterns of normal versus abnormal behaviour. This dynamic approach allows the system to refine policies and the trust levels of users, including which applications and data they can and should have access to.
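The four core principles above (need-to-know, microsegmentation, MFA, behavioural monitoring) and the four framework steps come together in a policy decision point that denies by default. The following is an added illustration, not code from the original article or from RSI Security; the segment names, trust levels, clearances, baseline and all request values are constructed.

```python
from dataclasses import dataclass

# Constructed trust levels per micro-segment: higher = more sensitive.
# "cardholder-data" plays the role of the royals' bedroom in the castle analogy.
SEGMENTS = {"public-web": 0, "hr-portal": 1, "cardholder-data": 2}

# Constructed behavioural baseline: segments each user has historically accessed.
# In practice this set is learned from logs (the "monitor and improve" step).
BASELINE = {"alice": {"public-web", "hr-portal"}, "bob": {"public-web", "cardholder-data"}}


@dataclass
class Request:
    user: str
    clearance: int          # highest segment level the user is cleared for (need-to-know)
    segment: str            # micro-segment being accessed
    mfa_verified: bool      # did the user complete multi-factor authentication?
    device_managed: bool    # is the request coming from a managed device?
    credential_expiry: int  # epoch seconds; short-lived credentials are revoked by time
    now: int                # epoch seconds at evaluation time


def decide(req: Request) -> tuple[bool, str]:
    """Evaluate every check; the first failure denies. Anything unknown is denied."""
    level = SEGMENTS.get(req.segment)
    if level is None:
        return False, "unknown segment (default deny)"
    if req.now >= req.credential_expiry:
        return False, "credential expired"
    if req.clearance < level:
        return False, "need-to-know: clearance below segment level"
    if level >= 1 and not req.mfa_verified:
        return False, "MFA required for this segment"
    if level >= 2 and not req.device_managed:
        return False, "managed device required for sensitive segment"
    if req.segment not in BASELINE.get(req.user, set()):
        # Valid credentials but unusual behaviour: deny and surface for review.
        return False, "outside observed baseline: flag for review"
    return True, "allowed"


if __name__ == "__main__":
    print(decide(Request("bob", 2, "cardholder-data", True, True, 2_000, 1_000)))
```

Each denial reason maps to one of the principles in the article, so the same log line that records a denial also tells the security team which control fired.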
To create a zero trust environment, organizations need to adopt a culture of distrust by default. Coupled with machine learning technology, one can adopt policies that balance effective protection with operational flexibility. Start by determining your trust levels, establishing perimeters and areas of high risk, implementing effective policies, and using machine learning to monitor, adapt and improve. At RSI Security we help organizations with best-of-breed frameworks, methodologies and technology sets to achieve zero trust.