Zero trust security is not a new concept, but it has gained popularity in recent years. As companies become increasingly distributed, they must offer flexible network access without putting sensitive data at risk. That’s where zero trust security comes in. What is zero trust security? Let’s discuss the five critical things you should know.
What is zero trust security?
Zero trust security can be boiled down to a simple concept: never trust, always verify. That means you must always verify the identity and trustworthiness of every user and device trying to access your network. Traditional networking safeguards are based on a castle-and-moat architecture: all users and devices inside the network are assumed to be trustworthy and can access the resources they need, while those outside the network (beyond the moat) must be verified and trusted before gaining access. One of the glaring problems with this approach is that it doesn’t consider the possibility of insider attacks coming from an authorized user or device within the network. That means that an attacker simply needs to hack into the network—for example, by compromising a user account—and then there are few, if any, obstacles remaining in their way.
What is zero trust security? It’s a reimagining of network security based on the concept that you shouldn’t automatically trust anyone or anything trying to connect to your network. Instead, you should verify every user and device that tries to connect, whether it’s coming from outside or inside the network perimeter. In other words: trust no one.
Where did zero trust security come from?
The concept of zero trust was first prototyped more than a decade ago by John Kindervag at Forrester, but it didn’t truly gain traction in the industry until recently. The zero trust security architecture came from the realization that the traditional castle-and-moat model was becoming increasingly vulnerable. Years ago, a typical organization’s sensitive data was kept in a central location. This made the network and its resources easy to monitor for threats and protect from attacks. Now, many enterprises are adopting technologies that offer more advanced networking capabilities for distributed access. These technologies include public and private clouds, service-based software and infrastructure, virtualized SD-WAN and firewall solutions, and more. Securing an entire enterprise network means putting multiple safeguards in place. The traditional security architecture is being replaced by the more flexible and robust zero trust security model.
Zero trust security benefits
One of the fundamental goals of networking is to allow the flow of information between computers, people, and organizations. However, that information is becoming more decentralized and must be relayed through various channels, which increases risk. Since traditional security architectures simply can’t provide omnipresent protection for data and communications, organizations around the globe are adopting zero trust security.
Zero trust security use cases and examples
- Scaling with remote and branch offices: Setting up new branches comes with its own set of security risks. However, using a zero trust model, you can get granular control over who and what can access your network. This helps block attacks that rely on stolen equipment, devices, or credentials.
- Remote and work-from-home: When setting up a Secure Access Service Edge (SASE) configuration, whether for faraway branch offices or remote and traveling workers, zero trust security keeps networks and resources secure. Zero trust requires user identities and devices to be verified, which eliminates many methods of attack.
- Securing data at HQ: When you define access rights using an SD-Perimeter approach, zero trust enables you to restrict access to sensitive resources to only the personnel who need it. This restricts lateral movement on your network and keeps data secure from both outside actors and malicious insiders.
Zero trust security benefits your business by giving you granular control over security controls and access policies, so you can better protect the network.
How to implement zero trust security
Now that you understand what zero trust security is, you can create a plan for implementing it. The best strategy is to break your implementation process up into a series of small, repeatable steps so you can slowly build out your zero trust architecture while improving and refining things as you go. The five basic steps to implement zero trust security are:
Step 1: Define your protect surface(s)
You may be familiar with the term “attack surface,” which is the sum of all the potential access points an attacker could use to penetrate your network. With traditional network security methodologies, you need to defend your attack surface by creating a perimeter of security controls (like firewalls and intrusion detection systems) that extends around your entire network. This used to be easy when all of your sensitive data was located on one centralized server, and you could only access it from inside the local network. Now that your enterprise data, devices, and users can be located in and accessed from anywhere in the world, it’s essentially impossible to identify, define, and defend every potential access point. The zero trust security model asks you to focus on the micro-level—the individual data, applications, assets, and services you need to protect. These items are known as your protect surfaces, and your goal is to create access control policies and establish security controls specifically designed to protect each of them. So, the first step towards implementing zero trust security is to identify and define each protect surface. You may find it helpful to use the acronym DAAS—Data, Applications, Assets, and Services—when determining what to include in your protect surfaces:
- D (Data): Identify any data that contains sensitive or proprietary information that may be valuable to a hacker or damaging to your organization if it were stolen—e.g., HIPAA data, financial records, trade secrets.
- A (Applications): Do any of your enterprise applications process sensitive data or contain proprietary code? Those applications need to be included in a protect surface.
- A (Assets): All network assets, including laptops, point-of-sale terminals, IoT devices, cell phones, and manufacturing equipment, need to be inventoried and protected.
- S (Services): Identify and locate all critical network services that could impact your business productivity or security, such as DHCP, Active Directory, and VoIP.
Step 2: Map your interdependencies
How do traffic and data flow between each of the items you identified in your DAAS? You need to know how each of these resources interacts with the others so you can account for these interdependencies when you create access policies and enable security controls around protect surfaces. By mapping your interdependencies ahead of time, you can safeguard each protect surface without accidentally breaking anything.
Step 3: Construct micro-perimeters
You’ve already narrowed your focus from one attack surface to many small protect surfaces. Now you need to shrink your big network perimeter into a series of smaller micro-perimeters. That means you need to segment your network around your DAAS and implement security controls for each individual protect surface. One of the greatest things about zero trust security is getting very granular with your security controls. Since you’re focusing on a small network segment, you can use the best security technology for that specific job. You want to segment your network as much as possible to create small protect surfaces that target security controls with a high level of specificity.
Step 4: Establish access control policies
Your micro-perimeters will rely on access control policies to determine who can have access and how to establish trust. You should use the “Kipling Method” to decide who should have access to each protect surface, which means asking the following questions:
- Who should have access to this resource?
- What application is being used to access this resource?
- When is the resource being accessed?
- Where is the user or device that’s requesting access?
- Why do they need access to this resource?
- How should you allow access to this resource?
Again, the smaller your network segments, the more precise you can get with your access control policies.
Step 5: Monitor and optimize
Once you’ve segmented your network, created micro-perimeters, and enabled your zero trust access control policies, you need to monitor each protect surface and conduct frequent log reviews to ensure operations are running smoothly. You should look for signs of latency and performance issues, as well as make sure your policies are being applied correctly and your security controls are restricting access appropriately. By following these five basic steps, you can create a zero trust security implementation that’s completely customized around your business requirements, protect surfaces, and security vulnerabilities.
Zero trust security best practices
Here are some additional tips for implementing zero trust security in your enterprise.
1. Assess your current strengths and weaknesses:
Zero trust security doesn’t necessarily require an expensive technology upgrade to implement. Instead, you should look for ways to augment your existing network and security architecture using zero trust principles and policies. By thoroughly analyzing your existing tools and solutions, you can identify gaps in your zero trust readiness and avoid spending money on things you don’t need or already have.
2. Invest in discovery and classification tools:
Identifying your DAAS is the critical first step in your zero trust journey, so you should make things easier on yourself by investing in the right tools for the job. Look for solutions that can automatically discover network assets, application interdependencies, and sensitive data. These automated tools won’t just make your job faster—they’ll ensure you don’t let anything slip between the cracks.
3. Assess trust dynamically and consistently:
Verifying the identity of a user or device is only part of the zero trust equation; you also need to determine their trustworthiness, which may change depending on context. For example, is this a typical time for this user to connect to your network? Is this device in a geographic location that makes sense in this situation? Has the user or device been involved in any suspicious behavior elsewhere on your network? You need to determine trust on a dynamic basis, and apply the same criteria to every account, whether the user is in the office, at home, or abroad.
4. Implement zero trust identity and access management (IAM):
Without an identity and access management (IAM) solution that supports zero trust security principles and security controls, you can’t verify identities and establish trust. For example, you may want a solution that incorporates user and entity behavior analytics (UEBA), which monitors account and device behavior so it can spot unusual or risky activity, report it, and block access. You’ll also need features such as single sign-on (SSO) and multi-factor authentication (MFA) to provide additional identity verification and security levels. SSO allows users to access all enterprise resources using the same username and password, which means you can enforce the same password complexity requirements and access control policies across your entire network. MFA requires users to provide a second method of identity verification, usually with a code texted to their smartphone or generated by an app.
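The Kipling Method policy from Step 4 combined with the dynamic trust assessment from best practice 3, as an added Python example that is not part of the original article or of any Nodegrid product: it evaluates a request against a per-protect-surface policy, denies hard mismatches and known risk signals, and raises the bar to MFA when the time or location is unusual. The surface name, roles, application names and countries are constructed sample values.

```python
from dataclasses import dataclass, field

# Constructed sample policy for one protect surface ("finance-db" is a hypothetical name).
@dataclass
class SurfacePolicy:
    who: set          # roles permitted to reach this protect surface
    what: set         # client applications permitted to access it
    when: tuple       # expected access window in UTC hours, [start, end)
    where: set        # countries from which access is expected
    how: str          # authentication strength required: "password" or "mfa"

@dataclass
class Request:
    user: str
    role: str
    app: str
    hour: int                 # UTC hour of the request
    country: str
    auth: str                 # strength actually presented: "password" or "mfa"
    justification: str = ""   # the "why": recorded for audit, must not be empty
    risk_flags: set = field(default_factory=set)   # signals from UEBA or other sensors

POLICIES = {
    "finance-db": SurfacePolicy(who={"finance"}, what={"erp-client"},
                                when=(7, 19), where={"US", "CA"}, how="mfa"),
}

def evaluate(surface, req):
    """Return (decision, reason): hard mismatches deny, unusual context steps up to MFA."""
    pol = POLICIES.get(surface)
    if pol is None:
        return "deny", "unknown protect surface, default deny"
    if req.role not in pol.who:
        return "deny", "who: role not permitted"
    if req.app not in pol.what:
        return "deny", "what: application not permitted"
    if not req.justification:
        return "deny", "why: no justification recorded"
    if req.risk_flags:  # suspicious behaviour seen elsewhere on the network
        return "deny", "suspicious behaviour elsewhere: " + ",".join(sorted(req.risk_flags))
    unusual = []        # context that changes trust without being a policy violation
    start, end = pol.when
    if not start <= req.hour < end:
        unusual.append("when: outside normal hours")
    if req.country not in pol.where:
        unusual.append("where: unexpected location")
    needs_mfa = pol.how == "mfa" or unusual
    if needs_mfa and req.auth != "mfa":
        return "step-up", "how: MFA required (" + "; ".join(unusual or ["policy"]) + ")"
    return "allow", "verified" + (" with context flags: " + "; ".join(unusual) if unusual else "")
```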
Zero trust security simplified
What is zero trust security? It’s both a mindset and a methodology for security that addresses the limitations of a castle-and-moat architecture for today’s distributed business network. By following the principle of “never trust, always verify,” and using the implementation steps and best practices outlined above, you can take advantage of zero trust security’s benefits for your enterprise. Are you looking for a way to streamline your zero trust deployment without sacrificing security? Nodegrid’s Zero Trust Security Framework Foundation is a family of network management hardware and software that supports zero trust principles through features like:
- Secure boot and geofencing technology so only you can install and boot your configuration
- Integration with zero trust IAM providers like Duo, Okta, and Ping for SSO and MFA capabilities
- Unified cloud management, control, and access for consistent configuration across branches