Zero trust has gone from new idea to buzzword and industry paradigm in a decade. Much more than a one-size-fits-all product or service, zero trust requires an organization to identify its most sensitive assets, monitor traffic flows, and enforce granular, application-level access policies, all of which are entirely dependent on your organization. As organizations look to strengthen their network security or update their cybersecurity defenses, the gospel of zero trust awaits.
With the swift adoption of remote work and added difficulty identifying network perimeters, zero trust as a solution is gaining steam. Top cybersecurity vendors compete for positioning in this new marketplace with several zero trust tools to aid in your organization’s adoption of the framework and continued maintenance. But ultimately, moving towards a zero trust network environment is an organizational choice. We’ll touch on the history of zero trust, the benefits, and how to implement zero trust into your network security starting today.
Ten years of zero trust
In the 2000s, the Jericho Forum was a group of international IT leaders concerned with the then-fixation on perimeter-based security strategies. By 2010, Forrester’s John Kindervag had presented the basic features surrounding the new concept known as zero trust. Today, zero trust networks are an industry standard for enhancing security inside your network.
What is Zero Trust?
“Trust nothing, verify everything” can sum up the concept of zero trust. In a few more words, zero trust means: within your organization’s network of resources, no user, packet, or device should be trusted or granted greater privileges than required. Where in the past, outside network attacks might’ve been an organization’s security priority, the trust vested inside networks has proven to be just as dangerous a vulnerability. A zero trust strategy centers around refined controls to improve and rightfully restrict access to your network and applications. By limiting movement, you mitigate the risk of malicious actors reaching key segments.
Gartner defines zero trust network access (ZTNA) as “a product or service that creates an identity- and context-based, logical access boundary around an application or set of applications.” In layman’s terms, ZTNA removes visibility or potential access to assets by enforcing stricter privilege policies inside your organization’s network. As a relatively new market, zero trust tools serve as alternatives to VPN and DMZ architecture, or as a granular approach to network access control (NAC), identity and access management (IAM), and privileged access management (PAM).
Intro to Microsegmentation
A core feature of any zero trust environment is the creation of micro-perimeters around critical segments, also known as microsegmentation. While your old network security might’ve identified IP addresses or only required initial access for a user to trek the network, microsegmentation uses software-defined barriers requiring proper verification of the user, location, and device. Segmentation gateways (SWG) or next-generation firewalls (NGFW) play a critical role in meticulous policy enforcement at the application, machine, and user levels. With this power in hand, IT professionals can define user groups, access groups, and network groups for multiple applications or devices.
Why zero trust?
The days when a malicious user can move laterally and gain access to an entire network are coming to an end. As organizations’ networks expand through a remote workforce or increased customer traffic, using a zero trust framework is essential in limiting users’ access to specific data and applications.
But even before the boom of IoT devices or the COVID-19 pandemic, trust was a major organizational vulnerability. As Mr. Kindervag stated emphatically at a 2019 conference, “What is trust? Trust is a human emotion that we’ve injected into digital systems for absolutely no reason at all!” The examples of breaches due to mistaken trust, up to the most powerful institutions in the world, are numerous. Notable incidents of trust gone wrong within the U.S. federal government include the Chelsea Manning and Edward Snowden breaches in 2013. Both actors used their network access to obtain sensitive information outside the scope of their role. Organizations that adopt zero trust can manage access controls at a granular level and protect their most sensitive segments.
In attacks like the FireEye and SolarWinds breaches in December 2020, advanced persistent threats (APTs) were able to move laterally through the network, harvesting sensitive information, in part because all they needed were stolen credentials. Without microsegmentation and a zero trust framework, one bad actor’s access could turn into a lingering nightmare where adversaries are persistently present in your network.
Implementing zero trust
Every zero trust framework is custom to your organization’s network security. No one vendor is necessary for your organization to start making moves towards a zero trust environment. Your organization also doesn’t have to reinvent your IT infrastructure. Here’s a look at how to implement a zero trust network in five steps.
1. Identify the Protect Surface and Users
Much like a hyperenergetic pufferfish, network perimeters are increasingly fluctuating, and attempts to protect the entire network make for stressed IT professionals. The zero trust framework requires zooming in on your organization’s most sensitive information to define your “protect surface.” If your entire network is the attack surface, your protect surface is the segments that contain sensitive data, essential IT operations, and anything else your organization deems worthy of more robust user privileges.
Another task best completed at the onset of your zero trust journey is identifying users and devices and crystallizing authentication protocols. Solutions like IAM go beyond single sign-on (SSO) or multi-factor authentication (MFA) as an auditing mechanism for identity governance.
2. Map Traffic Flows
Identifying how your sensitive data moves on your network and what devices are accessing it is essential to protecting that information. By mapping your traffic flows, you gain actionable intelligence regarding the interdependencies of your most important segments, devices, and network. As you consider who will need to access what, this analysis will provide added context to your data’s purpose. IT administrators can then refine controls to ensure only permitted traffic flows are valid and place boundaries between the different zones and segments.
Devices play a vital role at this stage, as you can also determine how users are accessing the network and segments. By managing device inventory for your internal organization, administrators can distinguish managed from unmanaged devices and plan for each scenario. With larger organizations and networks, endpoint detection and response (EDR) and user and entity behavior analytics (UEBA) have emerged as additional tools to stop attacks in their tracks.
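The flow-mapping step above is easiest to see on data. The script below is an added example, not code from the original article or from any vendor it mentions: it parses a constructed flow log (source, destination, port, application, user), assigns each address to an assumed segment, aggregates the segment-to-segment edges, and pulls out two things an administrator wants before writing policy: every flow that terminates inside the protect surface, and every flow where a user segment reaches a protect-surface segment directly instead of through the application tier. The segment CIDRs, segment names, user names and protect-surface membership are all assumptions.

```python
"""Traffic-flow mapping for a zero trust rollout (added example, not the
article's or any vendor's code). All segment CIDRs, names and flow records
below are constructed for illustration."""
import ipaddress
from collections import defaultdict

# Assumed segment layout: segment name -> CIDR.
SEGMENTS = {
    "hr-db":      ipaddress.ip_network("10.10.0.0/24"),
    "finance-db": ipaddress.ip_network("10.20.0.0/24"),
    "app-tier":   ipaddress.ip_network("10.30.0.0/24"),
    "user-lan":   ipaddress.ip_network("10.40.0.0/22"),
    "vpn-pool":   ipaddress.ip_network("172.16.0.0/16"),
}

# Assumed protect surface (sensitive data) and the segments users sit in.
PROTECT_SURFACE = {"hr-db", "finance-db"}
USER_SEGMENTS = {"user-lan", "vpn-pool"}

# Constructed flow log, one record per line: src_ip dst_ip dst_port app user
FLOW_LOG = """\
10.40.1.15 10.30.0.5 443 hr-portal alice
10.30.0.5 10.10.0.7 5432 postgres svc-hr-portal
10.40.2.8 10.10.0.7 5432 postgres bob
172.16.4.2 10.20.0.9 1433 mssql carol
10.30.0.6 10.20.0.9 1433 mssql svc-finance-app
10.40.1.15 10.30.0.5 443 hr-portal alice
"""


def segment_of(ip: str) -> str:
    """Map an address to the first segment whose CIDR contains it."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"


def parse_flows(text: str) -> list:
    """Turn the whitespace-separated log into a list of flow dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, port, app, user = line.split()
        flows.append({"src": src, "dst": dst, "port": int(port),
                      "app": app, "user": user})
    return flows


def map_flows(flows: list) -> dict:
    """Aggregate flows into (src_segment, dst_segment) edges with the
    applications, users and ports seen on each edge."""
    edges = defaultdict(lambda: {"apps": set(), "users": set(),
                                 "ports": set(), "count": 0})
    for f in flows:
        edge = edges[(segment_of(f["src"]), segment_of(f["dst"]))]
        edge["apps"].add(f["app"])
        edge["users"].add(f["user"])
        edge["ports"].add(f["port"])
        edge["count"] += 1
    return dict(edges)


def protect_surface_flows(edges: dict) -> dict:
    """Only the edges that terminate inside the protect surface."""
    return {k: v for k, v in edges.items() if k[1] in PROTECT_SURFACE}


def direct_user_access(edges: dict) -> dict:
    """Edges where a user segment reaches the protect surface without
    going through the application tier; each one needs a decision."""
    return {k: v for k, v in edges.items()
            if k[0] in USER_SEGMENTS and k[1] in PROTECT_SURFACE}


if __name__ == "__main__":
    edges = map_flows(parse_flows(FLOW_LOG))
    print("flows into the protect surface:")
    for (src, dst), e in sorted(protect_surface_flows(edges).items()):
        print(f"  {src:>10} -> {dst:<10} ports={sorted(e['ports'])} "
              f"apps={sorted(e['apps'])} users={sorted(e['users'])} n={e['count']}")
    print("direct user-to-data flows to review:")
    for (src, dst), e in sorted(direct_user_access(edges).items()):
        print(f"  {src:>10} -> {dst:<10} users={sorted(e['users'])}")
```

On the constructed log, the application tier's database connections show up as the expected edges, while bob (from the office LAN) and carol (over VPN) reach the databases directly; those are exactly the flows the mapping step exists to surface, so they can be either reworked through the application or written into policy deliberately.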
3. Construct Your Micro-Perimeters
Now that you have identified your protect surface, mapped flows and devices, you’ve got what you need to create your organization’s zero trust environment, and the fun begins. Using a next-generation firewall (NGFW), you can establish a segmentation gateway or micro-perimeter around the protect surface. These segmentation gateways offer you application-level inspection and access control to stop potential actors from reaching your most sensitive segments. Completing this is even easier nowadays, as software-defined networking (SDN) platforms can enable you to deploy filters within the network fabric.
4. Configure Access Policies
You’ve defined your protect surface, mapped transaction flows, and deployed segmentation gateways or NGFWs, so your network is ready for the trusty Kipling Method. By answering the following questions provided by Palo Alto Networks, you’ll be able to design and enforce granular policy enabling privileged user access and safe application communication.
- Who should be accessing a resource?
- What application is accessing a resource inside the protect surface?
- When is the resource being accessed?
- Where is the packet destination?
- Why is this packet trying to access this resource within the protect surface?
- How is the packet accessing the protect surface via a specific application?
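The six Kipling questions map directly onto the fields of an access rule, and the monitoring step that follows depends on every denial being recorded. The code below is an added example, not the article's or Palo Alto Networks' code: each rule answers who, what, when, where and how for one protect-surface resource and carries its "why" as the documented business purpose; any request not explicitly allowed is denied (the default-deny posture the article describes) and written to an audit log with the question it failed. The rules, user groups, resource names and protocol labels are assumptions.

```python
"""Kipling Method access policy with default deny (added example, not the
article's or any vendor's code). Rules, groups and resource names are
constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, time


@dataclass
class Rule:
    who: set     # user groups allowed to reach the resource
    what: set    # applications allowed to carry the request
    when: tuple  # (start, end) local time window as datetime.time
    where: set   # protect-surface resources this rule covers
    how: set     # protocol/port the application is allowed to use
    why: str     # documented business purpose, kept with the rule for audit


@dataclass
class Request:
    user: str
    groups: set
    app: str
    at: datetime
    dest: str
    proto: str


# Assumed policy for two protect-surface resources.
POLICY = [
    Rule(who={"hr-analysts"}, what={"hr-portal"},
         when=(time(7, 0), time(19, 0)), where={"hr-db"},
         how={"tcp/5432"},
         why="HR analysts run payroll reports through the HR portal"),
    Rule(who={"finance-app-svc"}, what={"finance-app"},
         when=(time(0, 0), time(23, 59, 59)), where={"finance-db"},
         how={"tcp/1433"},
         why="Finance application reads the ledger around the clock"),
]

# Every denial lands here; step 5 (monitor and maintain) reviews it.
AUDIT_LOG: list = []


def _in_window(window: tuple, at: datetime) -> bool:
    start, end = window
    return start <= at.time() <= end


def _deny(req: Request, reason: str) -> tuple:
    AUDIT_LOG.append({"user": req.user, "app": req.app, "dest": req.dest,
                      "proto": req.proto, "at": req.at.isoformat(),
                      "reason": reason})
    return "deny", reason


def evaluate(policy: list, req: Request) -> tuple:
    """Return ("allow", why) if some rule answers every question for the
    request, otherwise ("deny", reason). Nothing is allowed by default."""
    candidates = [r for r in policy if req.dest in r.where]   # "where"
    if not candidates:
        return _deny(req, f"no rule covers {req.dest}")
    failures = []
    for rule in candidates:
        checks = {
            "who":  bool(req.groups & rule.who),
            "what": req.app in rule.what,
            "when": _in_window(rule.when, req.at),
            "how":  req.proto in rule.how,
        }
        if all(checks.values()):
            return "allow", rule.why
        failures.append([q for q, ok in checks.items() if not ok])
    return _deny(req, f"{req.dest}: failed {failures}")


if __name__ == "__main__":
    morning = datetime(2021, 6, 1, 10, 0)
    night = datetime(2021, 6, 1, 22, 30)
    requests = [
        Request("alice", {"hr-analysts"}, "hr-portal", morning, "hr-db", "tcp/5432"),
        Request("bob", {"hr-analysts"}, "psql", morning, "hr-db", "tcp/5432"),
        Request("alice", {"hr-analysts"}, "hr-portal", night, "hr-db", "tcp/5432"),
        Request("carol", {"finance"}, "ssms", morning, "payroll-share", "smb"),
    ]
    for r in requests:
        print(r.user, r.app, "->", r.dest, evaluate(POLICY, r))
    print(f"{len(AUDIT_LOG)} denials logged for review")
```

In the sample run alice is allowed through the portal during business hours, bob is denied because a direct psql client is not the approved application, alice's late-night request fails the "when" question, and the payroll share is denied because no rule covers it at all. The audit entries name the failed question, which is what makes the "investigate and resolve the connectivity issue" loop in step 5 practical rather than a guessing game.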
5. Monitor and Maintain
Once your zero trust network is in place, the task of monitoring and maintaining the network architecture begins. Your network administrators now have access to review all logs up to Layer 7, giving them insight into the operational aspects of zero trust policies. By inspecting and logging all traffic, your organization can use and enforce what it’s learned to continue improving its network security. Eventually, your organization may reach “D-Day,” when your network switches from default ‘allow’ to default ‘deny’ for any flow anomalies.
Securing a network’s data and applications while offering uninterrupted and convenient access is the constant balancing game for any organization. While the default ‘deny’ function could deny access to an intended user or device, it’s an opportunity to investigate and resolve the specific connectivity issue. Whether this potential time lost is worth more robust security through zero trust is up to your organization. As for savings to your organization, moving other sensitive segments from legacy networks to your zero trust network can also be cost-effective and non-disruptive.
Trust nothing, verify everything
With a fear that too much trust could be an organization’s most dangerous threat, it’s no surprise to see a movement towards this least-privilege access model. Traditional tools like firewalls, VPNs, and NAC were used to secure the network at the perimeter. Today, however, internal access from consumers, remote workers, and IoT devices poses even more risk. By establishing a zero trust environment, every user and device requires authentication. While the task is daunting, IT professionals who’ve taken on the challenge agree: starting small is better than not starting at all.