The Road to Zero Trust: The Journey varies but the destination is the same
November 2020 by Bryan Embrey, Sr. Product Marketing Manager, Pulse Secure
Perimeter-centric strategies for network security don’t work anymore, largely because the “perimeter” is fast becoming obsolete in a virtualised, decentralised, and hybrid IT world. For many companies that are migrating to cloud-first operations or embracing Digital Transformation, the traditional perimeter is more elastic than ever. As a result, user experience can suffer: no one wants to be locked out, inconvenienced, or worse, have their digital selves compromised.
Technological shifts and trends like IoT and BYOD have changed how data is shared and managed, resulting in an amorphous perimeter which can no longer be secured by legacy firewall approaches. Dynamic workloads moving across hybrid environments, combined with an influx of novel vulnerabilities and risks (including ransomware), have resulted in traditional security models being put to the proverbial test.
As such, the reliance on traditional security architectures has revealed gaps exposing vulnerable vectors, enabling cyber criminals to breach perimeter defences and move laterally within internal networks, often going undetected for weeks, months, and in some cases, years before being discovered.
Recognition of these types of challenges and limitations—namely, the requirement to eliminate unauthorised network access—has led to the adoption of Zero Trust.
While Zero Trust has been a dominant topic across cybersecurity for only the past few years, the concept has been around longer, gaining acceptance in 2010 when Forrester Research Analyst John Kindervag formalised the “Zero Trust Model” of cybersecurity. In short, it is both an architectural model for networks and a framework for setting security policies.
Based on the maxim “Never trust, always verify,” Zero Trust relies on strict verification and validation of every person, device, or entity attempting to access network resources, supplementing perimeter-based defences rather than relying on them alone. It evaluates access requests and network traffic behaviour in real time, with the primary goal of protecting data, applications, and business-critical systems from attacks and exploits.
Know Your Risk Tolerance
Cybersecurity has become a board-level concern and implementing a Zero Trust strategy to defend a constantly evolving attack surface can aid organisations in helping mature their security postures.
Breaches and attacks can negatively impact shares, cause reputational damage, and in some regulated industries, result in fines and penalties. With so much at stake, Boards of Directors and C-level decision-makers need to ask pointed questions around “risk tolerance” such as:
● What are we trying to protect, and what are we trying to prevent from happening?
● What is the worst possible outcome?
Zero Trust Principles
Enterprises and organisations who have yet to take their first steps toward adopting Zero Trust are often overwhelmed by the variety of solutions and services to implement such an initiative. Although deploying a comprehensive Zero Trust strategy may seem daunting, several principles can be applied to help organisations reduce exposure and unauthorised access across the threat landscape. These principles can easily become a part of any Zero Trust security strategy, including:
● Principle of Least Privilege (POLP): A policy in which end-users are given the minimum amount of access they need to carry out their jobs. This reduces the paths available to malware and attackers and lowers the chances of data exfiltration.
● Multi-factor Authentication (MFA): A security method that requires individuals to authenticate with more than one independent factor. Typically, this is a combination of something one knows (e.g. a password or PIN), something one has (a fob, badge, etc.), and something one is (biometrics such as fingerprint or voice recognition).
● Security posture verification: The process of not only authenticating the user, but also assessing the device, its security configuration, and other attributes such as network or location, to calculate a security posture and decide whether a request to access resources and applications should be granted. Given the increase in workplace flexibility and endpoint threats, device compliance checks are necessary to ensure users are not connecting from vulnerable or compromised endpoints.
● Micro-segmentation: A network is divided into separate segments or “secure zones” in data centres or in cloud deployments that require different access credentials to help isolate workloads. This also helps limit lateral (or East-West) movement in internal networks if breached.
Four Key Actions to Take on the Journey to Zero Trust
The overarching Zero Trust tenet “never trust, always verify” underscores the necessity that users, devices, and entities must be properly verified and authenticated before being granted access. At the front gate, for example, a user would ideally face some kind of multi-factor authentication combined with Single Sign On (SSO) to provide further layers of security.
From that point, an entity can be authenticated at every stage through the network using a combination of factors such as device ID, security posture, and the behaviour of those devices. That process can also use contextual factors like IP address, time of day, and other markers, matched against user profiles and roles, to make sure that no entity is behaving suspiciously or deviating from known normal behaviour and activity.
2. Conditional Access
The Zero Trust model draws heavily from the “Principle of Least Privilege” which is the notion that users should only have access to the resources that are required to do their job. Tight and granular access control is another fundamental part of Zero Trust architecture.
Dealing with an elastic perimeter which extends outside of the traditional data centre means that access has to be strictly allocated according to roles and permissions. Furthermore, the entity accessing an application or network resource must be constantly authenticated, and if it were to suddenly fall out of compliance, access could be revoked or limited.
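The posture verification, continuous authentication, and conditional access described above come together in a policy decision point. The following is an added example, not Pulse Secure code or any product's API: a constructed policy engine that checks MFA, role-based entitlement (least privilege), device compliance, and contextual signals (time of day, source network) on every request, and re-evaluates a session when fresh posture data arrives so that a device that falls out of compliance loses access. Role-to-resource mappings, posture checks, and the corporate IP range are all assumptions.

```python
from dataclasses import dataclass, replace

# Constructed least-privilege policy: which roles may reach which resources.
ROLE_RESOURCES = {
    "finance": {"erp", "payroll"},
    "engineer": {"git", "ci"},
}

# Constructed device-posture checks every endpoint must pass.
REQUIRED_POSTURE = {"disk_encrypted": True, "edr_running": True, "os_patched": True}


@dataclass
class AccessRequest:
    user: str
    role: str
    resource: str
    mfa_verified: bool
    device_posture: dict
    source_ip: str
    request_hour: int  # 0-23, local time of the request


def posture_failures(posture: dict) -> list[str]:
    """Return the posture checks the device fails (empty list means compliant)."""
    return [k for k, v in REQUIRED_POSTURE.items() if posture.get(k) != v]


def evaluate(req: AccessRequest) -> tuple[str, str]:
    """Policy decision for one request: ('allow' | 'limited' | 'deny', reason).
    Nothing is trusted by default; identity, entitlement, posture and context
    are all checked on every request."""
    if not req.mfa_verified:
        return "deny", "mfa required"
    if req.resource not in ROLE_RESOURCES.get(req.role, set()):
        return "deny", f"role {req.role} not entitled to {req.resource}"
    failures = posture_failures(req.device_posture)
    if failures:
        return "deny", "device non-compliant: " + ", ".join(failures)
    # Contextual signals: off-hours access from outside the (constructed)
    # corporate 10.0.0.0/8 range is downgraded to limited access, not blocked.
    off_hours = not 7 <= req.request_hour < 19
    external = not req.source_ip.startswith("10.")
    if off_hours and external:
        return "limited", "off-hours access from external network"
    return "allow", "all checks passed"


def reevaluate(req: AccessRequest, fresh_posture: dict) -> tuple[str, str]:
    """Continuous verification: re-run the decision with fresh posture data so a
    device that falls out of compliance loses access mid-session."""
    return evaluate(replace(req, device_posture=fresh_posture))
```

A real deployment would feed posture from an endpoint agent and entitlements from the identity provider; the decision logic stays the same.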
Zero Trust protects data and applications through encryption and micro-segmentation. Encryption protects data in motion so that sensitive data remains safe from possible threat actors. Techniques like Always-on, On-demand, and Per-app VPN ensure that sensitive information remains protected regardless of the user's location, their device, or which applications are being accessed.
Micro-segmentation, on the other hand, restricts access to individual applications or resources only to authorised users through fine-grained policies. This prevents widespread east-west movement within your network so that a breach, should it occur, is both considerably restricted and easier to detect.
4. Draw Your Own Map
The path to implementing Zero Trust will vary by organisation, and plenty of solutions and services can bring you closer. A modern Zero Trust network configuration will involve a collection of technologies and coordination of controls such as Network Access Control, Virtual Private Network, Multi-factor Authentication, Single Sign On and other tools, all working collectively to achieve Zero Trust defence capabilities. Finding an integrated platform minimises security silos while providing network functionality and visibility to enable a successful shift into Zero Trust.
Although the paths to Zero Trust are different for each organisation, the principles are the same. Understanding how your network is currently configured, how data flows through it, and how access is enabled will accelerate your organisation’s movement toward Zero Trust.