We are here to talk about going back to Zero!!!
Today’s enterprises are home to hundreds of applications that are critical to their core business. However, a paradigm shift in the landscape of Information Technology due to cloud adoption, remote workforce, and mobility has forced organizations to rethink their security approach to keep bad actors from accessing their systems and data.
The buzzword in recent times has been Zero Trust, a security model many organizations are working at a frantic pace to fully implement. The zero in Zero Trust is what I refer to here as going back to Zero, fundamentally diminishing the inherent trust that traditional networks relied on for so long. In this blog, we will discuss the guiding principles that will help you along this journey. Before we dive into the mix and start implementing Zero Trust, however, let us break down and understand its pieces.
A Flight Journey to Zero – What is Zero Trust?
The concept of Zero Trust has been around for a long time and is analogous to the ubiquitous Least Privilege Access model. Zero Trust means that there won’t be inherent trust. Instead, the actor needs to establish trust to access the protected resources.
Envision it this way: let’s say you’re about to get on a flight. You go to the airport with your bags to board the flight that will take you to your destination. You are stopped in your tracks by the airport security to prove who you are and where you need to go. You show your passport and your boarding pass, which the security officer duly checks and signs off on, thus allowing entry. Then your bags are checked and you are directed towards the gate to board your flight.
You head to the gate mentioned on your boarding pass, which is checked once more—possibly along with your passport—before allowing you to board the flight. During your stay at the airport, you will be continuously monitored and only provided access to the terminal. You are prohibited from entering other secure areas in the airport. You can be frisked or asked to prove your identity if you are found suspicious, and the airport security team can throw you out or arrest you if you are found indulging in malicious practices.
Relating the above example to the Zero Trust model, you are the Subject (passenger) who is trying to access an application (the airplane) that takes you to your destination (protected information). You are asked to authenticate with your credentials (passport) and authorization (boarding pass). Your attributes and device posture (bags are checked) are duly checked and then you are allowed entry into the micro-segmented network (specific terminal and no other secure area). The user is then subjected to multifactor authentication (MFA)— the additional verification at the gate—before the user is allowed access to the resource. The user request is continuously monitored and if malicious activity is discovered, the trust is broken and the user is denied access to the application and network.
Guiding principles to implement Zero Trust
Zero Trust revolves around the following guiding principles:
- Evolving Perimeter
Although the concept of Zero Trust has been around for a few decades under different names, implementing it has not been a priority. The IT landscape is continuously changing and evolving along with it is the perimeter. Defending the perimeter can no longer be based on the archaic castle wall security model. Due to the impact of COVID-19, the entire IT landscape has undergone a major change and along with it the threats. Cloud adoption and the need to support secure remote access for a workforce that could be located anywhere has eroded the idea of the traditional network perimeter. Zero Trust would be the answer to integrating security throughout the network, not just at the perimeter while mitigating risk at the perimeter level itself.
- Zero Inherent Trust
The basic premise of a well-laid out Zero Trust Architecture is that it would assume malicious intent until otherwise proven. Zero Trust assumes that all requests to applications and services are incoming with malicious intent and would need to be verified at the perimeter level itself. With the advent of cloud and container-based applications, it becomes essential to have the risk uncovered at the perimeter level and baselines created to mitigate the risk from every asset that is communicating.
- Access Happens Everywhere
Implementation of Zero Trust Architecture results in the attainment of better visibility across networks, applications, devices and containers as the security state would be verified upon every request. How do you get visibility and ensure secure access? Enable automated visibility and trust verification. We would be establishing trust by verifying device posture as well as user and device profile, and then enforcing trust based access to applications under the Zero Trust umbrella.
- The 3 Ws – Workforce, Workplace and Workload
Zero Trust revolves around the 3 Ws—Workforce, Workplace, and Workload. Workforce refers to establishing the trust levels of users and devices to determine their appropriate access privileges. Workplace refers to implementing trust-based access control on networks an organization controls, and Workload involves preventing unauthorized access within the micro-segmented networks irrespective of where they are hosted.
- Continuous Trust Verification
Although we talk about mitigating the threat at the perimeter itself, continuous trust verification is also an inherent feature of a well-established zero-trust model. You would establish trust by verifying identity using MFA, device posture and location, and enforcing least privilege access to networks, applications, and resources. Afterward, you would regularly check to make sure the user or device continues to meet the original standard used to establish trust.
Implementation of a Zero Trust Security Model
Before embarking on your journey to Zero, take into consideration the use cases and scenarios under which your organization needs Zero Trust. The IDSA has put together a number of resources to help you keep marching towards Zero.
- The Path to Identity Starts with Zero Trust (whitepaper)
- The Zero Trust Myths Blog Series (blog series)
- Zero Trust: Where Do You Start? (blog)
- Beyond Humans: Machines and Zero Trust (blog)
- Adobe Customer Story
- LogRhythm Customer Story
- Making Sense of Zero Trust: Perspectives from Inside and Outside Government Organizations (webinar)
About the Author: Thani Anandan is a Global Director – IdM & Security at LikeMinds Consulting Inc. He focuses on building large security teams and works on enterprise implementations of IAM and Cloud Security models.