The Zero Trust model

With exponential growth in cloud technology and the mobile workforce, the corporate network perimeter has been redefined. The traditional perimeter-based security approach is found to be ineffective as the resources are hosted in multi-cloud and hybrid scenarios. Today, organizations need a new security model that can provide secure access to their resources, irrespective of where they are accessed from and regardless of user or application environment. A Zero Trust security model helps in embracing the mobile workplace and helps in protecting identities, devices, apps, and data wherever they are located.

The Zero Trust model operates on the principle of “trust no one, verify everything, every time.” This means that all users, devices, applications, and data that flow within an organization’s network should be verified explicitly before being granted access to resources:

Figure 1.8 – The Zero Trust model (https://www.itgovernance.co.uk/blog/wp-content/uploads/2015/07/PPT-Diagram-Blog.png)

Zero Trust guiding principles

The Zero Trust model has three principles based on NIST guidelines:

• Verify explicitly: The “verify explicitly” principle of Zero Trust means that access should be granted only after a user or device’s identity and security posture have been verified and authenticated. This requires the use of strong authentication mechanisms, such as MFA, that require users to provide additional forms of authentication beyond just a password, such as a fingerprint scan, facial recognition, or a one-time code. In the case of devices, they must be assessed and verified before they are granted access to resources within an organization’s network. This involves evaluating the device’s security posture to ensure that it meets a minimum set of security standards, such as having the latest security patches, running up-to-date antivirus software, and having strong passwords or other authentication mechanisms in place. Devices that do not meet these security standards are either denied access or granted limited access until they can be remediated and brought up to the required security standards.
• Least privilege access: Least privilege access refers to Just-in-Time (JIT) access, which means elevating the permission as and when required to perform some tasks and then bringing back the default access with Just Enough Administration (JEA) to perform day-to-day tasks.
• Minimize the blast radius: This refers to the assume breach mindset, where you build your defense while keeping the worst-case scenario in mind so that even if some external or internal breach occurs, there is a minimum impact on the organization. Network segmentation, end-to-end encryption, advanced threat detection, and deeper analytics visibility are some practices to minimize the blast radius.

These guiding principles help us in understanding the baseline on which we define the conditions for the Zero Trust model. Now, let’s understand which guidelines apply to which pillars.

The six foundational pillars

The following are the six pillars of the Zero Trust model. They work together to provide overall robust security for your infrastructure:

• Identities: Identities can refer to users, devices, or applications/services. It is important to verify and secure each identity with strong authentication across your entire digital estate. When an identity (user/device/service) attempts to access a resource, it must be verified with strong authentication and follow the least privilege principle.
• Endpoints: These are the carriers through which data flows on-premises and in the cloud; hence, they are the reason for creating large attack surfaces in many cases. It is important to have the visibility of devices accessing the network and notice their activities. A device’s security posture and health, from a compliance perspective, is an important aspect of security.
• Applications: Discovering the shadow IT and in-app permissions is critical because applications are the way organizations’ data is consumed. Not all applications’ access management is managed centrally, so it is important to put a stringent process for access reviews and privileged identity management (PIM) in place.
• Data: Cloud computing services and offerings have completely changed the way data was managed traditionally, which resulted in perimeter-based whitelisting not being effective anymore in current hybrid/multi-cloud/SaaS-based systems. Many organizations do not have complete visibility of what kind of data they are dealing with, the most critical data, and where it resides in the organization. That is why it is important to discover, classify, label, and encrypt data intelligently based on its attributes. The whole effort is to protect the organization’s critical data and ensure that data is safe from both internal and external threats. This is critical especially when data leaves devices, applications, infrastructure, and the network controlled by the organization.
• Infrastructure: Threats and attack vectors are very much a reality, whether they are on-premises or in the cloud. You can use intelligence-based telemetries such as JIT access, location, devices, and version to detect anomalies and attacks for ensuring security. This helps allow/block or automatically take action for any risky behavior almost at runtime, such as continuous failed login attempts.
• Networks: To make this pillar stronger, it is important to ensure that the devices are not trusted by default, even if they are in a trusted network. Implementing end-to-end encryption, reducing the attack surface by policy, network segmentation, in-network micro-segmentation, and real-time threat detection are some of the critical practices to keep in place.

Implementing all six pillars strongly is extremely hard to achieve. It becomes even more challenging when organizations have an enormously complex and hybrid infrastructure where they do not include security as a priority at an early stage. Now, let’s understand the difference between security and compliance.