How Does Zero Trust Security Work?
Zero trust in cybersecurity refers to a set of principles, policies, initiatives, frameworks, and architectures based on the “Never trust, always verify” model. Zero trust security assumes that no user, asset, or resource is trustworthy by default: each must be verified and continually evaluated for every session and every activity before access is granted. Essentially, zero trust is a form of highly granular, distributed trust based on the computing session scenario and the users, systems, and data involved.
For example, in a traditional computing environment, a session is typically validated once, at login, based only on a username and password and sometimes an ID token. In a zero trust model, it isn’t just the user that is validated but also the device, network, time of day, type of data, purpose of the session, the activity that happens during the session, and so on. Zero trust experts sometimes refer to this as the “who, what, where, when, why, and how.” If any one of those attributes is examined and found to fall outside the acceptable-use boundaries, access is reevaluated and potentially revoked, even in the middle of a session.
A common analogy that is often used to describe zero trust is that of building security. A security guard sitting at the front desk reception area of the building is the equivalent of a traditional, static, network-based perimeter. In zero trust, not only is there a security guard sitting at the front desk reception area, but there are also security guards stationed at each elevator, each stairwell, and each doorway into offices on each floor.
What is a Zero Trust Architecture?
A zero trust architecture (ZTA) (also sometimes called a zero trust network, zero trust framework or security framework, or zero trust security architecture) is an end-to-end approach that involves zero trust policy, zero trust technology, and systems architected to manage security as it relates to credentials, identities, access, operations, endpoints, hosting environments, and infrastructure. A ZTA deployment can include components that are either on-premise or cloud-based. A zero trust architecture often applies application-layer (Layer 7) inspection, which examines the content of requests rather than just addresses and ports, together with the “Kipling Method” to confirm the validity of who or what is requesting access by answering the six questions of who, what, where, when, why, and how.
ZTA core components typically include:
- A policy engine (PE), which makes the decision to grant or deny a subject access to a resource.
- A policy administrator (PA), which establishes and shuts down the communication path between a subject and a resource based on the PE’s decision, and generates any session-specific authentication tokens or credentials.
- A policy enforcement point (PEP), which enables, monitors, and terminates connections between a subject and a resource.
Additional ZTA components may include:
- Data sources that provide input and policy rules used by the policy engine.
- A continuous diagnostics and mitigation (CDM) system to assess the current state of the assets and apply any updates to configurations or software.
- Threat intelligence feeds that provide threat and vulnerability data from internal or external sources and help the PE make decisions.
- Network and system activity logs that combine logs, network traffic, actions, and events.
- Data access policies with attributes and rules on access to resources.
- An enterprise public key infrastructure (PKI) to generate and log certificates issued by the enterprise.
- An ID management system to create, store, and manage enterprise user accounts and identities.
- A security information and event management (SIEM) system to collect security information for analysis.
Zero trust network access can be implemented in multiple ways to support workflows and may include some or all of the components listed above and vary in their source for policy rules. Approaches can also include micro-segmentation, identity governance, and network-based segmentation. Overall, companies typically design their zero trust architecture based on how they conduct business and existing security policies.
Network Segmentation: Network segmentation involves separating a network into smaller zones to maintain divisions, control access, and contain attacks; micro-segmentation applies the same idea at a finer grain, down to individual workloads or devices. Segmentation starts with defining mission-critical assets, including devices, data, applications/software, and services, and placing a segmentation gateway in front of them. This gateway inspects every request for access by people, devices, or systems and applies security policy to scrutinize it before access is granted.
Identity Governance: An approach within a ZTA in which policies are built around the identity and attributes of the subject making the request. Access to a resource is granted based on the privileges assigned to that subject, the type of device used, the asset’s status, and other environmental factors, such as an elevated threat level.
Network Infrastructure and Software-defined Perimeters: A ZTA approach that uses network infrastructures. In this approach, the policy administrator serves as the network controller to define and reconfigure the network based on policy enforcement decisions. There are multiple variations for this model based on cloud virtual networks, non-IP-based networks, and other network models.
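To make the PE/PA/PEP split and the who/what/where/when/why/how evaluation concrete, here is an added example in Python; it is not code from this page or from any particular product. The policy engine checks each attribute of a request against a small, constructed data access policy, the policy administrator opens a session only on an allow, and the enforcement point asks the engine again on every request so that a change in device posture revokes access mid-session. Every name, resource, zone, hour window and reason string in it is an assumption made for the example.

```python
from dataclasses import dataclass

@dataclass
class Subject:                  # who
    user: str
    roles: frozenset
    mfa_verified: bool

@dataclass
class Device:                   # what is connecting; posture as reported by CDM/EDR
    device_id: str
    managed: bool
    patched: bool
    compromised: bool = False

@dataclass
class Request:
    subject: Subject
    device: Device
    resource: str               # what is being accessed
    action: str                 # how (read/write)
    src_zone: str               # where the request originates
    hour: int                   # when (hour of day, 0-23)

@dataclass
class Decision:
    allow: bool
    reason: str

# Hypothetical data access policy, one of the PE's inputs (constructed for this example).
RESOURCE_POLICY = {
    "hr-db": {"roles": {"hr"}, "restricted": True, "hours": (8, 18), "zones": {"corp", "vpn"}},
}

class PolicyEngine:
    def evaluate(self, req, threat_level="low"):
        """Check every attribute of one request; anything unmatched is denied."""
        pol = RESOURCE_POLICY.get(req.resource)
        if pol is None:
            return Decision(False, "unknown resource (default deny)")
        if not req.subject.roles & pol["roles"]:
            return Decision(False, "role not permitted for resource")
        if not req.subject.mfa_verified:
            return Decision(False, "MFA not verified")
        if not req.device.managed or not req.device.patched or req.device.compromised:
            return Decision(False, "device posture check failed")
        if req.src_zone not in pol["zones"]:
            return Decision(False, "source zone not permitted")
        start, end = pol["hours"]
        if not start <= req.hour < end:
            return Decision(False, "outside permitted hours")
        if pol["restricted"] and threat_level == "high" and req.action != "read":
            return Decision(False, "writes to restricted data blocked at high threat level")
        return Decision(True, "all attributes within policy")

class PolicyAdministrator:
    def __init__(self, engine):
        self.engine = engine
        self.sessions = {}                 # token -> user
        self._issued = 0

    def open_session(self, req):
        """Open a session only on a PE allow; hand back a session token."""
        decision = self.engine.evaluate(req)
        if not decision.allow:
            return None, decision
        self._issued += 1
        token = f"sess-{self._issued}"     # hypothetical opaque token
        self.sessions[token] = req.subject.user
        return token, decision

class PolicyEnforcementPoint:
    def __init__(self, admin):
        self.admin = admin

    def handle(self, token, req):
        """Gate one request: needs a live session and a fresh PE approval every time."""
        if self.admin.sessions.get(token) != req.subject.user:
            return Decision(False, "no active session for subject")
        decision = self.admin.engine.evaluate(req)   # continuous re-evaluation
        if not decision.allow:
            self.admin.sessions.pop(token, None)     # PA tears the session down
            return Decision(False, "session terminated: " + decision.reason)
        return decision

def demo():
    """One session: granted, used, then revoked mid-session when device posture changes."""
    pa = PolicyAdministrator(PolicyEngine())
    pep = PolicyEnforcementPoint(pa)
    alice = Subject("alice", frozenset({"hr"}), mfa_verified=True)
    laptop = Device("lt-alice", managed=True, patched=True)
    req = Request(alice, laptop, "hr-db", "read", "corp", hour=10)
    token, first = pa.open_session(req)    # allow
    second = pep.handle(token, req)        # allow: nothing has changed
    laptop.compromised = True              # CDM/EDR now reports the device compromised
    third = pep.handle(token, req)         # deny and terminate the session
    fourth = pep.handle(token, req)        # deny: the session no longer exists
    return first, second, third, fourth

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Running the file prints the four decisions from demo(): the first two allow, the third denies and tears the session down once the device is reported compromised, and the fourth is refused because the session no longer exists. The order of checks does not change the outcome, only the reason string; in a real deployment the reason belongs in the audit log, not in the message shown to the subject, so that a probing attacker learns nothing about the policy.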
Why is Zero Trust Important?
In today’s digital computing environment, the concept of “good guys” and “bad guys” can get fuzzy. There are the true “bad guys”— the cyber criminals, the nation-state threat actors, the hackers, and disgruntled employees. Then, there are the “good guys” that unintentionally cause problems, such as a completely trustworthy employee who, in a normal computing session, inadvertently gains access to information they shouldn’t — such as staff salary and benefits data.
Moreover, threats don’t always show up in the form of people. Devices, systems, and networks that connect can pose threats as well. For example, an authorized IoT device that regularly connects to other systems can become a “bad actor” if it has malware installed that can breach the systems it connects with.
Zero trust is important because it doesn’t rely solely on network perimeter security tools and technologies. Instead, it validates more than just the user; it examines and validates the device, network, the type of data being accessed or shared, the session activity, and the time of day the session is taking place to ascertain whether inappropriate or malicious activity is afoot. Zero trust models can help organizations contain and minimize damage from attacks and breaches.
The SolarWinds Example
The massive SolarWinds attack demonstrates why organizations can’t assume that previously authorized individuals, systems, devices, applications, and networks remain trustworthy. The nation-state threat actors involved in the SolarWinds attack took advantage of broadly defined role assignments, excessive user permissions, and abandoned (but still active) accounts and applications. With zero trust security policies and frameworks in place, authentication procedures may have flagged the activity on dormant accounts or unusual actions related to role assignments and user permissions. It is entirely possible that a zero trust approach could have prevented or significantly reduced the damage caused by the SolarWinds attack.
The Sunburst Attack
The Sunburst attack was a sophisticated and far-reaching breach in which attackers inserted a backdoor into a legitimate software update for SolarWinds Orion. The attack compromised thousands of organizations and exploited the implicit trust that organizations often grant within their networks. The attackers moved laterally across networks and inconspicuously gained access to highly sensitive data, shocking the cybersecurity community and clearly illustrating the vulnerabilities in traditional security architectures. The zero trust model has since gained widespread prominence, underscoring the need for consistent security validation to safeguard networks and data.
The NIST 800-207 Standard and Why it Matters
The National Institute of Standards and Technology (NIST) is a federal agency that develops and promotes measurement standards and technology. In cybersecurity, NIST is best known for the guidelines and frameworks that organizations use to manage and mitigate risk. NIST SP 800-207 defines zero trust as "a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as compromised".
NIST SP 800-207 focuses on zero trust architecture (ZTA) and defines its three core logical components: the Policy Engine, the Policy Administrator, and the Policy Enforcement Point. It aims to defend against cybersecurity threats by offering guidance on implementing a ZTA and promoting consistent security measures that adapt to different organizational needs and technologies.
The Principles of Zero Trust
The zero trust security model can be defined by three simple principles:
#1: Validate and continually verify every person that connects to your organization: In zero trust there is no such thing as a trusted user—everyone that accesses your systems and devices should be authenticated. Single sign-on is an efficient and valuable business tool, but if someone’s credentials get stolen, then there could be a major security gap. Technologies like multi-factor authentication should be included with single sign-on to increase security and ensure an improved verification process.
#2: Validate and continually verify every asset (including devices, networks, systems, and applications) that connects to your organization: Assets that connect to your organization and each other within your organization pose as much risk as people, and the location of the network alone does not automatically imply trust. In particular, Internet of Things (IoT) devices (internal or external) are highly susceptible to hacking. Requests for access from internal or enterprise-owned networks should meet the same security standards and requirements as those from external or non-enterprise-owned networks.
#3: Intelligently monitor and limit access to users, assets, and resources: By defining its resources, members, behaviors, credentials, and the level of access needed, an organization can intelligently monitor activities and control access to ensure maximum protection. Continuous diagnostics and mitigation (CDM) or similar systems support monitoring by observing users, resources, and assets and noting unusual or malicious activity. Zero trust systems can also raise alerts when unpatched vulnerabilities are discovered. Intelligent monitoring also involves applying a ‘least privilege’ approach to all tasks and access. Behavioral and environmental attributes that can be monitored include installed software versions, network or device location, time and date of the request, previous behavior, current credentials, automated analytics of the device, task, or user, and the current threat level.
Zero Trust Best Practices
Zero trust approaches and architectures can vary based on the needs, size, goals, and priorities of an organization. At the highest level, to maximize your zero trust implementation, consider these best practices:
- Understand your business practice and security policies: A zero trust approach should align with your business priorities, goals, and risks. This means taking some time to understand what is important to your organization and then documenting your resources, users, and their behaviors.
- Trust no one: No one inside or outside your organization should be automatically trusted when it comes to accessing systems, data, or networks. Always authenticate and authorize every user, session, and even session activity where applicable.
- Conduct data discovery: Take some time to understand the type of data you have, how it flows, its sensitivity, and where it is located. More importantly, make sure you know who has access to this data and whether their access is necessary.
- Ensure complete visibility and ongoing monitoring: To make zero trust effective, you need full visibility into all network and system activities, and you need to be prepared to fully monitor everything that goes on. Real-time monitoring capabilities can help mitigate the effects of a breach by notifying the security team of an intrusion during the earliest stages.
- Log all activity and regularly analyze it: Make sure your zero trust model includes components for both logging activity and analyzing it for unusual or malicious behavior.
- Embrace multi-factor authentication (MFA): Despite the well-documented benefits of MFA, many companies have yet to adopt it. MFA protects against network, system, data, or device compromise by requiring the user to log in with two or more independent factors: something the user knows (a password or PIN), something the user has (a hardware security key or authenticator app), and/or something the user is (a fingerprint, face, or voice).
- Apply ‘least privilege’: Know what type of access your ‘resources’ (users, systems, or devices) need and grant the lowest possible access in all instances to help prevent lateral movement across networks and systems if a breach occurs.
- Make sure your zero trust approach aligns with your overall security strategy: Every organization has different goals, risks, data sensitivities, and regulatory compliance concerns. Your zero trust architecture should reflect these security needs and priorities.
- Implement device access control: Within the zero trust model, device access control ensures that any devices trying to access your network are authenticated and continuously evaluated. Device access control shrinks your attack surface and mitigates potential risks associated with unauthorized and/or compromised devices that are connected to your organization’s network.
- Enforce stricter verification and continuous monitoring: Endpoint security in zero trust enforces stricter verification and continuous monitoring of devices accessing the network, making it easier for your organization to ensure that its endpoints stay up to date with security standards before users are granted network access.
- Begin using advanced analytics: Organizations that seek real-time analysis of their network traffic and user behavior must invest in advanced analytics. The use of advanced analytics allows for the immediate identification of unusual network patterns or other potential threats, enhancing your ability to rapidly detect and respond to security challenges.
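The monitoring practices above (log everything, then analyze it for unusual behavior) can be shown with a small detector. The following is an added Python example, not code from this page or from any product: it walks a handful of constructed authentication log lines (not real data) and raises the kinds of alert the text singles out, a dormant account coming back to life, a user appearing from a device never seen before, and activity outside business hours. The log format, the 90-day dormancy threshold and the 07:00 to 20:00 working window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample of authentication events, oldest first (not real log data).
SAMPLE_LOG = """\
2024-01-05T09:12:00Z user=alice device=lt-alice src=10.0.1.20 result=success
2024-01-05T09:30:00Z user=svc-backup device=srv-bk01 src=10.0.5.7 result=success
2024-03-25T08:59:00Z user=alice device=lt-alice src=10.0.1.20 result=success
2024-04-20T02:14:00Z user=svc-backup device=lt-unknown src=203.0.113.5 result=success
2024-04-20T09:05:00Z user=alice device=lt-alice src=10.0.1.20 result=failure
2024-04-20T09:06:00Z user=alice device=lt-alice src=10.0.1.20 result=success
2024-04-20T22:40:00Z user=alice device=ph-new src=198.51.100.8 result=success
"""

DORMANT_AFTER = timedelta(days=90)   # assumed: no success for 90 days means dormant
WORK_HOURS = range(7, 20)            # assumed business hours, 07:00-19:59 UTC

def parse_line(line):
    """Split '<ts> key=value ...' into a dict with a parsed timestamp."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec

def analyze(log_text):
    """Return (timestamp, user, alert_kind, detail) tuples for anomalous logins."""
    last_seen = {}   # user -> timestamp of last successful login
    devices = {}     # user -> set of device ids seen on successful logins
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["result"] != "success":
            continue  # failures would feed a separate brute-force rule, not this one
        user, ts, dev = rec["user"], rec["ts"], rec["device"]
        if user in last_seen:  # only judge against an established baseline
            idle = ts - last_seen[user]
            if idle > DORMANT_AFTER:
                alerts.append((ts, user, "dormant_account", f"idle {idle.days}d"))
            if dev not in devices[user]:
                alerts.append((ts, user, "new_device", dev))
            if ts.hour not in WORK_HOURS:
                alerts.append((ts, user, "off_hours", f"{ts.hour:02d}:{ts.minute:02d}"))
        last_seen[user] = ts
        devices.setdefault(user, set()).add(dev)
    return alerts

if __name__ == "__main__":
    for ts, user, kind, detail in analyze(SAMPLE_LOG):
        print(f"{ts:%Y-%m-%d %H:%M} {user:<11} {kind:<16} {detail}")
```

The first successful login for each user only establishes a baseline; alerts fire from the second login on. On the sample data the service account that wakes up after 105 days from an unknown device at 02:14 produces all three alerts at once, while alice's daytime logins from her usual laptop produce none. In a ZTA these alerts are one of the data sources the policy engine consumes, so that login is denied or stepped up to MFA rather than merely reported.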
Zero Trust Challenges & Threats
- Proper configuration: In a zero trust architecture, PE and PA components should be properly configured and monitored to ensure enterprise resources can communicate. Changes to configurations should be logged and audited.
- Distributed denial of service (DDoS) attacks or network disruptions: Because the PE, PA, and PEPs sit in the path of every access decision, an attacker who can disrupt them can deny access to every resource behind them. Policy enforcement components should therefore reside in a properly secured environment (on-premise or cloud) and be replicated across multiple locations, so that a single outage or attack cannot take them offline.
- Stolen Credentials: A zero trust architecture with MFA and least privilege can help reduce risk and prevent an intruder with stolen credentials from moving laterally within a network.
- Network and Activity Monitoring: Not all network activity will be fully visible — for example, traffic coming from non-enterprise sources (such as that of a contractor). With a ZTA it is important to collect and analyze metadata (such as source or destination address) on any encrypted traffic to help detect an attack or the possibility of malware communications.
- Stored System Scans and Network Data: Information obtained from ZTA monitoring and analysis can be attractive to cybercriminals because it can offer insight into your enterprise architecture or security policies. You need to place high-level restrictions on who can access this critical information, such as network diagrams, configuration data, access policies, and architecture documents, to prevent it from being used in an attack.
- Automation and Artificial Intelligence: AI and other types of automation can be incredibly useful in a ZTA. However, false positives and false negatives impact your overall security posture. Engage in regular systems analysis to adjust or correct false decisions.
How to Implement Zero Trust
Organizations that decide to implement a zero trust model should follow a few key implementation practices to ensure a solution that is fully aligned with your enterprise requirements.
- Understand that zero trust is a journey: A zero trust implementation is an incremental journey and not a simple replacement of systems, technologies, policies, or infrastructure. Organizations should be prepared to continue to operate and support existing perimeter-based security while investing in a zero trust initiative.
- Create a plan: A roadmap that outlines your IT modernization requirements as you move from your current system to a hybrid zero trust or full zero trust architecture can help smooth the security migration process.
- Understand your assets, users, and processes: Any zero trust implementation needs to begin with a complete and documented understanding of all enterprise assets (virtual and physical), users (people and networks/systems), privileges currently granted, and data flows/business processes. This will help ensure that your ZTA is implemented in alignment with your enterprise’s business functions — and it will help prevent business process failures because a ZTA component denied requests due to missing information.
- Identify all users who access your enterprise assets: Identify all people and ‘non-person entities’ (NPEs) that access and engage with your systems. This includes internal staff, external individuals and organizations, such as contractors, consultants, or vendors, and IoT devices or service accounts that interact with your networks or systems. In addition, identify the types of privileges each user has, including attributes and roles. Flag any ‘blanket permissions,’ apply least privilege, and monitor and analyze how your users operate within your systems to identify behavior patterns.
- Identify all enterprise-owned and -managed devices: Managing and categorizing enterprise assets — including hardware, accounts, applications, and other digital or cloud assets — is critical to a ZTA deployment.
- Identify all non-enterprise assets: Identify and categorize all BYOD devices, vendor systems, and ‘shadow IT’ components to help with access decisions, monitoring, and forensics.
GuidePoint Security is experienced in zero trust workshops, consulting, and implementation. We can help organizations of any size and in any industry navigate the complexities of segmentation, identity governance, security policies, and network infrastructure.