What is the Zero Trust Model?
Never trust, always verify.
In today’s ever-evolving threat landscape, the traditional “trust, but verify” approach no longer seems to work, especially now that it has become increasingly common for threats to originate from within an organization. According to Verizon, 34% of data breaches in 2018 involved internal actors. This is why more and more companies have started to implement a different security model: Zero Trust.
The “Zero Trust” concept is relatively new; the term was coined in 2010 by John Kindervag, a former Forrester analyst. Its architecture allows companies to map out both external and internal security threats and maximize the chances of timely mitigation.
In case you are not familiar with Zero Trust, in this article, I’m going to try to answer some burning questions such as:
- What is Zero Trust and why is it relevant for your organization?
- What principles is Zero Trust based on?
- How can you implement the Zero Trust model?
Defining Zero Trust
As its name indicates, Zero Trust is based on the notion that organizations should not trust any user or device by default, and must therefore verify every single connection before allowing access to their resources. This model came as a response to earlier security approaches that assumed insider threats were nonexistent and focused only on defending organizations from external threats.
Potential malicious actors aren’t the only driver for the Zero Trust initiative. As more and more companies move their workloads to the cloud, or follow a hybrid approach that combines on-premises and cloud applications, the popularity of the Zero Trust model has skyrocketed. An increasing number of employees, as well as their internal and external stakeholders, now access resources from locations worldwide. And since the security perimeter is no longer contained within an office building, and remote users connect to cloud applications from many different locations, cyber-criminals have multiple points of entry.
Therefore, the need for a different approach has grown.
According to the Zero Trust model, nothing, whether inside or outside an organization’s security perimeter, should be trusted by default. Businesses that use the “traditional” security model, which assumes that everything inside their network can automatically be trusted, often fail to defend themselves: once malicious hackers get past a company’s firewall, they can move laterally through its systems with little resistance. Such antiquated security architectures aim only to stop threats from entering an organization; once an attacker is inside and the internal network is left unsupervised, the organization’s sensitive data remains exposed.
On the other hand, the Zero Trust model is built on the principle that one should “never trust, always verify”.
Traditional security architecture vs. Zero Trust architecture
The traditional security architecture is often referred to as the perimeter model, after the castle-and-moat approach encountered in physical security. In this model, protection comes from building multiple lines of defense that attackers must get past before eventually gaining access, while possible insider threats are not taken into account.
The traditional network security architecture divides networks into zones separated by one or more firewalls. Each zone is assigned a certain level of trust, which decides which network resources it is allowed to reach. High-risk resources (such as web servers connected to the public internet) are placed in an exclusion zone (often called a “DMZ” or “demilitarized zone”), where traffic can be closely monitored and controlled.
Below you can see a representation of standard security architecture:
Source: Traditional network security architecture, Zero Trust Networks by Doug Barth, Evan Gilman
By contrast, this is what a Zero Trust network would look like:
Source: Zero Trust network architecture, Zero Trust Networks by Doug Barth, Evan Gilman
Here, the supporting system is called the control plane, and every other component is referred to as the data plane, which is coordinated and configured by the control plane. The control plane allows requests for access to restricted resources only from authenticated and authorized devices and users. At this layer, fine-grained policies based on “role in the organization, time of day, or type of device” can be applied, and access to more sensitive resources can require stronger authentication.
Once the control plane has granted a request, the data plane is configured to accept traffic from that client only.
The main idea is that, even if some compromises are made with regard to the strength of these measures, a trusted third party (the control plane) is given the authority to authenticate and authorize access in real time, based on a variety of inputs rather than on network location alone.
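The following is an added example of what such a control-plane decision can look like; it is written for this article and is not code from the original page or from Barth and Gilman’s book. The resource names, sensitivity tiers, roles, device fields and the permitted-hours rule are all assumptions chosen to illustrate the policy inputs mentioned above (role, time of day, type and health of device, strength of authentication). Note what is deliberately missing from the checks: the client’s network location.

```python
"""Control-plane policy decision for a Zero Trust network (added example).

Illustration written for this article, not code from the original page or
from Barth & Gilman's book. Resource names, tiers, roles and device fields
are assumptions chosen for the example.
"""
import json
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Assumed sensitivity tiers: higher tiers demand stronger authentication.
SENSITIVITY = {"lunch-menu": 0, "wiki": 1, "source-repo": 2, "admin-console": 3}

# Need-to-know mapping from role to the resources it may reach (assumed).
ROLE_ALLOW = {
    "staff": {"lunch-menu", "wiki"},
    "developer": {"lunch-menu", "wiki", "source-repo"},
    "admin": {"lunch-menu", "wiki", "source-repo", "admin-console"},
}


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool            # present in the organisation's device directory
    os_patch_age_days: int   # days since the last OS patch was applied
    disk_encrypted: bool


@dataclass(frozen=True)
class Request:
    user: str
    role: str
    device: Device
    resource: str
    mfa_verified: bool       # did this session present a second factor?
    source_ip: str           # logged for forensics, never used as a trust signal
    when: datetime


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str


def evaluate(req: Request) -> Decision:
    """Default deny: every check must pass explicitly. Network location is
    deliberately absent; being on the "inside" earns no trust."""
    tier = SENSITIVITY.get(req.resource)
    if tier is None:
        return Decision(False, "unknown resource")
    if req.resource not in ROLE_ALLOW.get(req.role, set()):
        return Decision(False, f"role {req.role!r} has no need-to-know for {req.resource}")
    if tier >= 1:  # device identity and health
        if not req.device.managed:
            return Decision(False, "unmanaged device")
        if req.device.os_patch_age_days > 30:
            return Decision(False, "device patch level too old")
    if tier >= 2 and not req.mfa_verified:  # stronger auth for sensitive resources
        return Decision(False, "second factor required")
    if tier >= 3:  # highest tier: encrypted disk and permitted hours (06:00-20:00 UTC, assumed)
        if not req.device.disk_encrypted:
            return Decision(False, "disk encryption required")
        hour = req.when.astimezone(timezone.utc).hour
        if not 6 <= hour < 20:
            return Decision(False, "admin access outside permitted hours")
    return Decision(True, "policy satisfied")


def data_plane_rule(req: Request, decision: Decision) -> Optional[dict]:
    """Rule the data plane installs once access is granted: the resource
    accepts traffic only from this particular user/device pair."""
    if not decision.allow:
        return None
    return {"resource": req.resource, "user": req.user, "device": req.device.device_id}


def audit_line(req: Request, decision: Decision) -> str:
    """Every request, allowed or denied, is logged (inspect and log all traffic)."""
    return json.dumps({
        "ts": req.when.astimezone(timezone.utc).isoformat(),
        "user": req.user, "device": req.device.device_id, "ip": req.source_ip,
        "resource": req.resource, "allow": decision.allow, "reason": decision.reason,
    })


# Constructed sample inputs (not real devices or users).
MANAGED_LAPTOP = Device("lt-0042", managed=True, os_patch_age_days=5, disk_encrypted=True)
BYOD_PHONE = Device("byod-7", managed=False, os_patch_age_days=90, disk_encrypted=False)


def make_request(user, role, device, resource, mfa, hour_utc, ip="10.1.2.3") -> Request:
    """Build a request at a given UTC hour on an arbitrary fixed date."""
    return Request(user, role, device, resource, mfa, ip,
                   datetime(2024, 1, 15, hour_utc, 0, tzinfo=timezone.utc))


if __name__ == "__main__":
    for r in (
        make_request("alice", "developer", MANAGED_LAPTOP, "source-repo", False, 10),
        make_request("alice", "developer", MANAGED_LAPTOP, "source-repo", True, 10),
        make_request("bob", "staff", BYOD_PHONE, "lunch-menu", False, 10),
        make_request("bob", "staff", MANAGED_LAPTOP, "admin-console", True, 10),
        make_request("carol", "admin", MANAGED_LAPTOP, "admin-console", True, 3),
    ):
        d = evaluate(r)
        print(audit_line(r, d), data_plane_rule(r, d))
```

The developer on a managed, patched laptop is refused the source repository until the session has presented a second factor; the same user on the same device with MFA is allowed, and only then does the data plane learn to accept that user/device pair. The source IP appears in the audit line but never in the decision.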
The Principles Behind Zero Trust and How to Implement It
According to John Kindervag, Zero Trust is based on three main ideas:
- All resources must be accessed in a secure manner regardless of location
- Access control is on a “need-to-know” basis and strictly enforced
- All traffic must be inspected and logged
Zero Trust can be linked to technologies such as multifactor authentication, encryption, and privileged access management (PAM).
PAM is founded on the principle of least privilege: give users only the access they need to do their job, so that they are exposed to as little sensitive information as possible. For a complete overview of the term, check out our latest guide on the principle of least privilege. Also, feel free to check out our PAM solution, Thor AdminPrivilege™, which helps you stay on top of your user rights management.
Zero Trust networks also employ micro-segmentation, the practice of dividing the network into small zones, each with its own access controls. Consequently, if a breach does occur, micro-segmentation limits how far a malicious actor can move laterally and what they can reach.
The UK National Cyber Security Centre (NCSC) has released an alpha version of its Zero Trust architecture design principles on GitHub. The following ten principles can be used as a starting point for building the foundation of a Zero Trust architecture:
#1. Know your architecture
The first and most important thing you should do is create an inventory of your assets and know everything about every single component of your architecture, including your users, their devices, and the data they are accessing.
Moreover, before transitioning to a Zero Trust architecture, you need to take into account all your existing services, since they may not have been designed for the Zero Trust scenario and may therefore be unsafe once exposed to potential attackers.
#2. Create a single strong user identity
Your organization should use a single user directory and know which accounts belong to which individuals. For granular access control, you should define specific roles for each user.
This way, in case of an attack, you can determine exactly which user was involved, what they were trying to access, and whether they had the necessary permissions to access that data.
#3. Create a strong device identity
Besides users and accounts, every device owned by your organization should be uniquely identifiable in a single device directory.
Furthermore, Zero Trust systems have to monitor which devices are trying to access the network and make sure that every single one of them is authorized. This practice further minimizes the attack surface of your network.
#4. Authenticate everywhere
In your Zero Trust architecture, all connections should require authentication, and that authentication should be stronger than just a username and password. Multi-factor (or two-factor) authentication is considered a core element of Zero Trust. So, besides entering a password, users should provide additional proof that they are who they claim to be, for instance by submitting a one-time code received on their mobile device.
#5. Know the health of your devices and services
Knowing the health of your devices and services in real time is crucial. You should be asking yourself questions such as: Are the latest operating system updates installed? Are the latest software patches applied? Do I have a complete overview of my environment available at all times?
Your systems need to be kept up-to-date with the latest patches and you should be able to determine the version and patch level of the services you are using. For instance, a tool like X-Ploit Resilience can help you automate both Windows and 3rd party software updates.
#6. Focus your monitoring on devices and services
Given that devices and services are more exposed to network attacks than in traditional architectures, it is important that comprehensive monitoring for attacks is carried out on them.
#7. Set policies according to the value of services or data
The access policies you set up define the strength of your Zero Trust architecture. This means your policies should be defined according to the value of the data being accessed or the action being taken. For instance, as the NCSC puts it, actions such as creating new admin roles should require a stricter policy than low-impact operations like checking the lunch menu.
#8. Control access to your services and data
You should not grant a user access to a service unless the request has been authorized against a policy. What’s more, always make sure that data in transit is protected with encryption.
#9. Don’t trust the network, including the local network
In order to remove trust from the network, you need to build trust in the devices and services.
Do not automatically trust any network between the device and the service it is trying to access, including your local network. Devices should be configured to prevent DNS spoofing, man-in-the-middle attacks, unsolicited inbound connections, and similar threats.
#10. Choose services designed for zero trust
Last but not least, always opt for services specifically designed to support Zero Trust. Keep in mind that legacy services may require additional components to enable Zero Trust, so always make sure you have the resources to handle this.
Zero Trust is a relatively new approach to network security and, at the same time, part of a broader philosophy: you must not automatically trust your network. Instead, assume that any connection may be malicious, and trust it only after you have verified it. So, consider redesigning and rebuilding your security strategy around the Zero Trust concept to reduce the chances of a breach and strengthen your defenses.