Zero-Trust 101

Zero-Trust is an increasingly adopted security concept that states a simple thing: “Continuously validate all users, against set security configurations, before they are granted permissions or are allowed to keep their existing access to resources & information”.

This architecture assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location (i.e., local area networks versus the internet) or based on asset ownership (enterprise or personally owned). Authentication and authorization (both subject and device) are discrete functions performed before a session to an enterprise resource is established.

Principles of Zero Trust

  • All information and services in the environment are considered resources.
  • All communication must be secured regardless of network location.
  • Access to individual enterprise resources must be granted on a per-session basis.
  • Access to resources is determined by dynamic policy—including the observable state of client identity, application/service, and the requesting asset—and might include other behavioral and environmental attributes.
  • The enterprise continuously monitors and measures the integrity and security posture of all owned and associated assets.
  • All resource authentication and authorization are dynamic and strictly enforced before access is allowed.
  • The enterprise collects as much information as possible about the current state of assets, network infrastructure and communications and uses it to improve its security posture.

Getting Started with Zero Trust

Assess the organization

  • Define the protect surface and identify sensitive data, assets, applications and services (DAAS) within this framework.
  • Assess the organization’s current security toolset and identify any gaps within the infrastructure.
  • Ensure that the most critical assets are given the highest level of protection within the security architecture.

Create an inventory of all assets along with a transactional flow of information.

  • Determine where sensitive information lives and which users need access to it.
  • Consider how various DAAS components interact and ensure compatibility in security access controls between these resources.

Establish various preventative measures

  • Multifactor authentication: MFA, 2FA or third-factor authentication is essential to achieving Zero Trust. It enforces the “something you have” factor, providing another layer of verification for every user regardless of location (inside or outside the enterprise).
  • Least privilege principles: Once the organization has determined where the sensitive data lives, grant users the least amount of access necessary for their roles in the enterprise.
  • Micro-segmentation: Micro-perimeters act as border control within the system, preventing any unauthorized lateral movement. The organization can segment based on user group, location or logically grouped applications.
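The per-session, dynamic policy decision described under the principles above, combined with the MFA, least-privilege and micro-segmentation controls listed here, can be sketched as a small policy decision point. This is an added illustration, not code from the original post; the resources, roles, segments and posture attributes are constructed placeholders.

```python
from __future__ import annotations
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class AccessRequest:
    user: str
    roles: frozenset           # roles currently assigned to the user
    mfa_verified: bool         # "something you have" was checked this session
    device_managed: bool       # requesting asset is enterprise-managed
    device_patched: bool       # asset posture measured as compliant
    source_segment: str        # "corp-lan", "vpn", "internet": logged, never trusted
    resource: str
    action: str

# Constructed policy: each resource sits in a micro-segment and lists the
# actions each role may perform on it (least privilege). Hypothetical values.
RESOURCE_POLICY = {
    "hr-db": {"segment": "hr",
              "allow": {"hr-analyst": {"read"}, "hr-admin": {"read", "write"}}},
    "payroll-api": {"segment": "finance",
                    "allow": {"payroll-clerk": {"read", "submit"}}},
}
# Which roles may cross into which micro-segment (micro-perimeter check).
SEGMENT_ACCESS = {"hr": {"hr-analyst", "hr-admin"}, "finance": {"payroll-clerk"}}

def evaluate(req: AccessRequest) -> tuple[bool, str]:
    """Decide one request. Every check runs regardless of source_segment."""
    policy = RESOURCE_POLICY.get(req.resource)
    if policy is None:
        return False, "unknown resource: default deny"
    if not req.mfa_verified:               # MFA required inside and outside
        return False, "mfa required"
    if not (req.device_managed and req.device_patched):
        return False, "device posture failed"
    if not req.roles & SEGMENT_ACCESS.get(policy["segment"], set()):
        return False, f"no role permitted in segment {policy['segment']}"
    allowed = set().union(*(policy["allow"].get(r, set()) for r in req.roles))
    if req.action not in allowed:
        return False, f"action {req.action} not granted to roles"
    return True, "allow"

def revalidate(req: AccessRequest, **changes) -> tuple[bool, str]:
    """Re-run the decision with updated observable state (continuous
    monitoring): a changed posture or removed role ends the session."""
    return evaluate(replace(req, **changes))
```

A request from the corporate LAN without MFA is denied exactly like one from the internet, and a session approved earlier is re-evaluated the moment a role is removed or a device falls out of compliance.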

Continuous monitoring & maintenance of the network & systems.

  • Figure out where the anomalous activity is occurring and monitor all the surrounding activity.
  • Inspect, analyze and log all traffic and data without interruption.
  • Adopt additional pro-active approaches (threat hunting, for example) into the current incident response plan.

Benefits of having Zero Trust

  • High visibility of current threat surface & protections in place.
  • Maximized use of authentication & authorization.
  • Granular insight into all user activity.
  • Dynamic provisioning of access.
  • Reduced lateral movement ability.
  • Minimized data exfiltration.
  • Protection against threats regardless of location.
  • Improved overall security posture.

Current Challenges Around Zero Trust

  • Legacy Applications, Network Resources, Tools & Protocols: Traditionally, none of these can be protected with identity verification, and they usually pose a cost-prohibitive obstacle, i.e. it’s often too expensive to re-architect these systems. Many times these legacy systems are excluded from the approach, which makes them the weakest link.
  • Zero trust vs. productivity: Introducing a zero-trust cybersecurity approach potentially affects productivity as well. The core challenge of zero trust is locking down access without bringing workflows to a stop.
  • Visibility and Control: Most organizations are not equipped with comprehensive insight into – or capability to set protocols around – all individual users within their network and are thus vulnerable to threats posed by unpatched devices, unprotected services, and over-privileged users.
  • Rapidly changing threat surface and threat landscape: This can potentially lead to challenges with technologies that are limited in deployment modality.
  • Zero-trust cybersecurity requires commitment to ongoing administration: If controls aren’t updated immediately, unauthorized parties could gain access to sensitive information.
    • For instance, an individual who leaves the organization might still be able to access internal information for a week afterwards. This underscores the need for a zero-trust strategy: if companies cannot act quickly in these situations, data is at risk.

Conclusion

To deliver Zero Trust, we must cover, in detail, both Privileged Account and Session Management as well as Privilege Elevation and Delegation Management. But clearly that is not enough. To sufficiently verify who (or what) a requester is, the approach must also include Multi-Factor Authentication as well as Privilege Threat Analytics. Going further, the rapidly changing threat surface and the speed of administration must be managed, and legacy services & resources will have to be protected & worked into traditional security, gradually moving into a hybrid zero trust model which is likely to become the status quo.
