Zero trust is quickly gaining traction in the IT security industry. The term “zero trust” originates from the elimination of implicit trust that users enjoyed on company LANs, and replacing it with strict and continual verification.
The NIS2 directive recommends zero trust as one of the methods of improving security in the EU and increasing the overall resilience against cyber crime, including supply-chain attacks.
This article covers the basic principles of zero trust and explains what steps organizations need to take to implement it.
So, if you’re new to zero trust, start here.
Basics of zero trust: What is zero trust and its benefits
Zero trust is a network security model that deals primarily with controlling user access to reduce the risk of threat intrusion. But there is more to it than just access rights. Below are the basic principles of zero trust:
- User verification – Every user must prove the legitimacy of access before being admitted to an internal system.
- Transaction verification – All connections should be verified and assessed before being established.
- Least-privilege access – Users only receive access privilege to those systems they need for work.
- Continuous monitoring and threat detection – Suspicious behaviors need to be identified to weed out both known and zero-day threats.
Zero trust adoption
Zero trust is for companies that need to increase their resilience against cyberthreats. For some it is a necessity because of the large amount of business activity taking place in the online space, where admins don’t have as much control over users and assets and can’t protect them as effectively.
The benefits of zero trust architecture include:
- Enhanced security – Zero trust security approaches help to prevent unauthorized access and protect against external and internal threats.
- Improved visibility – Zero trust security solutions provide greater visibility into user and device access across your environment. This helps to identify suspicious activity and potential threats in real-time.
- Reduced risk – By implementing a zero trust security model, organizations can reduce the risk of data breaches and other cyberattacks.
- Increased efficiency – Zero trust security solutions can help streamline authentication and authorization processes, which can result in improved efficiency and productivity.
- Improved compliance – Zero trust security solutions can help organizations meet compliance requirements by providing comprehensive security monitoring and reporting.
Compliance in particular is very important for many companies. The recently adopted NIS2 directive of the EU requires member states to implement legal cybersecurity requirements to reduce the risks caused by rising digitalization. One of the readiness approaches the directive promotes is the set of zero trust principles.
This means that zero trust is no longer nice-to-have, but becomes almost a legal requirement.
Building a zero trust network
Zero trust is not a specific solution but an approach to network security. Developing a zero trust security architecture is equally possible with your own resources or a SaaS service. Below are the critical components that all zero trust network security must have.
Risk assessment
The risk assessment is the foundation for everything that follows: identify the critical assets that need to be protected, the users and systems that interact with them, and the threats by which they could be targeted.
Common threats that small businesses face nowadays include:
- Phishing
- Malware
- Insider threats
- Ransomware
- Weak passwords
- Unsecured devices
Mission-critical systems are now at an elevated risk of intrusion due to the rise of remote work and BYOD. Companies lose control over the devices and infrastructure that employees use to access sensitive data.
Identity-based user authentication
Zero trust network security relies heavily on strict identity-based user authentication. Identity-based means that the authentication process determines with high certainty that the user is the person they are supposed to be.
For example, access credentials people use to access services like social media or online shops (disregarding SSO) consist of a username and password, both of which the users often choose. This means they can interact with these services more or less anonymously.
On the other hand, in identity-based user authentication, the access credentials, except the password, are often assigned and agreed upon. This includes company-assigned email addresses and requiring additional proofs of identity, like MFA or biometrics.
MFA (multifactor authentication) in particular is a relatively simple and cost-effective method of increasing authentication security, making it an effective protective measure against credential spoofing.
However, all this makes it more difficult for companies to manage user identities, which is why many businesses use identity and access management (IAM) solutions or at least SSO. These solutions centralize user management, allow adding new users and removing old ones, or simplify assigning access rights.
IAM vs SSO
SSO (single sign-on) refers to the practice of using the credentials from one identity directory to access multiple systems, mostly online apps. For example, you can use your Google account to log in to Twitter. The most common protocols used in SSO are SAML or OAuth 2.0.
IAM (identity and access management) is similar in principle, but more robust. IAM enables granular assignment of access privileges, credential storage, or configuring the authentication protocol.
Access control and application security
Authenticated users will need appropriate access privileges. Zero trust follows the principle of least privilege.
Least privilege means that the user only receives access privileges that they need to do their job, and only to the relevant systems. For example, the company’s accountant will have access to the accounting and invoicing system, but not the CMS or database server.
In network terms this translates into segmentation. Segmentation is a mitigating countermeasure that contains a threat that has penetrated the secured environment, e.g. via compromised credentials, and prevents it from accessing the whole network.
Depending on where it is deployed, you can distinguish between network segmentation and application segmentation.
- Network segmentation, or macrosegmentation, is a traditional method that divides the network into separate pockets. The division can be physical, as handled by a firewall or load balancer, or logical via VLANs (virtual local area networks). (Note that this is different from subnetting, which is a process designed to speed up the network, not to divide it in order to contain threats.)
- Application segmentation, also known as microsegmentation, is a networkless implementation of this concept that works in multi-SaaS environments. It groups SaaS applications into logical segments and secures them separately. This mechanism enables flexible assignment of access rights to individual users, and allows for continuous monitoring of traffic passing between the users and apps.
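The least-privilege and segmentation ideas above reduce to a policy decision made on every request. The following added example (not code from the article or from GoodAccess) implements a deny-by-default evaluator: applications are mapped to logical segments, roles are granted only the segments their holders need, and a request is allowed only when identity verification and device compliance are both present and the role is permitted in the target segment. All role, segment and application names are constructed for the example; the accountant case mirrors the one in the text.

```python
"""Deny-by-default access policy: least privilege plus application segmentation.

Added illustration, not code from the article or from GoodAccess. Every role,
segment and application name below is a constructed example value.
"""
from dataclasses import dataclass

# Constructed segment map: each application lives in exactly one logical segment.
APP_SEGMENT = {
    "invoicing": "finance",
    "ledger": "finance",
    "cms": "web",
    "db-server": "data",
}

# Constructed least-privilege role table: a role lists only the segments its
# holders need for their work. Anything not listed is denied.
ROLE_SEGMENTS = {
    "accountant": {"finance"},
    "editor": {"web"},
    "dba": {"data"},
}


@dataclass(frozen=True)
class Request:
    user: str
    role: str
    app: str
    mfa_verified: bool       # identity-based authentication completed
    device_compliant: bool   # result of a device posture check


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def evaluate(req: Request) -> Decision:
    """Return an allow/deny decision with a reason suitable for an audit log."""
    if not req.mfa_verified:
        return Decision(False, "mfa-required")
    if not req.device_compliant:
        return Decision(False, "device-posture-failed")
    segment = APP_SEGMENT.get(req.app)
    if segment is None:
        return Decision(False, "unknown-application")  # unknown targets are never implicitly trusted
    if segment not in ROLE_SEGMENTS.get(req.role, set()):
        return Decision(False, f"role {req.role!r} not permitted in segment {segment!r}")
    return Decision(True, f"{req.role} -> {segment}/{req.app}")


def reachable_apps(role: str) -> set:
    """Applications a role can reach; useful for periodic least-privilege reviews."""
    segments = ROLE_SEGMENTS.get(role, set())
    return {app for app, seg in APP_SEGMENT.items() if seg in segments}


if __name__ == "__main__":
    for req in (
        Request("alice", "accountant", "invoicing", True, True),
        Request("alice", "accountant", "cms", True, True),
        Request("bob", "dba", "db-server", True, False),
    ):
        d = evaluate(req)
        print(f"{req.user} -> {req.app}: {'ALLOW' if d.allowed else 'DENY'} ({d.reason})")
```

Because the role table is the only place where access is granted, reviewing `reachable_apps` for each role is a direct check that no role has accumulated more than it needs; an unknown role or an unlisted application falls through to a denial rather than to the implicit trust the article describes as the thing zero trust removes.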
All these mechanisms convene into access control, a broad term that deals with who can access what systems and under what conditions.
A century ago, access control applied only to buildings and consisted of locks, keys, doors, porters, invitations, security guards, and burglar alarms. In today’s IT environments, this system still applies, albeit metaphorically.
When a remote employee connects to a company workspace (equivalent of an office), they possess access rights (keys) and their identity is verified on entry (they exchange a “good morning” with the porter). Administrators, who are in charge of keeping everything running, have admin rights (a bunch of keys in the pocket of a building manager) and when a guest wants to enter the network, they cannot do so without prior clearance or invitation (“I have an appointment with Mr. Jenkins.”).
Data security
The previous section dealt with preventing unauthorized access to data. But there is more you can do to ensure data security.
You should assess your data on criticality and protect it accordingly. The most critical data, such as customer information or company intellectual property should be stored in a secure repository and protected against misuse.
Besides strict access controls, it’s a good idea to implement on-site encryption for sensitive data that does not need to be accessed very often, and keep regular backups of all your sensitive data.
Data loss prevention (DLP) systems are a highly effective means of ensuring data security; they detect data compromise and exfiltration. They are important for ensuring GDPR compliance, but they also tend to be enterprise-grade solutions, often far beyond the means of small and medium businesses.
Equally important as data protection during storage is protection during transit. Especially with the rise of remote work and networkless companies, the threat surface becomes very large. Companies should seek to reduce the threat surface by employing encryption, such as provided by a cloud VPN.
The benefit of a cloud VPN over HTTPS is that the VPN conceals the identity of the communicating parties, not just the payload, further decreasing the target silhouette.
Endpoint and mobile device security
It is common knowledge that every device connecting to the corporate network should have up-to-date antivirus software installed and be fully patched.
But the zero trust network architecture takes this a step further.
Zero trust solutions carry out device posture checks, which are basically tests that assess a device’s fitness for accessing the secured IT environment. This involves checking the device for known vulnerabilities, up-to-dateness of the OS, verifying the status of malware protection, or the security of the network through which it is connecting.
Device posture checks prevent intrusion via unsecured devices, which is a common attack vector for cybercriminals.
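To make the posture check concrete, here is an added example (not code from the article or from GoodAccess) that evaluates a device record against the kinds of criteria listed above: a minimum OS version per platform, malware protection enabled with recent signatures, disk encryption and a host firewall. It returns the list of failed checks rather than a bare yes/no, so the user can be told what to fix. The baseline versions, the signature-age threshold and the sample devices are constructed assumptions.

```python
"""Device posture check before granting access to the secured environment.

Added illustration, not code from the article or from GoodAccess. The check
names, the OS baseline, the threshold and the sample device records are all
constructed for the example.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Device:
    name: str
    os: str
    os_version: tuple            # compared component-wise, e.g. (13, 2) < (13, 4)
    av_enabled: bool
    av_signatures_date: date
    disk_encrypted: bool
    firewall_enabled: bool


# Constructed baseline: minimum acceptable OS version per platform.
MIN_OS_VERSION = {"windows": (10, 0, 19045), "macos": (13, 0), "ubuntu": (22, 4)}
MAX_SIGNATURE_AGE_DAYS = 7  # constructed threshold


def posture_failures(dev: Device, today: date) -> list:
    """Return the names of failed checks; an empty list means the device is compliant."""
    failures = []
    minimum = MIN_OS_VERSION.get(dev.os.lower())
    if minimum is None:
        failures.append("unsupported-os")      # unknown platforms are not trusted by default
    elif dev.os_version < minimum:
        failures.append("os-outdated")
    if not dev.av_enabled:
        failures.append("malware-protection-disabled")
    elif (today - dev.av_signatures_date).days > MAX_SIGNATURE_AGE_DAYS:
        failures.append("malware-signatures-stale")
    if not dev.disk_encrypted:
        failures.append("disk-not-encrypted")
    if not dev.firewall_enabled:
        failures.append("host-firewall-disabled")
    return failures


def is_compliant(dev: Device, today: date) -> bool:
    return not posture_failures(dev, today)


# Constructed sample inventory used by the demo below.
SAMPLE_DEVICES = [
    Device("laptop-01", "macos", (13, 4), True, date(2024, 3, 1), True, True),
    Device("laptop-02", "windows", (10, 0, 19044), True, date(2024, 2, 1), False, True),
    Device("tablet-03", "chromeos", (120, 0), False, date(2024, 3, 1), True, False),
]

if __name__ == "__main__":
    today = date(2024, 3, 4)
    for dev in SAMPLE_DEVICES:
        print(dev.name, "compliant" if is_compliant(dev, today) else posture_failures(dev, today))
```

The posture result is evaluated on every connection, not once at enrolment; a device that passes today and then disables its malware protection tomorrow loses access at its next request, which is the "continual verification" the article describes.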
Monitoring and incident response
Zero trust does not apply just to removing implicit trust in users. Security admins should never trust that their infrastructure is completely secure – “assume breach” is a phrase that is sometimes used to describe this.
Constant monitoring of activity and spotting suspicious behaviors is an essential component of zero trust, and companies should deploy technology that gives them visibility.
A relatively accessible yet effective option is an intrusion detection system (IDS), which monitors traffic passing between users and systems and picks out patterns characteristic of network-borne threats.
Similarly, log analysis systems are very powerful and reliable means of threat hunting, and they come in a wide price range, making them accessible to enterprises and small businesses alike. Network detection and response (NDR) with anomaly detection is also capable of detecting a broad range of threats operating within the network, but these are complex tools and usually expensive.
At the very least, all businesses should have some kind of web/DNS filter to detect and block access to malicious and phishing sites. Such filters are widely available at a reasonable price.
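Log analysis is the most accessible of the monitoring approaches above, so here is an added example (not code from the article or from any particular product) of the kind of rule such a system runs: it parses sign-in events, flags a source that fails repeatedly against one account within a short window, and escalates when a success from that same source follows. The log format, the thresholds and the sample lines are constructed for the example.

```python
"""Sign-in log analysis: repeated failures followed by a success.

Added illustration, not code from the article or from a specific product.
The log format, thresholds and the sample lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log: ISO timestamp, outcome, account, source address.
SAMPLE_LOG = """\
2024-03-01T08:00:01Z LOGIN_FAIL user=jenkins src=203.0.113.7
2024-03-01T08:00:04Z LOGIN_FAIL user=jenkins src=203.0.113.7
2024-03-01T08:00:09Z LOGIN_FAIL user=jenkins src=203.0.113.7
2024-03-01T08:00:15Z LOGIN_FAIL user=jenkins src=203.0.113.7
2024-03-01T08:00:21Z LOGIN_FAIL user=jenkins src=203.0.113.7
2024-03-01T08:00:30Z LOGIN_OK user=jenkins src=203.0.113.7
2024-03-01T08:05:00Z LOGIN_OK user=alice src=198.51.100.4
2024-03-01T09:12:11Z LOGIN_FAIL user=alice src=198.51.100.4
2024-03-01T09:12:40Z LOGIN_OK user=alice src=198.51.100.4
"""

LINE_RE = re.compile(r"^(\S+) (LOGIN_OK|LOGIN_FAIL) user=(\S+) src=(\S+)$")
FAIL_THRESHOLD = 5            # constructed: failures per account/source to flag
WINDOW = timedelta(minutes=2)  # constructed: sliding window for counting failures


def parse(text: str) -> list:
    """Parse log lines into (timestamp, outcome, user, src) tuples, sorted by time.
    Lines that do not match the expected format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return sorted(events)


def find_alerts(events: list) -> list:
    """Emit ('brute-force', user, src) when an account sees FAIL_THRESHOLD
    failures from one source inside WINDOW, and ('success-after-brute-force',
    user, src) if a successful sign-in from that source follows within WINDOW."""
    recent = defaultdict(list)  # (user, src) -> timestamps of recent failures
    flagged = set()
    alerts = []
    for ts, outcome, user, src in events:
        key = (user, src)
        window = recent[key] = [t for t in recent[key] if ts - t <= WINDOW]
        if outcome == "LOGIN_FAIL":
            window.append(ts)
            if len(window) >= FAIL_THRESHOLD and key not in flagged:
                flagged.add(key)
                alerts.append(("brute-force", user, src))
        elif key in flagged and window:
            alerts.append(("success-after-brute-force", user, src))
            flagged.discard(key)
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(parse(SAMPLE_LOG)):
        print(*alert)
```

Alice's single failure followed by a success is normal behaviour and produces nothing, while the jenkins account produces both alerts; the second one is the signal worth an immediate response, because it indicates a guessing attempt that succeeded. In a zero trust deployment the same event stream also feeds the continuous-verification decision, so the session can be re-challenged or revoked rather than only reported.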
Employee education
Last but not least, all employees should be properly trained on the security measures.
This includes training employees in the proper use of authentication methods, access control measures, data security measures, and any other security measures that have been implemented.
Additionally, employees should be regularly trained in spotting and reporting phishing emails and suspicious activity.
Barriers to deploying zero trust
If zero trust is so cool, why doesn’t everyone do it? A zero trust architecture won’t deploy itself, and there are some common hurdles that businesses need to overcome.
- Cost – Implementing a zero trust architecture requires investing in several security technologies and services.
- Complexity – Managing user access and redesigning policies can be a complex task for some businesses.
- Change management – When businesses adopt a new architecture, their existing processes and policies need to change. This is difficult to manage and requires extra effort. Also, admins have to cope with resistance from employees who used to have access everywhere and now don't.
- Lack of expertise – Implementing zero trust architecture requires a specialized skill set that not all organizations have.
- Integration – The new security technologies have to fit in with existing infrastructures and systems.
How to overcome these barriers?
Fortunately, modern zero-trust solutions, like GoodAccess, provide networkless zero-trust technology as a service.
We have bundled network encryption, threat protection, robust access controls, MFA, and application-level visibility into a SaaS service that is easy to deploy and use even if you don’t have a trained IT specialist on staff.
You can try all of its features for 14 days for free here. If you need any assistance, our specialists are on standby to help you.
Conclusion
By implementing zero trust architecture you can greatly enhance your organization's security posture, but this will involve a shift from traditional perimeter-based security to a model that focuses on securing individual resources and data. It involves strict access control, continuous monitoring, and granular segmentation of resources.
To implement zero trust successfully, you must have a clear understanding of your network and data assets, implement strict access controls, deploy continuous monitoring and detection systems, and carry out regular company-wide training on your security practices.
While implementing zero trust may seem daunting, the benefits are significant. With the right strategy, technology, and culture, organizations can strengthen their security posture and better protect their critical assets.