What is Zero Trust?

Tennessee Williams once said, “We have to distrust each other.  It is our only defense against betrayal”.  This is the foundational idea of Zero Trust.  It eliminates the concept that a simple password can ensure identity, or that users will act responsibly and can be trusted implicitly.  Zero Trust assumes that a breach is either imminent or has already occurred.   Therefore, every user, device, and connection must be verified continually.  With today’s threat landscape, trust is a vulnerability you cannot afford.   

The concept of Zero Trust has been around since 2010 when Forrester Research created the idea of never trust and always verify.  It is designed to protect your data, network, and users by leveraging network segmentation, preventing lateral movement, simplifying access control, and creating automated security responses.

Why Should We Implement Zero Trust?

Defend the perimeters, or trust but verify, is the approach historically most have taken to implement security.  Meaning, once inside the network it is not a threat and cleared to access data and systems.  However, in this model it only takes one set of compromised credentials to have a security incident on your hands.  Often, this type of incident is what we are seeing in the news.

Your networks are not as isolated as they once were.  Now, there are applications on-prem and in the cloud.  More than ever before, systems like phones, A/V, IoT devices, and security are using the network.  Users can be anyone in the supply chain from employees to partners and customers.  They may be accessing resources from different devices all over the globe.  You can no longer secure a perimeter that has no perimeter.

Bad actors thrive in an environment where they can achieve undetected lateral movement. After gaining access by impersonating a legitimate user they move through the network in search of sensitive data, and high-value assets. If necessary, they will attempt to elevate their privileges for more network control or access.  The bad actors will then take the assets they were looking for, release a payload, or both.  This can happen within minutes, or when unable to detect the lateral movement and the bad actor has significant dwell time, can happen over weeks or months.

How to Implement Zero Trust

Use the COVID-19 pandemic to your advantage.  Nearly everyone has had to change the way they are conducting business.  Part of that change was moving the network or parts of the network outside of the normal perimeter.  Implementing Zero Trust to secure the network should now be your top priority.

As with most implementations, Zero Trust is a gradual process and adoption due to the granularity of the framework.   You can achieve rapid and large risk reductions by starting with identity and device security.

Zero Trust for Users and Devices

Users are often the weakest link in security and the source of many breaches.  Investing in and implementing identity and access management will help significantly.  This can be done through Multi-Factor Authentication (MFA) or Single Sign On (SSO).  Applying the least privilege concept in addition will ensure a user only has access to what they need to do their job.

Devices can be anything from a pc, laptop, or tablet to a VoiP phone, mobile phone or IoT device.  These devices create a myriad of entry points to the network.  To make them less of a challenge to secure, create micro perimeters to isolate types of devices from each other and different parts of the network.  Harden devices by keeping them up to date with firmware.  If you have a bring your own device (BYOD) policy, be sure it is enforced with a product that requires users to keep their device updated and secured.

Zero Trust for Workloads

The workload is your entire application stack.  This is everything from your line of business applications, customer facing software, storage, even SaaS applications provided by other vendors.   Treat it like the threat vector it can be.  Patch what you can, use controls where applicable and choose vendors that implement Zero Trust in their products.

Zero Trust for the Network

Bad actors need to have some lateral movement to steal data and release payloads.  Make it as difficult for them as possible by putting boundaries around the resources.  Segment or isolate systems from each other.  Restrict network traffic and use firewalls to help augment cloud security where you can.

Zero Trust for Data

Protecting your data begins with identifying what is sensitive, where it is located, and how you could defend it. Once you understand the threats your data has, you can map the acceptable routes for your data to enter and exit your organization.  Then, apply those insights to crate policies and controls. 

Zero Trust Moving Forward

When you have implemented controls for the users, devices, workloads, networks, and the data, it is essential to monitor it all.  The only way to know if or when you have an issue is to look for one.  Don’t assume your network is safe.  Put automated responses in place that enforce the polices that have been created.    The more automation you can put into place, the less time you will need to spend managing the security infrastructure.  This means you will have more time to spend building and enabling the business.