What is Zero Trust?
Every organization has to protect its internal data, because losing sensitive information damages operations and reputation and harms the privacy of its users. According to the 2019 Verizon Data Breach Investigations Report, internal actors were involved in 34% of data breaches across public and private entities. Such breaches may be caused by employees with malicious intent or simply by human error. Many organizations still rely on the traditional castle-and-moat security architecture, which assumes that all activity inside the internal network can be trusted and therefore grants internal users largely unrestricted access to network resources. That approach may still stop some external threats at the perimeter, but, as Verizon's figures show, organizations can no longer depend on it. Once an outside intruder penetrates the perimeter of a traditional network, they can reach internal information with no further barriers. Corporate data is now spread across in-house servers, cloud services and other locations, so it is hard to define where an organization's network perimeter even lies. Users also access internal data from remote locations on multiple devices, and the castle-and-moat model copes poorly with all of this. A new security model therefore has to protect not only the network perimeter but every piece of internal infrastructure.
As an alternative to the risks of the traditional model, Zero Trust Architecture first appeared in 2010, when John Kindervag, then principal analyst at Forrester Research Inc., introduced it to counter modern cyber threats. In contrast to the castle-and-moat model, Zero Trust applies strict identity verification to every attempt to access network resources, whether it originates inside or outside the network. "Never trust, always verify" is the core principle: every user and application that tries to access data is treated as an untrusted entity until it has passed a proper verification process.
Why Zero Trust?
Organizations are highly focused on protecting their data assets and spend large sums to prevent security threats, and the growing number of cyber-attacks pushes them to look for more effective security models. Cybersecurity Ventures, a research firm, predicts that cybercrime damages will cost the world $6 trillion annually by 2021, up from $3 trillion in 2015. Zero Trust architecture has entered the IT mainstream as a model for reducing that damage. Zero Trust does not prescribe any specific technology. As a security strategy, it builds on technologies that already exist: micro-segmentation, multi-factor authentication, identity and access management, log and packet analytics, orchestration and automation. Once an organization decides to adopt the architecture, it has to implement a security model that fits its own requirements using technologies such as these.
Attackers do not merely aim to get past the corporate firewall; they target the organization's valuable assets. Zero Trust uses micro-segmentation to restrict lateral movement and data access across the network, and in the same way it controls the movement of internal users. For example, a user authorized to access one segment of the network cannot reach another segment without verifying their identity again.
Multi-factor authentication (MFA) tightens identity verification by requiring more than one credential. Beyond the username and password, MFA demands an additional factor such as a code generated on a smartphone, a hardware token, a fingerprint or facial recognition. (An answer to a security question is sometimes used as well, but it is another knowledge factor like the password itself and adds far less than a possession or biometric factor.) This limits what an attacker can do with a single stolen password and so restricts the lateral movement that relies on reused credentials.
Implementing Zero Trust
Transforming an existing security model into Zero Trust can be costly, because getting the full benefit requires organizations to rework their entire security infrastructure around the new model, and the transition takes time to complete. Even so, many organizations plan to move to Zero Trust by the end of the year.
John Kindervag describes Zero Trust as resting on three main principles:
- All resources must be accessed in a secure manner, regardless of location.
- Access control is on a need-to-know basis and is strictly enforced.
- Organizations must inspect and log all traffic to verify users are doing the right thing.
Where the traditional perimeter-based model authenticates access to the network only at its edge, Zero Trust builds micro-perimeters around the organization's valuable data assets. Before that can happen, the organization needs to identify its sensitive data assets and establish where the data is stored, who uses it, and so on. Forrester, for example, uses its own simplified data classification model, which categorizes data as public, internal or confidential. The next step is mapping the flow of data: monitoring how data traffic moves across the network and how users, applications and data stores interact with the data. Network engineers can then analyze the existing model and optimize the data flow.
After the data assets are categorized and their flows mapped, micro-perimeters can be put in place around the resulting segments. Both external and internal traffic is inspected, and logs are kept for later analysis, so that malicious activity is caught and the environment stays well protected. Further improvements to this model lead towards automation and orchestration.
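The following added example (written for this page, not Google's BeyondCorp or any vendor's code) pulls the micro-segmentation, step-up MFA and classify-then-log steps from the passages above into one small policy decision function. The resource inventory, segment ACLs, MFA freshness limits and users are all constructed assumptions chosen to illustrate the three-tier classification the article mentions; a real deployment would source them from the asset inventory and identity provider.

```python
"""Illustrative Zero Trust policy decision point (example code, not from any vendor).

Each request is judged on identity, MFA freshness, device posture and need-to-know for
the resource's micro-perimeter. Network location is recorded for the audit trail but is
never a reason to grant access. Every decision, allow or deny, is logged.
"""
from dataclasses import dataclass
import json
import logging
from typing import Optional

logging.basicConfig(level=logging.INFO, format="%(message)s")
log = logging.getLogger("zt-policy")

# Simplified data classification (public / internal / confidential, as in the article).
# Value = maximum accepted age in seconds of the last MFA proof; None = no MFA required.
# The limits are assumptions for this example.
MFA_MAX_AGE = {"public": None, "internal": 12 * 3600, "confidential": 15 * 60}

# Constructed inventory: each resource sits in one micro-perimeter (segment).
RESOURCES = {
    "marketing-site": {"segment": "public-web", "classification": "public"},
    "wiki":           {"segment": "corp-apps",  "classification": "internal"},
    "payroll-db":     {"segment": "finance",    "classification": "confidential"},
}

# Need-to-know: which groups may enter each segment (constructed). "*" = anyone.
SEGMENT_ACL = {"public-web": {"*"}, "corp-apps": {"employees"}, "finance": {"finance"}}


@dataclass
class Request:
    user: Optional[str]        # None for an anonymous request
    groups: frozenset
    mfa_age: Optional[int]     # seconds since the last successful MFA; None = never
    device_managed: bool
    device_patched: bool
    source_ip: str             # logged only; "inside" addresses earn no trust
    resource: str


@dataclass
class Decision:
    allow: bool
    reason: str


def evaluate(req: Request) -> Decision:
    """Apply the policy to one request and log the outcome."""
    res = RESOURCES.get(req.resource)
    if res is None:
        d = Decision(False, "unknown resource")
    elif res["classification"] == "public":
        d = Decision(True, "public resource")
    elif not (req.device_managed and req.device_patched):
        d = Decision(False, "device posture check failed")
    elif not (req.groups & SEGMENT_ACL[res["segment"]]):
        d = Decision(False, f"no need-to-know for segment {res['segment']}")
    else:
        max_age = MFA_MAX_AGE[res["classification"]]
        if req.mfa_age is None or req.mfa_age > max_age:
            d = Decision(False, f"step-up MFA required (max age {max_age}s)")
        else:
            d = Decision(True, "identity, device and need-to-know verified")
    audit(req, res, d)
    return d


def audit(req: Request, res: Optional[dict], d: Decision) -> None:
    """Emit one JSON line per decision so every access attempt can be analysed later."""
    log.info(json.dumps({
        "user": req.user, "ip": req.source_ip, "resource": req.resource,
        "segment": res["segment"] if res else None,
        "classification": res["classification"] if res else None,
        "allow": d.allow, "reason": d.reason,
    }))


def demo() -> list:
    """Walk one user across segments; returns the allow/deny sequence."""
    alice = dict(user="alice", groups=frozenset({"employees", "finance"}),
                 device_managed=True, device_patched=True, source_ip="10.0.1.20")
    return [
        evaluate(Request(**alice, mfa_age=3600, resource="wiki")).allow,        # internal: ok
        evaluate(Request(**alice, mfa_age=3600, resource="payroll-db")).allow,  # confidential: MFA stale
        evaluate(Request(**alice, mfa_age=30, resource="payroll-db")).allow,    # after step-up: ok
        evaluate(Request(user="bob", groups=frozenset({"employees"}), mfa_age=30,
                         device_managed=True, device_patched=True,
                         source_ip="10.0.1.21", resource="payroll-db")).allow,  # wrong segment
        evaluate(Request(user="carol", groups=frozenset({"employees"}), mfa_age=30,
                         device_managed=False, device_patched=True,
                         source_ip="10.0.1.22", resource="wiki")).allow,        # unmanaged device
        evaluate(Request(user=None, groups=frozenset(), mfa_age=None,
                         device_managed=False, device_patched=False,
                         source_ip="203.0.113.5", resource="marketing-site")).allow,  # public
    ]


if __name__ == "__main__":
    print(demo())
```

Note that alice's request for the wiki and her request for the payroll database are evaluated independently: being inside the corp-apps segment on a trusted-looking internal address buys nothing when she crosses into the finance segment, which is exactly the lateral-movement restriction the text describes.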
Google was among the first companies to adopt a Zero Trust architecture. After the series of cyber-attacks known as Operation Aurora in 2009, the company began moving its security architecture to a more robust footing, and in 2014 it published BeyondCorp, its own Zero Trust framework for company security. The main goal was to let employees work securely from any location without a traditional VPN, by shifting access control from the network perimeter to the individual employee and device. Gartner's CARTA is a related approach, and MobileIron has introduced what it describes as the industry's first mobile-centric Zero Trust security platform.