What Is Zero Trust Security?
Zero Trust Security, also referred to as Zero Trust Networks or Zero Trust Architecture, is a security concept founded on the simple principle that you should not trust anything, inside or outside your network, to have access to your systems without continuous verification.
Underpinning Zero Trust Security is the idea that every user needs to be authenticated when they access your network – and that when users are granted access, that access should extend only to the systems they absolutely need. This minimizes both the risk of attack and the extent of successful attacks.
Implementing this involves segmenting data into small ‘zones’ to reduce the risk of data loss, and limiting access to that data so that individual groups and employees can only access the data they need to (least-privilege access). It also means limiting the number of devices that can connect to your network, as each new device ultimately represents another point of failure or risk.
When we talk about ‘Zero Trust Security solutions’, we aren’t necessarily discussing a particular type of technology that achieves this goal – but referring more generally to security solutions that help you achieve the holistic goal of verifying the identity of everyone who has access to your network.
In practice, Zero Trust security involves using user authentication and access management solutions to verify every single person, device and connection that attempts to access your business network – no matter where they are inside or outside the business network. This means using Multi-Factor Authentication, VPNs and Endpoint Management to manage and control user access.
Zero Trust Security is different to traditional security outlooks, which typically viewed your business networks as a castle. The castle’s high walls are your cybersecurity solutions, keeping external threats like malware and phishing from reaching the citizens inside.
But as we learnt from Game of Thrones, what’s inside the castle can be just as nasty as what’s outside. Insider threats, social engineering attacks and gaps in security systems mean that we can’t assume anything in our network is safe.
It’s also rare that a modern business network is located all in one place. Cloud technologies, remote working and hybrid technologies mean that our networks are now spread out, with people and devices connecting from all over the world. This makes it impossible to protect all of your business data by thinking of it as one central point to protect.
For this reason, many organizations, including Microsoft and Google, have implemented a Zero Trust security model, and security providers such as Cisco have designed security solutions designed to achieve a Zero Trust security approach.
Implementing a Zero Trust security model, and identifying Zero Trust solutions that can help you to execute that model, is one of the best ways of ensuring your organization is in a position to meet these new security challenges.
Where Has Zero Trust Security Come From?
The Zero Trust security model we know today was designed in 2010 by John Kindervag, who was the Principal Analyst for global research firm Forrester. But the concept goes back almost 15 years earlier than that, when it was coined by Stephen Paul Marsh in his doctoral thesis on computational cybersecurity.
Zero Trust networks were seen as the ideal, but difficult to execute and measure. Starting in 2009, Google began working on “BeyondCorp”, its implementation of the Zero Trust security model, working alongside Forrester’s analyst.
In the following decade, Zero Trust security became increasingly prevalent, especially with the rise of smartphones, cloud-based technologies and software-as-a-service. By 2019, Gartner was recommending that businesses implement Zero-Trust solutions as a component of their security strategy.
Today, almost all of the leading IT providers have adopted a Zero Trust Security model for their solutions, and many cybersecurity vendors offer Zero Trust Security solutions for their enterprise and SMB customers.
The COVID-19 pandemic and the resulting move to home working for much of the world’s population has accelerated the need and business drive to implement Zero Trust Security. In Forrester’s recent ‘Zero Trust Security Playbook for 2021’, they recommended Zero Trust Security as the best way to unify network and security infrastructure, while protecting a remote workforce.
Does Your Business Need Zero Trust Security?
In the modern workplace, applications and data are not centralized in one location. Instead, people, devices and connections are spread out and each employee holds the key to multiple points of entry to your business data.
To ensure that only trusted users can access systems, security processes typically require users to verify their identity with a username and password, and perhaps a secondary form of identification, like a biometric scan or a randomly generated one-time passcode.
However, this alone is not enough to protect against data breaches. Social engineering attacks such as phishing and spear-phishing, and the increasing threat of data breaches from insiders, mean that you cannot assume anyone connected to your network is safe.
The average cost of being hit with a data breach in 2020 was $3.86 million USD according to the Ponemon Institute, with 52% of data breaches caused by a malicious cyberattack.
Zero Trust Security solutions help to mitigate against data breaches, by allowing organizations to continuously monitor network activity and automatically detect suspicious user behavior, prompting users to give further verification if needed, or preventing them from accessing certain software.
Zero Trust solutions can also help you to better manage user permissions, as one of the central components of a Zero Trust security model is that users should only ever have access to the data they absolutely need to – and data should be as segmented as possible to avoid widespread data breaches.
What Are The Technologies Behind Zero Trust Solutions?
As we mentioned previously, Zero Trust security solutions don’t necessarily refer to any specific types of technology, security solution or type of product. Instead, it refers to a range of holistic technologies and processes, designed to help organizations reduce the risk of data breaches by managing user identities and minimizing individual access to data.
There are a range of cybersecurity technologies that can help organizations to implement a Zero Trust security solution. Products and technologies that are designed to help organizations to achieve these aims can be categorized as Zero Trust Security Solutions.
These technologies include multifactor authentication, VPNs, identity and access management, data encryption, privileged access management, user permissions and adaptive authentication for users.
These solutions are designed to govern user access, ensuring that only verified users can access your systems, and continuously validating their identity, rather than giving everyone with a password access to your systems. These solutions also help to monitor user traffic and behavior, and can help to segment your network – splitting access to different departments and individual users into groups to limit user access to sensitive data.
It’s likely that your organization is already using one or more of these technologies to govern access to data; they are critical to staying protected against sophisticated cybersecurity threats.
As implementing Zero Trust networks has been recommended widely across the security industry, many vendors have launched Zero Trust security solutions, designed to help organizations implement the technologies they need to stay secure.
What Features Should You Look For In A Zero Trust Solution?
If you’re considering implementing a Zero Trust Security solution for your organization, there are a number of key features you should look for.
User Authentication And Access Management
The first and one of the most important features is user authentication and access management. This comprises a broad set of features and technologies that allow you to continuously verify user permissions and prevent unauthorized users from gaining access to your data.
In a typical security environment, once a user has logged into their account, they would be able to access any data within it as long as they remained authorized to do so. With systems like adaptive authentication in place, user behavior is continuously monitored, and if any unusual activity is detected, users are prompted to verify their identity with additional factors, which can include biometric controls and one-time-passcodes.
This means that if users attempt to access data from unusual locations, outside of working hours, or on new devices, they will be asked for additional verification to limit the risk of data breaches and successful phishing attacks.
Policy Enforcement And Network Segmentation
The second important feature to look for is the ability to create policies and segment data to limit the risk of data loss. One of the central philosophies underpinning Zero Trust is segmenting data and access to that data – to limit the extent of data breaches in the case of unauthorized access.
Zero Trust solutions can help you to implement this, by allowing your admins to create systems, processes and policies to govern who has access to data, where data is stored, create groups and departments, and restrict access on an individual user level.
This is a crucial set of features to minimize the risk of phishing and account compromise. It limits the amount of data that any malicious user can access if they are able to breach your company accounts, and gives your IT admins important control over data access and user privileges.
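As an added illustration (not code from the original article or from any vendor product), the following Python sketches the policy decision that the two features above describe: a least-privilege zone policy that denies access outside a user's groups, plus the adaptive step-up triggers the text lists (unusual location, outside working hours, new device). The zones, groups, baselines and requests are constructed sample data, and the baseline format is an assumption of this example.

```python
from dataclasses import dataclass, replace
from datetime import datetime

# Constructed least-privilege policy: each group reaches only the data zones it needs.
ZONE_ACCESS = {
    "finance": {"finance-ledger", "shared-docs"},
    "engineering": {"source-repo", "shared-docs"},
}

@dataclass
class AccessRequest:
    groups: set
    zone: str
    country: str
    device_id: str
    when: datetime
    mfa_done: bool = False  # True once the user has answered a step-up challenge

def risk_signals(req, baseline):
    """Adaptive-auth triggers from the text; baseline = {"countries": set, "devices": set}."""
    signals = []
    if req.country not in baseline["countries"]:
        signals.append("unusual_location")
    if req.when.hour not in range(8, 18):  # outside assumed local working hours
        signals.append("outside_working_hours")
    if req.device_id not in baseline["devices"]:
        signals.append("new_device")
    return signals

def decide(req, baseline):
    """'deny' outside least-privilege zones, 'step_up' on risk signals without MFA, else 'allow'."""
    permitted = set().union(*(ZONE_ACCESS.get(g, set()) for g in req.groups))
    if req.zone not in permitted:
        return "deny", ["zone_not_permitted_for_groups"]
    signals = risk_signals(req, baseline)
    if signals and not req.mfa_done:
        return "step_up", signals
    return "allow", signals  # reasons are kept so every decision can be logged

def run_demo():
    """Constructed scenario: one finance user under three different conditions."""
    baseline = {"countries": {"GB"}, "devices": {"laptop-01"}}
    office = AccessRequest({"finance"}, "finance-ledger", "GB", "laptop-01", datetime(2021, 3, 2, 10, 0))
    travelling = AccessRequest({"finance"}, "finance-ledger", "US", "phone-77", datetime(2021, 3, 2, 23, 0))
    return {
        "office": decide(office, baseline),
        "travelling": decide(travelling, baseline),
        "travelling_after_mfa": decide(replace(travelling, mfa_done=True), baseline),
        "wrong_zone": decide(replace(office, zone="source-repo"), baseline),
    }
```

The returned reasons are what a reporting feature would write to its audit log: the same travelling request is challenged first and allowed only once MFA has been completed, while a request for a zone outside the user's groups is denied regardless of signals.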
Reporting And Monitoring Of Traffic And User Behavior
The final feature to look for in a Zero Trust security solution is an extensive range of reports and automated alerting when suspicious user behavior is detected. This is important for proactively detecting any signs of account compromise or malicious network activity.
It’s important that your Zero Trust security solutions provide detailed visibility into users, devices and components across your entire network environment, so you can better react to threats and track security risks.
The best solutions will provide detailed logs, reports and automated alerts that detail who has accessed data, alert you to suspicious behavior and give you the tools you need to better detect and respond to threats.
How Can You Implement A Zero Trust Network For Your Organization?
Despite the emergence of a number of technologies and solutions designed to help you implement Zero Trust security, it’s important to remember that Zero Trust is a process designed to work across your entire network infrastructure.
The US National Institute of Standards and Technology (NIST), in its 2020 standards for Zero Trust architecture, defines Zero Trust as an “evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources.”
In their report, they outline that “Implementing a ZTA is a journey rather than a wholesale replacement of infrastructure or processes. An organization should seek to incrementally implement zero trust principles, process changes, and technology solutions that protect its highest value data assets.”
NIST outlines seven steps for organizations looking to implement Zero Trust Security solutions. These are:
- Identifying Actors on The Enterprise.
- Identifying Assets on The Enterprise.
- Identifying Key Processes and Evaluate Risks Associated with Executing Process.
- Formulating Policies for the ZTA Candidate.
- Identifying Candidate Solutions.
- Initial Deployment and Monitoring.
- Expanding the ZTA.
You can read NIST’s full 2020 report for establishing Zero Trust in your organization here: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf