What is Zero Trust?
There is no one-size-fits-all solution for security, so the best way to lessen the threat surface is to implement a zero trust architecture. To determine if pursuing a zero trust architecture is the right move for your organization, you need to understand its purpose, benefits and challenges.
Traditional attempts to protect the perimeter have shown that they are no match for today’s increasingly sophisticated threat actors. After all, humans are still the weakest link; it’s far too easy for someone to fall victim to a phishing attack, granting access to an internal network.
While zero trust has been an intimidating topic for many organizations due to the well-known challenges associated with implementing such an approach into an existing organization’s frequently complex network, the benefits shouldn’t be overlooked. Even the Federal Government is recognizing the importance of this approach as indicated in the recent Executive Order on Cybersecurity from President Biden which states, “The Federal government must lead the way and increase its adoption of security best practices, including by employing a zero-trust security model…”.
What is Zero Trust?
Zero trust is a collection of concepts and ideas built around the principle of least privilege for information systems. Basically, it’s about restricting access to resources to only the people who need them.
Every time a user wants to access specific data or a specific resource, the user will need to authenticate and prove who they are. For example, if a user needs to read the details from a document to do a portion of their job, they will only be granted privileges to read the document; they will not be able to edit or modify that document in any way.
This restriction around privileges is intentional. After all, a zero trust architecture applies zero trust principles to every workflow and is designed on the assumption that the internal network is already compromised by various threats. This is a unique mental hurdle for many organizations, since most people simply assume that an internal network is protected.
So how do you start implementing a zero trust architecture into your own network?
The Gold Standard of Zero Trust: NIST 800-207
Organizations looking to implement a zero trust architecture need to first identify the framework they want to follow. The NIST Special Publication 800-207 Zero Trust Architecture is widely referred to as the “gold standard” of zero trust. It is, perhaps, the most thorough framework an organization can follow to implement a true zero trust architecture.
According to NIST 800-207, “zero trust (ZT) is the term for an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources.”
The transition to a zero trust architecture is a significant task that cannot be achieved by simply updating or implementing new network security solutions. For that reason, many organizations pursue zero trust architecture in phases, oftentimes having components of zero trust incorporated in the organization’s infrastructure paired with perimeter-based security solutions.
The Benefits of Zero Trust
The greatest benefit of a zero trust architecture is obviously security. But there are three distinct components within network security that are worth highlighting.
1. Lessening the Threat Surface
Implementing a zero trust architecture is similar to implementing a brick wall against a traditional attack. This approach requires constant authentication, measurement, and verification to ensure the users who are granted access are who they say they are, and that they don’t abuse the access they’ve been given.
2. Visibility and Accountability
If organizations follow proper guidance, they should have logging and monitoring in place to know when anomalies happen. Though this is not unique to zero trust, limiting user access and accurately logging and monitoring activities allows organizations to gain greater visibility into user activities.
3. Securing the Remote Workforce
Clearly, the rapid shift to a remote workforce was both unprecedented and unexpected. Also unexpected was the speed with which new security concerns arose as a result of the increased presence of a distributed workforce, where employees began accessing the organization’s internal network from wherever they chose to work.
Consider, for example, if a user’s laptop was infected and they connected to the organization’s internal network through the virtual private network (VPN). With a zero trust architecture, it wouldn’t be as easy for the infected machine to infect the network because even the internal network is not automatically treated as an implicitly trusted network.
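As an added illustration that is not part of the original article, the following Python sketch applies the per-request checks described above (authenticate every request, check device posture, allow only the least-privilege action that was granted, and never treat network location as a reason to trust) and contrasts them with the perimeter model that the infected-laptop-over-VPN scenario defeats. The users, resource, grants and request fields are constructed sample data.

```python
from dataclasses import dataclass

# Constructed sample input; field names are assumptions for this example.
@dataclass
class Request:
    user: str
    authenticated: bool   # did this specific request carry a verified credential?
    device_healthy: bool  # endpoint posture check passed (e.g. no malware detected)
    network: str          # "internal", "vpn" or "internet"; zero trust ignores this
    resource: str
    action: str           # "read" or "edit"

# Least-privilege grants: each user gets only the actions their job needs.
# Alice may read the document but never edit it; Bob may do both.
GRANTS = {
    ("alice", "quarterly-report.docx"): {"read"},
    ("bob", "quarterly-report.docx"): {"read", "edit"},
}

# Every decision is recorded so anomalies (e.g. repeated denials) are visible.
AUDIT_LOG: list = []

def perimeter_decide(req: Request) -> bool:
    """Traditional model: anything already inside the perimeter (LAN or VPN)
    is implicitly trusted, regardless of who or what is making the request."""
    return req.network in {"internal", "vpn"}

def zero_trust_decide(req: Request) -> bool:
    """Zero trust model: no implicit trust from location. Each request must
    authenticate, the device must pass posture, and only explicitly granted
    actions on that resource are allowed."""
    if not req.authenticated:
        reason = "deny: request not authenticated"
    elif not req.device_healthy:
        reason = "deny: device failed posture check"
    elif req.action not in GRANTS.get((req.user, req.resource), set()):
        reason = f"deny: action '{req.action}' not granted"
    else:
        reason = "allow"
    AUDIT_LOG.append((req.user, req.network, req.resource, req.action, reason))
    return reason == "allow"

if __name__ == "__main__":
    infected = Request("alice", True, False, "vpn", "quarterly-report.docx", "read")
    print("perimeter:", perimeter_decide(infected))   # True: VPN is trusted
    print("zero trust:", zero_trust_decide(infected))  # False: posture failed
```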
Based on this short list, it may seem like a no-brainer to implement a zero trust architecture into your organization, but there are some challenges to consider.
The Challenges of Zero Trust
The challenges around implementing zero trust architecture largely revolve around user experience and expertise.
Productivity and Performance
When it comes to productivity and performance, a zero trust architecture can unintentionally impact a user’s ability to get their job done. It can be tricky to find the delicate balance between locking down your assets as tightly as possible and making employees unproductive. After all, humans are the weakest link when it comes to network security. Limiting each user’s ability to interact with organizational data and information according to least privilege principles makes sense, until it prevents them from getting their job done in a timely and efficient manner.
Implementation Expertise
One of the biggest challenges organizations encounter with implementing a zero trust architecture is the amount of time and deep security knowledge required to implement it, especially for an already established organization.
A deep understanding of how an organization’s network operates and how the business runs is just the beginning. To effectively implement a zero trust architecture an organization must think ten steps ahead. For example, you’d need to think about the architecture in use today, how it can be modified while in use, and what long-term changes would need to take place.
Troubleshooting
Part of implementation planning is troubleshooting. Before a zero trust architecture is even implemented, the security team needs to consider all the possible scenarios that could require troubleshooting.
What if something stops working when zero trust is implemented? Who has enough functional knowledge of every component within an organization’s network to effectively troubleshoot something if or when something stops working?
Ultimately, this highly specialized skillset requires someone who is technically aware and geared toward managing and troubleshooting a zero trust environment.
What Zero Trust Steps Can You Take Today?
Organizations have become increasingly complex, making traditional network security solutions less effective on their own. This, coupled with the increasing sophistication of threat actors, illustrates a very real need to explore an approach that lessens the threat surface.
I strongly believe it’s time for organizations to start having zero trust conversations and think about what it would look like to begin the migration process.
To do so most effectively, leverage an existing methodology or framework, like NIST 800-207, as a blueprint for pursuing your zero trust mission. Create a checklist and a Q&A test plan to ensure you understand what the implementation could look like.
And remember, hacks happen from gaps that are often overlooked. Whatever framework you decide to pursue for your zero trust mission, follow it completely.