When it comes to network security, most organisations still rely on a perimeter-centric strategy: anything inside the secured perimeter is trusted by default, and only outsiders are treated as untrusted. In practice, that means anyone who presents valid credentials, whether they obtained them legitimately or not, gets broad access to the internal network.
However, according to research by Ponemon, the number of credential theft incidents has nearly doubled in the last two years. Furthermore, since 2016, the average number of cybersecurity incidents caused by malicious insiders has increased by 53 percent. In 2019, insider threats and credential theft are likely to remain the main risk factors for enterprise cybersecurity. As a result, trusting everyone within your network's borders simply because they are already inside is unsafe. This is where the zero trust security model comes into play.
So, what is a zero trust architecture? It is a network architecture rooted in a simple idea: never trust, always verify. The zero trust model was first proposed by security analysts at Forrester Research back in 2010. At first the concept was applied mostly at the application level; today the zero trust approach is widely used for securing entire networks as well.
Trusting no one is the key
There are several reasons why a zero trust architecture is critical for an appropriate level of enterprise cybersecurity. First, as mentioned earlier, data breaches caused by insiders are on the rise, so insider threat prevention should be a top priority.
Secondly, many things simply don't fit the classic perimeter-centric model, including:
- Cloud computing – Unlike traditional networks, cloud workloads have no static perimeter that can be fenced off and contained.
- Shadow IT – More and more companies adopt a Bring Your Own Device (BYOD) policy, allowing employees to connect personal devices to the corporate network. In many organisations, employees also use their preferred third-party software and services instead of those approved by the corporate IT department. Monitoring and managing such devices and applications, let alone securing them, is a real challenge.
- The Internet of Things (IoT) – IoT deployments attach sensors and other connected devices to physical objects. Just as with BYOD, it is difficult to monitor, control and patch all of these devices in a timely manner.
In contrast to classic perimeter-centric networks, a zero trust network protects individual users, systems and devices rather than a general perimeter. Before a request for anything is served, its source must be authenticated and then authorised. Tools such as identity and access management (IAM), multi-factor authentication (MFA) and single sign-on (SSO) help you reach the required level of user identity verification. Privileged account and session management (PASM) tools help protect the accounts with elevated privileges, which are the ones an attacker with stolen credentials is most interested in.
Instead of traditional network zoning, the zero trust model also uses micro-segmentation: workloads (virtual machines, containers and the hosts that run them) are placed in small segments with explicit allow rules between them, so that only the flows an application actually needs are permitted and everything else is denied by default. As a result, even if one account or server is compromised, the attacker cannot move laterally at will; the blast radius is limited to whatever that segment is allowed to reach.
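To make the blast-radius point concrete, the following is an added example (not code from the original article) that models a small environment twice: once as a flat perimeter network where every internal flow is allowed, and once with a default-deny micro-segmentation policy. The workload inventory, segment labels, ports and allow rules are constructed sample data; the blast radius is computed by letting an attacker pivot through every host they can connect to, which is the worst case.

```python
"""Blast-radius comparison: flat network versus micro-segmented network.

Added example, not code from the original article. Workloads, segment
labels and allow rules below are constructed sample data.
"""
from collections import deque

# Constructed inventory: workload name -> segment label.
WORKLOADS = {
    "web-1": "web",
    "web-2": "web",
    "api-1": "api",
    "db-1": "db",
    "jump-1": "admin",
    "hr-db-1": "hr",
}

# Ports an attacker would probe between hosts in this sample environment.
PORTS = (22, 5432, 8443)

# Constructed micro-segmentation policy: (source segment, destination
# segment, port) triples that are explicitly allowed. Everything else is
# denied (default deny), including traffic between two hosts in the same
# segment unless it is listed here.
SEGMENT_RULES = frozenset({
    ("web", "api", 8443),     # front end talks to the API
    ("api", "db", 5432),      # API talks to its database
    ("admin", "web", 22),     # only the jump host may SSH anywhere
    ("admin", "api", 22),
    ("admin", "db", 22),
    ("admin", "hr", 22),
})


def flat_policy(inventory=WORKLOADS, ports=PORTS):
    """The traditional perimeter model: once inside, every flow is allowed."""
    segments = set(inventory.values())
    return frozenset((s, d, p) for s in segments for d in segments for p in ports)


def flow_allowed(src, dst, port, rules=SEGMENT_RULES, inventory=WORKLOADS):
    """Default deny: a flow passes only if its (src seg, dst seg, port) is listed."""
    return (inventory[src], inventory[dst], port) in rules


def blast_radius(compromised, rules=SEGMENT_RULES, inventory=WORKLOADS, ports=PORTS):
    """Hosts an attacker who owns `compromised` can reach by pivoting through
    every host they can connect to (worst case: each reachable host falls too)."""
    reached = {compromised}
    queue = deque([compromised])
    while queue:
        current = queue.popleft()
        for host in inventory:
            if host in reached:
                continue
            if any(flow_allowed(current, host, p, rules, inventory) for p in ports):
                reached.add(host)
                queue.append(host)
    reached.discard(compromised)
    return reached


if __name__ == "__main__":
    print("flat network, web-1 compromised:", sorted(blast_radius("web-1", flat_policy())))
    print("segmented,    web-1 compromised:", sorted(blast_radius("web-1")))
    print("segmented,    jump-1 compromised:", sorted(blast_radius("jump-1")))
```

With the flat policy a compromised web server reaches every other host; with the segmented policy it reaches only the API it is allowed to call and, through that API, the database, while the second web server, the jump host and the HR database stay out of reach. The same calculation also shows that the jump host still reaches everything, which is exactly why privileged accounts on it deserve PASM-style controls rather than being trusted as "inside".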
Four steps towards building a zero trust network architecture
When it comes to deploying a zero trust approach, you have two options:
- Buy an out-of-the-box zero trust solution
- Build a personal zero trust network architecture from scratch
The first option may appear tempting, but finding an off-the-shelf solution that fits your business's needs perfectly isn't easy. Still, vendors' zero trust architecture examples are useful references when drafting your own zero trust security policy.
Designing a zero trust network from scratch, on the other hand, gives you more flexibility. By combining different tools and solutions, you can create an architecture that fits your current needs and change it whenever those needs change.
Now, let's take a closer look at the main stages of building a zero trust network architecture. Zero trust network design is a complex process that includes four main stages:
- Identify your critical data
- Determine source identity
- Determine device trust
- Apply contextual access control
Identify your critical data. First and foremost, distinguish critical data and systems from regular ones. Apply additional access controls to the data and assets that have the highest value for your organisation, and treat anything you have not yet classified as sensitive until proven otherwise.
Determine source identity. Evaluating source identity is the key to assigning an appropriate level of authorisation to each user and device attempting to access your network. Use modern IAM capabilities such as MFA and SSO to add a further level of identity verification where the value of the data requires it.
Determine device trust. In a zero trust security model, all devices are split into two major categories: managed and unmanaged. Managed devices are the ones sanctioned by the corporate IT department that the organisation's security specialists can monitor, control and update. Unmanaged devices, in turn, are the personal devices of employees or subcontractors that have access to the corporate network. In a zero trust network, the system should be able to distinguish managed devices from unmanaged ones and grant appropriate permissions to each group. Enrolment alone should not be enough: a managed device should also pass a posture check (patch level, disk encryption, endpoint agent present) before it is trusted with critical data.
Apply contextual access control. With the right IAM solution in place, it's time to apply context-based access policies. Role-based access control (RBAC) gives each user a coarse set of permissions, and attribute-based access control (ABAC) narrows them further based on the attributes of the request, so that users are granted only the access they need in the situation they are in.
Your goal is full visibility across your network: you should be able to see which users access which data and systems, and every access decision should be logged. Factors such as user location, time of day and device context also matter when applying the right access policy in each particular case.
It is important to deploy the zero trust security model top down, starting from the most valuable targets within your network and then moving on to less sensitive data and assets.
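The four stages above come together in a single access decision. The following is an added example (not code from the original article) of a small policy engine that classifies the requested resource, checks the RBAC grant from the caller's roles, and then applies ABAC rules covering MFA, device trust and posture, location and time of day, denying by default and recording every decision for visibility. The resource tiers, roles, rule thresholds and sample requests are all constructed for illustration.

```python
"""Zero trust access decision combining the four stages above.

Added example, not code from the original article. Resource tiers, roles,
rules and the sample requests are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    user: str
    roles: frozenset          # roles asserted by the IAM/SSO token
    mfa_verified: bool        # did this session complete MFA?
    device_managed: bool      # enrolled in corporate device management
    device_compliant: bool    # posture check passed (patched, encrypted, EDR present)
    location: str             # "office", "home" or "unknown"
    hour: int                 # local hour of day, 0-23
    resource: str
    action: str               # "read" or "write"


# Stage 1: classify data. Unknown resources get no tier and are denied.
RESOURCE_TIER = {
    "payroll-db": "critical",
    "crm": "confidential",
    "wiki": "internal",
}

# RBAC part of stage 4: what each role may do on each tier.
ROLE_PERMISSIONS = {
    "hr": {("critical", "read"), ("confidential", "read"), ("confidential", "write"),
           ("internal", "read"), ("internal", "write")},
    "engineer": {("internal", "read"), ("internal", "write")},
}

TRUSTED_LOCATIONS = {"office", "home"}

# Stages 2-4 (ABAC part): each rule is (predicate, reason); the predicate
# returns True when the request must be denied. Rules run in order and the
# first match wins, so the reason tells the user what they need to fix.
ABAC_RULES = [
    (lambda r, tier: tier != "internal" and not r.mfa_verified,
     "step-up MFA required for confidential and critical data"),
    (lambda r, tier: tier == "critical" and not (r.device_managed and r.device_compliant),
     "critical data requires a managed device that passed its posture check"),
    (lambda r, tier: tier == "confidential" and not r.device_managed and r.action == "write",
     "unmanaged (BYOD) devices are read-only on confidential data"),
    (lambda r, tier: tier == "critical" and r.location not in TRUSTED_LOCATIONS,
     "critical data is not served to unknown locations"),
    (lambda r, tier: tier == "critical" and not (7 <= r.hour < 20),
     "critical data access is limited to 07:00-20:00 local time"),
]

AUDIT_LOG = []   # every decision is recorded: visibility is part of the model


def rbac_grants(req, tier):
    return any((tier, req.action) in ROLE_PERMISSIONS.get(role, ()) for role in req.roles)


def evaluate(req):
    """Return ('allow' | 'deny', reason). Anything not explicitly allowed is denied."""
    tier = RESOURCE_TIER.get(req.resource)
    if tier is None:
        decision = ("deny", f"{req.resource} is unclassified; classify it before exposing it")
    elif not rbac_grants(req, tier):
        decision = ("deny", f"no role in {sorted(req.roles)} grants {req.action} on {tier} data")
    else:
        decision = ("allow", f"{req.user} may {req.action} {req.resource} ({tier})")
        for must_deny, reason in ABAC_RULES:
            if must_deny(req, tier):
                decision = ("deny", reason)
                break
    AUDIT_LOG.append({"user": req.user, "resource": req.resource, "action": req.action,
                      "result": decision[0], "reason": decision[1]})
    return decision


def sample_decisions():
    """Constructed requests showing how one policy treats different contexts."""
    hr_office = dict(user="alice", roles=frozenset({"hr"}), mfa_verified=True,
                     device_managed=True, device_compliant=True, location="office", hour=10)
    return {
        "hr_managed_laptop": evaluate(Request(**hr_office, resource="payroll-db", action="read")),
        "hr_byod": evaluate(Request(**{**hr_office, "device_managed": False},
                                    resource="payroll-db", action="read")),
        "hr_no_mfa": evaluate(Request(**{**hr_office, "mfa_verified": False},
                                      resource="payroll-db", action="read")),
        "hr_after_hours": evaluate(Request(**{**hr_office, "hour": 23},
                                           resource="payroll-db", action="read")),
        "engineer_payroll": evaluate(Request(**{**hr_office, "user": "bob",
                                                "roles": frozenset({"engineer"})},
                                             resource="payroll-db", action="read")),
        "engineer_wiki_byod": evaluate(Request(user="bob", roles=frozenset({"engineer"}),
                                               mfa_verified=False, device_managed=False,
                                               device_compliant=False, location="home",
                                               hour=23, resource="wiki", action="write")),
        "unclassified_share": evaluate(Request(**hr_office, resource="legacy-share", action="read")),
    }


if __name__ == "__main__":
    for name, (result, reason) in sample_decisions().items():
        print(f"{name:20s} {result:5s} {reason}")
```

Note the asymmetry the sample requests expose: the same HR user is allowed to read payroll from a managed, compliant laptop in office hours, but is denied from a personal device, without MFA, or late at night, while an engineer editing the internal wiki from a personal device at night is still allowed because that data sits in the lowest tier. That is the top-down deployment in practice: the strictest checks attach to the most valuable targets, and an unclassified resource is denied until someone classifies it.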
The zero trust network architecture is a compelling alternative to traditional security models. At its core it is a mindset that forces you to put cybersecurity first and to be just as pragmatic about trusting insiders as you already are about outsiders.
By deploying a zero trust approach, you can improve the protection of your network and take a few more steps towards preventing serious data breaches caused by malicious insiders, phishing attacks or malware.