Dion Jiles

IT Security Manager - Network Security

Voya Financial

Zero Trust: Never Trust, Always Verify

Zero Trust Network Access (ZTNA) is a powerful security framework that can help organizations improve their security posture and reduce their risk of cyber attacks. By adopting a zero-trust approach, organizations can take a proactive stance against potential threats and ensure that their sensitive data and resources remain protected at all times.

What is Zero Trust?

ZTNA aims to provide access control and security to resources based on the identity of the user or device, rather than relying on the traditional perimeter-based security model. The ZTNA model assumes that all devices, networks and applications are inherently untrusted and, therefore, requires that every access request be verified and authenticated before granting access.

Zero trust is a set of security architecture design principles and a strategy based on the assume-breach philosophy. In assuming breach, the mindset is that a threat actor is both inside and outside the network at all times, and no implicit trust is granted to anyone. This model focuses on protecting critical assets in real time through granular least-privilege access that is granted based on decision/risk criteria, defining enhanced micro- and macro-network protections and improving signal detections across the enterprise networks. Other key threat use cases include ransomware and supply chain attacks, which both involve compromised identities and unmanaged devices.

Problem Model: Castle and Moat Security

In contrast, the Castle-Moat approach is a security model that borrows its name from the architectural design of castles in medieval times. Just as castles were designed to protect the people and valuables inside, the Castle-Moat approach is designed to protect the network and the data inside. In this approach, the network is divided into two main zones: the inside (or trusted zone) and the outside (or untrusted zone). These two zones are separated by a “moat,” which is essentially a secure perimeter that filters all incoming traffic and only allows authorized access to the inside.

The Castle-Moat model was designed to provide a high level of security by preventing unauthorized access to the network while also enabling authorized users and devices to access the resources they need. By creating a secure perimeter around the network and enforcing strict access controls, this approach could help protect against a wide range of cyber threats, including phishing, malware and unauthorized access.

However, once threats got inside a network they were left invisible, uninspected and free to morph and move wherever they chose, successfully extracting sensitive, valuable business data. Some of the most well-known insider breaches showed Castle-Moat was no longer sufficient for the current threat landscape.
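The contrast between the two models can be shown as two access decisions over the same requests. This is an added example, not code from the author or from any product; the address range, grant table, risk threshold and field names are all constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# All values below are constructed for illustration.
TRUSTED_ZONE = ip_network("10.0.0.0/8")  # the "inside" of the moat
GRANTS = {"alice": {"payroll-db"}, "vendor-7": {"ticketing"}}  # least privilege
RISK_LIMIT = 50  # hypothetical cut-off for a 0-100 risk signal


@dataclass(frozen=True)
class Request:
    user: str
    mfa_passed: bool      # identity verified for this request
    device_managed: bool  # device posture known and compliant
    source_ip: str
    resource: str
    risk_score: int       # hypothetical signal from monitoring


def castle_moat_allows(req: Request) -> bool:
    """Perimeter model: anything already inside the moat is trusted."""
    return ip_address(req.source_ip) in TRUSTED_ZONE


def zero_trust_decision(req: Request) -> tuple[bool, list[str]]:
    """Verify every request; network location earns no trust."""
    reasons = []
    if not req.mfa_passed:
        reasons.append("identity not verified")
    if not req.device_managed:
        reasons.append("unmanaged device")
    if req.resource not in GRANTS.get(req.user, set()):
        reasons.append("no grant for resource")
    if req.risk_score > RISK_LIMIT:
        reasons.append("risk above threshold")
    return (not reasons, reasons)


SAMPLES = {  # constructed requests
    "stolen_creds_inside": Request("alice", False, False, "10.1.2.3", "payroll-db", 80),
    "remote_employee": Request("alice", True, True, "203.0.113.10", "payroll-db", 10),
    "lateral_move_inside": Request("vendor-7", True, True, "10.4.4.4", "payroll-db", 10),
}


def compare() -> dict[str, tuple[bool, bool]]:
    """Map each sample to (castle_moat_allowed, zero_trust_allowed)."""
    return {name: (castle_moat_allows(r), zero_trust_decision(r)[0])
            for name, r in SAMPLES.items()}
```

The perimeter check admits both inside requests and rejects the legitimate remote employee; the per-request check does the reverse, and its reasons list records why each denial happened.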

Benefits of a Zero Trust Network Architecture

One of the key benefits of ZTNA is that it enables organizations to provide secure access to resources for remote workers, third-party vendors and other external parties without compromising the security of their network. This is particularly important in today’s distributed and remote workforce, where employees often access corporate resources from outside the traditional corporate network perimeter.

Implementing a ZTNA model requires a significant shift in mindset and a comprehensive approach to security that encompasses both technology and people. Organizations that adopt this approach must be willing to invest in the necessary infrastructure and tools to support it, as well as to provide training and education for their employees on how to use the new security model effectively.

What is the NIST Guideline for Zero Trust?

The National Institute of Standards and Technology (NIST) published a Special Publication in August 2020, titled “Zero Trust Architecture,” which provides guidelines for implementing a zero trust security model in organizations. Key points from the publication include:

  1. Zero trust is an approach to security that assumes that all networks, devices and users are potentially hostile and must be authenticated and authorized before being granted access to resources.
  2. The NIST guidelines for implementing zero trust include five key components: identify, protect, detect, respond and recover.
  3. The identify component involves identifying all devices and users on the network, classifying them based on their trustworthiness, and granting access based on that classification.
  4. The protect component involves implementing strong access controls, such as multifactor authentication, encryption and network segmentation, to prevent unauthorized access.
  5. The detect component involves continuous monitoring of network traffic and user behavior for signs of malicious activity, such as unauthorized access attempts or data exfiltration.
  6. The respond component involves responding quickly and effectively to security incidents, such as by isolating affected systems and limiting the spread of malware.
  7. The recover component involves restoring normal operations as quickly as possible after a security incident, and learning from the incident to improve security in the future.

The NIST zero trust guidelines provide a framework for organizations to adopt a more proactive and comprehensive approach to cybersecurity, by assuming that all users and devices are potentially malicious and taking steps to mitigate those risks.

Conclusion

Overall, ZTNA is an effective way to build resilience in the face of increasingly scary threats. The objective is to prevent as many attacks as possible, while limiting the damage from the ones that inevitably will get through even the best defenses. Organizations cannot afford to let malicious actors shut down their operations, and implementing zero trust helps ensure that business can go on as usual, even in the face of a successful attack.

About the Author:

Dion Jiles is an information technology (IT) security manager on the network security team at Voya Financial. Voya is a leading health, wealth and investment company that provides products, solutions and technologies that help Americans become well planned, well invested and well protected.
