The security models of the past are based on the assumption that once someone has gained access to the internal network, that person can be trusted and all of his or her actions are allowed.
This statement is false because:
1. Employees utilize personal devices for business use
2. Applications that operate in the cloud do not exist within the network's perimeters.
3. Vendors who sell their products or services to your company require access to your network.
4. There is also the possibility of having internal threats.
In contrast, the assumption behind the Zero-Trust Security Model is "never trust, always verify." Zero-Trust helps organizations reduce the risk of breaches by limiting how much an attacker can gain access to or control once they have successfully accessed your organization through an account compromise.
The Core Principles of Zero-Trust Security Model are:
1. Verify Explicitly
A. All requests must be authenticated and authorized.
B. Implement multi-factor authentication (MFA) for all users.
C. Verify device health, location of the user, and identity of the user.
2. Least Privilege Access
A. Only give the necessary permissions to users and applications.
B. Create an expired access and limit the sessions of all users.
3. Assume Breach
A. Always monitor all network traffic.
B. Log and continuously analyze user behavior.
C. Limit the ability of attackers to move laterally by segmenting the network.
Real World Example
1. Google BeyondCorp has implemented a zero trust model as its employees were accessing apps from multiple locations and devices. The use of VPNs has also been eliminated, and now internal apps have a greater level of security.
2. Microsoft has adopted the zero trust model across all of its internal and cloud assets, using methods such as continuous verification and conditional access policies to reduce the number of successful account compromises.
3. In the finance sector, banks have segmented their access to payment systems and required multi-factor authentication (MFA) for all administrative actions. As a result, a phishing attack perpetrated by an insider of the bank was blocked because the attacker did not meet the necessary requirements of the zero trust model.
These examples of zero trust demonstrate that while zero trust will not eliminate the occurrence of an attack, it will greatly reduce the effects of said attack.
How Zero Trust Decreases the Risk of a Breach
1. Limits lateral movement: Once an account is compromised, it can only access determined resources.
2. Recognizes anomalies early: By utilizing conditional policies, zero trust will indicate any unusual activity.
3. Helps protect sensitive information: Accessing sensitive information will depend on the individual's identity, the condition of their device, and the overall context of their activity.
4. Minimizes the risk of an insider attack: There is no longer a permanent “trusted network” on which an employee can operate.
Tools to Achieve Zero Trust
1. Identity and Access Management (IAM) - Okta, Azure Active Directory (AD), Ping Identity
2. Endpoint Detection and Response (EDR) - CrowdStrike, SentinelOne
3. Network Segmentation/Microsegmentation - Illumio, VMware NSX
4. Zero Trust Cloud Gateways - Zscaler, Netskope
5. Monitoring and Analytics - Splunk, Elastic Security, Microsoft Sentinel
These tools allow organizations to continually verify user identity; enforce security policies; and monitor user actions.
Example of a Zero Trust use case
1. User attempts to log in from a non-standard location
2. A conditional access policy kicks in and requires a second factor of authentication
3. Device checks indicate that the operating system is no longer supported or maintained
4. Device will be prohibited from accessing resources until it is brought into compliance with organizational requirements
5. Security logs will record attempt for auditing and/or analytics purposes
Even if a cybercriminal had the credentials, they would not succeed because they were never granted trust in the first place.
Implementation Tips
1. Prioritize deploying Zero-Trust on critical applications and services over the entire network.
2. Identify high-value assets and sensitive data.
3. Gradually implement Least Privilege Access (LPA) and Segmentation.
4. Continuously monitor, log, and adapt policies.
5. Educate users about the zero trust security model.
It's essential to view zero-trust as an overall strategy and set of tools, rather than simply as a single product.
Key Takeaways
1. The majority of breaches take place because we continue to assume trust in the traditional way
2. Zero-trust decreases risk through continual verification of requests, limiting access to information
3. Conditional policies, multi-factor authentication (MFA), and segmentation are all critical components of implementing a zero-trust security model
4. Although tools are available to implement a zero-trust architecture, culture and processes are the most critical aspects of a successful implementation
5. Start small with deployments on critical assets and work to expand as necessary