Learn how you can leverage the Zero Trust Model to better protect your organization.
The Changing Business Landscape
The Covid-19 pandemic has made working from home the new norm, which has made it clear that the traditional concept of a well-defined network perimeter can’t be relied upon anymore for cybersecurity. A perimeter-centric defense where everyone inside the organization’s zone of control is trusted and anyone outside is malicious has become irrelevant. Organizations have adapted to the new economic landscape, in part, by adopting Cloud-based solutions. With the rise of SaaS applications and the influx of Bring-Your-Own-Device (BYOD) policies, cybercriminals have a greatly expanded attack surface. The locus of control has moved from the network to the Internet, which means organizations have to evolve beyond a network-centric model for securing their data and systems. This is where the Zero Trust security model comes into play, meaning there is no implicit trust granted to systems or users based solely on their physical or network location.
Zero Trust Model Defined
The Zero Trust concept is based on the principle that organizations should not trust anything automatically, regardless of whether it is inside or outside their network perimeter. The Zero Trust model replaces the traditional perimeter-centric security concept. It ensures dynamic enforcement of access decisions based on the user’s identity, device, and context. Zero Trust shifts the focus from protecting the corporate network to protecting individual resources. Authentication and authorization become discrete functions that are performed before any access to an enterprise resource is allowed.
Coined by Forrester Research analyst John Kindervag in 2009, the Zero Trust concept requires that all network traffic be treated as hostile and not be trusted. The Zero Trust model requires that security professionals verify and secure all resources by invalidating all forms of implicit trust and resulting entitlements. This concept of “never trust, always verify” quickly gained prominence as large organizations, such as Google, adopted Zero Trust to secure their infrastructures.
In order to implement an effective Zero Trust strategy, organizations leverage a broad set of existing technologies and approaches such as Multifactor Authentication, Privileged Access Management (PAM), and Network Segmentation with the user’s identity at the center. Additionally, governance policies such as the Principle of Least Privilege also play a key role in managing entitlement creep and protecting the CIA triad.
Identity Becomes the New Perimeter
The foundational principle of the Zero Trust model is establishing a single, valid identity for each user and device through an enterprise-class Identity and Access Management platform. This step includes evaluating the identity of each resource (person, system, or device) and assigning the appropriate level of authorization before access is granted to sensitive resources. Managing the initial authentication is not enough; Zero Trust requires users to re-authenticate on each access request through continuously adaptive authentication. Continuously adaptive authentication evaluates the user’s behavior and context to ensure that someone else has not assumed control of the session and that the proper user is authenticated. Last but not least, there is an audit trail for every access request and every transaction, which supports forensic analysis for better incident detection and response.
Context is Key
For a Zero Trust strategy to be effective, the full context of a session should be considered to determine the overall risk. In addition to the user’s identity, the state of their device, the applications they are using, and the sensitivity of the data they are trying to access also play a key role. Identity Governance and Authentication controls ensure the identity of the user. Through device management, it can be confirmed that the user’s device is not compromised. Data Security and network micro-segmentation limit the user’s access to the data. By analyzing this information, the context can then be defined to enable the right user, under the right condition, to have the right access to the right data.
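The three ideas above, per-request access decisions (Zero Trust Model Defined), continuous re-evaluation with an audit trail (Identity Becomes the New Perimeter), and combining identity, device state, session context and data sensitivity into one risk picture (Context is Key), fit together in a small policy decision point. The following is an added example written for this article, not code from the original post or from Idenhaus; the field names, sensitivity levels and risk thresholds are constructed assumptions, not a specific product's policy.

```python
"""Zero Trust policy decision point, as an illustrative example.

Added here as an example; not code from the original article or from
Idenhaus. Every request is evaluated on its own merits from identity,
device posture, session context and data sensitivity, and each decision
is appended to an audit trail. Thresholds and field names are assumptions.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, List, Set, Tuple


class Sensitivity(IntEnum):
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


@dataclass
class Identity:
    user: str
    roles: Set[str]
    mfa_verified: bool


@dataclass
class Device:
    managed: bool      # enrolled in device management
    compliant: bool    # passes posture checks (encryption, patch level, EDR)


@dataclass
class Context:
    risk_score: int          # 0-100 from behavioural analytics (constructed scale)
    minutes_since_auth: int  # age of the last successful authentication


@dataclass
class Resource:
    name: str
    sensitivity: Sensitivity
    allowed_roles: Set[str]


# Policy thresholds per sensitivity level (constructed values, not from the article).
MAX_RISK = {Sensitivity.PUBLIC: 90, Sensitivity.INTERNAL: 70,
            Sensitivity.CONFIDENTIAL: 40, Sensitivity.RESTRICTED: 20}
REAUTH_AFTER_MIN = {Sensitivity.PUBLIC: 480, Sensitivity.INTERNAL: 240,
                    Sensitivity.CONFIDENTIAL: 60, Sensitivity.RESTRICTED: 15}

# Conditions the user can clear with a step-up challenge; everything else denies.
STEP_UP_REASONS = {"mfa required", "re-authentication required"}

AUDIT_LOG: List[Dict] = []


def decide(identity: Identity, device: Device, context: Context,
           resource: Resource) -> Tuple[str, List[str]]:
    """Return ("allow" | "step_up" | "deny", reasons) and record the decision."""
    reasons: List[str] = []

    # 1. Least privilege: an entitlement must exist before anything else matters.
    if not identity.roles & resource.allowed_roles:
        reasons.append("no entitlement for resource")

    # 2. Strong authentication for anything above public data.
    if resource.sensitivity > Sensitivity.PUBLIC and not identity.mfa_verified:
        reasons.append("mfa required")

    # 3. Device posture: confidential and restricted data only from managed, compliant devices.
    if resource.sensitivity >= Sensitivity.CONFIDENTIAL and not (device.managed and device.compliant):
        reasons.append("device not managed or not compliant")

    # 4. Continuous evaluation: session risk and authentication age are checked
    #    on every request, not only at login.
    if context.risk_score > MAX_RISK[resource.sensitivity]:
        reasons.append("session risk too high")
    if context.minutes_since_auth > REAUTH_AFTER_MIN[resource.sensitivity]:
        reasons.append("re-authentication required")

    if not reasons:
        decision = "allow"
    elif set(reasons) <= STEP_UP_REASONS:
        decision = "step_up"
    else:
        decision = "deny"

    # 5. Audit trail: every request, allowed or not, leaves a record.
    AUDIT_LOG.append({"user": identity.user, "resource": resource.name,
                      "decision": decision, "reasons": list(reasons)})
    return decision, reasons


if __name__ == "__main__":
    payroll = Resource("payroll-db", Sensitivity.RESTRICTED, {"finance"})
    alice = Identity("alice", {"finance"}, mfa_verified=True)
    laptop = Device(managed=True, compliant=True)
    print(decide(alice, laptop, Context(risk_score=10, minutes_since_auth=5), payroll))
    print(decide(alice, laptop, Context(risk_score=10, minutes_since_auth=30), payroll))
    print(decide(alice, Device(managed=False, compliant=False),
                 Context(risk_score=10, minutes_since_auth=5), payroll))
    for entry in AUDIT_LOG:
        print(entry)
```

The ordering of the checks matters: entitlement and device posture failures deny outright, while a missing MFA factor or a stale authentication only trigger a step-up challenge, so the same user on the same device can be allowed, challenged or denied depending on what they ask for and what the session looks like at that moment. The audit entry records the reasons alongside the decision, which is what an incident responder needs to reconstruct why a request was permitted.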
Where do we go from here?
The pandemic has accelerated the move to Cloud and remote work across most industries. In this new environment, it makes sense to start moving toward a Zero Trust model to address security risks and prevent cyber attacks. Organizations with on-premises data centers have the most work to do, while organizations that have adopted a Cloud-first strategy will already have some Zero Trust capabilities in place out of necessity. Clearly, some organizations will find the process easier than others.
Zero Trust requires discipline, beginning with a willingness to mature the access management infrastructure and supporting processes. That said, it is a program and not a project, where capabilities must evolve over time to adapt to threats, mitigate/eliminate new risks, and create a secure environment. The journey begins with Identity Management and is supported by strong authentication (MFA) and more advanced solutions for privileged accounts (PAM).
The success of your Zero Trust program will hinge on the strength of the organization’s leadership. If senior leaders are committed to solving the security challenges inherent to our Cloud-centric/remote access world, they will avoid costly breaches and ultimately save their organizations money in the long run.
This article was written by Sajid Shafique, Cybersecurity Analyst at Idenhaus Consulting.