Modern technology environments have become increasingly complex. This, as you might imagine, has had a wide-ranging impact on our organizations, IT teams, and priorities, especially when it comes to security.
The proliferation of cloud services, Internet of Things (IoT) devices, and the shift to mobile and remote work has eliminated the traditional corporate security perimeter. As a result, organizations can no longer rely on the “castle-and-moat” model as a basis for an effective security strategy. That model relied on the notion that an organization’s network had a clearly identified security perimeter to establish a trust boundary. By default, users and devices within the trust boundary were implicitly trusted and allowed access to any organizational resources, while anything external was considered untrustworthy, requiring authentication to gain access.
Zero Trust is a security strategy intended to overcome the challenges posed by the modern technology environment. The primary concept of Zero Trust is that users and devices should not be trusted implicitly, even if they are connected to a private internal network controlled by the organization. Instead, access is based on the principle of “never trust, always verify,” where identity and permissions are continuously re-verified. Zero Trust doesn’t have to be all or nothing; organizations can roll it out in steps and phases to address individual use cases and goals.
“Zero trust operates on the assumption that threats can lurk anywhere (even within your organization). Therefore, every user, device, and network flow is treated as potentially compromised and must be verified and vetted before granting access.”
– Justin Giardina, Chief Technology Officer, 11:11 Systems
The term “Zero Trust” was introduced in 2010 by Forrester Analyst John Kindervag in the white paper, “No More Chewy Centers: The Zero Trust Model Of Information Security.” To facilitate the ability for enterprises to adopt a Zero Trust architecture, the National Institute of Standards and Technology (NIST) released Special Publication (SP) 800-207 in 2020, which provided further guidance regarding Zero Trust concepts, use cases, logical components, and deployment models.
Fundamentally, Zero Trust is based on three core principles:
- Assume breach — Organizations should assume there is a malicious presence inside their environment at all times and implement security controls to minimize its impact. This means that all access should be performed securely and use end-to-end encryption, segmentation should be used to minimize access, and all activity should be logged.
- Least privilege — Verified users and devices should be granted the minimum permissions necessary to perform their function for the shortest amount of time possible.
- Explicit verification — Authenticate and authorize based on all data points available, including user or device identity, device health, data sensitivity, location, and anomalies.
In SP 800-207, NIST outlined seven core tenets to assist organizations with the practical application of a Zero Trust architecture:
- All data sources and computing services are considered resources.
- All communication is secured regardless of network location.
- Access to individual enterprise resources is granted on a per-session basis.
- Access to resources is determined by dynamic policy—including the observable state of client identity, application/service, and the requesting asset—and may include other behavioral and environmental attributes.
- The enterprise monitors and measures the integrity and security posture of all owned and associated assets.
- All resource authentication and authorization are dynamic and strictly enforced before access is allowed.
- The enterprise collects as much information as possible about the current state of assets, network infrastructure, and communications, and uses it to improve its security posture.
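The three principles and the NIST tenets above describe what a policy decision point has to do on every request: verify each available signal explicitly, default to deny, and hand out a per-session, time-boxed, least-privilege grant. The following is an added illustration of that logic, not code from 11:11 Systems or from SP 800-207; the signal names, sensitivity tiers, session lifetimes and thresholds are all assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Tuple

# Assumed sensitivity tiers and the permissions a verified session may hold for each
# (least privilege: never more than the task needs; no write on confidential data here).
SENSITIVITY_PERMS = {
    "public": ("read",),
    "internal": ("read", "write"),
    "confidential": ("read",),
}
# Assumed session lifetime in minutes; it shrinks as sensitivity rises (per-session grant,
# held for the shortest time possible, then re-verified).
SESSION_TTL_MIN = {"public": 240, "internal": 60, "confidential": 15}
NOW = datetime(2024, 1, 1, 9, 0)  # constructed fixed clock so results are reproducible

@dataclass(frozen=True)
class AccessRequest:
    user_id: str
    mfa_verified: bool      # identity signal
    device_managed: bool    # device health signals
    device_patched: bool
    location_trusted: bool  # environmental attribute
    anomaly_score: float    # behavioral attribute, 0.0 (normal) .. 1.0 (highly anomalous)
    data_sensitivity: str   # "public" | "internal" | "confidential"

@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str
    permissions: Tuple[str, ...] = ()
    expires_at: Optional[datetime] = None

def evaluate(req: AccessRequest, now: datetime = NOW) -> Decision:
    """Policy decision point: explicit verification of every signal, deny by default,
    then a time-boxed least-privilege grant scoped to the resource's sensitivity."""
    if req.data_sensitivity not in SENSITIVITY_PERMS:
        return Decision(False, "unknown resource sensitivity")
    if not req.mfa_verified:
        return Decision(False, "identity not strongly verified (MFA missing)")
    if not req.device_managed:
        return Decision(False, "device not managed by the enterprise")
    if req.anomaly_score >= 0.8:
        return Decision(False, "behavioral anomaly score too high")
    # Confidential data additionally demands a patched device from a trusted location.
    if req.data_sensitivity == "confidential" and not (req.device_patched and req.location_trusted):
        return Decision(False, "confidential access needs a patched device from a trusted location")
    ttl = SESSION_TTL_MIN[req.data_sensitivity]
    if req.anomaly_score >= 0.5:
        ttl //= 2  # elevated but not blocking risk: shorten the session so re-verification comes sooner
    return Decision(True, "verified", SENSITIVITY_PERMS[req.data_sensitivity], now + timedelta(minutes=ttl))
```

Because every branch returns a `Decision` with a reason, the same function doubles as the log record the "collect as much information as possible" tenet asks for.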
Organizations today face a vast number of risks, whether from unwitting or malicious insiders, motivated ransomware gangs and cybercriminals, or nation states. In our experience, organizations can mitigate these risks by adopting and implementing a Zero Trust architecture. In a recent 11:11 Systems blog post, Justin Giardina, Chief Technology Officer, said, “Zero trust operates on the assumption that threats can lurk anywhere (even within your own organization). Therefore, every user, device and network flow is treated as potentially compromised and must be verified and vetted before granting access.” While this may seem extreme, in today’s cyber-risk climate it really isn’t.
For example, by only providing users and devices with the minimum permissions needed to perform their tasks, your organization can drastically reduce its attack surface. Segmenting internal networks and limiting access to assets makes it more difficult for malicious actors to move laterally through organizational resources. Continuous monitoring provides increased visibility into all traffic and activity, enhancing an organization’s ability to detect and respond to anomalous and malicious activity more quickly.
Additional benefits provided by the adoption of a Zero Trust architecture include reducing the potential scope and impact of a successful attack and supporting security and privacy initiatives and compliance. It’s important to remember that Zero Trust is a journey: begin by addressing an identified use case and expand from there.
For more information on Zero Trust and how 11:11 Systems can help, check out these additional resources:
- Webinar – Securing Cloud with Zero Trust