3 Jun 2021

Zero Trust Security

Zero Trust Security
The old network  security model of “inside means trusted” and “outside means untrusted” no-longer works with users accessing network and applications whether connected directly or remotely. This has led to the concept of Zero Trust being introduced. Zero Trust is a concept that helps prevent successful data breaches by eliminating the concept of trust from an organisation's network  architecture. The Zero Trust model recognises that trust is a vulnerability.

What is Zero Trust? 

Zero Trust is a security concept centered on the belief that organisations should not automatically trust anything inside or outside its perimeters and instead must verify anything and everything trying to connect to its systems before granting access. Zero Trust is designed to protect modern digital environments by leveraging network segmentation, preventing lateral movement, providing Layer 7 threat prevention, and simplifying granular user-access control. No single specific technology is associated with zero trust architecture; it is a holistic approach to network security that incorporates several different principles and technologies.

Zero Trust also known as Perimeter-less Security assumes that there is no traditional network edge; networks can be local, in the cloud, or a combination or hybrid with resources anywhere as well as users in any location. Execution of this framework combines advanced technologies such as multi factor authentication, identity and access management (IAM), identity protection, Endpoint Verification, Micro-segmentation, Least-privilege Access and next-generation endpoint security technology to verify the user’s identity and maintain system security. Zero Trust extended also requires consideration of encryption of data, securing email, and verifying the hygiene of assets and endpoints before they connect to applications.

With traditional IT network security it is hard to obtain access from outside the network, but everyone inside the network is trusted by default. Once on the network, users including malicious individuals are are free to move laterally and access or ex-filtrate whatever data. Zero Trust cut off all access until the network knows who you are and whether you’re authorised.

Zero Trust Architecture

Protection begins by identifying your protect surface, which is based on data, applications, assets, or services, commonly referenced by the acronym DAAS:

  1. Data: Which data do you have to protect?
  2. Applications: Which applications have sensitive information?
  3. Assets: What are your most sensitive assets?
  4. Services: Which services can a bad actor exploit in an attempt to interrupt normal IT operation?

With Zero Trust, you identify the network’s most critical and valuable data, assets, applications and services, how traffic moves across the organisation. Understanding who the users are, which applications they are accessing and how they are connecting is the only way to determine and enforce policy that ensures secure access to data. The right users need to have access to the right applications and data from wherever they are located.

Zero Trust architecture therefore requires organisations to continuously monitor and validate that a user and their device has the right privileges and attributes. It requires that the organisation know all of their service and privileged accounts, and can establish controls about what and where they connect. One-time validation simply won’t suffice, because threats and user attributes are all subject to change

Zero Trust Access (ZTA)

ZTA is about managing access to who and what is on your network through Role-based access control, thus implementing a least access policy that grants the user the minimum level of network access required for their role and removing any ability to access or see other parts of the network.

ZTA also applies to devices like network printers which have no credentials to identify themselves. Network Access Control (NAC) solutions can be used to control access granting enough network access rights to perform their role 

Only by knowing who a user is and the appropriate level of access will be granted based on their role. Is the user an employee, a guest, or a contractor? What is their role and what network access rights does that role entitle them to?

Zero Trust Network Access (ZTNA)

Due to the rise in remote working, ZTNA is a way of controlling access to applications regardless of where the user or the application resides. The application may reside in a corporate data center, in a private cloud, or on the public internet and the user may be for instance on a corporate network or working from home. 

With ZTNA no user or device can be trusted to access anything until authenticated and authorised unlike the traditional VPN which trusts anyone that passes the gateway at network perimeter. 

ZTNA imposes point-to-point secure access over an encrypted channel that is restricted to a set of source and destination devices only. This access must be governed using multi-factor authentication, authorisation and adequate logging and alerting controls. ZTNA is especially needed when remote access and management is a necessity for your business.