The Trend Toward A Zero Trust Model for Security

A zero trust architecture is a model for network security that calls for every user to be checked and validated against the access they are allowed in the system and the risk around the functions and data they are trying to access. Rather than establish a perimeter around the network and protect it with firewalls and passwords, a zero trust architecture establishes a continuous process of reaffirming trust in the user’s identity as that user moves through the system — at every point of access. 

Zero trust is now considered the aspirational ideal for any security professional who wants to sleep well at night. But the term threatens to become an empty buzzword if it is considered a one-time exercise in defense building, warns Thom Bailey, Senior Director, Strategy & Evangelism at Mimecast. 

“It has to be approached as a philosophy,” says Bailey. “It’s less a thing than it is a way of being.” 

History of Zero Trust Security              

The philosophy of zero trust security springs from the work of the Jericho Forum, part of a global standards organization known as the Open Group. In 2003, the Jericho Forum was set up to “de-perimeterize” security. It issued the original zero trust principles in 2007 as a series of “commandments” based on the assumption that security has to be specific to each asset in a network.[1] The name “zero trust” was coined in 2010 by then-Forrester Research analyst John Kindervag to define the model.[2]

How Does a Zero Trust Model Work?             

Rather than establish a security perimeter around a network and trust any user who can log into it, a zero trust model assumes any user identity can be compromised. It uses multifactor authentication (MFA) to improve security beyond the user name and password combination and applies a “least privilege” principle, giving the user the least access possible at every turn, and requiring additional validation before stepping up access privileges.

Zero trust security establishes trust every time a user tries to access an asset in the system by checking the asset against the user’s profile, the sensitivity of the asset being accessed and the context of the activity, such as the user’s location or electronic device, or whether that user’s job should even require that level of access. If the context cues don’t match, the user may be asked to revalidate their identity before proceeding. 

Benefits of a Zero Trust Framework 

While there is no 100% effective protection, zero trust security has become popular because it addresses many of the challenges and demands that affect security at most organizations today: 

• It can handle complexity: Today’s hybrid and multicloud operations are becoming increasingly complex; nearly half of U.S. organizations use two or three infrastructure-as-a-service (IaaS) clouds to stay nimble and competitive.[3] The demands of agile operations require the ability to pivot and migrate data among environments quickly and securely, and by establishing a zero trust framework, an organization can protect its assets, whether they are held on-premises, in the cloud or in hybrid environments. 
• It can handle regulation: With the growth of cybersecurity laws and regulations, such as the California Consumer Privacy Act (CCPA) in the U.S. and Europe’s General Data Protection Regulation (GDPR), organizations are increasingly under pressure to prove they are properly securing personal information held in their networks. Zero trust, as its name implies, fills the bill, even as regulators add more security requirements.  Additionally, in heavily regulated sectors such as financial services, defense contracting and healthcare, data security concerns are exploding along with the size of the data stores most organizations are now maintaining. Again, zero trust can get ahead of regulatory concerns by skipping straight to the tightest standard. 
• It can handle partnerships: Supply chain attacks have become a concern for a reason: More businesses are giving vendors and partners access to their networks, which increases their vulnerability to attacks such as ransomware or denial of service (DoS) channeled through those companies. Small businesses, which may not have the resources to maintain strong security, are particularly vulnerable to becoming unwitting partners of cybercriminals and facilitating attacks on larger, more profitable targets. Establishing a zero trust framework puts those vulnerable partners in a stronger defensive position. 

Core Principles of Zero Trust 

Zero trust principles acknowledge that silos in organizations have become porous and that work travels from one silo to another, so security needs to follow those workflows to keep all users safe, says Bailey. 

A zero trust approach is based on some core requirements: 

• Continual validation: As its name suggests, a zero trust model trusts no one. Every user must constantly be challenged by a check running in the background that matches the user to the activity, that user’s access and the level of risk before allowing them to continue across the network. Every connection is a closed loop that must be reopened as the user moves to another asset in the system, whether it is data, apps or other digital resources. 
• Reduced attack surface: Since no security protection is ever 100%, any zero trust architecture has to first assume that malicious access will happen and then find a way to limit the “blast radius” should an attacker breach the system. A commitment to least-privilege access is one way to make that happen; it limits how far a bad actor can get once inside the network. Email filters that either block or white-list email addresses can also help by keeping suspect emails from getting to their intended targets and by quarantining risky files until they are scanned and validated. 
• Individual context-based access: Access policies need to factor in the context of user activity — the geolocation, device used, resource being accessed and other factors — in real time and adapt as needs and functions change. “Say someone logs in from Boston, where he lives, and 20 minutes later he logs on from Singapore,” posits Bailey. Such “impossible travel” is a tipoff of malicious activity. Zero trust security is meant to address the many ways and places people work today and “how we address them coming and going,” he says.

How to Implement a Zero Trust Security Model       

Zero trust architecture has to be approached as a philosophy — as a mature and sophisticated way for organizations to look at their environment, says Bailey. Any single security technology can be only one part of the whole. Organizations need to pull together a zero trust model by integrating multiple vendors’ tools. 

“Think about it like defensive driving. You need to know where your mirrors are, understand speed traps or red light cameras or if children are walking home from school,” he says. “It’s very difficult for any one vendor to be highly prescriptive around zero trust, because we’re only one piece — maybe we’re the brakes, or the right-hand mirror or the taillight.” 

A few zero trust best practices can help: 

• Know your assets: It’s hard to protect what no one knows exists. An audit of existing assets is always a good first step before creating those individual access policies that form the basis of zero trust architecture. Knowing the resources in the network and their levels of risk enables access policies that match the security measure to the risk and avoid leaving important assets unprotected — or conversely, create so much user friction that they impede day-to-day work. 
• Mitigate and optimize: Hope for the best, but prepare for the worst and create access policies and emergency plans that fit your levels of risk and operational needs. While following the principle of reducing attack surfaces, organizations need to adopt a least-privilege access policy and compartmentalize their assets to prevent an attacker from moving across the system freely. Plan with cloud vendors to extend those protections beyond the on-premises network. 
• Automate as much as you can: The constant validation and user authentication that’s required for true zero trust security is too onerous for manual processing. Validating devices, matching users to their behavior and crosschecking the context to the user requires effective technology. Artificial intelligence and machine learning are proving to be useful tools to carry out behavioral analytics and match usage patterns and device identities to authenticate users without causing friction that interferes with business operations.  

The Bottom Line 

For today’s organizations, faced with increased cyberthreats and demands for agility and speed, zero trust security offers a way to manage cyber risk. But a true zero trust model requires an ongoing commitment from the organization and support from a number of emerging technologies to make it happen. Read how Mimecast uses AI, a key enabler of any zero trust approach.

[1] “Commandments,” Jericho Forum 

[2] “A Look Back at Zero Trust: Never Trust, Always Verify,” Forrester 

[3] “Cisco Describes Hybrid Clud ‘New Normal,’ Touts Cloud Operating Model for Success,” Virtualization and Cloud Review