Zero Trust Security assumes that your network has already been breached. When it comes to business, whom do you trust? Maybe the answer should be a stark, “Nobody.” Letting your guard down is a recipe for disaster in any organization that collects, stores, manages, and analyzes data.
The information technology infrastructure that companies rely on to do business is only as good as its weakest point. Imagine the vulnerability that a BYOD (bring your own device) policy poses for enterprises. For many organizations, security is focused at the perimeter, with the idea of keeping attackers outside the network and only letting authorized people enjoy access from within the system. This turns out not to be the safest method to ensure data security, though.
In addition to the practical need to maintain control over data, there are legal issues to contend with. For example, companies must protect sensitive information from criminals who steal it to commit identity theft and fraud.
Otherwise, you might be liable to be sued by those affected. What’s worse, the public relations fallout could have customers leaving you in droves. And if you fail to protect your intellectual property, you put your competitive edge at risk.
Even the military establishment recognizes a growing need to protect and restrict access to sensitive data, in their case focusing on the battlefield instead of the boardroom.
Accordingly, information technology professionals in the government are preparing to transition to zero trust security. “Today, the Army has a perimeter security-based network that will eventually be replaced with zero-trust security,” according to NETCOM deputy commander Patrick Dedham in a report from Army News Service.
Ongoing attempts by cyberspace threats to penetrate networks should inspire prudent CIOs and other stakeholders in companies to develop zero trust security for safeguarding their precious data assets.
Getting Started With Zero-Trust Security
Zero trust security is particularly crucial today because people access data in a variety of ways, from mobile access via smartphones, tablets, and laptops, using local servers as well as cloud environments. More are working from home these days to adhere to social distancing regulations during the coronavirus pandemic.
In a zero-trust security environment, you assume there has already been a breach of your system. You verify every data request as if it came from an open network. As Microsoft put it, you “never trust, always verify.”
An important principle of zero trust security is that the system must always authenticate people who want to use it.
Data points to gather continuously include the person’s identity, location, and the state of health of the device they’re using (Is it a compromised device with malware? Is the operating system up to date/patched with security fixes?).
The system will monitor for anomalies on the network, the workload level, and how data is being classified. Zero trust security also checks on firmware versions on devices attempting to connect and the types of endpoint hardware used.
All requests to access data are authenticated and authorized, and the communication is encrypted in both directions for better security.
To put things in perspective, it’s useful to consider the case of Edward Snowden, whose security level rating gave him system administrator privileges inside the National Security Agency, enabling full access to confidential, secret data.
Snowden was a government contractor who copied secret documents detailing information on America’s relationships with various allies and how much information the government was collecting on citizens in secret, which were then released to the media.
According to the Defense Innovation Board, if zero trust security rules of access had been applied to Snowden, he would not have been able to copy the secret documents.
But instead, Snowden was granted high-level permission to look at and download classified files. “This method of blind trust in users and devices inside the perimeter of the network is not sustainable and will continue to put national security information and operations at risk until it is resolved.” Indeed, such blind trust has no place in companies and underscores just how important it is that organizations do more to improve their security protocols.
Techniques for Enforcing Zero-Trust Security
There are four main techniques involved in zero-trust security implementations:
* Multi-factor Authentication: Often referred to as MFA, this is a method to validate users, involving at least two separate pieces of information before authentication.
This could consist of a series of security questions, answering a logic puzzle, or confirming receipt of an access code sent to the user by text message or email.
* Least-privilege Access: To minimize potential damage from a data breach, the zero trust security-enabled system will be programmed to grant the lowest possible level of access to users.
If a user has no business accessing certain data types, there is no reason to provide more privileges. A benefit here is that if the system does sustain a hacker breach, the intruder’s movement across the network is restricted, leaving fewer surfaces to attack.
* Ongoing, Real-time Monitoring: A hostile user could gain access to the network at any time, so a zero-trust security setup will aim to monitor users and their access attempts continually. With 24/7/365 monitoring, in the event of an attack, the faster you know about the intrusion, the quicker you can respond and protect the network.
* Microsegmentation: An evolution of the perimeter approach to security, micro-segmentation involves slicing users’ access needs into groups or based on what location they’re working from (such as headquarters or while working from a home office). This helps to keep people from moving laterally beyond the data they’re supposed to be working with.
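The signals listed earlier (identity, MFA, device health, location) and the four techniques above can be combined into a single policy decision point that checks every request before it reaches a resource. The following is an added example written for this article, not code from the article or from any vendor it mentions; the role permissions, segment rules, minimum OS build and firmware version, and all users, devices and requests are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Hypothetical baseline a device must meet to count as healthy (constructed values).
MIN_OS_BUILD = 22631        # minimum patched OS build number
MIN_FIRMWARE = "2.4.1"      # minimum acceptable firmware version
DENIAL_ALERT_THRESHOLD = 3  # consecutive denials per user before monitoring raises an alert


@dataclass
class Device:
    os_build: int
    firmware: str
    malware_detected: bool
    managed: bool               # False for an unmanaged BYOD device


@dataclass
class Request:
    user: str
    role: str
    mfa_verified: bool
    device: Device
    segment: str                # microsegment the request originates from
    resource: str
    action: str


# Least-privilege policy: a role gets only the actions it needs on each resource (constructed).
ROLE_PERMISSIONS: Dict[str, Dict[str, Set[str]]] = {
    "hr-analyst": {"hr-records": {"read"}},
    "sysadmin":   {"build-server": {"read", "write"}},
}

# Microsegmentation policy: each resource is reachable only from the listed segments (constructed).
RESOURCE_SEGMENTS: Dict[str, Set[str]] = {
    "hr-records":   {"hq-corp"},
    "build-server": {"hq-corp", "vpn-remote"},
}


def version_tuple(version: str) -> Tuple[int, ...]:
    """Turn "2.4.1" into (2, 4, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def device_problems(device: Device) -> List[str]:
    """Device-health checks; an empty list means the device passes."""
    problems = []
    if device.malware_detected:
        problems.append("malware detected on device")
    if device.os_build < MIN_OS_BUILD:
        problems.append("operating system not patched")
    if version_tuple(device.firmware) < version_tuple(MIN_FIRMWARE):
        problems.append("firmware below minimum version")
    if not device.managed:
        problems.append("unmanaged device")
    return problems


@dataclass
class Monitor:
    """Continuous monitoring: every decision is logged; repeated denials raise an alert."""
    audit_log: List[str] = field(default_factory=list)
    denials: Dict[str, int] = field(default_factory=dict)
    alerts: List[str] = field(default_factory=list)

    def record(self, req: Request, allowed: bool, reasons: List[str]) -> None:
        verdict = "ALLOW" if allowed else "DENY"
        self.audit_log.append(
            f"{verdict} user={req.user} action={req.action} resource={req.resource} "
            f"segment={req.segment} reasons={reasons}")
        if allowed:
            self.denials[req.user] = 0      # an allowed request resets the streak
            return
        self.denials[req.user] = self.denials.get(req.user, 0) + 1
        if self.denials[req.user] == DENIAL_ALERT_THRESHOLD:
            self.alerts.append(f"{req.user}: {DENIAL_ALERT_THRESHOLD} consecutive denied requests")


def evaluate(req: Request, monitor: Monitor) -> Tuple[bool, List[str]]:
    """Policy decision point: every request is verified; none is trusted by network position."""
    reasons: List[str] = []
    if not req.mfa_verified:
        reasons.append("MFA not completed")
    reasons.extend(device_problems(req.device))
    if req.segment not in RESOURCE_SEGMENTS.get(req.resource, set()):
        reasons.append(f"segment {req.segment} may not reach {req.resource}")
    permitted = ROLE_PERMISSIONS.get(req.role, {}).get(req.resource, set())
    if req.action not in permitted:
        reasons.append(f"role {req.role} has no {req.action} right on {req.resource}")
    allowed = not reasons               # deny unless every check passed
    monitor.record(req, allowed, reasons)
    return allowed, reasons


def demo() -> Monitor:
    """Runs a few constructed requests through the engine and returns the monitor state."""
    mon = Monitor()
    healthy = Device(os_build=22635, firmware="2.5.0", malware_detected=False, managed=True)
    byod = Device(os_build=19045, firmware="2.5.0", malware_detected=False, managed=False)
    evaluate(Request("alice", "sysadmin", True, healthy, "vpn-remote", "build-server", "write"), mon)
    evaluate(Request("alice", "sysadmin", True, healthy, "vpn-remote", "hr-records", "read"), mon)
    evaluate(Request("bob", "hr-analyst", True, healthy, "hq-corp", "hr-records", "write"), mon)
    evaluate(Request("bob", "hr-analyst", False, byod, "hq-corp", "hr-records", "read"), mon)
    evaluate(Request("bob", "hr-analyst", True, byod, "hq-corp", "hr-records", "read"), mon)
    return mon
```

In `demo()`, only alice’s first request passes every check; her second fails because the HR segment is not reachable over VPN and her role has no HR rights, and bob’s three requests are refused in turn for exceeding his read-only role, missing MFA on an unpatched personal device, and using that device at all. The third denial in a row trips the monitoring threshold, which is the kind of signal a 24/7 monitoring team would act on. Note that the engine collects every reason for a denial rather than stopping at the first, so the audit log shows the full picture of what a request lacked.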
Potential Challenges With a No Trust Security Approach
Getting buy-in from fellow stakeholders is just part of the potential challenge of deploying a zero-trust security solution in your organization. Assuming everyone is soon onboard, you’ll need to be prepared for some obstacles.
Chief among them is the possibility you have legacy applications that won’t integrate well with the new system, as pointed out by Crowdstrike. Mainframe and HR systems are typically not included in zero trust architecture. Another issue is the cost and time needed to re-architect systems for the ongoing identity verification required to keep trusting internal users as they continue their work.
The same situation may exist for your existing security tools, which themselves may require upgrading before the system can be fully integrated.
Finally, organizations can run into trouble during zero trust security deployment when they cannot view all individuals on the network or apply access protocols.
Legacy system setups, devices that have not been patched in years with security updates, and too much privilege assigned to users all can make for a bumpy road to zero trust. Working with consultants who know and follow current industry best practices will go a long way in your favor.
Trust No One is the Best Policy for Enterprise Security
Safeguarding intellectual property, protecting sensitive, private information you collect on individuals, and shoring up your network so that only authorized people can access data should be high up on the list of your priorities.
It’s best to develop a zero-trust security plan and implement it as soon as possible. After all, old-fashioned security approaches that focus merely on the perimeter defense of the network, instead of assuming the threat is already inside, can leave an organization defenseless. Whether you develop a zero trust security plan using your own team or with the help of third-party IT professionals, it’s certainly a task that merits your due consideration.