Zero Trust – A short intro

Why Current Trust Models and Approaches Are Broken,

There’s an old saying in information security: “We want our network to be like an M&M, with a hard crunchy outside and a soft chewy center.” This philosophy is widespread today, accompanied by the mantra “trust but verify.”  This mantra and M&M philosophy of information security is based on trust and the assumption that malicious individuals cannot pass the “hard crunchy outside.”

The thought process around this philosophy was that additional internal security measures were unnecessary because it was unlikely that an intruder would be able to get sustained access to a network, and it was also unlikely that they would be able to move from area to area once in an organization.

In today’s new threat landscape, this M&M and “trust but verify” model of information security is no longer an effective way of enforcing security. For an example mobile technology is more susceptible to theft and human error than traditional technology. A “trust but verify” approach does not compensate for these types of intrusions because the threat would come from what is a “trusted source.” In many cases, by the time organizations realizes that the source is no longer trusted, it is often too late.

Zero Trust Concept

Zero Trust is a security concept centered on the belief that organizations should not automatically trust anything inside or outside its perimeters and instead must verify anything and everything trying to connect to its systems before granting access.

Instead of assuming everything behind the corporate firewall is safe, the Zero Trust model assumes breach and verifies each request as though it originates from an open network. Regardless of where the request originates or what resource it accesses, Zero Trust teaches us to “never trust, always verify.” This means every access request is fully authenticated, authorized, and encrypted before granting access. Micro-segmentation and least privileged access principles are applied to minimize lateral movement. Rich intelligence and analytics are utilized to detect and respond to anomalies in real time.

A few basic steps a business can use to adapt their security posture to zero trust:

 

Segment the network

This is a fundamental part of zero trust networking which eliminates the possibility that an attacker who gains access to one secure area can automatically gain access to others. Traditional cybersecurity has a single boundary of trust: The edge of the enterprise network and in zero trust there are lots of security boundaries throughout a segmented network. Users have to constantly request access to areas they need to be, and if there isn’t an absolute need for them to be there then security keeps them out.

Implement access management and identity verification

Roles for employees need to be tightly controlled, and different roles should have clearly defined responsibilities that keep them restricted to certain segments of a network. Least privilege concept should be used. Users should at least use one two factor authentication method.

Extend the principle of least privilege to the firewall

The traffic users and assets generate after connecting to the network should be a matter of concern. Establish firewall rules that restrict network traffic between segments to only those absolutely needed to accomplish tasks. It’s better to have to unblock a port later on than to leave it open from the get-go and leave an open path for an attacker.

Firewalls should be contextually aware of traffic

Rule-based firewall setups aren’t enough: What if a legitimate app is hijacked for nefarious purposes, or a DNS spoof sends a user to a malicious webpage? To prevent problems like those it’s essential to make sure your firewall is looking at all inbound and outbound traffic to ensure it looks legitimate for an app’s purpose as well as checking it against blacklists, DNS rules, and other data.

Gather and analyze security log events

Zero Trust requires constant analysis to find its weaknesses and determine where to reinforce its capabilities and using a SEIM software is recommended.

References: https://csrc.nist.gov/publications/detail/sp/800-207/archive/2020-02-13

 

Privacy Preferences
When you visit our website, it may store information through your browser from specific services, usually in form of cookies. Here you can change your privacy preferences. Please note that blocking some types of cookies may impact your experience on our website and the services we offer.