Appgate Cybersecurity
November 15, 2019
What Is Zero Trust?
The Zero Trust model has taken the industry by storm and redefined how organizations should approach cyber security. Having a grasp on what Zero Trust entails and understanding its importance will ensure you are a step ahead of the rest.
The days of well-defined network perimeters, centralized IT, and offices are gone. The new reality is a digital enterprise landscape without perimeters in which customers, employees, and partners can connect from any location: a business that is everywhere. Outdated security models built on a trust but verify approach are no longer adequate and are, in fact, dangerous, easily exploited, and unnecessarily complex.
What is Zero Trust?
Zero Trust is a paradigm shift toward a never trust, extensively verify mindset — whether a user is privileged or not. According to Jason Garbis, Appgate VP of Products, and Co-Chair, Software-Defined Perimeter working group with the Cloud Security Alliance, “Zero Trust takes a different approach from traditional security — it never grants any type of access, either at a network or application layer — based on assumed trust. It requires that trust be earned through proactive device introspection, identity validation, and contextual analysis that is continuously re-evaluated using a contextual, risk-based approach”.
The traditional network security model is based on a "castle and moat" analogy. The castle represents the organization's internal network, fortified against outsiders with a strong perimeter defense (the moat). Under this model, once an outsider crosses the moat (e.g., by hacking through the firewall), they have free rein to attack the organization's internal network.
In contrast, the Zero Trust model does not rely on perimeter defenses. Instead, it requires all users and devices to be authenticated and authorized before they are granted access to any resources. This "verify first" approach eliminates the need for a perimeter defense, because there is no perimeter. All devices and users are treated as untrusted, whether inside or outside the organization's network.
There are many benefits to adopting a Zero Trust model. Perhaps the most important is that it makes it much more difficult for attackers to gain a foothold in an organization's network. Zero Trust forces attackers to go through the same process as legitimate users by requiring all devices and users to be authenticated and authorized. This makes it much harder for them to access sensitive data or systems because they must first obtain the proper credentials.
In addition, Zero Trust models are often more scalable than traditional network security models. Because there is no perimeter to defend, there is no need for costly and complex perimeter security solutions. This can make it easier to add new users and devices to the system without worrying about the impact on security.
Finally, Zero Trust models tend to be more flexible than traditional network security models. Because there is no perimeter, organizations are not constrained by the exact network boundaries. This allows them to easily extend their network to include partners, suppliers, and other third parties without worrying about the security implications.
What is the History of Zero Trust?
An analyst at Forrester Research Inc. coined the term "Zero Trust" in 2010, when the model was first introduced. Google introduced Zero Trust security several years ago, which sparked a growing desire in the tech industry to implement it. Gartner, a worldwide research and consulting company, identified Zero Trust security access as an essential component of secure access service edge (SASE) solutions in 2019. The history of Zero Trust is one of continued refinement and expansion as businesses strive to find better ways to protect their data and networks. As the world becomes increasingly connected, it's likely that Zero Trust will continue to play an essential role in keeping information safe.
NIST 800-207 and Zero Trust
NIST 800-207 is the most vendor-neutral, all-encompassing standard, with applications in any sector. For a cloud-first, work-from-anywhere strategy, the NIST standard guarantees compatibility and protection against contemporary assaults for most businesses. In May 2021, to combat the growing number of high-profile security breaches, the Biden administration released an executive order requiring that U.S. federal agencies follow NIST 800-207 as a vital component of the Zero Trust model implementation. The standard has undergone substantial validation and input from various vendors, commercial customers, and government agency stakeholders, which is why many private businesses view it as the de facto standard for business.
The Zero Trust promise is based on three key security concepts:
- Secure Access – Zero Trust requires an identity-centric approach to authentication. Rather than a simple yes or no to confirm user access based on whether the IP address has privileges, it is dependent on the contextual variables surrounding a user’s access request.
- Least Privilege – Once secure access is permitted to a user, the scope of that trust will continue to be limited. Users and devices are permitted to access only approved resources while everything else remains invisible and inaccessible.
- Visibility – In order to arm your analysts with timely and accurate data, your Zero Trust efforts should include the ability to view access request details for all North/South and East/West network traffic, empowering your SOC to make quick decisions for faster remediation and identify blind spots.
How Zero Trust Works: Understanding the Five Zero Trust Attack Surfaces
Zero Trust protection can be evaluated across five typical attack surfaces:
- People – Users are extensively verified by Zero Trust based on contextual variables, device security posture, and multi-factor authentication, only permitting conditional access to approved resources.
- Workloads – The Zero Trust model requires making server ports invisible to prying eyes and further unifies privileged access to and between all heterogeneous environments, automating security to scale with workloads.
- Networks – Zero Trust is able to limit access with network segmentation and confines lateral movement, keeping unauthorized resources invisible across all environments. It ensures all access is trusted by continuously authenticating users and devices.
- Devices – With a Zero Trust approach, network entry is restricted by isolating BYOD and IoT devices to prevent lateral movement. For user devices, it neutralizes attacks and evaluates device security posture as criteria for secure access to workloads and data.
- Data – Providing encrypted 1:1 tunnels to secure data flows, Zero Trust security limits and controls access to sensitive databases, and emulates data exfiltration techniques to unearth vulnerabilities before adversaries can take advantage.
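As an added illustration of the three concepts above (secure access, least privilege, visibility) and the People/Devices surfaces, here is a small policy decision function that contrasts an IP-based perimeter decision with a default-deny Zero Trust decision. This is example code written for this page, not Appgate's product or any real policy format; the policy table, roles, geographies and posture fields are constructed, hypothetical data.

```python
from dataclasses import dataclass, replace

# Constructed, hypothetical policy: resource -> roles approved to reach it.
POLICY = {
    "hr-db": {"hr"},
    "git": {"eng", "hr"},
}
ALLOWED_GEOS = {"US", "CA"}  # constructed contextual allow-list


@dataclass(frozen=True)
class Request:
    user: str
    roles: frozenset
    mfa: bool             # second factor completed for this session
    device_managed: bool  # device posture: enrolled in management
    disk_encrypted: bool  # device posture: encryption at rest verified
    geo: str              # contextual signal attached to the request


def perimeter_decide(src_ip: str, resource: str) -> bool:
    """Castle-and-moat: anything arriving from the 'inside' range is trusted."""
    return src_ip.startswith("10.")


def zero_trust_decide(req: Request, resource: str) -> bool:
    """Default deny: identity, factor, device posture and context are all checked."""
    if resource not in POLICY:
        return False
    if not req.roles & POLICY[resource]:
        return False  # least privilege: role not approved for this resource
    if not req.mfa:
        return False  # identity validation
    if not (req.device_managed and req.disk_encrypted):
        return False  # device introspection
    if req.geo not in ALLOWED_GEOS:
        return False  # contextual analysis
    return True


def visible_resources(req: Request) -> list:
    """Least privilege: resources the user may not reach are not listed at all."""
    return sorted(r for r in POLICY if zero_trust_decide(req, r))


def reevaluate(req: Request, resource: str, **changed_context) -> bool:
    """Continuous re-evaluation: the same session is re-decided after a context change."""
    return zero_trust_decide(replace(req, **changed_context), resource)
```

The test below shows the difference a practitioner would expect: the perimeter model says yes to any internal address, while the Zero Trust decision flips to deny as soon as the factor, posture or context changes mid-session.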
Getting Started with a Zero Trust Model
Zero Trust is a transformation of your security operations and supporting technology stack. The market today is ripe with vendors promising Zero Trust, and a glance at any industry trade show floor offers a first-hand view of the crowded nature of the cybersecurity marketplace.
When designing a Zero Trust architecture, security and IT teams should focus on creating a system that does not rely on a single point of authentication. This strategy will inform how you design your architecture, as you will need to create multiple layers of security that can be used to verify users and devices. Zero Trust delivered as a service can be used to provide this level of protection, and Gartner recommends leveraging this approach. This strategy can help you protect your data and resources while reducing reliance on a single point of authentication.
Adopting a Zero Trust Model
Now that you can answer, “What is Zero Trust?” it’s time to consider moving to a Zero Trust model. We urge our customers to adopt a focused approach to Zero Trust, where priorities take precedence over pizazz. Our Zero Trust framework takes a straightforward approach that addresses critical flaws and complexity in today’s security organizations:
- Reducing the Attack Surface
- Securing Access to Critical Systems
- Neutralizing Adversaries
Since significant advancements in IT have left security in the dust, it is natural to want to accelerate your journey to Zero Trust. The Appgate SDP offers a better approach to network security to replace or augment legacy solutions incapable of achieving Zero Trust. If you are serious about Zero Trust, we invite you to explore Appgate SDP, take it for a Test Drive or schedule time with an expert.