Zero Trust Architecture explained

September 29, 2020 | Nick Cavalancia

This blog was written by a third party author.

With the increase in frequency, sophistication, and cost of cyberattacks, the global focus on cybersecurity is at an all-time high. However, the goalposts for those tasked with protecting businesses have shifted. Attackers have a growing number of ways to compromise a business and frequently look to move laterally within an organization using credentialed (and often elevated) access. On top of this, insider threats are on the rise, where trusted users take advantage of their access for nefarious purposes.

This means that the tried-and-tested concept of perimeter-based security and defenses (where anything located on the corporate network is assumed to be trusted) is no longer enough. Security teams need to shift their thinking from the perimeter to the authentication of users and devices and their access to resources. This means looking at methods of both restricting access and monitoring access requests to ensure those using the environment are doing so appropriately.

This is where a Zero Trust Architecture comes in.

What is Zero Trust Architecture?

Zero Trust Architecture should be a core part of a company’s cybersecurity planning, combining identity, access policy, authentication, and more. The concept of Zero Trust is “never trust, always verify”, which effectively means assuming that all devices and users represent a potential threat and cannot be trusted until they have been properly authenticated. Once authenticated, users are allowed access only to the bare minimum they need to perform their job efficiently. Therefore, if a device (or user account) is compromised, Zero Trust aims to ensure that the damage is either mitigated (by not allowing access) or, at worst, limited in scope.

The concept of Zero Trust has been growing over the past decade; however, the challenge has been implementing it without sacrificing user experience and productivity. Zero Trust Architecture relies heavily on some critical capabilities – namely identity management, asset management, application authentication, network segmentation, and threat intelligence. The technologies needed to achieve these were once only available to larger organizations but are now readily available in the mainstream.

How can an organization implement Zero Trust Architecture?

Successfully implementing a Zero Trust Architecture means going beyond rolling out a series of integrated tools and technologies supported by a set of operational policies and authentication requirements. It has to be a strategic initiative, with a plan that shapes the Zero Trust architecture independently of any particular tool or technology acquisition.

That plan should outline what Zero Trust will look like as it relates to authorization to specific resources both on-premises and in the cloud, as well as how Zero Trust technologies will interact with data, threat intelligence, public key infrastructure, identity management, and vulnerability management systems. Once this foundation has been established, companies can determine how to further define their Zero Trust Architecture; for example, using software-defined perimeters, micro-segmentation, identity-based controls, or a combination thereof.

In terms of setting user policy, understanding accountability, authority, and capability is critical to establishing the level of trust of an individual user. The trust algorithm that turns those inputs into an access decision can take a score-based approach, a context-based approach, or a criteria-based approach in which certain requirements must first be met before access is considered at all.
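The following is an added illustration (not code from the original post or from any product) of how the three trust-algorithm styles above combine into one per-session decision: a criteria-based gate that must pass first, then a contextual, score-based evaluation compared against a threshold that rises with resource sensitivity. All field names, weights, and thresholds are this example's own assumptions.

```python
from dataclasses import dataclass

# Hypothetical per-request context assembled by a policy decision point.
# Field names and values are assumptions for this example.
@dataclass(frozen=True)
class AccessRequest:
    user: str
    mfa_passed: bool
    device_managed: bool
    device_patched: bool
    geo_known: bool            # location previously seen for this user
    hour: int                  # local hour of the request, 0..23
    resource_sensitivity: int  # 1 (low) .. 3 (crown-jewel systems)
    recent_failed_logins: int

def criteria_gate(req: AccessRequest) -> list[str]:
    """Criteria-based stage: hard requirements; returns those not met."""
    unmet = []
    if not req.mfa_passed:
        unmet.append("mfa")
    if not req.device_managed:
        unmet.append("managed_device")
    if req.resource_sensitivity >= 3 and not req.device_patched:
        unmet.append("patched_device")
    return unmet

def trust_score(req: AccessRequest) -> int:
    """Score-based, contextual stage: weighted signals, clamped to 0..100."""
    score = 50
    score += 20 if req.device_patched else -20
    score += 15 if req.geo_known else -25
    score += 10 if 7 <= req.hour <= 19 else -10
    score -= 10 * min(req.recent_failed_logins, 3)
    return max(0, min(100, score))

# Minimum score required per sensitivity level (assumed values).
THRESHOLD = {1: 40, 2: 60, 3: 80}

def decide(req: AccessRequest) -> dict:
    """Per-session decision: evaluated fresh on every request, never cached."""
    unmet = criteria_gate(req)
    if unmet:
        return {"allow": False, "score": None,
                "reason": "criteria unmet: " + ",".join(unmet)}
    score = trust_score(req)
    needed = THRESHOLD[req.resource_sensitivity]
    return {"allow": score >= needed, "score": score,
            "reason": f"score {score} vs required {needed}"}

if __name__ == "__main__":  # constructed sample request
    print(decide(AccessRequest("alice", True, True, True, True, 10, 2, 0)))
```

Because the gate runs before scoring, a missing MFA factor denies access regardless of how favourable the contextual signals are, which is the "never trust" half of the principle; the score then limits even authenticated users to what the session's context justifies.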

When it comes to rolling out the technology to support your Zero Trust environment, it’s advisable to run a pilot program first. This will allow you to get the kinks out, adjust KPIs, and learn how to operate in a ZTA overall with limited impact on your business. Pilot programs should focus on the least sensitive data elements first before moving on to the more mission-critical crown-jewel systems and networks.

An established Zero Trust environment will require ongoing monitoring and analysis, with the goal of automating the dynamic adjustment of established policy based on current activity and emerging threats. Monitoring can also be used to determine whether the resources dedicated to your Zero Trust Architecture are able to handle the activity load and to identify those parts of the ZTA that require attention. This is critical to ensure a proper defense via automation and to ensure an effective Zero Trust state continually remains in place.

Benefits of Zero Trust Architecture

Implementing a Zero Trust Architecture will bring a number of key benefits for all businesses, including:

  • Reduced threat surface
  • Maximized use and authority of authentication
  • Increased visibility into all user activity
  • The ability to dynamically provide access based on current use case
  • Reduced ability for an attacker to move laterally within your organization
  • Limited possibility for data exfiltration
  • Protection against both internal and external threats
  • Lowered reliance on point solutions designed to detect/stop specific types of threat activity
  • Improved overall security posture both on-premises and in the cloud

Comparing Zero Trust to NIST and other frameworks

Cybersecurity Frameworks, such as the one developed by the U.S. Government’s National Institute of Standards and Technology (NIST), provide organizations with a set of cybersecurity activities and outcomes to specifically manage cybersecurity risk, along with standards, guidelines, and best practices to help organizations achieve their desired outcomes.

In contrast, a Zero Trust Architecture focuses on implementing Zero Trust principles in an effort to specifically achieve a state where every access request (including the user and device making the request, as well as the asset or resource being requested) is scrutinized, and access is allowed on a per-session basis. This ensures the entire environment remains in a state where no access is granted until it is properly authenticated.

NIST has a Zero Trust Architecture framework – still in draft status at the time of publishing – that is based on their recently released Zero Trust Architecture definition.

While even the ultimate goal of a Zero Trust Architecture mirrors that of, say, the NIST cybersecurity framework (in that both seek to minimize the risk of cyberthreats), a Zero Trust Architecture specifically sets certain technologies and workflows in place to control the process of authentication, analysis, and access, whereas frameworks provide general guidance on how organizations could implement better cybersecurity.

About the Author: Nick Cavalancia

Nick Cavalancia is a Microsoft Cloud and Datacenter MVP, has over 25 years of enterprise IT experience, is an accomplished consultant, speaker, trainer, writer, and columnist, and has achieved industry certifications including MCSE, MCT, Master CNE, Master CNI. Nick regularly speaks, writes and blogs for some of the most recognized tech companies today on topics including cybersecurity, cloud adoption, business continuity, and compliance.