Zero Trust
Zero Trust is a security model and a cybersecurity and system-management strategy built on the premise that threats exist both inside and outside organizational network boundaries. Zero Trust holds that users, devices, and network components should never be implicitly trusted because of their location within the network. To that end, Zero Trust combines comprehensive security monitoring with risk-based access controls and with security orchestration, automation, and response (SOAR). The model is data-centric, and it allows least-privilege access to be enforced on every access decision.
Zero Trust has moved to the forefront of cybersecurity strategy. The reasons are compelling – a Zero Trust architecture can help reduce data breaches and overall risk. The history of Zero Trust begins over ten years ago, when John Kindervag of Forrester Research coined the term; it distills down to trusting no one on your networks and verifying everyone at every network, data, and application access.
Never trust – always verify!
Organizations should stop trusting packets as if they were people!
Before Zero Trust, most networks only distinguished between those inside the on-premises network and those outside. It was the classic castle-and-moat architecture. Once you had successfully logged into a VPN session, you were typically granted full internal network access to applications and data stores.
Digital transformation has since changed the picture. Under its impact, the classic defense-in-depth cybersecurity perimeter has fallen. Successful cyberattacks in the weekly news tell us that the notion of defending a perimeter no longer works. The perimeter as we knew it has dissolved.
Complexity is part of the problem: it has destroyed the ability to define a trusted internal network. In addition, the rapid move to the cloud and to remote work (further accelerated by the pandemic), the use of personal devices, the deployment of Internet of Things (IoT) devices, and the broad-scale proliferation of mobile devices have increased the attack surface tremendously. Digital transformation, coupled with the rapid growth in cyberattacks driven by organized crime and hostile nation-states, has caused Zero Trust to emerge as a leading cybersecurity strategy for mitigating and reducing risk.
So, What is Zero Trust?
Zero Trust rests on several foundational rules:
- Data should be carefully identified and continuously protected.
- The movement of data must be well understood so that the micro-networks that defend it can be clearly defined.
- Security controls must be integrated with SOAR to speed up response and to scale as the environment grows.
- Visibility, monitoring, and extensive logging are required to detect malicious or anomalous activity on your networks and then analyze it with advanced tools such as AI/ML.
- Access to every resource and application should be granted only by a weighted decision based on multiple factors. We call this contextual access. Contextual access weighs the authenticated identity of the user, the user's location, behavior, time of day, the trustworthiness of the device (endpoint) being used, and other factors to assign the most appropriate level of trust to that request.
Zero Trust places a heavy responsibility on comprehensive authentication. Standalone passwords are gone – full Zero Trust authentication needs tokens, biometrics, or a device such as a hardware security token. Security policy has evolved as well. For example, it is not enough to grant you access to resources, applications, and data based on the device you log in from, nor does connecting through the VPN provide that access.
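The contextual access decision described in the rule above, together with the authentication point just made (a login device or a VPN session is not by itself grounds for access), as an added example in Python that is not part of the original page. The signals, weights, thresholds, country allow-list, and working-hours window are assumptions chosen for illustration; a real policy engine would take them from organizational policy and telemetry.

```python
"""Toy Zero Trust policy decision point (added example, not the page's own code).

Each request is scored on contextual signals; the score and the resource's
sensitivity decide between allow, step-up (second factor required) and deny.
Network location is recorded for auditing but contributes nothing to trust.
"""
from dataclasses import dataclass, field

# Hypothetical policy constants (assumptions, not values from the page).
ALLOWED_COUNTRIES = {"US", "CA", "GB"}  # constructed allow-list for the example
WORK_HOURS_UTC = range(8, 20)           # constructed "normal" working window
STEP_UP_AT = 20   # score at or above this requires a second factor
DENY_AT = 50      # score at or above this denies outright


@dataclass
class AccessRequest:
    user: str
    resource: str
    resource_sensitivity: str        # "low" or "high"
    authenticated: bool              # primary authentication succeeded
    mfa_verified: bool               # second factor (token, biometric, device) presented
    device_managed: bool             # endpoint is enrolled and known
    device_compliant: bool           # endpoint passes posture checks
    country: str                     # where the request originates
    hour_utc: int                    # time of day of the request
    failed_logins_last_hour: int     # behavioral signal
    on_corp_network: bool = False    # VPN or office LAN: logged, never trusted


@dataclass
class Decision:
    outcome: str                     # "allow", "step_up", or "deny"
    score: int
    reasons: list = field(default_factory=list)


def risk_score(req: AccessRequest):
    """Weigh the contextual signals; higher score means less trust."""
    score, reasons = 0, []
    if not req.device_managed:
        score += 30
        reasons.append("unmanaged device")
    elif not req.device_compliant:
        score += 20
        reasons.append("device out of compliance")
    if req.country not in ALLOWED_COUNTRIES:
        score += 25
        reasons.append(f"unexpected location {req.country}")
    if req.hour_utc not in WORK_HOURS_UTC:
        score += 10
        reasons.append("outside normal hours")
    if req.failed_logins_last_hour >= 3:
        score += 20
        reasons.append("recent failed logins")
    # Deliberately no branch on req.on_corp_network: being inside the
    # perimeter or on the VPN is not a trust signal under Zero Trust.
    return score, reasons


def decide(req: AccessRequest) -> Decision:
    """Turn the score plus resource sensitivity into an access outcome."""
    if not req.authenticated:
        return Decision("deny", DENY_AT, ["primary authentication failed"])
    score, reasons = risk_score(req)
    if score >= DENY_AT:
        reasons.append("risk score at or above deny threshold")
        return Decision("deny", score, reasons)
    # Sensitive resources always need a second factor; other resources
    # need one only when the contextual risk is elevated.
    needs_mfa = score >= STEP_UP_AT or req.resource_sensitivity == "high"
    if needs_mfa and not req.mfa_verified:
        reasons.append("second factor required")
        return Decision("step_up", score, reasons)
    return Decision("allow", score, reasons)


def audit_line(req: AccessRequest, d: Decision) -> str:
    """Every decision is logged so anomalous access can be analyzed later."""
    return (f"user={req.user} resource={req.resource} net={'corp' if req.on_corp_network else 'public'} "
            f"outcome={d.outcome} score={d.score} reasons={';'.join(d.reasons) or '-'}")


if __name__ == "__main__":
    # Constructed sample requests for a stand-alone run.
    samples = [
        AccessRequest("alice", "hr-db", "high", True, True, True, True, "US", 10, 0),
        AccessRequest("bob", "hr-db", "high", True, False, False, False, "US", 10, 0, on_corp_network=True),
        AccessRequest("carol", "wiki", "low", True, False, False, False, "ZZ", 3, 0),
    ]
    for r in samples:
        print(audit_line(r, decide(r)))
```

The point of the second sample is that a VPN or office connection changes the audit record but not the outcome: an unmanaged device reaching a sensitive resource is stepped up to a second factor either way, and once the score crosses the deny threshold, presenting a second factor no longer helps.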
The experts endorse Zero Trust
Zero Trust has been endorsed by the most capable security organizations in the world. The National Security Agency stepped up in 2021 and published solid guidance recommending Zero Trust. NSA noted that “NSA strongly recommends that a Zero Trust security model be considered for critical networks to include National Security Systems (NSS), Department of Defense (DoD) networks, and Defense Industrial Base (DIB) systems. However, integrating these principles within certain environments can become complicated, especially within a large enterprise. To address these challenges, NSA is developing additional guidance to organize, guide, and simplify the Zero Trust design approach.”
In early 2022 the U.S. White House, Executive Office of the President, further endorsed the use of Zero Trust Cybersecurity Principles. The White House published a memo that “sets forth a Federal zero trust architecture (ZTA) strategy, requiring agencies to meet specific cybersecurity standards and objectives by the end of Fiscal Year (FY) 2024 to reinforce the Government’s defenses against increasingly sophisticated and persistent threat campaigns.”
In short, the memo stated that a “transition to a ‘zero trust’ approach to security provides a defensible architecture … as described in the Department of Defense Zero Trust Reference Architecture.” That reference architecture states: “The foundational tenet of the Zero Trust Model is that no actor, system, network, or service operating outside or within the security perimeter is trusted. Instead, we must verify anything and everything attempting to establish access. It is a dramatic paradigm shift in the philosophy of how we secure our infrastructure, networks, and data, from verification once at the perimeter to continual verification of each user, device, application, and transaction.”
The White House memo further declared, “Federal applications cannot rely on network perimeter protections to guard against unauthorized access. Users should log into applications rather than networks, and enterprise applications should eventually be able to be used over the public internet. In the near term, every application should be treated as internet-accessible from a security perspective. As this approach is implemented, agencies will be expected to stop requiring application access be routed through specific networks, consistent with CISA’s zero trust maturity model.”