- What is Zero Trust
The term “Zero Trust” was coined in 2010 by John Kindervag, a thought leader in the cyber security industry, with the motto “never trust, always verify”. Many high-tech organizations, Google among them, analyzed the benefits of Zero Trust security and announced its adoption a few years later.
Zero Trust is a security framework that eliminates implicit trust from entities, whether inside or outside the organization’s environment, by authenticating, authorizing, and continuously validating them at each stage before access to applications and data is granted and kept.
Zero Trust security includes several implementation models including Zero Trust Architecture (ZTA), Zero Trust Network Access (ZTNA), and Zero Trust Edge (ZTE) that are described below in brief. However, all these models are built around the same core concepts of Zero Trust security.
Zero Trust Architecture (ZTA): ZTA is the most popular security model for implementing Zero Trust. It provides security by eliminating implicit trust for all users, whether inside or outside the organization’s network, and by continuously validating every stage of communication. In 2020 ZTA was given prominence by the release of NIST Special Publication 800-207¹ on the topic. The publication describes various approaches that can be adopted for ZTA based on identity governance, micro-segmentation, and software-defined networking. Furthermore, it describes ZTA use cases, associated threats, and a migration approach to ZTA.
Zero Trust Network Access (ZTNA): With the ZTNA model, organizations can provide secure remote access to applications by creating identity- and context-based logical access boundaries driven by access control policies. Unlike a VPN, which grants access to the entire corporate network, ZTNA defaults to deny and grants only explicit access to selected applications or services. In ZTNA, a user’s remote access request for an application is authenticated via an Identity Provider or trust broker and assessed for risk based on various contextual parameters, resulting in approval or denial.
Zero Trust Edge (ZTE): ZTE is a refinement of Secure Access Service Edge (SASE), which was introduced by Gartner and combines network and security functions in a cloud-based model. SASE and ZTE share common principles and goals, such as the consolidation of network functionality and cloud-delivered security. However, they differ in emphasis and approach. ZTE treats every network transaction as risky regardless of its nature or origin; with this emphasis on zero trust it combines security solutions like ZTNA, Secure Web Gateway, CASB, IDS/IPS, and sandboxing to provide more secure access to applications and data.
- How Zero Trust Works
Zero Trust security works according to the security principles enumerated below:
- Continuous Monitoring and Validation: Monitor access to resources at all times, re-verifying access continually and whenever the risk level changes.
- Identity Verification: Stringent verification of user identity against an authoritative user repository or identity provider.
- Strong Authentication: Dynamic authentication factors in addition to passwords before authorized access is granted to users.
- Access Control: Verify that the entity is authorized to access the requested resource, as well as ensuring the entity is not compromised.
- Least Privilege: Users have restricted access, limited to what they need to perform their roles and responsibilities.
- Limit Attack Surface: Grant no implicit access to the entire network; users, applications, and systems get access only to specific applications and systems. Micro-segmentation is a good example of this principle.
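To make the ZTNA request flow described above (identity provider, then contextual risk assessment, then approval or denial) and the principles in this list concrete, here is an added example that is not from the article: a minimal policy decision point in Python. The users, devices, applications, and risk weights are constructed for illustration; a real deployment would take these signals from an identity provider and a device-management system.

```python
from dataclasses import dataclass

# Constructed stand-ins for an identity provider, a device inventory, and
# per-application policy. Least privilege: each app lists the roles allowed;
# any app or role not listed is denied by default.
USERS = {"alice": {"roles": {"finance"}, "mfa": True},
         "bob": {"roles": {"engineering"}, "mfa": False}}
DEVICES = {"lt-001": {"owner": "alice", "compliant": True},
           "lt-002": {"owner": "bob", "compliant": False}}
APP_POLICY = {"payroll": {"finance"}, "git": {"engineering"}}

@dataclass
class Request:
    user: str
    device: str
    app: str
    country: str = "US"   # where the request originates
    hour: int = 10        # local hour of the request

def risk_score(req: Request) -> int:
    """Contextual risk from the signals a ZTNA trust broker assesses."""
    score = 0
    dev = DEVICES.get(req.device)
    if dev is None or dev["owner"] != req.user:
        score += 50          # unknown or borrowed device
    elif not dev["compliant"]:
        score += 30          # fails posture check
    if req.country != "US":
        score += 20          # outside expected geography
    if req.hour < 6 or req.hour > 20:
        score += 10          # off-hours access
    return score

def decide(req: Request, max_risk: int = 40) -> list:
    """Verify identity, require MFA, check least-privilege role, assess risk.
    Returns the denial reasons; an empty list means access is granted.
    Call it again whenever context changes so access is continuously re-validated."""
    user = USERS.get(req.user)
    if user is None:
        return ["identity not found in IdP"]
    reasons = []
    if not user["mfa"]:
        reasons.append("strong authentication (MFA) not satisfied")
    if not user["roles"] & APP_POLICY.get(req.app, set()):
        reasons.append(f"no role grants access to {req.app}")
    score = risk_score(req)
    if score > max_risk:
        reasons.append(f"risk {score} exceeds threshold {max_risk}")
    return reasons
```

Continuous validation is simply re-running `decide()` as signals change: a session granted from a compliant device is revoked on the next evaluation if that device later fails its posture check and the accumulated risk crosses the threshold.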
- Why organizations should embrace zero trust
With an evolving threat landscape, IT environments going borderless, and users connecting to the corporate environment from anywhere, zero trust has become a security imperative. Zero Trust may not be a silver bullet that eliminates all cyber threats from an enterprise environment, but it substantially reduces risk and curbs the impact of cyber attacks. Zero trust principles are relevant for all organizations with a digital footprint regardless of their size, although the type and scale of a zero trust implementation will vary with the organization’s sector and size respectively. Some compelling reasons why organizations are increasingly adopting Zero Trust:
Enhanced Security Posture: Risk is significantly reduced by verifying all access requests, monitoring continuously, limiting the attack surface, and minimizing damage.
Improved Remote Workforce Security: Traditional network security is insufficient to secure a proliferating remote work culture. Zero Trust provides an advanced level of security for access requirements irrespective of user location.
Protection from Insider Threat: As zero trust does not trust even internal users by default, it minimizes the potential for insiders to carry out malicious activities, whether deliberately or inadvertently.
Curtail Blast Radius: Even with strong security defenses, breaches may occur; with zero trust the extent of a compromise can be significantly reduced by blocking the attacker’s lateral movement.
Regulatory and Compliance Requirements: Organizations may have several security obligations under the regulations and compliance frameworks applicable to them, most of which mandate strong access controls and data protection. As Zero Trust implies no implicit trust and continuous verification, it can be a significant constituent in meeting the relevant security requirements.
- Key Pillars of Zero Trust
There are five key pillars of zero trust as described by CISA (the Cybersecurity and Infrastructure Security Agency of the USA) in its publication Zero Trust Maturity Model², initially released in September 2021 and updated in version 2.0 of the publication released in April 2023.
Identity: The foundation pillar, ensuring only authorized users and devices can access corporate resources. Identity verification, multi-factor authentication (MFA), role-based access control (RBAC), and identity risk assessment are key IAM tools.
Device Security: To achieve and maintain a high degree of zero trust, it is imperative for organizations to ensure that devices connecting to corporate resources are secured in terms of compliance with security standards and policy, threat detection and prevention, device management, inventory control, posture assessment, and risk management.
Networks: The fewer the implicitly trusted network segments, the higher the maturity of Zero Trust in the networking pillar. Maturity can be assessed as progressing through the ordered implementation of macro-segmentation, network resiliency, data encryption, dynamic network configurations, risk-aware network access and network access control, and micro-segmentation.
Application and Workloads: This pillar covers Zero Trust in the security of how applications are hosted and accessed. Security practices like separate production and non-production environments, static and dynamic security testing, CI/CD pipelines for formal code deployment, threat protection integrated into application workflows, applications available on public networks only with continuously authorized access, and immutable workloads determine the maturity of Zero Trust in the realm of applications and system workloads.
Data: Probably the most crucial asset of your organization. Implementation of key data security controls, ranging from minimal to full encryption of data, manual to automated inventory and categorization of data, redundant data stores, DLP implementation, data labelling, and dynamic access controls, determines the maturity of Zero Trust in the organization’s data security.
- Disadvantages of Zero Trust
After highlighting the key advantages of Zero Trust for an organization in section 3 above, let’s look at some of its challenges and whether it is worth the investment and resources.
Implementation Complexity: Implementing Zero Trust to an appropriate maturity level can be a challenging task, as it requires a comprehensive understanding of existing networks, applications, and user workflows. Besides, it may entail implementing additional advanced security controls that have compatibility issues with legacy systems.
User Experience: Additional or enhanced identity and access management controls employed as part of a Zero Trust implementation may lead to user frustration if not implemented effectively. Consequently, this can lead to resistance to Zero Trust adoption, and users might try to bypass security controls, adding further threat exposure to the organization.
Resource Strain: Implementation and maintenance of Zero Trust may be resource intensive, as it requires significant additional man hours to do the required work, leading to strain on IT resources.
False Positives: Stringent security controls employed as part of Zero Trust can lead to false positive events in which legitimate users are denied access because their activities are flagged as suspicious.
- How to Overcome Zero Trust Challenges
The issues in adopting a Zero Trust security model can be mitigated with careful planning and organized implementation techniques. Here are some measures:
Staggered Implementation: Adopt the zero trust model in phases instead of a big-bang approach to ensure an agile implementation and smooth transition, significantly reducing the risk of disruption.
Optimize User Experience: Adopt user-friendly and seamless authentication technologies like single sign-on (SSO), adaptive authentication, and context-based access controls to minimize friction while maintaining strong security.
Training and Communication: Build user awareness campaigns for the Zero Trust model; provide training on the new user authentication and access control technologies and workflows.
Capacity Planning: Spend significant time planning the Zero Trust implementation. Carefully determine and plan for the resources required to implement and maintain the Zero Trust model.
Continuous Fine-Tuning: Regularly review your Zero Trust model against your security goals. Optimize the relevant security technologies through regular fine-tuning to reduce false positives.
- Zero Trust Adoption and Roadmap
Zero trust is a priority for most organizations as part of their journey to mitigate security risks and improve their security posture. Most mid-size to large organizations have some form of zero trust strategy in place; however, only a few of them have been able to implement it effectively. Gartner has predicted that by 2026, 10% of large enterprises will have a mature and measurable zero-trust program in place.
As zero trust contributes significantly to reducing risk and improving security posture, its adoption by organizations will spread around the world. With security professionals gaining a better understanding of zero trust and the associated technology, and security companies advancing their zero-trust offerings, its adoption is expected to grow significantly in the future.
References:
1. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf
2. https://www.cisa.gov/sites/default/files/2023-04/zero_trust_maturity_model_v2_508.pdf
About the Author
Ashish Arora is AVP, Network Security at Chubb. He has more than 18 years of experience in planning, design, consulting, and implementation of cyber security solutions and services.
He is experienced in building multi-tenant cyber SaaS platforms in public clouds, bringing enhanced security, cost optimization, and performance efficiency to organizations’ overall security. He has also built curated security solutions for hybrid environments spanning private and public clouds.
Ashish holds industry-leading certifications in the security domain, including CISSP and CCSP. He keeps himself abreast of the evolving threat landscape and the techniques to mitigate it. He enjoys participating in various security conferences and industry events.
Ashish can be reached via email at [email protected], LinkedIn at https://www.linkedin.com/in/ashish-arora-856a231a/, and at the company website https://www.chubb.com/.