Zero Trust Architecture: What It Is and How to Implement It
The problem with traditional security strategies is that they are built on the idea that threats come only from outside your organization. Once inside the perimeter, “trusted” traffic is often allowed to flow freely, which can lead to compliance failures, compromised networks, or worse.
The truth is that security threats can come from both outside and inside your network perimeter. That is why government and military agencies and commercial organizations alike have shifted to a Zero Trust model for network security. Here is what that means and how to apply it in your organization.
What is Zero Trust architecture?
Zero Trust is a security model that enforces strict access control on every resource, whether it sits inside or outside the network perimeter. By default, a Zero Trust architecture denies all traffic unless a policy explicitly allows it. In the words of the principle coined by Forrester Research: “never trust, always verify.” The following best practices are all part of creating a Zero Trust security approach for your company.
Multi-Factor Authentication requires more than one source of identification.
Implementing Multi-Factor Authentication (MFA) is a low-complexity, user-friendly way to increase network security. MFA requires users to present two or more pieces of evidence, called factors, of their identity before access is granted. Factors fall into three categories: something you have (like a one-time code from a mobile device), something you know (like a password), or something you are (like a fingerprint or facial recognition). MFA alone reduces the likelihood that an attacker can gain access simply by obtaining your password.
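To make the two-factor check concrete, here is an added example (not code from the original article) of a server-side login decision that succeeds only when both a password (something you know) and a time-based one-time code from an authenticator app (something you have) verify. It implements RFC 4226 HOTP and RFC 6238 TOTP with the Python standard library. The user record, salt and password are constructed for the example, and the TOTP seed is the RFC 6238 test key so the generated codes can be checked against the RFC's published vectors.

```python
import base64
import hashlib
import hmac
import struct

PBKDF2_ROUNDS = 200_000  # work factor for the stored password hash


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of 30-second steps since the epoch."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Accept the code for the current step or one step either side (clock drift).
    Every candidate is compared in constant time and none short-circuits, so the
    response time does not depend on which step, if any, matched."""
    if len(code) != digits or not code.isdigit():
        return False
    counter = unix_time // step
    matched = False
    for drift in range(-window, window + 1):
        matched |= hmac.compare_digest(hotp(secret, counter + drift, digits), code)
    return matched


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; only the hash and salt are stored, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    return hmac.compare_digest(hash_password(password, salt), expected)


# Constructed sample user. The salt is fixed so the example is deterministic; a real
# enrollment would draw it from os.urandom(16) and store the TOTP seed encrypted.
# The seed is the RFC 6238 test key, so generated codes match the RFC's published vectors.
SALT = b"constructed-salt"
USER = {
    "name": "alice",
    "salt": SALT,
    "password_hash": hash_password("correct horse battery staple", SALT),
    "totp_seed_b32": base64.b32encode(b"12345678901234567890").decode("ascii"),
}


def authenticate(user: dict, password: str, code: str, unix_time: int) -> str:
    """Zero Trust login decision: 'allow' only when BOTH factors verify.
    The reason string is for the server-side audit log, not for the client."""
    password_ok = verify_password(password, user["salt"], user["password_hash"])
    seed = base64.b32decode(user["totp_seed_b32"], casefold=True)
    totp_ok = verify_totp(seed, code, unix_time)  # evaluated even if the password failed
    if password_ok and totp_ok:
        return "allow"
    return "deny: second factor" if password_ok else "deny: credentials"


if __name__ == "__main__":
    now = 59  # RFC 6238 test time; use int(time.time()) in practice
    good_code = totp(b"12345678901234567890", now)
    print("code:", good_code)  # 287082
    print(authenticate(USER, "correct horse battery staple", good_code, now))  # allow
    print(authenticate(USER, "correct horse battery staple", "000000", now))  # deny: second factor
```

The one-step window tolerates phone clock drift without widening the attack window much; tightening it to zero, or adding a per-user attempt counter, is the usual hardening. Note that the second factor is evaluated even when the password is wrong, so the decision's timing does not leak which factor failed.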
Minimum security standards for networked devices ensure everyone stays updated.
Do employees at your company use personal laptops and other devices to access network resources? Many do. The problem is that those devices may be carrying malicious code capable of infecting other devices throughout the network once their users connect to the corporate VPN.
Enforcing minimum security standards on every device that connects to the network ensures that each device has current security updates and anti-virus software before it is allowed access. This simple step can keep an attack from spreading, saving you headaches and money down the road.
Least privilege means allowing minimum system resources needed for a given function.
One of the most important principles of a Zero Trust security approach is limiting access, or “least privilege.” The National Institute of Standards and Technology (NIST) explains that least privilege in a security architecture means that each entity is granted the minimum system resources and authorizations needed to perform its function.
Implementing this principle requires a strong security policy, and that policy should be audited and reevaluated frequently to ensure access remains appropriately assigned. Network users with excessive access are exposed to privilege escalation attacks because of their unnecessary access to auxiliary data and applications. One well-known attack attributed to privilege escalation affected fifty-six million credit card customers in the 2014 Home Depot breach.
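The device-standard check above and the least-privilege policy in this section are two inputs to the same access decision. The following added example (my own code, not from the article) shows a small default-deny policy engine that admits a request only when the device passes a minimum standard and the (action, resource) pair is explicitly granted, plus the periodic audit the text calls for, which flags grants that no assigned role justifies. The roles, thresholds (30-day patch age, 7-day signature age), devices and users are all constructed for the example.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date

# Role -> set of (action, resource) pairs. Nothing outside this table is granted by a role.
ROLE_PERMISSIONS = {
    "accountant": {("read", "ledger"), ("write", "ledger")},
    "support": {("read", "tickets"), ("write", "tickets")},
    "payments-admin": {("read", "cardholder-db"), ("write", "cardholder-db")},
}


@dataclass
class Device:
    os_patch_date: date
    av_enabled: bool
    av_signature_date: date
    disk_encrypted: bool


@dataclass
class User:
    name: str
    roles: set[str]
    # One-off grants outside any role. The decision engine honours them; the audit flags them.
    direct_grants: set[tuple[str, str]] = field(default_factory=set)


def device_failures(dev: Device, today: date) -> list[str]:
    """Minimum device standard (thresholds chosen for the example): OS patched within
    30 days, anti-virus enabled with signatures under 7 days old, disk encrypted.
    Returns the failed checks; an empty list means the device may connect."""
    failures = []
    if (today - dev.os_patch_date).days > 30:
        failures.append("OS patches older than 30 days")
    if not dev.av_enabled:
        failures.append("anti-virus disabled")
    elif (today - dev.av_signature_date).days > 7:
        failures.append("anti-virus signatures older than 7 days")
    if not dev.disk_encrypted:
        failures.append("disk not encrypted")
    return failures


def effective_permissions(user: User) -> set[tuple[str, str]]:
    perms = set(user.direct_grants)
    for role in user.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def decide(user: User, device: Device, action: str, resource: str, today: date) -> tuple[str, str]:
    """Default deny: a request is allowed only if the device meets the standard AND the
    (action, resource) pair is explicitly granted. Returns (verdict, reason) for logging."""
    failures = device_failures(device, today)
    if failures:
        return "deny", "device: " + "; ".join(failures)
    if (action, resource) not in effective_permissions(user):
        return "deny", f"no grant for {action} on {resource}"
    return "allow", f"{action} on {resource} granted by policy"


def audit_excess_privilege(users: list[User]) -> dict[str, set[tuple[str, str]]]:
    """Periodic review: list grants that none of the user's roles justify. These are the
    auxiliary access paths a privilege-escalation attack would exploit, so each one
    should be re-justified or removed."""
    report = {}
    for u in users:
        role_perms = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in u.roles))
        excess = u.direct_grants - role_perms
        if excess:
            report[u.name] = excess
    return report


# Constructed sample data.
TODAY = date(2024, 6, 1)
COMPLIANT_LAPTOP = Device(date(2024, 5, 20), True, date(2024, 5, 30), True)
UNPATCHED_LAPTOP = Device(date(2024, 3, 1), True, date(2024, 5, 30), True)
ALICE = User("alice", {"accountant"})
BOB = User("bob", {"support"}, direct_grants={("read", "cardholder-db")})

if __name__ == "__main__":
    print(decide(ALICE, COMPLIANT_LAPTOP, "read", "ledger", TODAY))         # allow
    print(decide(ALICE, UNPATCHED_LAPTOP, "read", "ledger", TODAY))         # deny: device
    print(decide(ALICE, COMPLIANT_LAPTOP, "read", "cardholder-db", TODAY))  # deny: no grant
    print(audit_excess_privilege([ALICE, BOB]))                              # flags bob
```

The point of `audit_excess_privilege` is that a working decision engine is not enough: bob's direct grant on the cardholder database is honoured at request time, so only a scheduled review of grants against roles will surface it.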
Isolate network traffic with segmentation.
Network segmentation means separating different types of traffic from each other, splitting the network into smaller pieces to lessen the impact of any potential intrusion. Segmenting traffic this way can help protect critical company data. In fact, some data is required to be isolated by law or industry rules. For example, environments dealing with credit card information must maintain PCI DSS compliance, which requires that credit card information be segmented from other traffic types.
Segmentation essentially reduces the attack surface and helps prevent intruders from moving laterally inside your environment. To implement segmentation in your network, you’ll need to determine which traffic to isolate, and which kinds of traffic will need to be allowed between segments.
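Deciding which traffic to isolate and which flows to allow between segments is easier to reason about as an explicit allow-list. The added example below (not from the article) models that: named segments defined by address range, a short list of permitted inter-segment flows, and a default deny for everything else, together with a reviewer's helper that lists every rule admitting traffic into a protected segment. The segment names, address ranges and ports are constructed for the example.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed segments. Address ranges are chosen for the example.
SEGMENTS = {
    "corp-users": ipaddress.ip_network("10.10.0.0/16"),
    "payment-app": ipaddress.ip_network("10.20.1.0/24"),
    "cardholder": ipaddress.ip_network("10.20.5.0/24"),   # cardholder data, isolated per PCI DSS
    "guest-wifi": ipaddress.ip_network("192.168.100.0/24"),
}


@dataclass(frozen=True)
class Rule:
    src: str    # source segment
    dst: str    # destination segment
    proto: str
    dport: int


# The allow-list between segments. Any inter-segment flow not listed is dropped.
ALLOW = [
    Rule("corp-users", "payment-app", "tcp", 443),   # staff reach the payment front end over HTTPS
    Rule("payment-app", "cardholder", "tcp", 5432),  # only the app tier may reach the database
]


def segment_of(ip: str) -> str | None:
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def flow_allowed(src_ip: str, dst_ip: str, proto: str, dport: int) -> tuple[bool, str]:
    """Evaluate one flow against the segment policy. This models segment-level policy, so
    traffic that stays inside one segment is permitted; micro-segmentation would tighten that."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src is None or dst is None:
        return False, "deny: unclassified address"
    if src == dst:
        return True, f"allow: intra-segment ({src})"
    for rule in ALLOW:
        if (rule.src, rule.dst, rule.proto, rule.dport) == (src, dst, proto, dport):
            return True, f"allow: {src} -> {dst} {proto}/{dport}"
    return False, f"deny: no rule for {src} -> {dst} {proto}/{dport}"


def inbound_rules(segment: str) -> list[Rule]:
    """Every rule that admits traffic into a segment. For a protected segment this list is
    what a compliance reviewer checks: it should be short and every entry justified."""
    return [r for r in ALLOW if r.dst == segment]


if __name__ == "__main__":
    # A workstation reaching the payment front end: allowed.
    print(flow_allowed("10.10.4.7", "10.20.1.10", "tcp", 443))
    # The same workstation, if compromised, cannot reach the cardholder segment directly.
    print(flow_allowed("10.10.4.7", "10.20.5.10", "tcp", 445))
    # Guest wifi has no rules at all.
    print(flow_allowed("192.168.100.9", "10.20.1.10", "tcp", 443))
    print(inbound_rules("cardholder"))
```

Rules are directional: the database tier answering the application is covered by connection tracking on a real firewall, but the policy never lets the cardholder segment initiate connections outward, which is what limits lateral movement if that tier is ever compromised.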
Your Zero Trust architecture will require continued attention.
Zero Trust can go a long way toward building a security-focused culture. Implementing Zero Trust gives managerial and technical staff the means to make changes to their network environments securely, based on business needs. But these practices are only as good as the training given to users and IT staff. What’s more, your networks need constant monitoring, regular re-evaluation, and strong security policies.