Zero Trust - Never Trust, Always Verify
How can you best secure your computer systems in today’s world? “Trust no one or anything — and always verify.” This is the basic idea behind zero trust, a new way to look at computer security. Zero trust works on the assumption that your networks are already breached, your computers are already compromised, and all users are potential risks.
For years, traditional systems security has followed the “trust but verify” method, in which users are automatically trusted once they have logged into a system. The emphasis there is on protecting internal systems and information from outside attackers by using firewalls and passwords.
Unfortunately, as technology and attackers have grown more sophisticated, the Trust but verify method has become harder to maintain and less effective. Organizations have had to change their approaches to systems security in order to accommodate traveling users, users that work from home, users that bring in their own devices, as well as cloud-based software, other repositories, and more. The traditional boundaries of a network perimeter are drastically changing.
With the growth of cloud computing, organizations are globally connected, and their digital information is stored and used in private and public clouds of data and applications. Conventional boundaries for an organization’s network have expanded and become ever more obscure, opening the potential for cybersecurity problems. Zero trust offers a new way of viewing our computers and information that may make securing them easier.
With zero trust, implicit trust is eliminated, and continuous verification is required. By always assuming that a security breach has likely already occurred, a zero trust system will constantly limit access to only what is needed while continuously looking for malicious activity. Zero trust can reduce an organization’s risk from data breaches, ransomware, and insider threats. While zero trust is clearly more restrictive, it can simplify an organization’s cybersecurity defensive posture and provide a more easily secured system environment to better protect the organization’s data and assets.
In a security breach, trust is a vulnerability that is exploited. By eliminating trust as an issue, an organization’s systems become more secure and data breaches are prevented. However, this lack of trust doesn’t mean you don’t trust your users; instead, it is akin to requiring users to use a key card every time they access a building.
Zero trust recognizes the reality that today’s computer systems are hostile places. Yet zero trust is not a product or an application. It is a set of principles that help you define a cybersecurity strategy based on an acknowledgement that threats exist both inside and outside traditional network boundaries.
The first step with zero trust, as with any new method or technology, is to understand how it addresses your organization’s unique business problems. What outcomes do you expect? How does zero trust address your needs? Without understanding your business needs and problems first, any new method or technology will ultimately fail.
Building zero trust
Migrating to a zero trust model can be done gradually, which is a benefit for smaller organizations that cannot afford a large initial investment. According to the US National Institute of Standards and Technology (NIST), many organizations may continue operating their newer zero trust systems in tandem with their older perimeter-based systems for years. To plan and architect your zero trust network, the following initial steps are suggested:
Start by building leadership trust — You need to seek understanding, support, and input from your firm’s leadership. Management support is critical to a successful transition to zero trust.
Define your most vulnerable attack surfaces — Start by identifying your biggest risk areas both now and in the foreseeable future, and work to apply initial zero trust initiatives that encompass processes, people, and your existing technology. Moving gradually will keep your firm from becoming overwhelmed with implementing new technology and policies across entire systems.
Map how your data flows — Document how your data moves around your devices, applications, and assets. It is essential to understand this data flow. Who is using it? Where is it coming from? To identify which data flows should not be trusted, you need to know which are critical to your firm and should be allowed. This mapping of data flow is the key to making zero trust work.
Harden your identity management — Users are the weakest link in any security system. Review your user authentication process and implement multi-factor authentication and tougher password policies to harden your identity management. Also, regularly review login names and make sure they match active users.
Assign minimum rights (least privilege) — Review how your systems and data are secured and assign the minimum rights to the minimum number of accounts needed to access data or systems. The default access should be no access.
Whom do you trust? — Build a whitelist of who to trust. This includes users, devices, applications, processes, and network traffic.
Micro-segment your security — Dividing your security into smaller segments allows you to minimize any damage in case of a breach or compromise of any one area.
Define your zero trust policies — After you have architected your new system, write the needed policies to match. Define who, what, when, where, why, and how for every user, device, and network that gains access to your system.
Monitoring is critical — As you build your zero trust system, it is critical to have an aggressive monitoring system in place. For zero trust to be effective, you will need to continuously monitor access, look for any area where trust should be revoked, and identify any unwanted access.
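As an added illustration (not code from the original article), the steps above expressed as a small policy decision point in Python: allowlisted users and devices, identity re-verified on every request, segment matching, default-deny grants, and an audit log that a monitoring function reads to flag users whose trust should be reviewed. All users, devices, resources and segments are constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed allowlists for the illustration ("Whom do you trust?").
TRUSTED_USERS = {"alice", "bob"}
TRUSTED_DEVICES = {"laptop-001", "laptop-002"}
# Micro-segmentation: each resource lives in exactly one network segment.
SEGMENTS = {"billing-db": "finance", "hr-files": "hr"}
# Least privilege: explicit grants only; anything not listed is denied.
GRANTS = {("alice", "billing-db"): {"read"}, ("bob", "hr-files"): {"read", "write"}}

@dataclass(frozen=True)
class Request:
    user: str
    device: str
    mfa_verified: bool   # hardened identity: every request re-proves identity
    segment: str         # network segment the request arrives from
    resource: str
    action: str

def evaluate(req: Request, audit_log: list) -> tuple[bool, str]:
    """Decide one request. Every check must pass; the first failure denies.
    Each decision is appended to audit_log so it can be monitored."""
    checks = [
        (req.user in TRUSTED_USERS, "user not on allowlist"),
        (req.device in TRUSTED_DEVICES, "device not on allowlist"),
        (req.mfa_verified, "mfa not verified"),
        (SEGMENTS.get(req.resource) == req.segment, "cross-segment access"),
        (req.action in GRANTS.get((req.user, req.resource), set()), "no grant for action"),
    ]
    reason = next((why for ok, why in checks if not ok), "allowed")
    allowed = reason == "allowed"
    audit_log.append((req.user, req.resource, req.action, allowed, reason))
    return allowed, reason

def users_to_review(audit_log: list, threshold: int = 3) -> set[str]:
    """Monitoring: users with repeated denials are candidates for revoking trust."""
    denials = Counter(user for user, _, _, allowed, _ in audit_log if not allowed)
    return {user for user, n in denials.items() if n >= threshold}

if __name__ == "__main__":
    log = []
    # Constructed sample traffic: one allowed request, then several denials.
    print(evaluate(Request("alice", "laptop-001", True, "finance", "billing-db", "read"), log))
    print(evaluate(Request("alice", "laptop-001", True, "finance", "billing-db", "write"), log))
    print(evaluate(Request("alice", "laptop-001", False, "finance", "billing-db", "read"), log))
    print(evaluate(Request("alice", "tablet-999", True, "finance", "billing-db", "read"), log))
    print(evaluate(Request("bob", "laptop-002", True, "finance", "hr-files", "read"), log))
    print(users_to_review(log))
```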
Zero trust is a journey that will take years to complete. “Never trust, always verify” is a fundamental shift in how we currently think about security, but it is a necessary shift. Security breaches are on the rise, and our old paradigms of security are not working as more devices come online and local networks evolve to cloud networks. Our data is increasingly at risk, and zero trust is a new and more effective way to protect ourselves.
_________________
Originally published in the online Thomson Reuters publication Practice Innovations on October 21, 2022.