Infosecurity Europe
2-4 June 2026
ExCeL London

Cybersecurity Structures 101: A Guide to Understanding Zero Trust

Zero Trust is an approach to cybersecurity where the concept of inherent trust in networks, applications and services is removed by default.

Instead of assuming an account can be trusted from the moment the user logs in until they log out, Zero Trust security also requires additional authentication when the user takes actions within the environment.

Core to Zero Trust is the concept of ‘never trust, always verify.’ It is based around the idea that the network should be treated as if it has been compromised and therefore hostile. That means any security policy which is based on inherently trusting accounts or devices should be removed and instead, that trust must be earned.

This differs from traditional IT security, which commonly uses the ‘castle and moat’ model of cyber defence. When this model is deployed, security controls are applied at the perimeter, like the walls, gates and moat which make it difficult for unwanted guests to make their way into the heart of the castle. The interior of the castle – or the network – is protected by making it difficult for the attacker to get in in the first place.

However, if an attacker is successful in breaching these defences, be it by climbing over the castle walls or hacking into a computer network, suddenly there are no additional lines of defence, and they can move around within the castle – or network – as they please.

Zero Trust aims to change that by building extra barriers and requesting additional verification when the user takes new actions, even if they’re explicitly permitted to be within the perimeter.


Three Core Principles of Zero Trust

Assume Breach

Perhaps the fundamental concept behind Zero Trust is to treat the network as if it is already compromised by a cyber-attack, data breach or any other form of unauthorised intruder.

This means the approach to security that would be taken in the event of a data breach or cyber-attack should be applied at all times.

Taking this approach to network security creates the strongest chance of avoiding a real incident or breach. Meanwhile, in the event of a cybersecurity incident or data breach occurring, the organisation and the security team already have procedures to defend against, or at least limit, the potential damage caused by malicious intruders.

Verify Explicitly

Verification should be deployed to authenticate a user at every stage of their journey through the network – for example, when they move from using one application to another – and preferably with several layers of security to ensure the strongest authorisation checks possible are in place.

Examples range from ensuring that multi-factor authentication (MFA) is applied to all accounts, to requiring users to use a specific authorised device to access certain applications and services.

The principle of explicit verification means that even if an attacker has the correct credentials allowing them into the account, the extra layers of defence will prevent them from being able to use that access to move laterally within the network. Meanwhile, with the correct cybersecurity procedures in place, suspicious activity by the attacker will be flagged.



Least Privilege Access

The concept of least privilege access means that even if the user is authorised, they only have the permissions they absolutely must have to use the data, applications or services required as part of their role.

For example, a regular user account shouldn’t be equipped with admin privileges, because those privileges could be abused, either by the user or by an unauthorised intruder who has gained access to their account. Meanwhile, a user who doesn’t need access to confidential information or sensitive services shouldn’t be provided with automatic access.

This can be reinforced by the concept of Just-In-Time (JIT) access, a security control which limits elevated privileges, granting them only when needed and for a limited time. The time limit can range from minutes to hours, and when it is reached access is automatically revoked.

This helps to ensure that even if a malicious user gains access to a system, they do not have unlimited time inside and is once again.
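
The three principles above can be combined in a single per-request policy check. The following is an added example, not code from the original article: every request is evaluated on its own, the device and a recent MFA check are verified, standing permissions are kept minimal, and elevated actions need an unexpired JIT grant. The role names, permission strings, device IDs and the 15-minute MFA window are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample policy: role -> standing (non-elevated) permissions.
# Even the admin role holds no standing elevated permission.
ROLE_PERMS = {"analyst": {"tickets:read"}, "admin": {"tickets:read"}}
MFA_MAX_AGE = 900  # seconds; assumed freshness window for an MFA check


@dataclass
class Request:
    user: str
    role: str
    device_id: str
    mfa_at: float   # epoch seconds of the last successful MFA
    action: str     # permission being exercised, e.g. "db:admin"


@dataclass
class PolicyEngine:
    authorised_devices: set
    jit_grants: dict = field(default_factory=dict)  # (user, action) -> expiry

    def grant_jit(self, user, action, now, ttl):
        """Grant an elevated permission that lapses after ttl seconds."""
        self.jit_grants[(user, action)] = now + ttl

    def decide(self, req, now):
        """Evaluate each request on its own; nothing is trusted from login."""
        # Verify explicitly: authorised device and a recent MFA check.
        if req.device_id not in self.authorised_devices:
            return (False, "device not authorised")
        if not 0 <= now - req.mfa_at <= MFA_MAX_AGE:
            return (False, "MFA stale, re-authenticate")
        # Least privilege: standing permissions cover only the role's needs.
        if req.action in ROLE_PERMS.get(req.role, set()):
            return (True, "standing permission")
        # JIT: elevated actions need an unexpired grant.
        key = (req.user, req.action)
        expiry = self.jit_grants.get(key)
        if expiry is not None and now < expiry:
            return (True, "JIT grant")
        self.jit_grants.pop(key, None)  # expired grants are revoked
        return (False, "no permission")
```

Because `decide` takes the current time on every call, a grant that was valid for one request is refused on the next once its expiry has passed, without any separate revocation step.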

Conclusion

Applying the concept of Zero Trust security across the network can be a powerful approach to defending against cyber threats. However, Zero Trust is not a specific out-of-the-box product or service which can be installed then forgotten about. Rather, Zero Trust is an ongoing approach to designing and implementing a cybersecurity strategy for the organisation which must be able to evolve and adapt with the business needs and the threat landscape.

As discussed, Zero Trust isn’t an out-of-the-box solution like anti-virus software; it’s an ongoing approach to cybersecurity strategy. But there are cybersecurity tools and procedures which can be applied to help provide a Zero Trust approach to security. These include:

Identity-based authentication: identity and access management (IAM) tools, single sign-on (SSO) solutions and multifactor authentication (MFA).

Device management: All employee devices should be compliant with Zero Trust policies and require verification of the user before they can use the device, based on the principles of JIT and JEA. When cloud services are used, any device which hasn’t been audited and authorised to access services should be denied network access.

Network segmentation: When a Zero Trust model is applied, the network is segmented. Users are only provided with access to the sections of the network which contain the resources they need, and each time they move from one segment of the network to another, they must authenticate and verify their identity. Applying this strategy ensures that in the event of a breach, an attacker doesn’t have automatic access to the entire network.

