Zero Trust security and the Enterprise

Zero Trust security is a concept based on the central principle of "don’t trust anyone", i.e. firms should not automatically trust anyone, either insiders or outsiders. The firms should always verify everything and everyone before granting access to the respective systems.

The concept was envisaged in 2010 by John Kindervag, an analyst at Forrester Research. According to a Cybersecurity ventures report, cybercrimes will cost the world around $6 trillion by 2021 and the frequent data breach incidents have created urgency towards adapting stable security methodology.

The urgency is even more serious because firms are spending more and more on cybersecurity, but the cases and projected losses are rising.

Zero Trust Security

The core idea of zero trust stems from the notion that the insiders in the organization presents the same level of risk as the outsiders. In fact, all major data breaches have been caused by the insiders. Traditional security measures like Firewalls, VPNs etc. are becoming obsolete and there have been incidents everyday of hackers bypassing the established security measures.

Zero Trust is a strategic initiative that protects you against data intrusions by eradicating the notion of trust from your network architecture. Zero Trust encompasses network segmentation and prevents lateral movement to provide 7 layers of secure protection. This way, it also simplifies granular user-access control.

The Zero Trust model understands that trust is a weakness. Inside the network, hackers (including malicious insiders) are free to exploit and steal the information that they are not authorized to access. It is also important to note that the target location of the attack is usually not the point of infiltration.

The Forrester Wave™: Privileged Identity Management, Q4 2018 , states that Zero Trust is not about introducing trust in a system, but eliminating trust altogether.

A Zero Trust Architecture

In Zero Trust, you need to first recognize a “protect surface.” The protect surface will consist of the network’s most strategic and useful data, assets, applications and solutions. In addition, organizations implementing the architecture will have unique “protect surfaces”. Below are the most basic qualities of protect surfaces:

a. Protect surfaces only consists of the most critical of company’s operational assets

b. Protect surface is smaller in magnitude of the attack surface.

c. Protect surface is always knowable.

After you have recognized your protect surface, you need to study the movement of traffic in your organization with respect to this “protect surface”. This comprises of understanding the users, the applications they are using and the way they are connected. When you have the data then you can enforce the policies that can establish a secure access to your data. Then you need to co-relate this data with your company’s infrastructure, services and the users. The idea is to leverage the data to establish a micro-perimeter around the ‘protect surface’ and put up necessary controls. This micro perimeter traverses with the protect surface, even if it changes. The micro-perimeter can be created by establishing a segmentation gateway, also known as the next-generation firewall. Its job would be to only allow known/allowed traffic and legitimate application to access the ‘protect surface’.

The segmentation gateway offers granular visibility into network traffic. It also implements additional layers of authentication and access control with granular Layer 7 policy. This policy is defined by the Kipling Method, which describes Zero Trust policy, built on who, what, when, where, why and how.

Zero Trust policy determines who can leave or enter the micro-perimeter at any instant of time. This gives added security to your “protect surface” by restricting unauthorized users and preventing extraction of sensitive data.

After the Zero Trust policy is built around the protect surface, you continue to monitor it in real time. This can also allow you to identify additional assets that can be included in “protect surface”. In addition, real-time data can also give you inputs on ‘interdependencies which are not yet accounted for and the different ways you can improve security policy.

Zero Trust and the Enterprise

Zero Trust is independent of locations. Now a days, users, devices, applications and platforms are everywhere and this is the reason, it is not possible to enforce ‘Zero Trust’ on just one location. It must be spread to the entire work environment and access must be sent to only the right users. It is also worthy to note that the access needs to be heavily localized i.e. applications, platforms etc. need to have separate access even for the same user.

Users also access sensitive workloads and systems in unsecure Wifi setups such as coffee shops etc. In order to enhance protection, Zero Trust entails uniform visibility, execution and control that can be delivered through the secure servers of cloud. A software-defined perimeter can deliver secure access to users, irrespective to their location or the devices they are using. Zero Trust security also ensures that you have secure access irrespective of where the workload/data is hosted (public/private/hybrid cloud or SaaS apps).

Workloads of an enterprise can be highly dynamic, and they can traverse between different data centers and cloud types. With Zero Trust, you can monitor the security activities and interdependence across users, devices, networks, applications and data. Plus, segmentation gateways can traffic the activities in the security network to stop any malicious attack. They can also administer granular access between your on-premises systems and data centers and multi-cloud environments.

Zero Trust Deployment

Deploying Zero Trust is not expensive or complex. In fact, Zero Trust is built on your existing security and network architecture; this allows you to keep the technologies that are already placed in your infrastructure. It is also important to understand that Zero Trust policy does not recommend any specific product(s) that you need to deploy as part of the architecture. The policy is also very easily to deploy and maintain. The core five step methodologies to govern such policy are listed below:

1. Establish the protect surface

2. Map the transaction flows around the protect surface

3. Create a Zero Trust architecture

4. Establish a Zero Trust policy

5. Monitor, maintain and audit the policy

In a nutshell, an effective Zero Trust environment comprises of a protect surface which is shielded by a Creative Zero Trust environment that itself consists of a micro-perimeter enforced at Layer 7 by using Kipling Method policy via segmentation gateway.

Realizing a Zero Trust Architecture

Firms can use Zero Trust to gain visibility and milieu for all traffic pertaining to user, device, location and application, etc. It also allows you to thoroughly investigate internal traffic, as all major serious breaches have been done by the insiders. In order to gain traffic visibility, Zero Trust needs to go through advanced firewall and decryption capabilities. The advanced firewall technology empowers micro-segmentation of perimeters, and acts as border police for your firm organization. Zero Trust architecture uses two-factor authentications to secure your external as well as internal traffic and enables you to verify your users more accurately.

Conclusion

You can use Zero Trust approach to examine your business processes including users, data and ; data flows, the associated risks. The approach can help you set policy roles which can be and set policy rules that can be updated automatically, and allow you to calculate risks and iterations. ISSQUARED’s ORSUS IAM is a seamless and secure identity and access governance solution, which integrates zero trust approach in its architecture. It is a proven product and trusted by top companies. Reach out to one of the ORSUS experts here to get more information.