HP Tech@Work

Today's trends for tomorrow's business
What Does Using a Zero Trust Model Mean for Your Security?


Linsey Knerl
Internal security threats and the misuse of credentials are a serious problem today; the numbers don’t lie. According to SpyCloud’s 2020 report, the company recovered a whopping 1.5 billion credentials that were stolen via 854 breaches (or successful, unauthorized attempts by cybercriminals to reach restricted data areas).
This was an increase of 33 percent from the previous year. There’s also the issue of users with legitimate network access who want to damage or steal data and impact other users. So, what’s the solution?
That’s where the zero trust model comes in. It doesn’t discriminate between internal or external requests. Instead, it ensures that only those with clearance at each level can access that level’s data. Here’s why more companies are making the move to this security model and what it offers for businesses of all sizes.

What is the zero trust model?

The zero trust model requires verification from internal and external connections before it “trusts” the user. It does away with the reactive approach and assumes there is no traditional network edge. It also assumes there is a threat even from requests made from within the corporate firewall and requires verification for each request. The term “zero trust model” was invented by John Kindervag, a Forrester Research analyst and trusted industry leader.

How is the zero trust model different?

Unlike the model of “trust but verify,” zero trust uses “never trust, always verify.” With previous security models, only requests from outside the trusted network or firewall required authentication. Zero trust, however, assumes every request is a potential threat and requires full authentication, authorization, and encryption.
This security model tracks the data it uses throughout the process, analyzes it, and puts it to work in real time to identify and then respond to active threats. This analytics-based approach helps stop threats as they happen, even new ones not commonly known by security software or tools.

Why zero trust was created

More than ever before, our data is shared remotely. While general access to the network was enough for an employee in the past, remote work and cloud-based infrastructure require data access from outside the company firewall. With an increase in the sharing of sensitive data, there are new risks to thwart every day.
The stats back up the threat assessment. According to Verizon, “More than 80% of hacking breaches involve brute force or the use of lost or stolen credentials.”

What are the zero trust principles?

As companies look for ways to keep users with the right passwords (and the wrong intentions) from accessing certain systems, zero trust becomes an attractive model.
All good security models are built on foundational principles, and zero trust’s own principles are what make it so different from previous approaches. Here are the four core components of this model.

1. Review all default user access controls

There are no trusted sources in a zero trust model, so everyone is a suspect until proven harmless. Each request goes through the process of authentication, authorization, and encryption with no exceptions.

2. Prevent unauthorized requests

Being proactive is the hallmark of zero trust. This approach includes identity protection, device discovery, and multi-factor authentication (MFA). Each request also receives least-privilege access, or the lowest level possible. Users can only access what they need, which limits the damage in the case of a breach.
Microsegmentation is one way of partitioning off parts of the network through separate access points, and it ensures a single breach is contained and doesn’t go beyond each microsegment. By implementing this or other protection measures, you can help mitigate damage and prevent far-reaching harm.

3. Use real-time monitoring

Instead of waiting for reports of what happened, zero trust relies on real-time data to warn you of potential threats. It quickly identifies and mitigates bad actors, greatly reducing the “breakout time.” This is the window between when the first machine is compromised and when other systems are accessed. Knowing how to handle each type of breach can save seconds when it matters most.

4. Create a strategy, then adapt

A zero trust approach won’t fix everything on its own, because it’s part of an overall strategy that includes endpoint monitoring and response. As a result, you also may need to upgrade any obsolete tech that can’t align with zero trust models.
Additional tasks include installing patches and firmware upgrades. Work with your vendors to stay on top of new updates as they roll out. Create a schedule for maintenance and updates, and figure out early who’s responsible for communicating patches, upgrades, or other upkeep tasks to the employees who need to know about them.

How to reach zero trust

Knowing everything above, reaching zero trust may require a lot of work and a significant investment by your organization. However, experts highly recommend a move toward this type of security. Whether you implement the strategy this year or the next, consider these steps.

1. Know what it is

Zero trust architecture isn’t a plug-and-play solution you can purchase, download, and implement in a day. You need full buy-in from all partners within the organization and a commitment to doing what it takes to make it happen.
Plan out the entire process in advance of jumping in, and get the full cost of what it will take, including time and resources. Also assess any legacy systems, devices, or software solutions that you need to replace.

2. Understand how it affects your users

Take the time to think about what the change will mean for your employees or clients, and weigh each task against how it will affect your target audience. The continual verification may be off-putting at first, especially to those who don’t understand the benefits.
Prioritize the highest concerns against those that may alienate customers and won’t provide optimal benefits. Then, plan out a consistent experience that creates the same look and feel of verification and authentication across all of your applications and users.

3. Pick the right infrastructure

There’s no single solution to reach zero trust. Microsegmentation, software-defined perimeters (SDPs), and zero trust proxies each have their strengths, so familiarize yourself with each before you make any decisions.
  • Microsegmentation categorizes assets, applications, and users into groups, with a firewall between them. It can be difficult to scale but it’s also been around in one form or another for years, meaning there may be more documentation and help available.
  • An SDP lets businesses create on-demand IP tunnels that users pass through following authentication and verification. Users don’t even see outside their network perimeter, but security may be difficult once the tunnel opens.
  • Zero trust proxies combine the best of the previous two methods and add payload analysis. They are a scalable option that you can deploy incrementally.

4. Bolster verification and validation

Leave behind everything you know about security. With zero trust network access, you must reexamine apps, users, and endpoints. This approach will enhance all passwords and add verification steps for all users, including vendors, clients, employees, and IT partners.
You must also add verification for individual devices to this plan, which may require you to upgrade to more secure equipment if it’s outdated and can’t support the new goals. Jail-broken devices or those that bypass patches or encryption requirements won’t have access to the network, either.
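
The per-request checks from the principles above (authentication, MFA, encryption, least privilege, microsegment containment) and the device verification in this step can be sketched as one decision function. This is an added example, not code from HP or the original article; the Request and Device fields, the GRANTS table, and the user and segment names are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Device:
    jailbroken: bool
    patched: bool
    encryption_ok: bool      # meets the organization's encryption requirement

@dataclass(frozen=True)
class Request:
    user: str
    credential_valid: bool   # result of the password/token check
    mfa_passed: bool
    device: Device
    source_ip: str           # kept for logging; never used to grant trust
    segment: str             # microsegment that holds the target resource
    action: str              # "read" or "write"
    encrypted_channel: bool

# Constructed least-privilege grants: user -> segment -> allowed actions.
GRANTS = {
    "alice": {"hr-records": {"read"}},
    "bob": {"build-servers": {"read", "write"}},
}

def decide(req, grants=GRANTS):
    """Return (allowed, reason). Every check runs on every request."""
    if not req.encrypted_channel:
        return False, "channel not encrypted"
    if not (req.credential_valid and req.mfa_passed):
        return False, "authentication or MFA failed"
    dev = req.device
    if dev.jailbroken or not dev.patched or not dev.encryption_ok:
        return False, "device fails posture check"
    if req.action not in grants.get(req.user, {}).get(req.segment, set()):
        return False, "no grant for this segment and action"
    return True, "allow"

GOOD = Device(jailbroken=False, patched=True, encryption_ok=True)
SAMPLES = [  # constructed requests
    Request("alice", True, True, GOOD, "203.0.113.7", "hr-records", "read", True),
    # Valid password from inside the office network, but no MFA: still denied.
    Request("alice", True, False, GOOD, "10.0.0.5", "hr-records", "read", True),
    # Fully verified user reaching into a segment she has no grant for.
    Request("alice", True, True, GOOD, "10.0.0.5", "build-servers", "read", True),
    Request("bob", True, True, Device(True, True, True), "10.0.0.9",
            "build-servers", "write", True),
]

if __name__ == "__main__":
    for r in SAMPLES:
        print(r.user, r.source_ip, r.segment, r.action, "->", decide(r))
```

The source address never appears in decide, so a request from inside the corporate network earns no more trust than one from outside it.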

5. Expect challenges

Zero trust is not an easy fix, and you must maintain it as new threats happen. Here are some common and predictable obstacles to zero trust security:
  • The cost to update legacy apps, network resources, and authentication protocols may be high, which may make it difficult to earn buy-in from decision-makers.
  • Not all industry regulatory groups have adopted zero trust, so it’s difficult to be both compliant with industry best practices and adept at secure methods.
  • You measure the success of zero trust by a lack of attacks or breaches, which may be more difficult to quantify and tie to a measurable ROI than a metric that exists – and is therefore measurable.
A significant mindset change happens with zero trust. Not everyone will be ready, but the time will come when this method becomes the norm. By embracing it early, you could be at the forefront of your industry.

Bottom line

The zero trust model is a newer approach to security, and it requires a mindset shift at all levels of an organization. Keep in mind that by the time you and your partners research and develop a plan, it will be just in time to make a difference. While it may feel like you are an early adopter now, moving to zero trust is a significant push forward in an era where “trust, but verify” just won’t cut it much longer.
Reach out to your cloud services or platform provider or network administrator for ideas on how to move forward on zero trust security. After you assess your current tech habits and future needs, you can create a plan that’s unique to your company and poised to keep all of your devices, applications, and data safe.
About the Author: Linsey Knerl is a contributing writer for HP Tech@Work. Linsey is a Midwest-based author, public speaker, and member of the ASJA. She has a passion for helping consumers and small business owners do more with their resources via the latest tech solutions.


Disclosure: Our site may get a share of revenue from the sale of the products featured on this page.