What is a Zero Trust Policy and Why Should You Adopt It?

Posted by BulletVPN on 16 04 2020.

When former Forrester analyst John Kindervag proposed the Zero Trust model for implementing an overall cyber-security strategy in 2010, he hardly expected this security framework to become one of the most widely adopted within less than a decade. The growing number of targeted cyber-attacks and the resulting data leaks that cost companies in the range of billions of dollars a year, as well as the increasing number of ransomware infections, led to the broad adoption of the Zero Trust model in the past few years. The core concept behind a Zero Trust policy is to trust no one, insider or outsider, because users behind your firewall can be as dangerous a threat as malicious actors outside. So, what is a Zero Trust Policy? What kinds of examples are there? Why should you adopt one? Find out in this comprehensive guide.

What is a Zero Trust Model?

A Zero Trust framework highlights the importance of not trusting anyone and anything inside your organization’s perimeter. It is in stark contrast with the old concept of securing your perimeter against cyber threats from outside and then treating all insiders as secure.

Under the Zero Trust model, you should check and verify everything that is trying to connect to your systems. Thus, you always need to know who is attempting to connect to what, and whether valid credentials and authorizations are in place for both company users and third parties.

The problem with past security models, which focused on defending the perimeter and treated internal systems as safe once access was granted, is that they let bad actors move with relative freedom across internal systems once they have penetrated the perimeter defenses. As a result, a large number of data theft and data leak incidents occurred across a variety of industries, affecting hundreds and thousands of companies.

Today’s hybrid corporate networks, in which a mix of on-premises, cloud-based, and on-demand solutions work together, do not allow for an approach that considers internal systems safe. Instead, a Zero Trust-like model is required to make sure all your connections are safe. It also helps ensure that data is not leaking to unauthorized accounts or by unauthorized accounts. You can see how Google’s Zero Trust implementation works in the chart below.

As seen here, for an organization to successfully adopt a Zero Trust cyber-security strategy, it should address eventual issues across a number of key areas. What are they? Here’s what you need to know.

Key Areas for Zero Trust Frameworks

Nothing about your business-critical and secondary systems is outside the scope of a working Zero Trust framework. And, since data is the most precious digital asset, Zero Trust focuses on protecting your data. This tops the list of key areas Zero Trust is dealing with.

  • Data in Zero Trust: A strategy to protect data requires your organization to first identify where sensitive data resides across the network. Next, you need to define access rights for data. Then, you must monitor data access in order to detect threats and respond adequately.
  • Networks in Zero Trust: Networks are the primary attack vector, and Zero Trust deals with them by restricting access to your networks through advanced firewall features and isolating business-critical networking components.
  • People in Zero Trust: Insiders are another common attack vector, and Zero Trust tries to solve the problem by implementing strict user access rights – inside and outside the perimeter – and defining who can access what data and from where.
  • Workloads in Zero Trust: Workloads comprise all the applications and software that customers and partners use to do business with you. As third-party apps are another common attack vector, Zero Trust deals with unpatched and outdated software to protect your networks and data.
  • Devices in Zero Trust: Zero Trust involves a policy for having control over any device users are attaching to an end-point device across your connected systems – from USB drives through smart devices to devices attached to remote computers.

Evidently, monitoring and controlling all these key areas is beyond human ability. Therefore, the automation of processes and procedures is a core element of a Zero Trust implementation. Another essential element is the use of analytical tools for detecting unknown threats and analyzing user behavior. It helps identify weak points and remediate security risks early.

How to Adopt a Zero Trust Policy?

Adopting a Zero Trust policy requires your organization to adhere to three basic principles for securing your digital assets. These are:

  • Authenticate and verify access to anything,
  • Enforce a least privilege access model,
  • Monitor and check everything.

These principles might seem quite simple and easy to adopt. Still, real-life examples show that organizations often do not implement them in full or leave security holes resulting in data breaches. Below you can see a roadmap for adopting a Zero Trust policy by Microsoft. But bear in mind that it deals only with top-layer issues while any specific implementation involves many additional technical and logical details to consider.

Microsoft’s Zero Trust Adoption Roadmap


Source: Microsoft

So, how do you adopt a Zero Trust model for cyber-security that is based on the above three principles? First, treat every access request by every user as a potential threat, and therefore authenticate and verify access rights every time a user attempts to access a shared file, an application, or a data storage device. Authentication applies to resources both inside your on-premises network and resources stored remotely and in the cloud.

Second, adopt a least privilege access model. This permits each user to have access only to the resources he/she needs to perform his/her immediate job. Apart from user access rights, you also need to set proper administrative privileges. They deal with who can do what within a system once he/she has been granted access.

Finally, you must monitor and log all essential activities system-wide if you are to identify threats immediately. With that, you can also detect suspicious or abnormal activities, and respond to threats in progress.
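The three steps above combined into one per-request decision function, as an added example that is not part of the original post. The token format, signing key, user names and grants are constructed for illustration; note that the source network is logged but never used to grant access.

```python
import hashlib
import hmac

# All names and values below are constructed for this example.
SIGNING_KEY = b"demo-key-not-for-production"
# Least privilege: each user holds only the (resource, action) pairs the job needs.
GRANTS = {
    "alice": {("payroll-db", "read")},
    "bob": {("wiki", "read"), ("wiki", "write")},
}
AUDIT_LOG = []  # every decision, allow or deny, is recorded here


def issue_token(user, expires_at):
    """Return 'user|expiry|mac', signed with HMAC-SHA256."""
    body = f"{user}|{expires_at}"
    mac = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{mac}"


def verify_token(token, now):
    """Return the user name if the token is authentic and unexpired, else None."""
    parts = token.split("|")
    if len(parts) != 3:
        return None
    user, expiry, mac = parts
    expected = hmac.new(SIGNING_KEY, f"{user}|{expiry}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None  # forged or altered token
    if not expiry.isdigit() or int(expiry) <= now:
        return None  # expired token
    return user


def authorize(token, resource, action, source_net, now):
    """Decide one request; source_net is logged but never grants access."""
    user = verify_token(token, now)
    if user is None:
        decision, reason = "deny", "authentication failed"
    elif (resource, action) not in GRANTS.get(user, set()):
        decision, reason = "deny", "not granted"
    else:
        decision, reason = "allow", "granted"
    AUDIT_LOG.append({"time": now, "user": user, "resource": resource,
                      "action": action, "source_net": source_net,
                      "decision": decision, "reason": reason})
    return decision == "allow"
```
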

Having such a complex yet working system in place is a challenge. However, adopting a simplified Zero Trust model is achievable for smaller organizations as well. What you need is to focus on adoption and adherence to the core principles of Zero Trust and build on them.

Concluding Words

Adopting some form of Zero Trust framework is becoming urgent for a growing number of businesses. Networks are now more complex, and data is accessible through various connection channels and devices. Even a smart-home network should incorporate some of the Zero Trust principles. That’s because these networks are usually accessible from outside, and you can attach different portable devices to them.

Deciding whether, when, and how to adopt a Zero Trust security policy is a question for small and large organizations alike, especially where implementation costs are concerned. In fact, you don’t need expensive software and hardware to secure a home or small-office network.

The only thing you should do is adopt and stick to the core Zero Trust principles: authorize every connection before granting access, and avoid assigning unnecessarily elevated administrative rights to any user. As a result, you will also be able to spot unusual system activities and access requests when they occur within your IT ecosystem.
