The term Zero Trust originated with Forrester Research, a leading industry analyst group, in 2009 and the strategy has gained increasing acceptance and adoption amidst the recent torrent of publicly visible cyberattacks. The core of Forrester’s hypothesis was that the fundamental basis of current network architectures and cyber defense thinking was no longer viable. The idea that all internal networks should be considered trusted while external networks should be untrusted was fundamentally wrong. Forrester’s baseline assertion was that all networks and, by implication, all users should be considered untrusted. 

It was evident in 2009, and is increasingly evident today, that current cyber defense strategies are failing at a growing rate. Today we know that cyberattackers are able to penetrate just about any enterprise, and they often spend many months within the networks, performing reconnaissance and planning their attacks. The key assumption has been that you can keep attackers out - but this just won't work anymore. You should instead assume that attackers will successfully penetrate the perimeter defense and will gain complete access to your internal networks.

The move to the cloud has also accelerated the movement to Zero Trust. It has extended our vulnerable attack surfaces in many ways; too much is outside of our control, often depending on the security and management of outside vendors. The wide variety of these platforms extends our expectations for security protection to the providers of platform as a service (PaaS), infrastructure as a service (IaaS), and software as a service (SaaS). Each of these cloud environments brings additional vulnerabilities to your extended enterprise, ranging from unauthorized access by cloud personnel and misconfiguration through to complex vulnerabilities in application programming interfaces, Java containers, and much more.

Zero Trust best practices and the technologies that support them can be added to your defense in depth deployment, to harden and support your current ecosystem. With a Zero Trust strategy, there is no need to replace your existing infrastructure, only to complement it. Zero Trust also enables your security operations center (SOC) team to focus on the important threats and eliminates much of the noise that distracts them in their day-to-day activity.

Zero Trust is straightforward to implement. You need to define and adopt key Zero Trust policies that align with your current defense in depth deployment. You then need to make decisions about operations, procedures, and best practices, and finally select and deploy the new technologies required.

This is a partial example of a core set of Zero Trust policies that might fit your organization. It is summarized and abbreviated for purposes of illustrating this article:

  • Policy 1: Zero Trust does not allow any access to internal servers, databases, or applications until the identity of the user has been verified by strong authentication and until the specific access to the requested assets has been correctly authorized.
    • Sub Policy 1A. Zero Trust requires the mandatory use of 2-factor authentication to access any corporate application systems, without exception, through SMS text validation for departmental users.
    • Sub Policy 1B. Zero Trust requires the mandatory use of 2-factor authentication, for access, through the use of a hardware token, for managers and executives.
    • Sub Policy 1C. Zero Trust requires that User and Entity Behavior Analytics (UEBA) be deployed.
  • Policy 2: Zero Trust requires that physical devices and platforms which access corporate resources are authenticated by certificate or other means.
  • Policy 3: Zero Trust grants a user access to only the bare minimum they need to perform their job (least privilege), using network segmentation to limit authenticated users to the minimum lateral movement required to reach the resources necessary for their work.
  • Policy 4: Zero Trust requires that data be stored in encrypted form to the greatest extent practical, with the data and the data encryption keys held in separate physical locations.
    • Sub Policy 4A. Data should be encrypted end-to-end whenever possible. This includes when the data is in transit (through the network), in use (on the client device), and at rest (in the database).
    • Sub Policy 4B. The data encryption keys must be highly protected and never be provided to any external vendor or cloud vendor.
    • Sub Policy 4C. Data should be encrypted at the edge of the enterprise such that data which is in the cloud is, at all times, fully encrypted and protected.
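Policies 1 through 3 above all describe checks that a policy decision point must make before any single access request is allowed. The following is an added example, written for this article and not code from the author or any product, of a minimal default-deny decision function that applies those three policies to one request. The role names, the acceptable MFA method per role, the resource entitlements, and the request fields are constructed assumptions chosen to mirror the sub-policies; Policy 4 (encryption) is a data-handling control rather than a request-time check and is not modelled here.

```python
"""Added example: a minimal Zero Trust policy decision point (PDP).

Evaluates the article's Policy 1 (strong authentication + authorization),
Sub Policies 1A/1B (MFA method by role), Policy 2 (device authenticated by
certificate) and Policy 3 (least privilege) for one access request.
Every mapping below is a constructed assumption for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Sub Policies 1A/1B: the MFA method acceptable for each role (constructed).
REQUIRED_MFA = {
    "departmental": {"sms"},
    "manager": {"hardware_token"},
    "executive": {"hardware_token"},
}

# Policy 3: the only resources each role is entitled to reach (constructed).
ENTITLEMENTS = {
    "departmental": {"crm-app"},
    "manager": {"crm-app", "hr-db"},
    "executive": {"crm-app", "hr-db", "finance-db"},
}


@dataclass
class AccessRequest:
    user: str
    role: str
    authenticated: bool            # primary credential already verified
    mfa_method: Optional[str]      # "sms", "hardware_token" or None
    device_cert_valid: bool        # Policy 2: device presented a valid certificate
    resource: str                  # asset being requested


@dataclass
class Decision:
    allow: bool
    reasons: List[str] = field(default_factory=list)


def evaluate(req: AccessRequest) -> Decision:
    """Default deny: access is allowed only if every policy passes.

    All failing policies are reported, not just the first one, so the SOC
    can see the full picture of why a request was refused.
    """
    reasons: List[str] = []

    # Policy 1: identity must be verified before anything else is considered.
    if not req.authenticated:
        reasons.append("policy 1: user identity not authenticated")

    # Sub Policies 1A/1B: the MFA method must match what the role requires.
    required = REQUIRED_MFA.get(req.role)
    if required is None:
        reasons.append(f"policy 1: unknown role {req.role!r}")
    elif req.mfa_method not in required:
        reasons.append(
            f"policy 1: MFA method {req.mfa_method!r} not acceptable for role {req.role!r}"
        )

    # Policy 2: the device itself must be authenticated.
    if not req.device_cert_valid:
        reasons.append("policy 2: device certificate not valid")

    # Policy 3: least privilege, the resource must be within the role's entitlements.
    if req.resource not in ENTITLEMENTS.get(req.role, set()):
        reasons.append(f"policy 3: role {req.role!r} is not entitled to {req.resource!r}")

    return Decision(allow=not reasons, reasons=reasons)


if __name__ == "__main__":
    # Constructed sample requests: one compliant, two that each fail several policies.
    samples = [
        AccessRequest("alice", "manager", True, "hardware_token", True, "hr-db"),
        AccessRequest("bob", "departmental", True, "sms", False, "finance-db"),
        AccessRequest("carol", "executive", True, "sms", True, "crm-app"),
    ]
    for s in samples:
        d = evaluate(s)
        print(f"{s.user:6} -> {'ALLOW' if d.allow else 'DENY '} {d.reasons}")
```

The point of the structure is that the function never has an "allow" branch of its own: it only accumulates denial reasons, and access follows solely from that list being empty. Adding a new policy (for example a UEBA risk score from Sub Policy 1C) means appending one more check, with no change to the allow path.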

You can see that building out a Zero Trust strategy results in an environment which is much more robust and capable of stopping many of the attackers that seek to compromise your on-premises networks and clouds. Further, when cyberattackers do successfully penetrate your networks, Zero Trust will help reduce the time to breach detection, substantially limit or eliminate their ability to cause damage or steal data and help to promptly mitigate the attack so you can resume normal operations. It enables you to expand incrementally upon the frameworks you have deployed with defense in depth and to build in the protections and resiliency required to meet the growing and challenging cyberthreats that you face, both today and in the future.