What if instead of architecting networks with implied trust, organizations eliminated the need for trust completely? That’s the thinking behind Zero Trust networking, a security strategy that assumes no user or device is inherently trustworthy. Defaulting to trust and granting trusted entities unbridled access creates unnecessary risk because attackers can manipulate that trust for their own gain.
Zero Trust network architectures provide security from every direction, protecting against threats that originate both internally and externally. In essence, a Zero Trust network architecture validates every request to verify that access can be granted, and then continuously monitors how the access is being used. It is always poised to revoke those permissions should any traffic or activity pose a threat to the network’s security.
This article describes the concept of Zero Trust and explains how organizations can develop a Zero Trust network architecture. Alternatively, if you prefer your discussions a bit livelier, watch our on-demand webinar, "Zero Trust: The Most Overused, Misused, & Abused Cybersecurity Term Today" by clicking the banner:
What is a Zero Trust network?
Zero Trust is an IT security model that rejects the idea that entities operating within a system’s perimeter should be trusted implicitly. Instead, a Zero Trust architecture continuously verifies connections and identities regardless of whether or not they are connected inside the network's perimeter or have been verified before. Zero Trust denies requests by default, providing access only after developing sufficient confidence in the user, the device, and the network context.
In the past, security architects focused their efforts on protecting the network perimeter from malicious external activity. Perimeter-based strategies assumed traffic within the network was inherently trustworthy and traffic originating outside the network was not. But as corporate infrastructures have evolved and enterprise networks expand to include more diverse devices and distributed connections, the perimeter itself has become blurred.
At the same time, monitoring north-south traffic across a corporate firewall doesn’t protect against the damage attackers can do by moving east-west. Once they gain access to a network, attackers can use tactics like lateral movement to penetrate deeper and escalate privileges, often without resistance or detection.
Where does the term “Zero Trust” come from?
Since its inception, Zero Trust has accounted for the possibility that attacks can originate both inside and outside of a corporate network. As cyberattacks become more sophisticated and networks more distributed, it’s increasingly common for breaches to originate within a network, whether intentionally or through stolen or spoofed credentials, for example.
When former Forrester Research analyst John Kindervag developed the term “Zero Trust” in 2010, his suggestion that there was a pervasive security risk on both sides of the network perimeter was groundbreaking. Instead of the adage “trust but verify,” the Zero Trust model adopted a new foundational motto: “never trust, always verify”.
How can organizations implement Zero Trust?
Zero Trust cannot be achieved through any single product or solution; it’s an overarching strategic paradigm. Implementing a modern security model requires security architects to leverage a collection of tools and techniques that support a Zero Trust approach. These technologies are important for Zero Trust because they all work together to grant and deny access, reduce the potential for attacks, and minimize attackers’ opportunity to access sensitive data and cause damage if they do manage to compromise a network.
Zero Trust models help organizations focus on defending a defined attack surface, which contains the company’s most critical data, applications, assets, and services (DAAS). Changes to the definition of the network perimeter and the rapid expansion of the attack surface are some of the challenges that led to Zero Trust in the first place; developing a detailed, comprehensive understanding of all the devices and moving parts that exist within your network helps address those issues. Detailed network knowledge helps understand what you can and cannot protect against, therefore increasing awareness and confidence in your ability to respond to security incidents.
Identity and access management
Identity and access management (IAM) tools allow security teams to track and monitor access to all devices, users, and credentials within their ecosystem. Developing an understanding of regular login behaviors and network usage makes it easier to define outliers and identify potential abuse, triggering identity checks and further authentication measures when appropriate. In turn, IAM also reduces response time and cuts down time to mitigate when breaches do occur.
Least privilege access
With least privilege principles in place, users are never granted blanket access. Instead, they are only permitted to access or use the parts of a network they need at any given time. Usage controls are also an effective way to limit what users can do with the data they have gained access to. Organizations should review privileges regularly and revoke access as soon as it’s no longer required. Operating with least privilege access protects sensitive data by minimizing users’ individual exposure.
Multi-factor authentication (MFA) is a widely accepted method of Zero Trust verification. Instead of just asking for a password, MFA requires multiple proof points in order to authenticate a user’s identity. For example, when someone attempts to log in to a service with a username and password, they might receive a code (through another application or on a different device) that they have to input in order to prove their identity and gain access. This application of MFA is incredibly popular and has already become ubiquitous in the general public.
Modern developments like the broad diversity and distribution of today’s device fleets, increased network traffic, and greater computing power have challenged perimeter-based security models. Microsegmentation has taken over, achieving Zero Trust by implementing a more granular approach to security. Instead of isolating subnets through network segmentation, microsegmentation creates a mini-perimeter around each highly-defined zone, or even individual endpoints, in order to secure it individually.
Network-based, hypervisor-based, and host-based microsegmentation are all potential implementations of this concept. Then there’s edge microsegmentation, a hybrid of network- and host-based microsegmentation, where security technology is applied at the edge of each endpoint.
Zero Trust is an iterative approach to security, meaning that organizations can and should constantly be improving their network architecture to follow Zero Trust principles. Logging and monitoring traffic will help security teams ensure that every device with network access has been fully authenticated and authorized. These techniques minimize the network’s attack surface, reduce risk, and improve organizations’ ability to prevent, detect, and remediate attacks.
Zero Trust networks and the future of security
In summary, Zero Trust networking assumes a modus operandi of “never trust, but always verify”. Zero Trust demands that anyone and anything requesting network access must provide multiple pieces of evidence corroborating their identity. Within a Zero Trust network architecture, even users and devices that have been granted access can only use what is absolutely necessary for their purposes. And finally, Zero Trust networks log and monitor usage so that if access is abused in any way, it can be revoked immediately.
Zero Trust is a powerful and dynamic security strategy that can keep pace with modern IT environments, where employees spread across the world can work from the office on Monday, their living room on Wednesday, and a train station on Friday. Byos is dedicated to helping protect organizations and their employees from the security risks that come with remote work and distributed teams by enabling Zero Trust architectures through hardware-based edge microsegmentation. The patented Byos μGateway creates a microsegment around each individual endpoint, providing an external layer of security and supporting Zero Trust principles at the edge. Ready to learn more? Get in touch with us today