Deploying a zero trust security philosophy is crucial to minimizing the risk of a data breach. Government security teams worldwide recognize the increase in advanced persistent threats and are moving to zero trust principles—a trend that is already forcing the private sector to follow suit.
In this post, we will review the key elements of zero trust architecture and how an organization can deploy a zero-trust model with minimal disruption to operations.
Fundamental principles of zero trust
In the United States, the National Institute of Standards and Technology (NIST) created a zero trust model that assumes the network is compromised and that a threat actor has access to the environment. Zero trust takes that assumption and then builds controls that require the user to authenticate, on a continuous basis, to access sensitive data. Data is encrypted at rest and in transit, and the device being used is checked to make sure that it has the appropriate security posture before access is granted. These standards comprise the zero trust philosophy.
Zero trust does not rely on a single technology, and no one vendor can provide every tool needed to implement a zero trust architecture for your organization. Think of zero trust as a security design that must be deployed across the entire digital estate to protect the sensitive or confidential data of your employees, partners, clients, customers, and users.
Never assume trust
Zero trust starts with the assumption that your organization has been or will be compromised. No single user inside or outside of your company is granted unlimited trust. The principle of least privilege is applied throughout a zero-trust network: not only is access granted at the minimum level required, it is also always verified with multi-factor authentication (MFA).
Verify every user and device
In a zero-trust network, each request for access must be authenticated and authorized—whether it comes from a device, application, data operation, or user. These authorizations must be assessed in the right context: the sensitivity of the data requested (is it confidential or sensitive?), the user's location, the health of the end-user device, and the current threat environment are all evaluated before access is granted.
Restricted access
Data is encrypted at each state—in transit and at rest. Networks are segmented to prevent lateral movement by cybercriminals. If a breach is detected, you want to be able to limit the blast radius, to contain the exposure and minimize the damage.
Maintain maximum visibility
Finally, security teams must continuously monitor all resources to maintain visibility into network access, user credentials, and device posture.
Where to start implementing a zero trust foundation
To begin, you need a sound governance foundation—you need the security policies and processes of your company to require continuous monitoring and enforcement of your zero trust network access controls.
Next, to make the assessment continuous, implement automation and orchestration so that zero trust becomes a benefit to your employees rather than a source of friction in your network. Automation is key in a high-volume network, and it produces a more stable foundation on which a secure posture can be built.
Building on the first two foundational layers, you gain visibility into your overall environment with advanced analytics and threat detection. Gaining insight and visibility into each pillar of zero trust is incredibly important when funneling data through the policy engine (automation) and governance layers.
Pillars of zero trust
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) defines the pillars of zero trust as identity, devices, networks, applications, workloads, and data. This framework is also echoed by the Canadian Centre for Cyber Security.
- Identity is any device or user that needs authentication.
- Devices include any equipment that can connect to a network (smartphones, laptops, printers, IoT devices, etc.). A device that cannot link to a network is not a threat.
- Networks are defined as the overall IT environment and include devices (as defined above), network infrastructure, and network architecture.
- Applications and workloads consist of applications and processes that access your enterprise data on-prem and in the Cloud.
- Data is all sensitive information that must be protected by zero trust.
Keys to implementing zero trust architecture
What is the process of implementing zero trust architecture based on the recommended NIST/CISA guidelines?
To gain access at the endpoint, users must go through a secure policy enforcement checkpoint such as a cloud-based firewall, cloud access security broker (CASB), or secure access service edge (SASE). The endpoint can be routed through Azure, Salesforce, or the open Internet if data loss prevention (DLP) is enforced.
To verify user or device identity, you must use an identity management solution such as Azure AD, Okta, or One Identity. Interrogate the device identity to confirm that it meets the posture, patch, and endpoint protection requirements using tools like ManageEngine and Microsoft Intune. Security analytics solutions such as CrowdStrike, Microsoft Defender, Microsoft Sentinel, and Splunk provide visibility and aggregate data into your SIEM tool.
Firewall vendors such as Fortinet, Palo Alto Networks, Check Point, Microsoft Defender, Netskope, and Cisco can be utilized as policy enforcement checkpoints.
The cumulative result of these zero trust components is continual trust verification based on time and location data, endpoint validation, threat monitoring, and risk assessment.
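The contextual, per-request decision described in this section, as an added example that is not code from the original post: a minimal policy decision function that weighs role entitlement, device posture, location, threat level and MFA for every request. The roles, countries, field names and thresholds are constructed assumptions.

```python
"""Added example (not from the original post): a minimal policy decision
function that checks every access request in context, as described above.
Field names, roles, countries and thresholds are constructed assumptions."""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step-up"   # require an additional authentication factor first
    DENY = "deny"


@dataclass(frozen=True)
class Request:
    role: str               # role the user holds (least privilege applies)
    resource: str
    sensitivity: str        # data classification: "internal" or "confidential"
    mfa_verified: bool      # a second factor was presented for this session
    device_compliant: bool  # patched and running endpoint protection
    device_managed: bool    # enrolled in the organisation's device management
    country: str            # where the request originates
    threat_level: str       # current SOC assessment: "low", "elevated", "high"


# Constructed least-privilege map: which resources each role may reach.
ROLE_RESOURCES = {"analyst": {"reports"}, "finance": {"reports", "ledger"}}
ALLOWED_COUNTRIES = {"CA", "US"}


def evaluate(req: Request) -> Decision:
    """Nothing inherits trust from the network; every request is re-evaluated."""
    # Least privilege: a role not entitled to the resource is denied outright.
    if req.resource not in ROLE_RESOURCES.get(req.role, set()):
        return Decision.DENY
    # Device posture: non-compliant devices get nothing, and confidential data
    # additionally requires a managed device.
    if not req.device_compliant:
        return Decision.DENY
    if req.sensitivity == "confidential" and not req.device_managed:
        return Decision.DENY
    # Location and threat environment raise the bar rather than block: a request
    # from an unexpected country or during elevated threat must carry MFA, as
    # must any access to confidential data.
    risky = req.country not in ALLOWED_COUNTRIES or req.threat_level != "low"
    if req.sensitivity == "confidential" or risky:
        return Decision.ALLOW if req.mfa_verified else Decision.STEP_UP
    return Decision.ALLOW
```

A real policy engine would pull these signals from the identity provider, device management and threat feeds named above; the function only shows how they combine into an allow, step-up or deny verdict.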
The zero trust framework in the Cloud
The steps outlined below focus on Amazon Web Services (AWS), but this framework can be applied to any cloud platform, including Google and Azure. Zero trust architecture in the Cloud involves a three-phased approach.
The user first reaches a front-end application firewall and enters the public subnet of the web tier. Next, the user passes through load balancing into the private subnet of the application tier. Finally, the user arrives at the database backend (in this example, Aurora, Amazon S3, and Glacier).
- Segmentation is vital to mitigate the potential damage of a breach. In this example, segmentation is applied to the public and private subnet tiers. Security groups are also crucial to this architecture, functioning as a dynamic firewall. Static IP addresses are not always available, and security groups allow the applicable web tier servers to reach the application tier servers securely.
- Authentication uses TLS on every communication, with certificates issued through AWS Certificate Manager. Amazon Cognito also contributes to authenticating all users, and AWS Identity and Access Management (IAM) governs role access to resources.
- Detection platforms such as Amazon CloudWatch monitor logs, and Amazon GuardDuty acquires threat intelligence as it emerges. Deploying these controls merges all seven NIST tenets into a single application deployment.
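The segmentation point above (private tiers reachable only from the tier in front of them, referenced by security group rather than by static IP) can be audited offline. The following is an added example, not code from the original post or from AWS: it checks security-group rules in the shape returned by `aws ec2 describe-security-groups`, using constructed group IDs, ports and rules, one of which is deliberately wrong so the audit has something to find.

```python
"""Added example (not from the original post): an offline audit of the
security-group rules behind the three-tier layout described above. The input
mirrors the shape of `aws ec2 describe-security-groups`; the group IDs,
ports and rules are constructed sample data, including one planted defect."""
# Constructed sample: one security group per tier.
SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-app", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-web"}]},
        # Planted defect for the audit to catch: SSH exposed to the Internet.
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-app"}]}]},
]

# Intended flow: the web tier is public on 443 only; each private tier accepts
# traffic solely from the tier in front of it, referenced by group, not by CIDR.
TIER_POLICY = {
    "sg-web": {"public_ports": {443}, "upstream": {}},
    "sg-app": {"public_ports": set(), "upstream": {"sg-web": 8080}},
    "sg-db": {"public_ports": set(), "upstream": {"sg-app": 5432}},
}


def audit(groups, policy):
    """Return one finding string per rule that breaks the segmentation policy."""
    findings = []
    for group in groups:
        gid = group["GroupId"]
        rules = policy.get(gid)
        if rules is None:
            findings.append(f"{gid}: group not covered by the tier policy")
            continue
        for perm in group["IpPermissions"]:
            port = perm.get("FromPort", "all")  # protocol -1 rules carry no port
            # Any CIDR source on a port not explicitly public is a finding.
            for rng in perm.get("IpRanges", []):
                if port not in rules["public_ports"]:
                    findings.append(f"{gid}: port {port} open to {rng['CidrIp']}")
            # Group sources must be exactly the expected upstream tier and port.
            for pair in perm.get("UserIdGroupPairs", []):
                if rules["upstream"].get(pair["GroupId"]) != port:
                    findings.append(f"{gid}: unexpected source {pair['GroupId']} on port {port}")
    return findings
```

Running `audit(SAMPLE_GROUPS, TIER_POLICY)` reports only the planted SSH rule; in practice the input would come from the live account and the policy from your architecture documentation.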
Strengthening your security posture’s foundation
When implementing zero trust architecture, it is vital to solidify your organization’s security foundation by moving away from the castle and moat, perimeter-based security framework to the zero trust architecture that secures every user, device, and network resource, every time, regardless of location.
The guidelines from CISA and NIST are clear examples of a security architecture blueprint. It is vital to assess the maturity of your security efforts across the NIST pillars to see what is already working well within your organization and what you can build upon.
Identity is key to establishing authentication of users and applications, using solutions such as Azure AD, Ping Identity, or Okta. Knowing where your data is and how sensitive it is constitutes another critical component of a zero trust framework. Managing sensitive data with a well-defined data classification policy guarantees that data is appropriately labeled and identified. Zero trust is a journey, not a product or technology; prioritizing and protecting organizational data is the goal.
Protect remote workers’ devices from where they work
With the prevalence of data breaches and cybercrime, it is paramount to implement zero trust not just at the office but also for workers who are at home or in remote work environments.
How can you strengthen your Work From Home (WFH) policy and stay safe with a distributed workforce?
- Begin with skepticism. Assume that no device, network, or connection is inherently secure.
- Routinely update your endpoints to the latest OS and patch applications with a robust patch management program or outsource that to a trusted partner.
- Follow strong password best practices for every account, and change passwords regularly, at least once a year if you have MFA implemented.
- Deploy MFA whenever possible to create an additional barrier against account compromise.
- Think twice about opening or downloading attachments. Double check that they are from a trusted source.
- Install a leading MDR solution and keep it updated.
- If possible, segment home networks by isolating smart devices from sensitive personal data, ensuring that successful breaches do not jeopardize your personal information.
Adopting zero trust practices in your day-to-day digital routines creates additional protections for both personal and organizational IT security.
Zero trust architecture with OnX Canada
With many zero trust solutions and tools emerging to fill cybersecurity gaps, partnering with an experienced IT security provider is more crucial than ever.
OnX has many offerings designed to further your zero trust maturity, including security assessments, architectural plans, bird’s eye view roadmaps, implementation, and ongoing security managed services. Utilizing a third-party security provider like OnX is crucial for most companies’ cyber threat prevention and management.
The cybersecurity experts at OnX are here to lead your organization through developing, implementing, and maintaining zero trust architecture. Get in touch to learn how zero trust can strengthen your company’s overall security posture.