Zero Trust Defined
Zero Trust is a security model that uses strict identity verification for every person or entity attempting to access network resources, regardless of whether the person or entity is in the office bound by the network perimeter or accessing the network remotely.
First introduced by analyst firm Forrester Research in 2010, Zero Trust architecture doesn't rely on one single technology. Instead, Zero Trust is a framework that can include a range of different technologies and best practices, all centered around identity verification. For this reason, it can be thought of as a security philosophy rather than a definable security technology. This philosophy is often boiled down to "never trust, always verify," whereas most traditional models can be described as "trust but verify."
Benefits of a Zero Trust Model
The key benefit of using a Zero Trust architecture is protection from all sides, particularly from within. Traditional security models such as defense-in-depth have historically focused protection on the network perimeter. These approaches are failing organizations, because many of today’s breaches occur from within. Data exfiltration can be easy for someone who already has access to the network. To combat this, Zero Trust takes away access from anyone and everyone until the network can be certain who you are.
Other benefits include increased protection of data that may live outside the network. Today, most organizations keep some level of private data in the cloud. Taking the focus off the perimeter and placing it on identity verification gives Zero Trust the ability to protect data regardless of where it lives.
The Main Principles of a Zero Trust Network
Zero Trust, as its name suggests, works on the principle that nothing should be trusted and everything should always be verified. Within this idea there are several technologies and best practices that make up a Zero Trust architecture. Here are a few of the main principles:
- Least-privilege access, which means only allowing access to the information someone needs. This reduces pathways typically used by malware and attackers and reduces the chances of internal data exfiltration.
- Micro-segmentation divides up a network into separate segments with different access credentials. This increases the means of protection and keeps bad actors from running rampant through the network even if one segment is breached.
- Multi-Factor Authentication (MFA) requires two or more ways to prove someone is who they say they are. Using an MFA tool provides reliable identity verification that is a must for any Zero Trust model.
- Risk-adaptive security controls are necessary in order to analyze human and entity behavior and identify potentially risky activities in near-real time. Gartner calls this Continuous Adaptive Risk and Trust Assessment (CARTA).
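The following added example (not from the original page or any vendor product) shows how the four principles above can combine into a single deny-by-default decision made on every request. The roles, segment names, grant table and risk thresholds are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample policy: (role, segment) -> actions that role needs there.
# Anything not listed is denied (least privilege, deny by default).
GRANTS = {
    ("hr-analyst", "hr-db"): {"read"},
    ("dba", "hr-db"): {"read", "write"},
    ("dba", "billing-db"): {"read"},
}
# Hypothetical thresholds on a 0-100 behavioural risk score.
STEP_UP_RISK = 40   # at or above: require a fresh MFA challenge
BLOCK_RISK = 80     # at or above: deny regardless of credentials
FRESH_MFA_S = 300   # what counts as a "fresh" MFA success, in seconds


@dataclass(frozen=True)
class Request:
    user: str
    role: str
    segment: str
    action: str
    identity_verified: bool       # primary credential checked for this request
    mfa_age_s: Optional[int]      # seconds since last MFA success, None if never
    risk: int                     # score from behavioural analytics


def decide(req: Request, mfa_max_age_s: int = 8 * 3600) -> Tuple[str, str]:
    """Return (decision, reason); decision is allow, step_up or deny."""
    # Never trust: network location is deliberately not an input.
    if not req.identity_verified:
        return "deny", "identity not verified"
    # Risk-adaptive control: high risk overrides otherwise valid credentials.
    if req.risk >= BLOCK_RISK:
        return "deny", "risk score too high"
    # Micro-segmentation + least privilege: grants are per segment and action.
    if req.action not in GRANTS.get((req.role, req.segment), set()):
        return "deny", "no grant for this segment/action"
    # MFA: required for every allow; elevated risk demands a fresh challenge.
    if req.mfa_age_s is None or req.mfa_age_s > mfa_max_age_s:
        return "step_up", "mfa missing or expired"
    if req.risk >= STEP_UP_RISK and req.mfa_age_s > FRESH_MFA_S:
        return "step_up", "elevated risk, re-authenticate"
    return "allow", "all checks passed"
```

A `step_up` result means the caller must complete a new MFA challenge and resubmit the request; it is never treated as an allow.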
How to Implement Zero Trust
There can be multiple approaches to the model, but there are a few considerations almost everyone will need to include in order to implement an efficient Zero Trust architecture:
- Consider the technologies you will need to add to your current stack such as:
  - Next Generation Firewall – you will need a tool that provides network protection, decrypts traffic, and can assist with micro-segmentation.
  - Risk-Adaptive Security Tools – to apply adaptive controls your tools will need to support you. Forcepoint offers advanced risk-adaptive security with behavioral analytics at its core. Learn more about Dynamic Data Protection.
- Deploy Multi-Factor Authentication – there are several options and vendors for MFA; you just need to choose the right one for your organization. Check out Ping Identity’s MFA offering.
- Understand Access Needs – decide who needs access to what in your organization. Remember to grant the least privilege that someone needs and nothing extra.
- Consider Your Culture – at the macro level and at the granular security level, a company’s culture will dictate the efficacy of any security model. In the case of Zero Trust, where you understand that threats come from outside and within, a supportive and educated workforce is key.