Zero Trust Defined
Zero Trust is a security paradigm that combines strict identity verification and explicit permission for every person or entity attempting to access or use network resources, regardless of whether the person or entity is in “inside” an enterprise’s network perimeter or accessing that network remotely.
First introduced by analyst firm Forrester Research in 2010, the Zero Trust model doesn't rely on one single technology. Instead, Zero Trust is a framework that can include a range of different technologies and best practices all centered around reliably knowing who is trying to access or use data and whether they have explicit permission to do so. The philosophy behind it is often boiled down to, "never trust, always verify" whereas most traditional models can be described as "trust but verify."
Benefits of a Zero Trust Model
The key benefit of using a Zero Trust approach is protection from all sides, particularly from within. Traditional security models such as defense-in-depth have historically focused protection on the network perimeter. These approaches are failing organizations where many of today’s breaches occur from within, whether explicitly by employees or by threats that have infiltrated the network through email, browsers, VPN connections, and other means. Data exfiltration can be easy for someone who already has access to the network. To combat this, Zero Trust takes away access from anyone and everyone until the network can be certain who you are. Then, it continuously monitors how you’re using data and potentially revoking permissions to copy that data elsewhere.
The Main Principles of a Zero Trust Network
Zero Trust, as its name suggests works on the principle that nothing should be trusted and should always be verified. Within this idea there are several technologies and best practices that make up a Zero Trust approach. Here are a few of the main principles:
- Least-privilege access, which means only allowing access to the information each individual needs. This limits the ability of malware to jump from one system to another and reduces the chances of internal data exfiltration.
- Micro-segmentation divides up a network into separate segments with different access credentials. This increases the means of protection and keeps bad actors from running rampant through the network even if one segment is breached.
- Data usage controls limit what people can do with data once they are given access. Increasingly, this is done dynamically, such as revoking permission to copy already-downloaded data off to USB disk, email, or cloud apps.
Continuous monitoring examines how users and entities are interacting with data and even other systems. This help verify that people are who they claim to be and enables risk-adaptive security controls to automatically tailor enforcement based on people’s actions.
How to Implement Zero Trust
There can be multiple approaches to the model but there are a few considerations almost everyone will need to include in order to implement an efficient Zero Trust architecture:
- Consider the technologies you will need to add to your current stack such as:
- Next Generation Firewall – you will need a tool that provides network protection, decrypts traffic, and can assist with micro-segmentation.
- Zero Trust Network Access – new Zero Trust cloud services can give remote workers access to internal private apps without the complexities, bottlenecks, and risks of VPNs.
- Data Loss Prevention – DLP solutions enable you to go beyond merely controlling access to managing how your data is used.
- Continuous Monitoring – to always verify, you need to keep vigilant watch over what people and entities are doing with your systems and data. Forcepoint uniquely offers advanced user activity monitoring solutions that make data protection risk-adaptive, automatically personalizing what people are allowed to do based on their own actions.
- Understand Access Needs – decide who needs access to what in your organization. Remember to grant the least privilege that someone needs and nothing extra.
- Consider Your Culture – at the macro level and at the granular security level a company’s culture will dictate the efficacy of any security model. In the case of Zero Trust where you understand the threats come from outside and within, a supportive and educated workforce is key.