3 Zero Trust Principles

Not trusting your own environment, including employees, network and devices, seems an unpopular and unfair thought. However, the experience of many past breaches and attacks has taught us that this need not be the case. In Zero Trust, you treat your office as a coffee shop. If your employees connect from a coffee shop, they have no access to your data unless they pass the defined authentication and health checks. Whether they are a few feet away from your data center or thousands of miles away makes no difference: everyone must pass through the security gates before being granted access.

Forrester was one of the first firms to introduce this concept. Gartner calls it Secure Access Service Edge (SASE); others call it Zero Trust Edge, or ZTE. It is not a standard; rather, every vendor has a different interpretation of it. According to NIST's SP 800-207, the central component of Zero Trust is the Policy Enforcement Point, a centralized location for enforcing access control. The decision to grant or deny access is made by taking into consideration different inputs, called data sources. These include IdAM systems, endpoint monitoring tools, threat intelligence, SIEM, etc. Once a decision is made, it is valid only for a reduced timeframe. Therefore, the implementation must have a continuous assessment capability, where risk is continuously monitored and access is re-evaluated. Hence the need for increased automation in the collection and analysis of this information.

Many consider trust itself to be a new vulnerability. In traditional setups, where internal traffic is considered safe, trust is inherent, and therefore it is a vulnerability inside the network. To mitigate that, Zero Trust comes with a few basic principles:

  • Do not trust the office location. You no longer assume that a connection must be allowed just because it is made inside the LAN, local to local. Rather, many checks are implemented to logically isolate these resources as long as they are not verified. For example, once a user is present in the network, they are placed in an exception network with access only to certain limited resources. Once their device is deemed secure and healthy, and they have passed authentication, they can be granted access to the office network through VPN.
  • Use dynamic policies based on risk and other factors. Firewall rules that block or allow based on ports must be minimized and replaced with dynamic, ever-changing policies. These can incorporate data from different sources to assess the risk that the resource presents. A positive security model is used to allow only known, legitimate resources.
  • Verify trust continuously through continuous monitoring and enforcement. The ZT model needs to be responsive to changes that happen on the resources. For example, as soon as a device fails the health check, it should be placed in an isolation network. Automation can be added to contact the user when this happens so they can rectify the anomaly.
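The decision flow described above (data-source inputs combined at a central decision point, a decision that is valid only for a short window, an exception network for unverified users and an isolation network after a failed health check) as an added example, not code from the original article. Field names, the 5-minute validity window and the risk threshold are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed inputs from the data sources the article lists (hypothetical field names).
@dataclass
class Signals:
    user_authenticated: bool  # from the IdAM system
    mfa_passed: bool          # from the IdAM system
    device_healthy: bool      # from endpoint monitoring
    risk_score: int           # from SIEM / threat intelligence, 0 (low) to 100 (high)

@dataclass
class Decision:
    grant: bool
    network: str              # "office", "exception" or "isolation"
    expires_at: datetime      # a decision is valid only for a short window

DECISION_TTL = timedelta(minutes=5)   # assumed re-assessment interval
RISK_THRESHOLD = 50                   # assumed cut-off for the SIEM/TI risk score

def decide(s: Signals, now: datetime) -> Decision:
    """Policy decision: combine the signals into a time-limited access decision."""
    expires = now + DECISION_TTL
    if not s.device_healthy:
        # Failed health check: quarantine, whatever the identity checks say.
        return Decision(False, "isolation", expires)
    if not (s.user_authenticated and s.mfa_passed):
        # Present on the LAN but unverified: limited exception network only.
        return Decision(False, "exception", expires)
    if s.risk_score >= RISK_THRESHOLD:
        # Verified identity but elevated risk: hold in the exception network.
        return Decision(False, "exception", expires)
    return Decision(True, "office", expires)

def reassess(current: Decision, s: Signals, now: datetime) -> Decision:
    """Continuous assessment at the enforcement point: renew the decision when it
    has expired or when fresh signals would place the session elsewhere."""
    if now >= current.expires_at or decide(s, now).network != current.network:
        return decide(s, now)
    return current

if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    session = decide(Signals(True, True, True, 10), t0)
    print(session)  # granted, office network, expires at 09:05
    # One minute later the endpoint agent reports the device as unhealthy.
    session = reassess(session, Signals(True, True, False, 10), t0 + timedelta(minutes=1))
    print(session)  # revoked, isolation network
```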

The main benefit of a Zero Trust architecture is reduced risk through a minimized attack surface. This helps keep the network, and the resources that use it, in a healthy state.

Good evening, dear friend. Keep up the good work. Try to visit a big IT-Cybersecurity trade show in Germany, Itsa-Nuernberg 2023 in October, so we can meet, inshallah. Bravo. Keep up the good work.
