IT Security at a glance (Zero-Trust Model) – An Executive’s Quick Guide
This guide is meant to give the board of directors and executive management a quick glance at what is meant by the Zero-Trust Model as part of the Information Technology (IT) Security landscape, without going too much into IT jargon that tends to complicate simple concepts.
What is Zero-Trust Model?
Traditional security models operate on the outdated assumption that everything inside an organization’s network can be trusted. Under this trust model it is assumed that a user’s identity has not been compromised and that all users act responsibly. The Zero-Trust model treats this assumption as a major vulnerability in the environment: once on the network, users – including threat actors and malicious insiders – are free to move laterally and access whatever data they have not been explicitly barred from.
Zero-Trust is a security model based on the principle of maintaining strict access controls and not trusting anyone by default, even those already inside the network perimeter. It is a model based on the principle of never trust – always verify. This security approach protects an organization by managing and granting access based on the continual verification of identities, devices and services.
What Zero-Trust is not
Zero-Trust is not a technology but a model with which an organization can beef up their security posture. Zero-Trust is not a replacement for a VPN. Moreover, Zero-Trust and a VPN might not even complement one another.
Zero-Trust consists of a set of technologies that facilitate constant trust evaluation and control of identities, devices and services.
What are the main Zero-Trust security Principles?
Zero-Trust continuously verifies user identity and privileges as well as device identity and security. Logins and connections time out periodically once established in order to force users and devices to be continuously re-verified.
Least privilege access means giving users only as much access as they need. This approach minimizes a user’s exposure to sensitive parts of the network where they are not supposed to be.
Implementing least privilege involves careful management of user permissions and frequent review of those permissions.
Device authorization enforces strict controls on devices accessing the environment. The system needs to monitor how many devices are trying to access an organization’s network, ensure that every device that accesses the network has been authorized, and assess all devices to make sure that they have not been compromised.
Segmentation is the practice of breaking up the security perimeter into small zones to maintain separate access for separate parts of the network and secure them individually.
Lateral movement is when an attacker moves within a network after gaining access to it. This can be difficult to detect even after an attacker’s entry point has been discovered, because the attacker might have gone on to compromise other parts of the network.
Zero-Trust is designed to contain attackers so they cannot move laterally, because of segmentation and the need to periodically re-establish the trust between the user and the network.
Multi-factor authentication (MFA) requires more than one piece of evidence to authenticate a user; entering a password is no longer enough to gain access. The most commonly used form of MFA is 2-Factor authentication. With 2-Factor authentication a code is sent to another device, such as a mobile phone, and the user must enter that code in addition to providing a password. This provides two pieces of evidence that you are who you say you are.
What are the three main concepts of Zero-Trust?
The three main concepts in a Zero-Trust network are:
The concept of least privilege is key in minimizing any security loopholes. This goes hand in hand with Multifactor Authentication. Segmentation plays a key role in limiting the area within which a user is permitted to work.
Device authentication and authorization are crucial in ensuring that only known devices can access the network.
A trust score is a computed score in which the application, the device and the score itself are bound together to form an agent. A policy is then applied to the agent in order to authorize the request.
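The principles and concepts above (continuous re-verification with session timeouts, least privilege by role, device authorization and posture, segmentation, MFA and a computed trust score applied to an agent) can be pictured as one policy decision. The following is an added illustration, not code from the article or from any Zero-Trust product; the segment policy table, the trust-score weights and the 15-minute re-verification interval are assumptions chosen for the example.

```python
"""Toy Zero-Trust policy decision point (added example, not from the article)."""
from dataclasses import dataclass
import time

SESSION_TTL_SECONDS = 15 * 60  # hypothetical interval after which MFA must be repeated


@dataclass
class Device:
    device_id: str
    enrolled: bool    # known to the organization (device authorization)
    compliant: bool   # passed its posture check (not believed compromised)


@dataclass
class Identity:
    user: str
    roles: set
    mfa_verified_at: float  # unix time of the last successful MFA; 0.0 if never


@dataclass
class Agent:
    """The article's 'agent': identity + device + requested application + trust score."""
    identity: Identity
    device: Device
    application: str
    trust_score: int = 0


# Hypothetical policy: each application sits in a network segment and lists the
# roles allowed into it plus the minimum trust score the request must carry.
SEGMENT_POLICY = {
    "hr-payroll": {"segment": "hr", "roles": {"hr-admin"}, "min_score": 80},
    "wiki": {"segment": "corp", "roles": {"staff", "hr-admin"}, "min_score": 40},
}


def compute_trust_score(agent, now):
    """Assumed weights: enrolled device 30, compliant device 30, fresh MFA 40."""
    score = 0
    if agent.device.enrolled:
        score += 30
    if agent.device.compliant:
        score += 30
    if now - agent.identity.mfa_verified_at < SESSION_TTL_SECONDS:
        score += 40
    return score


def authorize(agent, now=None):
    """Evaluate one request. Returns (allowed, reason); nothing is trusted by default."""
    now = time.time() if now is None else now
    policy = SEGMENT_POLICY.get(agent.application)
    if policy is None:
        return False, "unknown application: deny by default"
    if not agent.device.enrolled:
        return False, "device not authorized"
    if now - agent.identity.mfa_verified_at >= SESSION_TTL_SECONDS:
        return False, "MFA expired: re-verification required"
    if not (agent.identity.roles & policy["roles"]):
        return False, "role not permitted in segment %s" % policy["segment"]
    # Device posture is not a hard deny here: it lowers the score, so a
    # non-compliant device may still reach low-sensitivity segments only.
    agent.trust_score = compute_trust_score(agent, now)
    if agent.trust_score < policy["min_score"]:
        return False, "trust score %d below %d" % (agent.trust_score, policy["min_score"])
    return True, "allowed into segment %s with score %d" % (policy["segment"], agent.trust_score)


if __name__ == "__main__":
    now = time.time()
    alice = Identity("alice", {"hr-admin"}, mfa_verified_at=now - 60)
    laptop = Device("laptop-1", enrolled=True, compliant=False)
    print(authorize(Agent(alice, laptop, "wiki"), now))        # allowed, score 70
    print(authorize(Agent(alice, laptop, "hr-payroll"), now))  # denied, 70 < 80
```

The point the example makes for a board audience is that every request is re-evaluated against identity, device and segment at once, and that a stale MFA or an unknown device is a deny even for a user whose role would otherwise qualify.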
Why do we need Zero-Trust?
The environment in which we work and operate has changed significantly in the last few years, especially since the COVID-19 pandemic, during which most people were forced to work remotely. The manner in which we interact with each other and with our devices has also changed. Some digital transformation initiatives have introduced unintended security loopholes that the traditional security architecture and solutions cannot address. The organization no longer has control over a closed network.
The increased use of cloud platforms that support a variety of devices and networks has provided us a more effective and flexible work environment, but it has also increased the chances of bad actors taking advantage of the upheaval to significantly increase user account infiltrations. This is mainly because traditional or legacy security solutions are limited in their ability to address cloud security. Legacy security solutions rely on a closed perimeter security model that assumes that all applications are delivered from the same network location and that all users are accessing those applications from the same entry point.
Zero-Trust provides security anywhere and everywhere, on whatever device you choose to use. It also gives an organization the ability to secure both cloud and on-premises environments.
How do you build a Zero-Trust architecture?
Organizations must segregate systems and devices according to the type of access they allow and the categories of information that they process. These network segments can then serve as the trust boundaries that allow other security controls to enforce the zero trust philosophy.
Multifactor authentication provides added assurance of identity and protects against credential theft. Deploying role-based access control allows applications to limit access in a manner that enforces the principle of least privilege.
The created network segments should be locked down and access between segments or networks should be limited to only the traffic that is required to meet business needs. Note that least privilege is applicable to users, devices and networks.
Organizations should add application inspection technologies to their existing firewall deployments. This will ensure that traffic being passed over a connection has the appropriate content. For example, application context controls can verify that outbound Domain Name System (DNS) traffic actually corresponds to queries and responses and is not being abused by an attacker to steal sensitive information.
Implementation of a Security Information and Event Management (SIEM) solution will allow for rapid correlation of massive quantities of security information and provide you with a centralized view of the data.
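The two passages above describe application inspection (checking that DNS traffic really consists of ordinary queries and responses) and centralized correlation of security data. The following added example, which is not code from the article or from any firewall or SIEM product, applies both ideas to a few constructed DNS query log lines: it scores each query on shape alone and then correlates queries per client and domain. The thresholds, the log format and the sample lines are assumptions made for the example.

```python
"""Application-layer DNS inspection over query logs (added example, not from the article)."""
import math
from collections import defaultdict

# Constructed sample log, one query per line: "<time> <client> <queried name> <type>".
# The last three lines are invented to look unlike normal lookups; none of this is real traffic.
SAMPLE_LOG = """\
2024-05-01T09:00:01 10.0.0.12 www.example.com A
2024-05-01T09:00:02 10.0.0.12 mail.example.com MX
2024-05-01T09:00:03 10.0.0.12 www.example.org A
2024-05-01T09:00:05 10.0.0.40 3f9a1c7e2b8d4e6f0a1b2c3d4e5f6a7b9c0d.bad-example.net TXT
2024-05-01T09:00:06 10.0.0.40 9c8b7a6f5e4d3c2b1a0f9e8d7c6b5a4f3e2d.bad-example.net TXT
2024-05-01T09:00:07 10.0.0.40 0a1b2c3d4e5f60718293a4b5c6d7e8f9a0b1.bad-example.net TXT
"""

# Hypothetical thresholds; a real deployment tunes these against its own baseline.
MAX_NAME_LEN = 50              # ordinary host names are far shorter than this
MIN_LABEL_FOR_ENTROPY = 20     # only judge entropy on labels long enough to be meaningful
ENTROPY_THRESHOLD = 3.5        # bits per character; dictionary-word labels sit well below
MAX_SUBDOMAINS_PER_DOMAIN = 3  # distinct names under one domain from one client


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Naive registered domain: the last two labels (a real tool would use the public suffix list)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def inspect_query(qname, qtype):
    """Return the reasons one query looks unlike a normal lookup; an empty list means clean."""
    reasons = []
    leftmost = qname.split(".")[0]
    if len(qname) > MAX_NAME_LEN:
        reasons.append("name length %d exceeds %d" % (len(qname), MAX_NAME_LEN))
    if len(leftmost) >= MIN_LABEL_FOR_ENTROPY and shannon_entropy(leftmost) > ENTROPY_THRESHOLD:
        reasons.append("high-entropy leftmost label")
    if qtype in ("TXT", "NULL") and len(leftmost) >= MIN_LABEL_FOR_ENTROPY:
        reasons.append("%s query carrying a long leftmost label" % qtype)
    return reasons


def inspect_log(text):
    """Correlate a whole log: {client: [(name, reasons), ...]} for anything worth an analyst's look."""
    flagged = defaultdict(list)
    seen = defaultdict(lambda: defaultdict(set))  # client -> domain -> distinct names queried
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash the pipeline
        _ts, client, qname, qtype = parts
        seen[client][registered_domain(qname)].add(qname)
        reasons = inspect_query(qname, qtype)
        if reasons:
            flagged[client].append((qname, reasons))
    # Volume check across queries: many distinct names under one domain from one client.
    for client, domains in seen.items():
        for domain, names in domains.items():
            if len(names) >= MAX_SUBDOMAINS_PER_DOMAIN:
                flagged[client].append((domain, ["%d distinct subdomains queried" % len(names)]))
    return dict(flagged)


if __name__ == "__main__":
    for client, findings in inspect_log(SAMPLE_LOG).items():
        for name, reasons in findings:
            print(client, name, "; ".join(reasons))
```

Run as written, the ordinary lookups from 10.0.0.12 produce nothing, while each of the three queries from 10.0.0.40 is flagged on its own and the client is flagged again for the number of distinct names under one domain. That second finding is the kind of cross-event correlation a SIEM performs over data a single firewall rule cannot see.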
Zero-Trust is a security model based on the principle of maintaining strict access controls and not trusting anyone by default, even those already inside the network perimeter. The concept of Zero-Trust must not be taken in the literal sense that users are not trusted, but rather as a model of modernized, enhanced security. Bad actors are infiltrating our organizations and it is up to us to ensure that we secure our assets.
It's not a question of if, but when, a data breach will happen. Hackers grow more sophisticated in their attacks and threaten everything from intellectual property to financial information to your customers' Personally Identifiable Information (PII). The old model of the high, guarded perimeter with the trusted internal network no longer functions as a secure model. Zero-Trust offers a more comprehensive approach to today’s data security needs.
“There are only two types of data that exist in your organization: data that someone wants to steal and everything else.” – Forrester Research