Zero Trust in Cyber-security
more info: https://secure2.sophos.com/en-us/security-news-trends/whitepapers/demystifying-zero-trust.aspx

What is zero trust?

Zero trust is a model and a philosophy for how to think about security and how to practise it.

No one and no thing should be automatically trusted, be it inside or outside of the corporate network, even the network itself. Implicit trust based on network location, with static defenses like a traditional firewall, must be limited.

Eventually something needs to be trusted, but with zero trust, this trust is temporary and established dynamically from multiple sources of data, more than we’ve ever used in the past, and it is constantly re-evaluated.

We have plenty of experience with untrusted networks through our daily use of the internet. Computers that face the public internet are secured in a very different manner to those inside the traditional perimeter, requiring extra scrutiny and layers of defense to protect them from external threats.

The zero trust model guides you to treat all devices as if they were internet-facing and, instead of having one single perimeter, you must create micro perimeters, applying checks and controls around everything and between everything.

The core benefits of adopting zero trust

Adopting a zero trust model brings innumerable benefits, so, to make your life easier, we’ve picked out some of the core ones.

  • Control of the entire IT estate: from inside the office all the way to the cloud platforms you use. No more lack of control outside the corporate perimeter or struggles with remote users.
  • Manage and secure all users in the same way: by no longer seeing things as inside or outside the corporate perimeter, you can treat all users in the same way. This simplifies IT security while ensuring all devices and users are treated equally.
  • Maintain security even when you don’t own or fully control the infrastructure in use: by using identity, location, device health, MFA, and overlaying monitoring and analysis, you can still have strong security across any kind of environment, platform, or service.
  • Drastically reduce the movement of malware or attackers: rather than having free rein of the entire network once inside, attackers only have access to the bare minimum of systems the compromised user could reach. Because the authenticated user is still distrusted, checks remain in place between those systems, further limiting the ability to spread.

A summary of Zero Trust


Zero trust is a big idea, and there is a lot of evolving discussion around it. At its essence, we can condense the major concepts for zero trust into several proverbs that you should keep in mind along your journey.

There is no “inside” the network

Pretend that you’re running your entire business from an untrusted location, like a coffee shop’s public Wi-Fi, and that all your devices are connected directly to the most dangerous of all networks: the public internet. By imagining this as your reality, you’re forced to apply security in ways where you can’t rely on being behind a traditional corporate perimeter.

Trust nothing, verify everything

Assume that there are attackers both inside and outside your networks, that they are there all the time, and that they are constantly attacking. No user or device should be automatically trusted; each must authenticate itself before a connection is even considered.

Security should adapt in real time

The security policies you put in place to achieve zero trust should be dynamic and automatically change based on insight from as many sources of data from as many different technologies as possible. A static policy won’t protect you if that device has been compromised while that user is on it. If your policy also took into account device health, such as the identification of malicious behaviors, your policy could use this to dynamically adapt to the situation.

Principles of zero trust

Trust nothing. Ever. For when you trust nothing, you are forced to seek relevant security measures wherever there is a risk.

Verify everything. Do not assume that passing a check naturally affords trust. Having credentials doesn’t mean you are trustable. It just means you have credentials. And credentials can be stolen.

We can break this into four simple principles to keep in mind.


Always identify

You need a single, authoritative source of identity and should use it everywhere through Single Sign-On (SSO). Everything should be authenticated, with multi-factor authentication (MFA). No matter where the user is or what they are trying to access, validate their credentials, validate that they have their second (or third) factor, and regularly require re-authentication.

Always control

Apply controls and checks wherever they are needed and adopt and enforce the principle of least privilege – users should only have access to the bare minimum they need to perform their job. If there is a human resources system only used by German staff, then only the German staff should have access. No one else should have access, even if the risk of having access is deemed low.

Always analyze

Just because an authentication was successful, or access is granted to that user or device, doesn’t mean that it is trustable. Insider threats and malicious actors may gain access to valid credentials. Record all network and system activity and regularly analyze and inspect it to verify what occurs post authentication. SIEMs (security information and event management), EDR (endpoint detection and response) as well as MDR (managed detection and response) have emerged to serve exactly this need.

Always secure

Use an “inside out” approach to cybersecurity. You should focus on your important data and work your way out, identifying points of vulnerability along your data’s journey within your network from the moment it is created until the moment it is destroyed.
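As an added illustration (not code from the article or from Sophos), the following policy decision function applies the four principles to a single access request: identity and MFA are verified, least privilege is enforced per resource, device health and session age are re-checked on every call rather than once at login, and every decision is recorded for later analysis. The resource names, groups, re-authentication interval and device signals are constructed assumptions.

```python
from dataclasses import dataclass

REAUTH_INTERVAL = 8 * 3600          # seconds before re-authentication is demanded (assumed)

# Least-privilege map: which groups may reach which resource (constructed sample data).
# Mirrors the article's example: the German HR system is reachable only by German HR staff.
RESOURCE_ACL = {
    "hr-system-de": {"hr-germany"},
    "crm": {"sales"},
}

@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool    # enrolled in management and bound to the identity source
    healthy: bool    # latest EDR/health signal: no malicious behaviour observed

@dataclass(frozen=True)
class Session:
    user: str
    groups: frozenset
    mfa_verified: bool
    authenticated_at: float   # epoch seconds of the last full authentication
    device: Device

def evaluate(session, resource, now):
    """Policy decision for one request: returns (allowed, reasons).

    Every signal is checked on every request; an earlier successful login
    grants nothing by itself, so a device that turns unhealthy mid-session
    is denied on its next request."""
    reasons = []
    if not session.mfa_verified:
        reasons.append("mfa-missing")
    if now - session.authenticated_at > REAUTH_INTERVAL:
        reasons.append("reauth-required")
    if not session.device.managed:
        reasons.append("unmanaged-device")
    if not session.device.healthy:
        reasons.append("device-unhealthy")
    if not (session.groups & RESOURCE_ACL.get(resource, set())):
        reasons.append("not-authorized")   # least privilege: no matching group, no access
    return (not reasons, reasons)

def audit_record(session, resource, now):
    """Record every decision, allow or deny, for post-authentication analysis."""
    allowed, reasons = evaluate(session, resource, now)
    return {"ts": now, "user": session.user, "device": session.device.device_id,
            "resource": resource, "decision": "allow" if allowed else "deny",
            "reasons": reasons}
```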

Once you’ve got a firm grasp of the principles of zero trust, you can begin to make the move towards it. You can read about this in the extended PDF version of the article.

How Sophos can help


While a single vendor cannot move your organization to a zero trust model, Sophos has a huge range of technologies to help you get there.

More articles by Dr. Abul Hasnat Mohsin