To trust or not to trust? “Zero Trust” for maximum security By Neelesh Kripalani, Chief Technology Officer, Clover Infotech

Today’s organizations need a new security model that effectively adapts to the complexities of the modern environment, embraces the mobile workforce, and further protects people, devices, apps, and data irrespective of their location. This is where Zero Trust model comes in.

Zero Trust is extremely effective in reducing security incidents, as it implements the ‘deny all, allow some’ principle even within a trusted environment.

The original Zero Trust model of cybersecurity was developed by Forrester in 2010, but not fully embraced until Google successfully developed and implemented their version of Zero Trust, Beyond Corp, almost six years later. In 2019, Gartner, a global research and advisory firm, listed zero trust security access as a core component of secure access service edge (SASE) solutions.

To trust or not to trust?

In the Zero Trust paradigm, the answer is not to trust anyone. The Zero Trust approach to cybersecurity states that access should only be granted after a user is verified and only to the extent needed to perform a particular task.

“Zero Trust” explained

Zero Trust is a security framework requiring all users, whether in or outside the organization’s network, to be authenticated, authorized, and continuously validated for security configuration and posture before being granted or keeping access to applications and data. It also requires the ability to enforce granular policy controls based on the results of that health check. Basically, you cut off all access until the network knows who’s trying to connect. Don’t allow access to IP addresses, machines, etc. This approach depends on visibility into whether basic device and network security standards are met.

Simply put, based on the principle of verified trust (i.e. in order to trust, you must first verify), Zero Trust eliminates the inherent trust that is assumed inside the traditional corporate network.

Benefits of Zero Trust

Why ’Zero Trust’, you may ask. Without assumed trustworthiness, the network is more secure. If the organization is under cyber-attack, the virus can’t move laterally throughout the network since that movement is also regulated.

The ‘Zero Trust’ framework entails:

ü  Increased monitoring and alerting

ü  Improved end-user experience

ü  Enhanced data security

ü  Reduced time for breach detection

ü  Less vulnerability

ü  Streamlined compliance

Key technologies for Zero Trust model

1. Privileged Access Management (PAM) refers to systems that securely manage the accounts of users who have elevated permissions to critical, corporate resources.
2. Identity and Access Management (IAM), which is a framework of policies and technologies for ensuring that the right users have the appropriate access to technology resources.
3. Multi-factor Authentication (MFA) i.e. in addition to entering a password, users must also enter a code sent to another device, such as a mobile phone, thus providing two pieces of evidence that they are who they claim to be.
4. Network Detection and Response (NDR) solutions that enable organizations to monitor network traffic for suspicious behaviour and respond to the detection of cyber threats.
5. Micro-segmentation – A security technique that involves dividing perimeters into small zones to maintain separate access to every part of the network in order to contain attacks.

What are the core principles of the Zero Trust model?

Principles of ‘Zero Trust’ are built on inherently not trusting users, devices, networks, and access to sensitive resources based on any single one of those identity types and their associated attributes.

1. Verify explicitly i.e. authenticated access to all resources based on all available data points, including user identity, location, device health etc.
2. Use least privilege-controlled access i.e. limit user access with just-in-time and just-enough-access (JIT/JEA), risk-based adaptive polices, and data protection
3. Assume breach and employ a variety of preventative techniques that touch on identity, endpoint, data, and application access

Challenges of Zero Trust

• Time and effort to set up is high as reorganizing policies within an existing framework can be a tedious task.
• Hybrid work model is a complex one to implement with several logistical hurdles. Adding Zero Trust at this time adds another layer of complexity.
• Legacy technology is holding back several organizations by hindering their digital transformation efforts. Typically, older legacy systems are not compatible with a Zero Trust model as they cannot offer the level of control, verification, or authentication that Zero Trust demands.
• Configuration challenges, especially with third-party tools/applications as not all of them provide means for deploying the principle of least privilege, which is the core of Zero Trust policy.

Wrapping up

Zero Trust is not easy to implement, but it’s achievable. Organizations don’t have to apply all of the Zero Trust principles simultaneously. They can start implementing a Zero Trust architecture with small steps such as proper user verification mechanisms and grant your users only the privileges they truly need at the moment.

The benefits of implementing a Zero Trust framework go far beyond security. It ranges from improving visibility, to increasing productivity and making better use of your IT resources. While it may not be a complete silver bullet, it gives a fair chance to organizations to contain security incidents before they become catastrophic breaches.