Zero Trust Architecture

An introduction to Zero Trust and what it means for cyber-security.

Introduction

Zero Trust Architecture (ZTA) is an alternative approach to information security in which implicit trust within a network is removed: every interaction is validated and verified before access is granted. This strategy compensates for the fact that the risk may already be inside the network. The outdated assumption that a device, user or system can be trusted simply because it is inside the network is no longer valid today [1].

Instead, ZTA aims to redefine cyber security by compensating for risks already inside the network. In older security models, implicit trust meant that malicious threat actors could move laterally or even vertically once inside [1]. ZTA aims to rectify this flaw.


Zero Trust Principles

According to NIST 800-207, ZTA includes the core principles listed below:

  • Continuous Verification: Never trust, always verify, at all times and for all resources, users, devices and systems. Verification must be applied continuously, without exception.

  • Minimise the "blast radius": Minimise the impact of any breach, whether internal or external, should one occur. This can be achieved, for example, through the principle of least privilege, where accounts or users are granted only the minimum access required to carry out their tasks.

  • Automate context collection and response: Gather as much data as possible in order to make the best decisions, provided it can be acted upon in real time. Sources can include user credentials, threat intelligence and endpoints [2].


Implementing Zero Trust

  • Zero Trust must be implemented properly. To do this, all users, devices, systems, services and networks must be known, evaluated and assessed, typically via asset discovery. Determining which assets are of high value and which are at risk is the most important step in developing appropriate measures to counter adverse events.

  • Once the assets are known, a risk assessment should be conducted. This will help in deciding, for each asset, whether its risk should be mitigated, protected against, avoided or transferred. Not all assets are as easily transferable to ZTA (legacy services, for instance); where possible, one should opt for services with inherent support for zero trust [3].

  • Furthermore, where practical, established standards such as OAuth 2.0 and SAML should be used, as they are widely adopted and verified to work [3].


Key Concepts

The main concept to remember is that the network should be treated as already compromised, and therefore hostile. Trust is removed from the network until it is verified, and every request is continuously verified against policy or permissions. As a result, monitoring will need to be increased, along with the detection of malicious activity by a threat actor. Removing trust from the network promotes greater confidence in the network [3].
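The principles above (continuous verification, least privilege and context collection) and the per-request verification described here can be illustrated with a small policy decision point. This is an added example, not code from the article or from NIST; the policy grants, the 15-minute re-authentication limit and the flagged address are constructed assumptions.

```python
from dataclasses import dataclass

# Added illustration of a Zero Trust policy decision point: every request carries
# context (user, device posture, recency of strong authentication, source address)
# and is evaluated against an explicit, least-privilege policy. All values are made up.

MAX_AUTH_AGE_S = 900  # assumed policy: re-verify identity every 15 minutes

# Explicit grants only, as (user, resource, action); anything absent is denied.
POLICY = {
    ("alice", "payroll-db", "read"),
    ("alice", "payroll-db", "write"),
    ("bob", "payroll-db", "read"),
}

# Constructed threat-intelligence feed: one flagged source address (RFC 5737 range).
FLAGGED_SOURCES = {"198.51.100.23"}


@dataclass(frozen=True)
class Request:
    user: str
    resource: str
    action: str
    src_ip: str
    device_compliant: bool  # endpoint posture reported by device management
    auth_age_s: int         # seconds since the user last completed strong authentication


def decide(req: Request) -> tuple[bool, str]:
    """Evaluate one request. Default deny; checks run in order and the first failure wins."""
    if req.src_ip in FLAGGED_SOURCES:
        return False, "source address flagged by threat intelligence"
    if not req.device_compliant:
        return False, "device posture non-compliant"
    if req.auth_age_s > MAX_AUTH_AGE_S:
        return False, "strong authentication too old, re-verify"
    if (req.user, req.resource, req.action) not in POLICY:
        return False, "no explicit grant for this user/resource/action"
    return True, "allowed"


def enforce(requests: list[Request]) -> list[tuple[bool, str]]:
    """Policy enforcement point: there is no session cache, so each request is
    re-evaluated. A request allowed a moment ago is denied once its context degrades."""
    return [decide(r) for r in requests]
```

Because `enforce` never caches a previous decision, the same user on the same resource is cut off the moment the device falls out of compliance or the authentication ages out, which is the behaviour "continuous verification" asks for.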


Summary

  • ZTA is a new way of implementing information security, and promotes greater levels of monitoring and detection of potentially malicious activity from within the network. It is imperative to acknowledge, however, that maintaining cyber hygiene remains important, and that not all assets may need transitioning to ZTA or have inherent support for it.

