Cyber threats continue to grow and attract significant attention from governments and industries alike. The dramatic increase in remote working and the explosion of connected devices adds to the challenge and has rendered traditional security approaches increasingly unacceptable.
This is all leading to a significant increase in the use of zero trust security measures. Fundamentally, it is crucial to understand that zero trust is not a single solution. It is an approach to security, where access to resources is not granted by default; instead, access is allowed by verifying and validating attributes associated with the entity requesting access. It is an approach that touches on many facets of an organization’s technology. Zero trust means nothing unless an organization has its foundation of security already implemented.
Broadly speaking, there are two main branches for zero trust – network controls and user controls. These two branches can, of course, be combined.
Network controls predominantly focus on network segmentation, breaking the traditional trusted zones down into smaller segments. However, their effectiveness depends on how well the organization maintains an accurate understanding of which devices need to talk to which; this is a challenge and an ongoing overhead to maintain. Segmentation of this kind is more common in on-prem environments, where network segments can remain large. Micro-segmentation secures machine-to-machine or process-to-process interactions at a much more granular level, especially as cloud services are adopted. Both network segmentation and micro-segmentation are focused on segmenting the critical applications within an environment.
The resources users need to access are much more dispersed and distributed, leaving limited options to segment the network; therefore, zero trust controls are predominantly driven by user identity and the attributes associated with that user. Strong authentication, risk-adaptive authentication, and security posture checking are options to establish trust. Validation of the user expands beyond standard authentication and instead leverages additional attributes associated with the user, for example the location they are connecting from and the security posture of the device they are using.
Fundamental to any zero trust approach are the entitlements on the resources being accessed. Suppose entitlements to data and applications are wrong, outdated, or overly permissive. In that case, organizations risk leaving their data exposed regardless of how effective or sophisticated their zero trust controls are.
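The two preceding paragraphs describe a decision that combines identity attributes, device posture, location and the resource's own entitlements, denying by default. The following is an added example, not code from the article, of a small policy decision point that makes that decision in that order. All class names, the `ALLOWED_COUNTRIES` list, the 90-day entitlement review window and the sample users, devices and resource are constructed assumptions for illustration; a real deployment would take these values from its identity provider, device management and IGA systems.

```python
"""Illustrative zero trust policy decision point (constructed example).

Every request is denied by default; access is granted only when the
resource entitlement, device posture, location and authentication
strength all check out. An entitlement that has not been reviewed
within MAX_REVIEW_AGE is treated as lapsed, so stale access rights
cannot be rescued by a trusted user on a trusted device.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    STEP_UP = "step_up"  # require stronger authentication, then re-evaluate


@dataclass(frozen=True)
class Subject:
    user: str
    groups: frozenset          # group memberships from the identity provider
    auth_methods: frozenset    # e.g. {"password", "mfa"}


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool              # enrolled in device management
    disk_encrypted: bool
    os_patched: bool


@dataclass(frozen=True)
class Context:
    country: str               # ISO country code derived from the connection
    on_known_network: bool     # corporate network vs. unknown (e.g. home) network


@dataclass(frozen=True)
class Resource:
    name: str
    sensitivity: str           # "low" or "high" (assumed classification scheme)
    entitlements: dict         # group -> date the entitlement was last reviewed


# Assumed policy parameters for this example.
ALLOWED_COUNTRIES = frozenset({"GB", "US"})
MAX_REVIEW_AGE = timedelta(days=90)


def device_compliant(device: Device) -> bool:
    """Minimal posture check: managed, encrypted and patched."""
    return device.managed and device.disk_encrypted and device.os_patched


def current_entitlements(resource: Resource, today: date) -> set:
    """Entitlements not reviewed within MAX_REVIEW_AGE are considered lapsed."""
    return {group for group, reviewed in resource.entitlements.items()
            if today - reviewed <= MAX_REVIEW_AGE}


def evaluate(subject: Subject, device: Device, context: Context,
             resource: Resource, today: date) -> tuple:
    """Return (Decision, reason). Checks are ordered so that a wrong or stale
    entitlement fails first: identity and device trust never override it."""
    if not (subject.groups & current_entitlements(resource, today)):
        return Decision.DENY, "no current entitlement on resource"
    if not device_compliant(device):
        return Decision.DENY, "device fails posture check"
    if context.country not in ALLOWED_COUNTRIES:
        return Decision.DENY, f"connections from {context.country} not permitted"
    # Risk-adaptive authentication: high-sensitivity resources and unknown
    # networks both require MFA; a password-only session is asked to step up.
    needs_mfa = resource.sensitivity == "high" or not context.on_known_network
    if needs_mfa and "mfa" not in subject.auth_methods:
        return Decision.STEP_UP, "stronger authentication required"
    return Decision.ALLOW, "entitlement, device, location and authentication verified"


# Constructed sample data used when the module is run directly.
TODAY = date(2024, 6, 1)
PAYROLL = Resource("payroll", "high",
                   {"finance": date(2024, 5, 1),       # reviewed recently
                    "contractors": date(2023, 1, 1)})  # review lapsed
WIKI = Resource("wiki", "low", {"staff": date(2024, 5, 15)})
GOOD_LAPTOP = Device("lap-001", managed=True, disk_encrypted=True, os_patched=True)
HOME_PC = Device("home-pc", managed=False, disk_encrypted=False, os_patched=True)
ALICE = Subject("alice", frozenset({"finance", "staff"}), frozenset({"password", "mfa"}))
BOB = Subject("bob", frozenset({"contractors", "staff"}), frozenset({"password"}))
OFFICE = Context("GB", on_known_network=True)
HOME = Context("GB", on_known_network=False)

if __name__ == "__main__":
    for who, dev, ctx, res in [(ALICE, GOOD_LAPTOP, OFFICE, PAYROLL),
                               (BOB, GOOD_LAPTOP, OFFICE, PAYROLL),
                               (ALICE, HOME_PC, HOME, PAYROLL),
                               (BOB, GOOD_LAPTOP, HOME, WIKI)]:
        decision, reason = evaluate(who, dev, ctx, res, TODAY)
        print(f"{who.user} -> {res.name}: {decision.value} ({reason})")
```

The ordering is the point: Bob's lapsed `contractors` entitlement on payroll is denied before his device or location is even considered, and Alice, who holds a current entitlement and MFA, is still refused from an unmanaged home PC. Running the module prints one decision line per sample request.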
With the combination of heightened adoption of cloud services and remote working in the “connected home,” companies are extending their corporate attack surface. They need to act quickly to rethink their approach to security. Security perimeters and network boundaries are being torn down as employees continuously interact and share data both on-prem and in the cloud. The cosy office, with its physical security controls and the natural oversight that comes with them, has gone.
Visibility of access controls, and of which services an organization is consuming, is critical to a company’s security. As cloud service use grows among remote employees, employers are often not even aware of the cloud services that have been adopted. If an employee is accessing a service that meets the criteria for trusted status, but the user entitlements are incorrect, or the data is openly accessible to users of the service, then the service and the data held in it are still not secure. This is a common misinterpretation of the security offered by cloud services and applications.
Companies should consider the following when adopting zero trust:
- What services are being consumed, and how do users and processes interact with them?
- How are identities and devices being managed within the environment, and are they consistently managed across all services?
- What attributes of these identities and devices can be leveraged to establish trust?
- What entitlements do those identities have, and are they correct?
- What processes do you operate to ensure identities, devices and entitlements remain current?
There are fundamentals that organizations will especially need to focus on to make zero trust initiatives effective. First, organizations should ensure they have full visibility of their data: knowing what their data is, where it resides, who has access to it and how it is protected. Second, companies should focus on their identity management. Third, it is vital to identify the SaaS services being consumed throughout the organization and which identity governance and administration (IGA) controls protect those services. Lastly, organizations should recognize that Secure Access Service Edge (SASE) will continue to be an essential piece of the puzzle as businesses look to secure their connectivity and access to cloud services.
Ultimately, organizations will find that these foundational controls and measures will determine if their adoption of zero trust successfully achieves their security goals.