TRUST NOTHING, SUSPECT EVERYTHING - SIX STEPS TO EFFECTIVE ZERO TRUST ARCHITECTURE
What is Zero Trust Architecture?
Traditional cyber security models share one core flaw: they assume that a business's internal network cannot be compromised and that every user already inside it can therefore be trusted. The increasing sophistication of cyber attacks - Guy Fawkes masks notwithstanding - means that no organisation can consider itself truly safe. Firms also need to guard against internal exploitation, whether deliberate or accidental, because an insider who is already past the perimeter meets few further controls and can do a great deal of damage.
Zero Trust Architecture is, in essence, a response to this problem. The approach can be summarised as: trust no one, inside or outside your organisation, until each request has been verified against policy; being on the internal network earns nothing. In an interview with SecurityRoundTable.org, John Kindervag, who created the Zero Trust model, describes it aptly: “In a Zero Trust world, there are no trusted devices, systems, or people. This doesn’t mean that people are fundamentally untrustworthy; it means that they generate data packets which appear to be coming from them–and sometimes it isn’t them... Instead of examining the user’s physical location or the originating network, a Zero Trust framework examines information about the device, its current state, and who is using it.”
There is never going to be a way to make a network totally secure, but the Zero Trust model is arguably the closest that cyber security teams can get in terms of assurance. Zero Trust Architecture refers to root-and-branch cyber security throughout the organisation and to how controls can be applied to protect a business at every level.
What are the five principles of Zero Trust and how do Zero Trust Models work?
Rather than the traditional structure, which divides a network into firewalled zones with varying levels of trust, a Zero Trust model works in a significantly different way, following the five key principles outlined in the accompanying infographic. A control plane makes the access decisions for the wider architecture, the data plane, which carries the actual traffic to resources. Every request for access goes through the control plane, where the requester is authenticated and the request is authorised against policy. Whether it is granted can depend on a number of factors beyond identity, such as device type and health, job role, purpose of access and even time of day or device location.
If approved, the control plane instructs the data plane to admit that specific user or device to that specific resource, and only for that session. For added security, the control plane can itself generate and manage the credentials for that access, such as short-lived or one-time login credentials or access keys, delivered to the user over an encrypted channel, so that a credential captured later is of little use.
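The control plane / data plane split described above, written out as an added example (constructed for this page, not code from the article or any Zero Trust vendor). The control plane evaluates every request against a sample policy covering role, MFA, device posture and time of day, and on approval mints a short-lived HMAC-signed grant bound to the user, device and resource. The data-plane gateway admits traffic only when that grant verifies; it holds no policy logic of its own. The policy table, resource names, the shared key and the 300-second lifetime are all assumptions made for the demonstration.

```python
"""Added example: toy Zero Trust control plane and data-plane gateway.

Constructed for illustration. The control plane decides; the gateway enforces.
A real deployment would use asymmetric keys or mTLS between the two rather
than a shared secret, but the division of responsibility is the point.
"""
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumption: key provisioned out of band to both control plane and gateway.
CONTROL_PLANE_KEY = b"constructed-demo-key"
GRANT_TTL_SECONDS = 300


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    device_id: str
    device_managed: bool   # enrolled in device management / has a device cert
    device_patched: bool   # posture attribute reported by the endpoint agent
    mfa_passed: bool
    resource: str
    hour_utc: int          # hour of day, 0-23


# Constructed sample policy: per resource, permitted roles, hours and posture.
POLICY = {
    "hr-payroll": {"roles": {"hr", "finance"}, "hours": range(7, 20), "managed_only": True},
    "wiki": {"roles": {"hr", "finance", "engineering", "intern"}, "hours": range(0, 24), "managed_only": False},
}


def decide(req: AccessRequest) -> Tuple[bool, str]:
    """Control-plane policy decision. Every check must pass. Note that the
    request carries no source IP: network location is not an input."""
    rule = POLICY.get(req.resource)
    if rule is None:
        return False, "unknown resource"
    if not req.mfa_passed:
        return False, "mfa required"
    if req.role not in rule["roles"]:
        return False, f"role {req.role!r} not permitted for {req.resource}"
    if rule["managed_only"] and not (req.device_managed and req.device_patched):
        return False, "device posture insufficient"
    if req.hour_utc not in rule["hours"]:
        return False, "outside permitted hours"
    return True, "allowed"


def _sign(claims: dict) -> str:
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(CONTROL_PLANE_KEY, payload, hashlib.sha256).hexdigest()


def issue_grant(req: AccessRequest, now: Optional[float] = None) -> Optional[dict]:
    """On approval, mint a short-lived grant bound to user, device and resource
    so it cannot be replayed from another device or against another resource."""
    ok, _reason = decide(req)
    if not ok:
        return None
    now = time.time() if now is None else now
    claims = {
        "user": req.user, "device": req.device_id, "resource": req.resource,
        "exp": int(now) + GRANT_TTL_SECONDS, "nonce": secrets.token_hex(8),
    }
    return {**claims, "sig": _sign(claims)}


def gateway_admit(grant: dict, device_id: str, resource: str,
                  now: Optional[float] = None) -> bool:
    """Data-plane enforcement: verify signature, expiry and binding only.
    The gateway never re-evaluates policy; it trusts nothing but the signature."""
    now = time.time() if now is None else now
    claims = {k: v for k, v in grant.items() if k != "sig"}
    if not hmac.compare_digest(_sign(claims), grant.get("sig", "")):
        return False
    if claims["exp"] <= now:
        return False
    return claims["device"] == device_id and claims["resource"] == resource


if __name__ == "__main__":
    hr = AccessRequest("alice", "hr", "dev-1", True, True, True, "hr-payroll", 10)
    grant = issue_grant(hr)
    print(decide(hr), gateway_admit(grant, "dev-1", "hr-payroll"))
```

Because the grant is bound to the device and resource and expires quickly, the same token presented from a different device, for a different resource, or after the TTL is refused at the gateway without any call back to the control plane.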
What are the benefits of Zero Trust Architecture?
Ultimately, the most important benefit of Zero Trust Architecture is that it removes the castle-and-moat mentality which had previously hampered organisations. Rather than just focusing on their perimeters and assuming internal stability, teams are forced to look inwardly for threats, improving the overall security in the network.
Zero Trust models can also streamline monitoring for cyber security staff: many solutions are cloud-based, so the vendor manages, supports, upgrades, troubleshoots and patches the platform. Because multi-factor authentication is built into the control plane, users rely far less on complex passwords (no need to alpha-numericise your sister’s cat’s name with an exclamation mark!) and are not repeatedly asked to re-authenticate during long periods of work at the same level of access. Single Sign-On (SSO) platforms can be deployed for user traffic towards common resources, with step-up authentication or a separate privileged account required for more confidential information.
Zero Trust models also give far greater visibility over network traffic, because every request is logged at the point where it is verified, so behaviour can be monitored and threats identified swiftly. As all requests, including outbound and lateral ones, must be verified by the central control plane, the approach also makes it much harder for confidential user, customer, product or service data to be sent to a command and control (C2) server outside your network. Denying attackers a working C2 channel limits what any malware that does get in can do: it can neither receive commands nor exfiltrate the data it collects.
Why is it important to use a zero-trust model?
As more and more cyber security breaches come from inside organisations, it is increasingly important for businesses to guard against data breaches. As well as being costly to resolve - on average a data breach in 2017 cost $3.6 million for affected businesses - the negative publicity which can accompany it can decimate share prices, shatter consumer-business relationships and ultimately cripple organisations.
For businesses working with sensitive data, there is always the threat of someone behaving unscrupulously for personal profit. More commonly, however, breaches are accidental, and sensitive data is leaked because junior employees have been granted privileges they do not need. The statistics already highlight the alarming frequency of this:
- Shred-It found that 47% of business leaders cited human error as the root cause of data breaches in their organisations.
- Netwrix’s 2017 IT Risks Report stated that 100% of Government workers surveyed believed their fellow employees were the most likely culprits during security breaches.
- The number of data breaches worldwide due to misconfigured databases increased by 424% between 2017 and 2018.
- In a survey conducted at the Black Hat Security Conference 2018, 84% of cyber attacks were attributed to human error.
It’s important to note that a ‘data breach’ here could be anything from one email address being shared to a situation like Aadhaar, India’s Government ID database, being breached in 2018, which resulted in 1.1 billion users’ names, bank accounts and personal identification numbers being leaked to the public.
Six Best Practice Behaviours For Organisations Using Zero Trust
Having a Zero Trust model in place is only useful if your staff understand the associated procedures and behaviours that are linked to it. Below, we’ve detailed six key elements you need to ensure your Zero Trust Architecture delivers its full potential.
1) Streamline your technologies, replacing legacy services with flexible, agile offerings – meaning you can build on strong foundations, stay compliant and adapt to any changes.
2) Educate your staff – make sure they understand their personal roles and responsibilities in terms of data. Zero Trust IS NOT a substitute for knowledge and common sense. Without the proper training, that new intern is going to keep opening those bogus emails from Netflix requesting bank details.
3) Segment your staff in line with administration and privilege levels, so control plane checks can be completed and access can be granted or denied quickly.
4) Track, manage and monitor all devices and users on your network to identify potential threats and breaches early.
5) Develop applications that account for your zero trust model – allowing you to seamlessly implement them when the time arrives.
6) Use Multi-Factor Authentication to manage access – and make sure you can wipe, lock or block stolen or lost devices, as well as compromised accounts.
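Steps 3, 4 and 6 above only pay off if someone reads what the control plane records. As an added example (constructed for this page, not the article's or any vendor's tooling), the following runs two simple detections over constructed control-plane decision logs: a principal collecting several denials in a short window (privilege probing or a stuffed credential) and a grant issued to a device never previously seen for that user (a stolen account used from elsewhere, which step 6's wipe/lock/block response should follow). The log format, field names, window and threshold are all assumptions.

```python
"""Added example: two detections over Zero Trust control-plane decision logs.

Constructed sample records and thresholds; the JSON-lines shape is an
assumption about what a control plane might emit for every decision.
"""
import json
from collections import defaultdict, deque
from typing import List, Tuple

DENY_THRESHOLD = 3      # denials within WINDOW_SECONDS that raise an alert
WINDOW_SECONDS = 120

# Constructed log: bob probes two resources he has no role for; alice is
# later granted access from a device (dev-9) she has never used before.
SAMPLE_LOG = """\
{"ts": 1000, "user": "alice", "device": "dev-1", "resource": "wiki", "decision": "allow"}
{"ts": 1010, "user": "bob", "device": "dev-3", "resource": "hr-payroll", "decision": "deny", "reason": "role"}
{"ts": 1020, "user": "bob", "device": "dev-3", "resource": "finance-db", "decision": "deny", "reason": "role"}
{"ts": 1030, "user": "bob", "device": "dev-3", "resource": "hr-payroll", "decision": "deny", "reason": "role"}
{"ts": 1500, "user": "alice", "device": "dev-9", "resource": "hr-payroll", "decision": "allow"}
{"ts": 1600, "user": "carol", "device": "dev-5", "resource": "wiki", "decision": "deny", "reason": "mfa"}
"""


def parse(log_text: str) -> List[dict]:
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def find_alerts(records: List[dict]) -> List[Tuple]:
    """Return (alert_type, user, detail) tuples in time order.

    repeated_denials fires once when a user's denial count inside the sliding
    window reaches DENY_THRESHOLD; new_device_grant fires when a user who has
    already been granted access from some device is granted it from a new one.
    The first device ever seen for a user is treated as the baseline.
    """
    alerts = []
    recent_denies = defaultdict(deque)   # user -> timestamps of recent denials
    known_devices = defaultdict(set)     # user -> devices previously granted
    for r in sorted(records, key=lambda x: x["ts"]):
        user, ts = r["user"], r["ts"]
        if r["decision"] == "deny":
            q = recent_denies[user]
            q.append(ts)
            while q and ts - q[0] > WINDOW_SECONDS:   # drop denials outside window
                q.popleft()
            if len(q) == DENY_THRESHOLD:
                alerts.append(("repeated_denials", user, ts))
        elif r["decision"] == "allow":
            seen = known_devices[user]
            if seen and r["device"] not in seen:
                alerts.append(("new_device_grant", user, r["device"]))
            seen.add(r["device"])
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(parse(SAMPLE_LOG)):
        print(alert)
```

In practice the device baseline would come from the device inventory rather than from the log itself, and the response to new_device_grant is step 6: lock or wipe the device and suspend the account until a human confirms the session.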
Zero Trust Architecture has become increasingly popular since the phrase was first coined almost ten years ago and it is easy to see why. Although some staff may not like being viewed as a ‘threat’, with the right explanation people will soon understand why this model has everyone’s best interests at heart.
However, a Zero Trust model is not a blanket solution for good cyber security – the model can only be as effective as the staff implementing and enforcing it. For those reasons, developing the right team should precede any decisions about implementing Zero Trust policies in your organisation.
If you want to find out how to implement a Zero Trust model, or you want to find a new specialist to help manage this process, then contact Via Resource today.