Cloud applications and the mobile workforce have redefined the security perimeter. Employees are bringing their own devices and working remotely. Data is being accessed outside the corporate network and shared with external collaborators such as partners and vendors. Corporate applications and data are moving from on-premises to hybrid and cloud environments. Security architectures that rely on network firewalls and virtual private networks (VPNs) to isolate and restrict access to corporate technology resources and services are no longer sufficient for a workforce that regularly requires access to applications and resources that exist beyond traditional corporate network boundaries.
Zero Trust Security Model
Instead of believing everything behind the corporate firewall is safe, the Zero Trust model assumes breach and verifies each request as though it originates from an uncontrolled network. Every access request is strongly authenticated, authorized within policy constraints and inspected for anomalies before granting access.
The National Institute of Standards and Technology (NIST) has defined Zero Trust in terms of several basic tenets:
- All resource authentication and authorization are dynamic and strictly enforced before access is allowed.
- Trust in the requester is evaluated before the access is granted. Access should also be granted with the least privileges needed to complete the task.
- Assets should always act as if an attacker is present on the enterprise network.
Zero Trust requires that every transaction between systems (user identity, device, network, and applications) be validated and proven trustworthy before the transaction can occur. In an ideal Zero Trust environment, the following behaviors are required:
- Identities are validated and secured with multifactor authentication everywhere. Multifactor authentication removes the need for password expiration and will eventually eliminate passwords altogether. The added use of biometrics ensures strong authentication for user-backed identities.
- Devices are managed and validated as healthy. Device health validation is required. All device types and operating systems must meet a required minimum health state as a condition of access to any resource.
- Telemetry is pervasive. Pervasive data and telemetry are used to understand the current security state, identify gaps in coverage, validate the impact of new controls, and correlate data across all applications and services in the environment. Robust and standardized auditing, monitoring, and telemetry capabilities are core requirements across users, devices, applications, services, and access patterns.
- Least privilege access is enforced. Limit access to only the applications, services, and infrastructure required to perform the job function. Access solutions that grant broad network access without segmentation or scoping to specific resources, such as broad-access VPN, must be eliminated.
Microsoft has distilled these Zero Trust tenets into three principles that are applied across a comprehensive control plane to provide multiple layers of defense.
- Verify explicitly - Always authenticate and authorize based on all available data points, including user identity, location, device health, service or workload, data classification, and anomalies.
- Use least privileged access - Limit user access with Just-In-Time and Just-Enough-Access (JIT/JEA), risk-based adaptive policies, and data protection to protect both data and productivity.
- Assume breach - Minimize the blast radius of a breach and prevent lateral movement by segmenting access by network, user, device, and application awareness. Verify that all sessions are encrypted end-to-end. Use analytics to gain visibility, drive threat detection, and improve defenses.
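The following is an added illustration, not code from the original article or from Microsoft: a minimal policy decision point that applies the signals listed above (MFA state, device health, least-privilege entitlements, data classification, and a location anomaly) to every request, never trusting the network a request arrives from, and records each decision as telemetry. The device registry, entitlement table and usual-country map are constructed sample data standing in for a real identity provider, MDM service and entitlement store.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed sample signals (hypothetical registries; a real deployment would query
# the identity provider, the MDM/compliance service and an entitlement store).
DEVICE_HEALTH = {"laptop-01": "healthy", "phone-07": "out-of-date"}
ENTITLEMENTS = {"alice": {"crm": {"read"}, "payroll": {"read"}},
                "bob": {"crm": {"read", "write"}}}
USUAL_COUNTRIES = {"alice": {"DE"}, "bob": {"DE", "PL"}}
AUDIT_LOG: list[dict] = []  # pervasive telemetry: every decision is recorded

@dataclass
class AccessRequest:
    user: str
    mfa: bool            # did the identity provider complete MFA for this session?
    device_id: str
    country: str
    resource: str
    action: str
    classification: str  # "public", "internal" or "confidential"

def evaluate(req: AccessRequest) -> tuple[str, list[str]]:
    """Return (decision, reasons). Network location is never used as a trust signal."""
    reasons: list[str] = []
    # Verify explicitly: strong authentication of the identity
    if not req.mfa:
        reasons.append("mfa-required")
    # Devices must be managed and in a healthy state
    if DEVICE_HEALTH.get(req.device_id) != "healthy":
        reasons.append("device-not-healthy")
    # Least privilege: the identity must be entitled to exactly this action on this resource
    if req.action not in ENTITLEMENTS.get(req.user, {}).get(req.resource, set()):
        reasons.append("not-entitled")
    # Anomaly inspection: a country never seen for this user is suspicious
    anomalous = req.country not in USUAL_COUNTRIES.get(req.user, set())
    if reasons:
        decision = "deny"
    elif anomalous and req.classification == "confidential":
        # Risk-based adaptive policy: do not block outright, require step-up authentication
        decision, reasons = "step-up", ["unusual-location-for-confidential-data"]
    else:
        decision, reasons = "allow", ["all-checks-passed"]
    AUDIT_LOG.append({"user": req.user, "resource": req.resource, "action": req.action,
                      "decision": decision, "reasons": reasons})
    return decision, reasons
```

Each deny reason is collected rather than short-circuited, so the audit record shows every failed check, which is what the telemetry tenet asks for.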
Organizations that operate with a Zero Trust mentality are more resilient, consistent, and responsive to new attacks. Given the complexity of Zero Trust, the sections that follow summarize the defense areas, the scope and phases of Zero Trust, and a practical guide to implementing the Zero Trust framework. A true end-to-end Zero Trust strategy not only makes it harder for attackers to get into the network but also minimizes the potential blast radius by preventing lateral movement.
If you would like to assess how well protected your organization is, start your Zero Trust journey, and receive suggestions for technical next steps, our experts are happy to help. Softline has extensive experience providing technical guidance on deployment, integration, and development.