Zero trust is based on the idea of “never trust, always verify.” In essence, this means that every entity inside or outside a network is never implicitly trusted. Shifting away from a traditional perimeter-based security model and moving towards a zero trust architecture environment where continuous verification and authentication is the norm is a definite challenge. Consider the following essential zero trust best practices to guide policy decisions and network architecture.
Main Principles of Zero Trust
According to the National Institute of Standards and Technology, there are several key principles that make up zero trust architecture.
- Applications, infrastructure and data sources are classified as resources.
- Location of network communication doesn’t mean trust is granted. Communication should be secured from both enterprise-owned and non-enterprise owned networks.
- Access is granted to users after authentication, on a per-session basis and permissions given based on least privilege.
- Assets, users and services are monitored and take into consideration identity, behavior and environment before granting access.
- Robust monitoring and recording of devices and applications offers actionable data about the current state of resources.
- A constant cycle of authentication across identity, credentials and access management is strictly enforced.
- Information about the current security posture is constantly collected and evaluated for future improvements.
Why you should implement zero trust architecture
Many organizations often follow a perimeter-based or “defense-in-depth” model of security. This means that once a user or device has been granted access to a network, they are implicitly trusted, and their actions are not closely monitored.
However, with expanding attack surfaces, the traditional perimeter-based approach is no longer an effective solution to prevent breaches.
Zero trust architecture reduces the risk of breaches by asking all identities, devices and services on a network to authenticate and verify before granting access, and only allowing access to resources based on least privilege.
Zero Trust Best Practices
Zero trust can look different across organizations. However, in general there are a few key zero trust best practices to keep in mind that should help when implementing this architecture.
Understand current device, user, identity and services architecture
Mapping out current infrastructure is key to fully understanding the scope of an organization’s devices, data, user identities and third-party services. Who are the users? What devices are they using? What applications are they using? What kind of data are they accessing? Without an understanding of users, device endpoints or services and data they are accessing, it becomes much more difficult to determine an organization’s full potential attack surface.
The goal of any zero trust architecture is strike a balance between increased security and frictionless usage for users. Once the full scope of the organization’s architecture is identified, it becomes much easier to assign risk scores and thresholds for certain behaviors.
Establish strong identities
Every identity allowed on an organization’s network should have a traceable identity associated with it, and shouldn’t just consist of the traditional admin super user and enterprise user. There are a variety of user types across an organization that all require different levels of access to organizational resources. Establishing strong identities offers an avenue to authenticate and verify that users are accessing resources in accordance with set policies and permissions. This verification can be done in a variety of ways, including by using unified identity management systems.
In most cases, access should be granted based on the user’s identity, the context of the access request, and the risk score of the access request. Policies should be created and updated to reflect a user’s role, specific access needs and the context in which the user is accessing an asset. On occasion, additional verification is needed to ensure that the user is actually who they say they are. In these cases, access layers such as multi-factor authentication (MFA), biometrics or additional certification are necessary.
Beyond extra steps to verify user identities, authorization policies should be dynamic to adapt to changing circumstances, and leverage “just-in-time" privilege elevation.
For example, if a user requires temporary elevated privileges for a specific project, then those privileges could automatically expire and remove permissions when that project ends. Zero trust architecture allows for granular authorization rules that can respond to these types of necessary changes.
Monitor and audit
Monitoring and auditing activity is required to keep tabs on how devices, services, identities and data interact within an organization’s network and offers an opportunity to notice potential threats. However, the best way to spot a counterfeiter isn’t by looking at counterfeits. The best way to spot a counterfeiter is to know all the minute details of what is actually real.
In the same vein, if an organization doesn’t know what normal activity looks like, it becomes even more challenging to identify malicious activity. Monitoring and auditing traffic and keeping tabs on how devices, services, identities and data interact is one of the most effective ways to detect anomalous activity.
Monitoring deviations of baseline of expected behavior helps indicate when something is wrong. Real-time threat analytics and pattern analysis help to correlate device activity with network events, and are constantly evaluating whether that activity lines up with expected behavior and defined security policies. These tools give organizations context to detect anomalies and help catch suspicious activities.
Use network segmentation
In a traditional perimeter-based approach to security, once a user has been granted access to a network, they have permissions to move laterally through internal networks without the need for additional verification. In this security model, once an unauthorized user gains access through one network, they can potentially access lateral data and applications without too much trouble.
In a zero trust environment, network segmentation can limit the amount of damage an unauthorized user could potentially do in the event they gain access to an organization’s network.
Network segmentation isolates different applications, data and networks to individual spaces with limited entry and exit points, making it much harder for unauthorized users to move laterally to access additional information.
Defined security controls within a segmented network make breaching a network a much more challenging and less enticing task to would-be attackers.
At the end of the day, zero trust is an entire organization’s responsibility, and internal policies and activities must work in concert with any implemented technology.
For example, when somebody leaves an organization an automated immediate policy could have someone responsible to verify that that user no longer has access to systems. Sure, unified identity management systems can take that action automatically. However, someone after the fact should attest and review to ensure that access is no longer there. Whether that happens within 24 hours or two days later would be determined by organizational policy.
Though technology is often a main focus for organizations first pursuing a zero trust security strategy, successful implementation requires cooperation from every department. Though many may prefer to try and silo “zero trust” into IT, every department including operations, HR and management all play a part in maintaining a secure zero trust environment.
Transitioning to a zero trust environment can be a challenge. However, these zero trust best practices are highly recommended steps in an ongoing and evolving process. By starting out with these zero trust best practices in mind, your organization is equipped with a roadmap to successfully protect against potential breaches.