Zero trust: Your questions answered

What is it, how do you implement it, and why should you bother?

They say the most secure IT infrastructure is one that’s disconnected from the network, unplugged from a power source, and locked in a closet. Short of that, however, what options do you have for securing your company’s critical assets? One approach we’ve been hearing a lot about is “zero trust.” But what is it? An architecture? A security model? A mindset? A marketing buzzword? It’s actually all of the above, and one that merits deeper understanding.

Zero trust goes by many names. It’s also known as zero trust architecture (ZTA), zero trust network architecture (ZTNA), zero trust network access, or even perimeterless security. But the term “zero trust” has been used so much, it has also become a bit of a buzzword with an ambiguous definition, where the meaning seems to shift depending on which security vendor you’re talking to and what their “zero trust” solution looks like.

This blog will help clarify things. It breaks down the main principles, looks at the key benefits, and explores options for implementation based on industry best practices.

What is zero trust, and why should we bother?

Zero trust is actually pretty self-explanatory. Simply put, it means you “never trust, always verify.” By default, you don’t trust users and you don’t trust devices – even if they’re in the building, on the network, and behind the firewall. In fact, until proven otherwise, you assume every request is a breach, no matter of where it originated or what it’s trying to access. Until proven otherwise, you assume every user and device is malicious. Bottom line: You don’t make any assumptions about security, and you don’t take anything for granted.

If that sounds a little paranoid, bear in mind that cyberattack attempts on global corporate networks increased 50% from 2020 to 2021. More than 60% of security breaches in 2021 were the result of a web application attack, and more than 80% of those attacks could be attributed to stolen credentials. One study of penetration tests revealed that an external attacker can breach an organization’s network perimeter and gain access to local network resources 93% of the time. Given these cybersecurity realities and the risks they pose to companies of all sizes, zero trust seems like a small price to pay for cybersecurity. It’s not surprising that 80% of organizations have plans to embrace a zero-trust security strategy in 2022.

What does zero trust look like?

While zero trust strategies are going to reflect your specific business and environment, they employ several common principles:

  • Explicit verification: This means you authenticate, authorize, and end-to-end encrypt every request, whether from a user or from a device or other “non-person entity” (NPE). Microsoft’s guidance is to “authenticate and authorize based on all available data points, including user identity, location, device health, service or workload, data classification, and anomalies.” RedHat’s default approach is to “deny-all” and “allow-by-exception.”
  • Least privileged access: This longstanding principle of security means you not only give users minimum necessary access to do their jobs, but you grant it for the least amount of time, revoking it as soon as it is no longer needed, such as at the end of a work shift. It’s both just-in-time (JIT) and just-enough access (JEA).
  • Micro-segmentation: This strategy takes network segmentation and security management to an even more granular level by isolating individual workloads and devices. This approach helps you contain a threat more quickly, preventing further spread across the network and minimizing the impact on operations.

But that’s really just scratching the surface. According to NIST, zero trust is “an evolving set of cybersecurity paradigms that . . . focus on users, assets, and resources” – and that are used to “plan industrial and enterprise infrastructure and workflows.” All data sources and computing services are considered resources, and all communication is secured regardless of location. In other words, there are a lot of moving parts.

How do you implement zero trust?

There is no shortage of industry frameworks for implementing a zero trust architecture. NIST provides general deployment models and use cases for zero trust, CISA has published a Zero Trust Maturity Model, and Forrester has published the Zero Trust eXtended (ZTX) Ecosystem information security model. Based on industry best practices such as the 18 CIS Critical Security Controls, these frameworks all provide similar guidance for the zero trust journey.

But because zero trust is about people and processes, not just technology, setting the stage at your organization is the first step toward successful implementation. That includes:

  • Combining hardware and software solutions that leverage automation to ensure consistent implementation and enforcement of zero trust policies
  • Choosing a vendor partner that can provide zero trust expertise and proven technologies
  • Taking usability into account to help ensure that user productivity doesn’t take a hit
  • Planning meticulously and testing rollouts to help ensure uninterrupted business operations
  • Training users on the core concepts – and the reasons why – to get buy-in across the entire organization

Ideally, your organization’s zero trust implementation is part of a larger, in-depth defense strategy – one that includes analytics and visibility that drive threat detection and improve defense and response. The objectivity and expertise of a vendor partner like Freeit can be particularly valuable for these kinds of projects, especially when it comes to uncovering your blind spots. Freeit can help augment the security capabilities and capacity of your team, helping you realize the full potential of a zero trust approach. Contact us today to learn more.