Zero Trust Model for Better Cyber-security
The best trust is no trust.
Zero trust is a cyber-security model that requires strict identity verification for every person or device trying to access an organization’s network, even if they are in the network perimeter.
Trust is a vulnerability
It is a comprehensive approach created by John Kindervag, the former Forrester Research analyst who is now a field chief technology officer at Palo Alto Networks. It is based on the “never trust, always verify” principle and focuses on eliminating trust from an organization’s network rather than trying to make the network trusted. It assumes that no user or device, even one already inside the network, should be treated as secure by default, because doing so would allow a malicious actor who gets into a company’s network using, for example, stolen credentials, to move freely through its resources. Zero trust is not tied to any particular technology and does not require a radical rebuild of existing infrastructure.
Zero trust must be applied across your entire IT environment. It is increasingly common for employees to work from home, co-working spaces, public transport and many other places that are not protected as the organization’s office would be, so it is critical to minimize the risks that come with increased mobility. The right users should have access to the right applications and data – and to nothing more. Zero trust requires high integrity, visibility and control that can be delivered directly on a mobile device or through the cloud.
IT environments are becoming not only more sophisticated and complex, but also more dynamic, with more tools, users and an overwhelming amount of data stored in different locations.
The best trust is no trust
The good news is that achieving zero trust is not complex. It builds on existing architecture and deploying it is quite simple. To implement zero trust, an organization should follow five steps:
- Identify the protect surface – most critical data, assets, applications and services in an organization’s network
- Map the transaction flows
- Build a zero trust architecture
- Create zero trust policies and train users
- Monitor and maintain the environment
As has already been noted, first you need to identify protection priorities, typically whatever is most critical to your own organization’s needs. The second step is to identify what kind of traffic exists and how it moves across the organization in relation to your protect surface, in order to understand who your users are, which applications they need, and how they connect. With this knowledge you will be able to determine and apply policies that ensure secure access to all data. Once you know and understand your most critical assets and the interdependencies between them, you can create a micro-perimeter around your protect surface. This micro-perimeter can be created by deploying a segmentation gateway (known as a next-generation firewall) to make sure that only legitimate users and applications can access the protect surface. Thanks to the segmentation gateway, you are able to see “deeper” into traffic and enforce additional layers of inspection and access control with a Layer 7 policy based on the Kipling Method (under this approach, every access decision asks who, what, when, where, why and how). The policy determines who can transit the perimeter and when, prevents access to the protect surface by unauthorized users, and stops exfiltration and leakage of sensitive data.
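As an added illustration (not code from the original article or from any vendor), the following shows how a segmentation gateway might evaluate a Kipling-method policy with default deny: the protect surface, identities, subnets, hours and device postures are constructed assumptions.

```python
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Constructed policy for a hypothetical protect surface. Each rule lists all six
# Kipling dimensions; a request must satisfy every one, else it is denied by default.
POLICY = [{
    "who": {"alice", "bob"},                # verified identities
    "what": {"hr-app"},                     # asset inside the protect surface
    "when": (8, 18),                        # permitted UTC hours [start, end)
    "where": [ip_network("10.20.0.0/16")],  # corporate client subnets
    "why": {"hr-review"},                   # business justification
    "how": {"managed-laptop"},              # device posture / access channel
}]

def evaluate(request, policy=POLICY):
    """Decide one request at the segmentation gateway: (decision, reason)."""
    src = ip_address(request["where"])
    hour = request["when"].astimezone(timezone.utc).hour
    best = None  # unmet dimensions of the closest rule, for explainable denies
    for rule in policy:
        start, end = rule["when"]
        checks = {
            "who": request["who"] in rule["who"],
            "what": request["what"] in rule["what"],
            "when": start <= hour < end,
            "where": any(src in net for net in rule["where"]),
            "why": request["why"] in rule["why"],
            "how": request["how"] in rule["how"],
        }
        unmet = [k for k, ok in checks.items() if not ok]
        if not unmet:
            return "allow", "all six Kipling checks passed"
        if best is None or len(unmet) < len(best):
            best = unmet
    return "deny", "default deny; unmet: " + ", ".join(best or ["no rule"])

def run_samples():
    """Constructed requests showing that being on the network is not enough."""
    base = {"who": "alice", "what": "hr-app", "why": "hr-review",
            "how": "managed-laptop", "where": "10.20.5.7",
            "when": datetime(2024, 3, 4, 10, 0, tzinfo=timezone.utc)}
    cases = {
        "legitimate": base,
        "valid_user_unexpected_network": {**base, "where": "192.168.50.9"},
        "unmanaged_device": {**base, "how": "personal-phone"},
        "after_hours": {**base, "when": base["when"].replace(hour=23)},
        "other_asset_no_rule": {**base, "what": "payroll-db"},
    }
    return {name: evaluate(req) for name, req in cases.items()}
```

The deny reason names the unmet dimension so that gateway logs explain why a known user was refused, which is what the monitoring step in the list above relies on.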
The simpler, the better
Is zero trust a 21st century security model? People want to be connected everywhere, all the time. An “active” status on social media or instant messaging apps is becoming the default. What is more, private and professional areas intermingle as more companies use cloud-based virtual environments for their systems rather than traditional, physical in-house equipment, so employees can access business systems from their private devices. Also, we feel so familiar with the Internet and electronic devices that (despite awareness campaigns, training and warnings) we can get a false sense of security. Therefore, a dynamic model focused on eliminating trust and minimizing the risk associated with human naivety can be the future.
Product Manager at Comarch