Zero Trust – A Security Model

img blog Zero Trust A Security Model r1

In the last few articles, we’ve covered broad, sweeping topics about the state of the cybersecurity landscape in 2021 and 2022. Now, and in the coming weeks, we’re going to take a more focused, deep-dive approach to individual cyber security topics. 

We hope these bite-sized cyber topics, tips and best practices will be reviewed, addressed and/or implemented on a weekly basis. By continuously improving your cyber security protocols, your data, your clients, and ultimately your business, will be better protected from internal and external cyber threats. 

Today’s topic is Zero Trust. We’ll talk about: What it is, why it matters, and what you can do to implement Zero Trust as a company-wide practice. BTW, we’ve added some links to vague or confusings terms and acronyms. Let’s dive right in… 

According to excerpts from an article by VARONIS, “Zero Trust security has evolved into a holistic approach to cybersecurity that involves several technologies and processes. The goal of Zero Trust security is to protect the company from advanced cybersecurity threats and data breaches, while helping the company achieve compliance with [government standards and] future data privacy and security laws.

At the heart of Zero Trust is data security. Data is the asset attackers want to steal, whether that’s personally identifiable data (PII), protected health information (PHI), payment card information (PCI), or intellectual property (IP); all of it has value.

While other security controls are important, without monitoring data activity, you will have a critical gap. No matter what form the attack takes.

Here are the focus areas for the Zero Trust Framework. Forrester recommends organizations address each of these focus areas to build the best Zero Trust security strategy.

  • Zero Trust Data: A Zero Trust approach starts by protecting data first and then building additional security layers. If an attacker can breach your perimeter controls, exploit a misconfiguration, or bribe an insider, under Zero Trust, they would have extremely limited access to valuable data, and controls will be in place to detect and respond to abnormal data access before it becomes a breach.

Because data is the ultimate target for attackers and insider threats, it makes sense that the first pillar of the Zero Trust Framework is data. To protect data, companies need to be able to understand where their data lives, who can access it, what’s sensitive or stale, and monitor data access to detect and respond to potential threats.

  • Zero Trust Networks: Attackers must be able to navigate your network to steal data, and Zero Trust networks make that as difficult as possible by segmenting, isolating, and restricting your network with technology like next-gen firewalls.
  • Zero Trust People: Humans are likely the weakest link in your security strategy. Limit, monitor, and strictly enforce how your users access resources both inside the network and on the internet. Trust, but verify, all user activity on your network. Monitor your users to protect against those infrequent human mistakes from phishing, bad passwords or malicious insiders.
  • Zero Trust Workloads: A workload is a term used by the infrastructure and operations team to mean the entire stack of applications and back-end software that enable your customers to interface with your business. Unpatched, customer-facing applications are a common attack vector you must defend. Treat the entire stack from storage, to the operating system, to web front-end as a threat vector and protect it with Zero Trust compliant controls. [Make sure you are using the most current versions of all applications, software programs, and search engines like Google.]
  • Zero Trust Devices: Because of the Internet of Things, (e.g., smartphones, smart TVs, and smart coffee makers), the number of devices that live on your networks has exploded in the past few years. Each of these connected devices represents entry points that attackers can use to infiltrate your network. To move towards Zero Trust, security teams should be able to isolate, secure, and control every device on the network. [RELATED – BYOD Security Challenges]
  • Visibility and Analytics: In order to enforce Zero Trust principles, empower your security and incident response teams with the visibility of everything going on in your network – and the analytics to make sense of it all. Advanced threat detection and user behavior analytics are key to staying on top of any potential threats in your network so that you can identify anomalous behavior in real-time.
  • Automation and Orchestration: Automation helps keep all of your Zero Trust security systems up and running, and your Zero Trust policies enforced. Humans are not capable of keeping up with the volume of monitoring events necessary to enforce Zero Trust. Automate as much of your remediation, monitoring, and threat detection systems as possible so you can save your human resources for Incident Response and other more important tasks.

3 Principles of the Zero Trust Security ModelRequire secure and authenticated access to all resources.

  1. Require secure and authenticated access to all resources.

The first basic principle of Zero Trust is to authenticate and verify access to all resources. Each time a user accesses a file share, application, or cloud storage device, re-authenticate that user’s access to the resource in question.

You have to assume that every attempt at access on your network is a threat until confirmed otherwise, regardless of location of access or hosting model.

To implement this set of controls, remote authentication and access protocols, perimeter security and network access controls [must be enforced].

2. Adopt a least privilege model and enforce access control.

The least privilege access model is a security paradigm that limits each users’ access to only the [information] they need to do their job. By limiting each user’s access, you prevent an attacker from gaining access to large amounts of data with a single compromised account.

First, discover where your folder permissions expose your sensitive data and remediate over-permissive access. Create new groups and assign data owners to manage those groups, and use these new groups to implement least privilege access. Audit access and group memberships on a regular schedule and put data owners in charge of who can access their data. IT shouldn’t control access to the Finance team’s data – the Finance team should.

3. Inspect and log everything.

Zero Trust principles require inspection and verification of everything. Logging every network call, file access, and email for malicious activity is not something a human or an entire team of humans can do.

Monitoring and logging are arguably the most important capabilities to maintaining a Zero Trust security model. With monitoring and data security analytics in place, you can tell the difference between a normal login or a compromised user account. You will know that a ransomware attack is in progress or if a malicious insider is trying to upload files to their cloud drive.

This kind of cybersecurity intelligence is difficult to achieve. Most tools in this category require you to code overly complicated rules or generate a significant number of false positives. The right system will use individualized baselines per user account and detect abnormal behaviors based on perimeter telemetry, data access, and user account behavior.

Implementing A Zero Trust Model

Zero Trust starts with data. Here are some key recommendations for where to start to protect your data within the Zero Trust Framework:

  • Identify Sensitive Data: Figure out where your sensitive data lives. This could be internal “finance” or “legal” folders or places where you store PII or PHI. You have to know where your sensitive data lives and who has access to your data before you can protect it.
  • Limit Access: Once you’ve identified your sensitive data, check to see that only the people who need access to it have access. This will limit sensitive data exposure and make it more challenging for hackers to gain access to it.
  • Detect Threats: Knowing where your sensitive data is and limiting access to it are key first steps toward a Zero Trust framework. Next, you need to be able to detect when anomalous activity is happening with your data. Monitor all activity related to data access – active directory, file and share access, and network perimeter telemetry – compare the current activity to baselines of prior behavior, and then apply security analytics and rules to detect active cybersecurity threats from internal or external sources.

Why Zero Trust Model Security?

The data-centric Zero Trust framework can provide a solid defense against data breaches and advanced cybersecurity threats. All that attackers need, to break into your network, is time and motivation — firewalls or password policies don’t deter them. You should build internal barriers and monitor activity to catch their movements when, not if, they break in.”

Great stuff, right? But, what’s the original concept of Zero Trust and how did it evolve? It began with one man…

The Hallmark of Zero Trust Is Simplicity

According to an article by Deloitte, Mr. Kindervag, the founder of Zero Trust, said, “When I worked as a security analyst, I became fascinated by how people and businesses anthropomorphized their digital environments by applying the concept of trust to computing — that somehow a device could be trusted and that it cared that it was trusted. 

Back then, many CISOs  and CIOs adhered to the idea that what’s inside the corporate firewall can be trusted. This concept of inside versus outside became a variable that was used to determine security policy, with many organizations operating under the adage “trust, but verify.” In the trust-but-verify model, trust is the default. When identity is verified, trust is assumed and access is granted.

But, trust applies only to people — not digital environments. Identity credentials can be stolen, networks can be hacked, and insiders with bad intent are often in positions of trust. This means it’s impossible to know with certainty that the originator of network traffic can truly be trusted: An asserted identity is only an assertion, not an actual person.

In response to what CISOs and CIOs told me about their cybersecurity strategies, I created the concept of zero trust, which is framed around the principle that no network user, packet, interface, or device—whether internal or external to the network—should be trusted. Some people mistakenly think zero trust is about making a system trusted, but it really involves eliminating the concept of trust from cybersecurity strategy. By doing this, every user, packet, network interface, and device is granted the same default trust level: zero.

Zero trust should be thought of as a strategy or framework. It requires companies to rethink their philosophy and approach to trusted network users and devices. Zero trust is not a product, although zero trust-based security infrastructures can be implemented by using many different products. Nor does zero trust require organizations to rip and replace existing security infrastructure—rather, it leverages existing technology to support the zero trust mindset, with new tools added as needed.

The hallmark of zero trust is simplicity. When every user, packet, network interface, and device is untrusted, protecting assets becomes simple. To reduce the complexity of cybersecurity environments, organizations can prioritize security technologies and tools that support simplicity by automating repetitive and manual tasks, integrating and managing multiple security tools and systems, and autoremediating known vulnerabilities.

Zero trust is a journey best taken one step at a time. I recommend that organizations begin by prioritizing the smallest possible protect surfaces—a single data set, asset, application, or service—depending on the level of sensitivity or business criticality. Then, they can create a microperimeter around each protect surface and granularly control the traffic allowed into the perimeter.

I encourage security teams to learn and practice on less sensitive protect surfaces, moving to protect increasingly more sensitive or valuable ones as they fine-tune their approaches and their confidence increases. Over time and with lots of practice, they’ll be ready to migrate their most critical assets to the zero trust environment. Finally, when high-value assets are protected, teams can focus on less important assets. And, by continuing to maintain a zero trust mindset, organizations can protect themselves even as security technologies and tools evolve.”

At Adaptive Office Solutions cyber security is our specialty. When you know your technology is being looked after, you can forget about struggling with IT issues and concentrate on running your business. By making an upfront investment in your cybersecurity, you can lower your costs through systems that are running at their prime; creating greater efficiency and preventing data loss and costly downtime. 

To schedule your Cyber Security Risk Review, call the Adaptive Office Solution service hotline at 506-624-9480 or email us at helpdesk@adaptiveoffice.ca

Categories
Archives