How to Implement a Zero Trust Security Model in a Wide-Open Landscape
It wasn’t too long ago that security involved on-premises storage with guarded perimeters. Organizations could be confident in the strength of their protection because they knew where sensitive data lived and the limited number of people granted physical access.
This is simply not the digital world we live in today. Fortified perimeters have been replaced by remote environments and a proliferation of mobile devices. Business data is now spread across virtualized storage housed on servers all over the world. While this offers great flexibility and scalability for businesses, it also widens the attack surface for malicious actors looking to exploit security gaps.
In response to this challenge, security professionals are ushering in a new era of Zero Trust security. At its most basic, a Zero Trust approach requires verifying every access request between all resources, no matter who, what or where they are. Fundamentally, Zero Trust is a security mindset and strategy — which can be challenging to implement fully.
In this post, we’ll discuss the origin of the Zero Trust methodology and explain how organizations can implement Zero Trust security in an increasingly remote and perimeter-less, cloud-first landscape.
A brief history of Zero Trust
The term Zero Trust was first discussed in the 1990s in a doctoral thesis on computational security, though it was not used in quite its current meaning. The concept gained more traction around 2010 after a discussion by Forrester Research on the principles of what would become the basis of the paradigm.
Forrester recognized that relying on a trusted perimeter is risky. Not only can credentials be compromised, but a perimeter model does nothing to address insider threats. Therefore, all network traffic ought to be considered untrusted unless proven otherwise.
Fast forward a few years, and our increasingly mobile (and now, increasingly remote) workforce is redefining even the basic idea of a perimeter. This, combined with the rise of cloud solutions, requires a further shift from credential-based authentication. In addition to a focus on people, we now must extend the Zero Trust framework to focus on data. This means next generation security tools must take into consideration network activity, user access and privileges, and data access and use.
Zero Trust now requires more than just asking who the user is. Every login attempt must demand context, such as:
- Is the device being used as a known device?
- Is the login coming from a known location or network?
- What data or application are they attempting to access?
Of course, demanding and verifying all of this context is easier said than done in an increasingly open digital landscape, and security professionals need to prepare for it. Next, we’ll look at how to adopt a Zero Trust paradigm in a modern security environment.
Implementing Zero Trust in a borderless environment
The nature of data proliferation and remote work today makes it nearly impossible to enforce security perimeters the way we once did. So, let’s take a look at some actionable steps towards turning this strategy into results and a technology-driven security paradigm.
Define the protect surface
The first step to securing your organization’s environment is defining that environment. In essence, you are trying to put up a border where none exists. This approach requires a holistic view of the network and environment, including all users, devices, privileges and traffic.
This is particularly challenging if you use cloud-based services or have shared hosting for your servers. According to industry expert Alex Williams of Hosting Data, any time resources are shared, security can take a hit. “The server’s very communal nature may allow viruses to spread across a server site, infecting those linked to it,” says Williams. “You have no way to personalize your security. You’re essentially relying on your hosting team to protect you.”
No matter your particular setup, our modern attack surface is always expanding. There are several ways to define an attack surface, but with Zero Trust, we specifically approach it in terms of what must be protected.
This narrows the focus to what's most valuable to the business. A "protect surface" includes:
- Data (such as personally identifiable information or payment card information)
- Applications (those used to access the data, such as CRM or payment processing)
- Assets (servers or equipment that process the data, such as point-of-sale terminals)
- Services (business-critical services used to access data, such as DNS or Active Directory)
Defining the protect surface brings together data management and asset management in addition to the traditional access management associated with user authentication.
Draft Zero Trust policy
Once you define the protect surface, you must use this information to formalize organization-wide policy. Zero Trust demands asking who has access, to what, when and from where. Each time an access request is made to a particular resource, there are a number of questions that must be asked:
- Who should have access?
- What devices should have access?
- When can users have access?
- From where can users have access?
- What can the resource be used for?
These questions should be translated into actionable steps that are specific enough to cover the unique needs of different assets or services. An attribute-based access control (ABAC) model will be helpful in crafting policies targeted to the attributes of different resource groups.
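The following is an added example, not code from the original post or from Illumio, showing how the five policy questions above and the login-context questions from earlier in the post (known device, known network, which resource) can be encoded as attributes and evaluated with a default-deny decision. The resources, roles, networks and device inventory are constructed for illustration.

```python
"""Attribute-based access decision for a Zero Trust policy.

Constructed example: the resources, roles, networks and device inventory
below are illustrative, not real systems.
"""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Request:
    """One access request carrying the context Zero Trust asks for."""
    user: str
    role: str          # who
    device_id: str     # what device
    source_ip: str     # from where
    resource: str      # to what
    action: str        # what the resource may be used for
    when: str          # when, as an ISO-8601 timestamp


@dataclass(frozen=True)
class Rule:
    """Attributes a request must satisfy to reach one resource."""
    resource: str
    roles: frozenset
    actions: frozenset
    allowed_networks: tuple          # CIDR strings
    hours: tuple                     # (start, end) local times
    require_managed_device: bool = True


# Constructed device inventory: only these device IDs are organization-managed.
MANAGED_DEVICES = frozenset({"laptop-0042", "laptop-0107"})

# Constructed policy: one rule per protect-surface resource; anything else is denied.
POLICY = (
    Rule("crm", frozenset({"sales", "support"}), frozenset({"read", "update"}),
         allowed_networks=("10.0.0.0/8", "203.0.113.0/24"),
         hours=(time(7, 0), time(19, 0))),
    Rule("payments", frozenset({"finance"}), frozenset({"read"}),
         allowed_networks=("10.0.0.0/8",),
         hours=(time(8, 0), time(18, 0))),
)


def decide(req: Request) -> tuple:
    """Return (decision, reason). Every attribute is checked; the default is deny."""
    for rule in POLICY:
        if rule.resource != req.resource:
            continue
        if req.role not in rule.roles:
            return ("deny", "role not permitted for resource")
        if req.action not in rule.actions:
            return ("deny", "action not permitted for resource")
        if rule.require_managed_device and req.device_id not in MANAGED_DEVICES:
            return ("deny", "unmanaged device")
        ip = ip_address(req.source_ip)
        if not any(ip in ip_network(cidr) for cidr in rule.allowed_networks):
            return ("deny", "source network not permitted")
        start, end = rule.hours
        if not start <= datetime.fromisoformat(req.when).time() <= end:
            return ("deny", "outside permitted hours")
        return ("allow", "all attributes satisfied")
    return ("deny", "no rule for resource")


if __name__ == "__main__":
    sample = Request("ana", "sales", "laptop-0042", "10.1.2.3",
                     "crm", "read", "2024-03-04T09:30:00")
    print(decide(sample))
```

The order of checks matters less than the fact that every one of them must pass: a valid role on an unmanaged device, or a managed device on an unknown network, both end in a deny with a reason that can be logged and reviewed.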
However, having different rules for different service types does not mean the policy isn’t company-wide: the individual rules are parts of one organization-wide policy. If you are new to the subject, you should consider consulting with an expert to help formulate your Zero Trust policy strategy.
Form the "virtual" perimeter
There are several tools and tactics that can be applied to shore up the virtual perimeter. A primary focus in an open landscape should be mapping network flows and increasing visibility into cloud-native resources.
It may be that you have a hybrid cloud environment with some on-premises and virtual resources. You will also have to deal with in-house versus third-party software. The ABAC model will help to consolidate rules to provide more complete visibility. In addition, you will need to segment your services to enforce Zero Trust.
A micro-segmentation tool that offers granular control of your protect surface will help to reduce the severity of an attack in the event of a breach. Segmentation is particularly critical when you use cloud-based microservices — without putting up virtual walls, an attacker could move laterally through your system with just one set of stolen credentials. The right tool will also give you real-time visibility of system behaviors, which will help in enforcing your policies.
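As an added example (not code from the original post or from any Illumio product), the block below expresses micro-segmentation as a default-deny allowlist of flows between labelled workloads, so that only the connections an application actually needs are permitted. It also includes a small audit function that runs constructed flow-log lines through the same policy and returns the denied flows, which is the kind of check the later "Monitor and test" step calls for. Workload names, labels and ports are constructed for illustration.

```python
"""Default-deny micro-segmentation policy between labelled workloads.

Constructed example: workload names, labels, ports and log lines are
illustrative, not taken from a real environment.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Workload:
    name: str
    labels: frozenset    # e.g. {"app:payments", "tier:web", "env:prod"}


@dataclass(frozen=True)
class FlowRule:
    """A permitted flow: every src label and dst label must be present."""
    src_labels: frozenset
    dst_labels: frozenset
    port: int
    proto: str = "tcp"


# Constructed inventory of workloads in the protect surface.
INVENTORY = {
    "web-1": Workload("web-1", frozenset({"app:payments", "tier:web", "env:prod"})),
    "api-1": Workload("api-1", frozenset({"app:payments", "tier:api", "env:prod"})),
    "db-1":  Workload("db-1",  frozenset({"app:payments", "tier:db",  "env:prod"})),
    "crm-1": Workload("crm-1", frozenset({"app:crm",      "tier:web", "env:prod"})),
}

# Only the flows the payments application needs; everything else is denied.
ALLOWED_FLOWS = (
    FlowRule(frozenset({"app:payments", "tier:web"}),
             frozenset({"app:payments", "tier:api"}), 8443),
    FlowRule(frozenset({"app:payments", "tier:api"}),
             frozenset({"app:payments", "tier:db"}), 5432),
)


def is_flow_allowed(src: str, dst: str, port: int, proto: str = "tcp") -> bool:
    """True only if some rule matches the labels of both endpoints and the port."""
    s, d = INVENTORY.get(src), INVENTORY.get(dst)
    if s is None or d is None:
        return False    # unknown workloads are never trusted
    return any(
        r.src_labels <= s.labels and r.dst_labels <= d.labels
        and r.port == port and r.proto == proto
        for r in ALLOWED_FLOWS
    )


def audit_flow_log(lines):
    """Replay flow-log lines ('ts src dst port proto') and return the denied flows."""
    violations = []
    for line in lines:
        ts, src, dst, port, proto = line.split()
        if not is_flow_allowed(src, dst, int(port), proto):
            violations.append((ts, src, dst, int(port), proto))
    return violations


# Constructed flow log: two expected flows and two that segmentation should stop.
SAMPLE_FLOW_LOG = [
    "2024-03-04T09:00:01Z web-1 api-1 8443 tcp",
    "2024-03-04T09:00:02Z api-1 db-1 5432 tcp",
    "2024-03-04T09:00:07Z web-1 db-1 5432 tcp",   # web tier reaching the database directly
    "2024-03-04T09:00:09Z crm-1 api-1 22 tcp",    # unrelated app opening SSH to the API tier
]

if __name__ == "__main__":
    for v in audit_flow_log(SAMPLE_FLOW_LOG):
        print("denied flow:", v)
```

Because the rules are written against labels rather than IP addresses, a new web instance inherits the right permissions simply by carrying the same labels, and a host that gains a foothold in one tier still cannot open connections the policy never listed.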
Monitor and test consistently
Even once you are confident in your policies and implementation, you should never stop testing your system for vulnerabilities. Test your pre-built policies to ensure they are detecting suspicious activity and can be used to enact emergency measures in the event of a threat. It can also be helpful to do periodic adversarial testing, either in-house or contracted out, to map vulnerabilities and avoid getting complacent.
Educate your teams
Finally, in order to advance a Zero Trust paradigm throughout your organization, you must use targeted education to get everyone on board. It’s important that everyone from IT to the C-suite knows why the policy changes are being implemented and how they will impact them.
For example, you will want to train employees on how access management and multi-factor authentication will change their login processes and why this is important for the company, employees and customers.
The digital world is ever-changing, and security professionals bear the burden of adapting to these changes. The days of locked-down, on-premises devices are gone, replaced with hybrid cloud, edge computing and the Internet of Things.
Zero Trust helps companies rise to the occasion with multi-layered, data-centric security. And if implemented properly, there is no reason security has to feel like an inconvenience. Rather, it can be an organization-wide priority shift that encourages responsibility and healthy cyber hygiene.
Learn how Illumio, the pioneer and leader of Zero Trust Segmentation, can help:
- Read the latest Forrester Wave reports on Zero Trust and micro-segmentation.
- Get step-by-step guidance in the ebook, 6 Steps to Implementing a Zero Trust Model.
- Download the Forrester Consulting study, Trusting Zero Trust.