Zero Trust is a new approach to information security that many businesses are actively considering as part of their plans for 2020. But with all the buzzwords being thrown around, it can be difficult to learn anything concrete about this emerging security trend. We thought we’d explain zero trust in practical terms to make the concept more approachable for small and mid-sized business leaders.
Zero Trust is a New-ish Information Security Concept that “Recombines” Old Tech and even Older Defense Strategy
Sorry to throw another buzzword at you, but recombination is exactly what zero trust is. Just as “The Cloud” does not require any new technology to function, zero trust doesn’t either. It deploys modern security protocols such as multi-factor authentication, Identity and Access Management (IAM), Permissioning (Role-Based Access Control), and Micro-Segmentation to practice a defensive strategy that also turns out to be ancient.
The trick of zero trust is that instead of investing all defensive resources at network endpoints, there are defensive structures operating inside the network infrastructure as well. This way, even if a hacker does breach the outer defenses, their access remains limited, and their activity is much more likely to alert security personnel that a breach has occurred.
You might already see the merit of this idea. Some of our largest and most resource-rich organizations have been hacked in the last few years including WhatsApp, Apple iOS, US Customs and Border Patrol, Quest Diagnostics, and many local governments in 2019 alone. If these orgs can fall victim, anyone can.
Aside from being quite alarming from a user standpoint, this is worth considering from the perspective of the business. Can you really trust the users on your network right now, knowing that so many records have been stolen? Anyone could be compromised.
Fundamentally, zero trust is a reality check. We need to be more practical about planning for what is becoming an all-too-likely scenario.
Civilizations have done this for centuries. Think of a medieval castle. First there’s the moat and the wall outside. Then there’s the keep on the inside. If you’re Minas Tirith from the Lord of the Rings universe, you actually have seven gates in total standing between your attackers and your core value.
Zero-Trust uses old technology and some emerging tools to make it more difficult for hackers to find and exploit valuables even if they have breached endpoint security. It also makes it easier for defenders to detect suspicious activity. External attackers have a huge advantage, primarily because they can keep attacking without repercussions. Almost anyone can eventually win that one-sided battle. With zero trust protocols established, passing the endpoint might bring attackers one step closer, but it also increases the odds of detection.
OK, now let’s see how security professionals secure zero-trust environments.
Multi-Factor Authentication in a Zero-Trust Environment
It’s hard to be online these days without running across multi-factor authentication. Many of the most widely used software brands, including Google, Apple and Microsoft, either support or require it. These applications request a second form of authentication in addition to a password before they grant access. Typically this is a temporary passcode sent to the user’s phone or email, which the user then enters along with the password.
Especially in a compromised world, multi-factor authentication becomes incredibly useful in ensuring your users are who they say they are. If their account password was hacked, or if it is still something easy to guess like “password” or “admin”, their account will remain secure as long as they retain control of their device or email account.
Zero-Trust applies multi-factor authentication not only at the endpoint but also within the network, essentially adding more gates or periodically ensuring that users are who they say they are. You might use multi-factor authentication on particular applications or databases to add another layer of defense to more valuable assets.
Zero-Trust Identity and Access Management (IAM)
IAM is really a precursor to Zero-Trust in that its goal has not changed, and many of the technologies it deploys are shared with Zero-Trust. IAM has always aimed to monitor and control user access to reduce attack surface. What happens to contractor accounts after the job is done? Without IAM, these accounts would likely continue to exist, providing an easy target for years to come. IAM protocols can establish contextual rules for access, so you might give users access but only to certain systems and on certain dates.
IAM systems can also track user activities and set alerts for suspicious behavior with tools like Identity Analytics (IA), Risk-Based Authentication (RBA), and API security. There are many different solutions and tools out there. These may require more planning and consultation to set up, but zero-trust is limited in effectiveness without them.
Permissioning, or Role-based Access Control (RBAC)
Permissioning is another way to limit access in the event of a breach. The idea is to grant user accounts the minimum access they need, so that everyone can work effectively without holding unnecessary permissions to reach sensitive information. Attack surface is therefore limited to the greatest extent possible without sacrificing productivity.
Permissioning is typically a component of zero trust because, in the event that a user account is hacked, that account does not give away “the keys to the castle.”
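To make the IAM contextual rules described above (access limited to certain systems and dates, with alerts on denied activity) and the least-privilege idea of permissioning concrete, here is an added example in Python; it is not Platte River's code, and the roles, account names, systems and dates in it are constructed.

```python
"""Least-privilege roles plus contextual IAM rules (added example, not
Platte River's code). A role carries only the permissions its job needs;
an account is further limited to named systems and, for contractors, an
expiry date. Denials return an ALERT reason that monitoring can consume."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set, Tuple

# Role -> minimum permission set for that job (constructed sample roles)
ROLE_PERMISSIONS = {
    "sales": {"crm:read", "crm:write"},
    "accounting": {"ledger:read", "ledger:write", "crm:read"},
    "contractor": {"widget-line:read"},
}

@dataclass
class Account:
    name: str
    role: str
    systems: Set[str]                # systems this account may reach
    expires: Optional[date] = None   # None = standing employee account

@dataclass
class Decision:
    allowed: bool
    reason: str

def authorize(acct: Account, system: str, perm: str, today: date) -> Decision:
    """Contextual checks (expiry, system) first, then the role's permissions."""
    if acct.expires is not None and today > acct.expires:
        return Decision(False, f"ALERT {acct.name}: account expired {acct.expires}")
    if system not in acct.systems:
        return Decision(False, f"ALERT {acct.name}: not permitted on {system}")
    if perm not in ROLE_PERMISSIONS.get(acct.role, set()):
        return Decision(False, f"ALERT {acct.name}: role {acct.role} lacks {perm}")
    return Decision(True, "ok")

def alerts_for(acct: Account, requests: List[Tuple[str, str]], today: date) -> List[str]:
    """Evaluate (system, permission) requests and return only the denial reasons."""
    decisions = [authorize(acct, s, p, today) for s, p in requests]
    return [d.reason for d in decisions if not d.allowed]

# Constructed sample accounts: a contractor whose job ended last year and a
# salesperson who should never reach the ledger.
TODAY = date(2020, 1, 15)
CONTRACTOR = Account("cj", "contractor", {"widget-line"}, date(2019, 12, 31))
ALICE = Account("alice", "sales", {"crm"})
```

Calling `alerts_for(ALICE, [("crm", "crm:write"), ("ledger", "ledger:read")], TODAY)` yields one alert for the ledger request, and the expired contractor account is denied even for the one permission its role holds.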
Micro-segmentation
Segmentation is a great way to understand the difference between old and new security protocols because it shows how old ideas and tech are being reapplied.
Network segmentation has existed as long as firewalls, virtual local area networks (VLANs) and access control lists (ACLs). These deter some movement within business infrastructure, but micro-segmentation goes further: it inspects and manages internal traffic to ensure that activity is productive and not nefarious. It does not request passwords or throw up roadblocks per se; it just enforces rules and paves the roads. Machine 1 can only talk to Machine 2; widget sensors can only talk to the widget machines, and so on.
In the event of a breach, hacked components will be limited in their ability to reach sensitive data, which can significantly increase the difficulty of a hack.
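The “Machine 1 can only talk to Machine 2” rule above, as an added example that is not Platte River's code: a small policy check that groups hosts into segments, allows only the listed segment-to-segment flows, and reports everything else as a violation. The segments, addresses, ports and flow records are constructed.

```python
"""Micro-segmentation policy check over sample flow records (added example,
not Platte River's code). Hosts map to segments by CIDR, the policy lists
the allowed segment-to-segment flows, and anything else is a violation."""
import ipaddress

SEGMENTS = {  # segment name -> network (constructed)
    "widget-sensors": ipaddress.ip_network("10.0.10.0/24"),
    "widget-machines": ipaddress.ip_network("10.0.20.0/24"),
    "workstations": ipaddress.ip_network("10.0.30.0/24"),
    "file-server": ipaddress.ip_network("10.0.40.0/24"),
}
# Allowed (source segment, destination segment, destination port); default deny
ALLOWED_FLOWS = {
    ("widget-sensors", "widget-machines", 502),   # sensors -> machines only
    ("workstations", "file-server", 445),         # users -> shared files only
}

def segment_of(ip: str) -> str:
    """Name of the segment containing ip, or 'unknown' if it is in none."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"

def parse_flow(line: str) -> dict:
    """'src=... dst=... dport=...' -> dict; a malformed line raises."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return {"src": fields["src"], "dst": fields["dst"], "dport": int(fields["dport"])}

def check_flows(lines):
    """Return one VIOLATION string per flow the policy does not explicitly allow."""
    violations = []
    for line in lines:
        f = parse_flow(line)
        key = (segment_of(f["src"]), segment_of(f["dst"]), f["dport"])
        if key not in ALLOWED_FLOWS:
            violations.append(f"VIOLATION {key[0]}->{key[1]}:{key[2]} ({f['src']} -> {f['dst']})")
    return violations

SAMPLE_FLOWS = [  # constructed flow records
    "src=10.0.10.5 dst=10.0.20.9 dport=502",    # sensor -> machine: allowed
    "src=10.0.30.12 dst=10.0.40.2 dport=445",   # workstation -> file server: allowed
    "src=10.0.10.5 dst=10.0.40.2 dport=445",    # sensor -> file server: violation
    "src=10.0.30.12 dst=10.0.20.9 dport=502",   # workstation -> machine: violation
]

if __name__ == "__main__":
    for v in check_flows(SAMPLE_FLOWS):
        print(v)
```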
Discuss Zero Trust with Your Platte River Team
Some of the technologies that enforce Zero Trust require significant planning, expertise, and software to implement and might remain more typical of enterprise IT for many years. However, any business, mid-size or smaller, can use simple tools to accomplish many of the same objectives: limit attack surface, monitor network traffic, and control access.
Please email david@platteriver.com for more information on Zero Trust.