Building a Fortress of ‘Never Trust, Always Verify’: The Power of Zero Trust Architecture
Published 08/28/2024
Originally published by CXO REvolutionaries.
Written by Ben Corll, CISO in Residence, Zscaler.
There’s no succinct instruction manual for zero trust architecture, but here’s the next best thing
Recent headlines about critical vulnerabilities plaguing VPNs and other legacy infrastructure are a sign that the traditional "castle-and-moat" approach to network security – perimeter-based defenses and implicit trust within the network – is going the way of the dodo.
Cybercriminals are growing more sophisticated, breaches are becoming more common, and the number of records being lost is increasing. The good news is that the industry is maturing and zero trust architecture (ZTA) is redefining our technology environments. If you are new to zero trust, what follows are the “CliffsNotes” to help you quickly understand why all the buzz over this exciting new paradigm for connecting users, apps, and data.
What makes zero trust special
Zero trust operates under the assumption that no user or device, internal or external, is inherently trusted. Access to resources is granted based on a continuous verification process that considers identity, context, and the principle of least privilege. Let's delve into these three core principles of zero trust:
- Identity: Every user and/or device seeking access must be continuously authenticated and authorized (who are you and what should you have access to?). This goes beyond simple passwords and usernames, often incorporating multi-factor authentication (MFA) and strong identity management practices. Today, MFA should be employed by default – “table stakes,” if you will.
- Context-based connections: Access is granted based on the specific context of the request. This includes factors like location, device type, applications being accessed, and user history. For example, a user attempting to access sensitive data from an unfamiliar location might require additional verification. This is also what I call the "sniff test." Does the request make sense? Should an HR user in Jakarta be attempting to access finance applications in Rio de Janeiro? Probably not. So why allow the connection?
- Principle of least privilege: Users are granted only the minimum level of access needed to perform their tasks. This limits potential damage from compromised credentials or malicious actors. Even better is when we are able to use just-in-time (JiT) access, which expires after a task is performed or after a period of time, to further reduce the risk or impact from compromised credentials.
Retiring legacy technologies: Why perimeter-based solutions and VPNs fall short
Traditional security solutions like perimeter-based firewalls and VPNs rely on the idea of a secure perimeter built around the network. While these solutions served their purpose in the past, they become increasingly ineffective in today's dynamic environments.
Here’s why:
- Perimeter-based solutions assume that everything inside the network is trusted, which is no longer a safe assumption. A single compromised device within the perimeter can provide attackers with a foothold to launch further attacks. Moreover, our data no longer resides in a single location. We simply cannot build big enough or strong enough walls around a single location expecting it to protect our treasure (data). Today people and data are more widely distributed than ever before. Thinking we can route everyone and all data back to our point-products or perimeter-based protections is old-school thinking and fails to scale. =
- VPNs create secure tunnels for remote users to access resources within the network. However, VPNs often grant broad access once a connection is established, violating the principle of least privilege. Additionally, VPNs can struggle to manage the ever-increasing number of device types seeking access and the user experience tends to suffer.
Benefits of embracing zero trust
Implementing zero trust architecture offers multiple benefits for organizations of all sizes. I'll share a few below, but this is not an exhaustive list. For instance:
- Reduced attack surface: By eliminating implicit trust within the network, ZTA shrinks the potential attack surface for malicious actors. Lateral movement – the ability to hop from one compromised system to another – becomes significantly more difficult. An external attacker who is performing network or application-mapping as part of their reconnaissance phase will have fewer potential points of entry into an organization's network.
- Enhanced threat protection: ZTA’s continuous verification process makes it more challenging for unauthorized users and malware to gain access to sensitive data. Even if an attacker breaches initial defenses, the damage they can inflict is both limited and contained. A single device or application may be compromised, yet lateral movement or pivoting from one application or system to another will be prevented (or limited).
- Improved security for remote workforces: The rise of remote and hybrid work has rendered traditional, perimeter-based security models nearly obsolete. ZTA provides secure access to resources for authorized users regardless of their location. And remote work didn't start with the COVID pandemic, it merely accelerated. But, as the pandemic showed that remote work is possible and productive, we're unlikely to see it go away. That means it must be enabled securely.
- Enhanced scalability: Zero trust architecture is built for agility. It can easily scale to accommodate a growing workforce or cloud (even multi-cloud) adoption. With zero trust the default state of access is set to ‘deny’ which is overcome by participants satisfying authentication requirements and “earning trust”. This simple but effective approach easily extends to any number of employees across local, remote, and cloud environments.
- Simplified cloud adoption: ZTA facilitates a secure and controlled approach to cloud adoption. Access to cloud resources can be granted based on the same principles as on-premises resources. Back to the core principles here.
- Streamlined compliance: ZTA can help organizations meet (or align with) various data privacy regulations (e.g., CCPA, GDPR, LGPD) by providing granular access control, data protection, and detailed audit trails. This arms organizations with an evidence-backed story to share with auditors proving the alignment with said regulations.
- Improved user experience: Zero Trust simplifies access for authorized users by eliminating the need for complex network configurations. Users can access resources securely from anywhere, on any device.
- Reduced costs: While initial implementation may require investment, zero trust can ultimately lead to cost savings by streamlining security operations and reducing the risk of costly breaches.
Building a secure future with zero trust
While implementing zero trust architecture requires careful planning and investment, I'm confident that the benefits outweigh the challenges. Go all in and do it right:
- Conduct a security assessment: Evaluate your existing security posture and identify areas where trust is implicitly granted. This allows organizations to make informed, risk-based decisions rather than simply following general industry trends. Identifying and prioritizing gaps in your security posture is an ideal way to progress a security program. Skipping an initial security assessment can lead to working from feelings rather than data.
- Identity and Access Management (IAM): Invest in a robust IAM solution that can centrally manage user identities and access privileges. It’s been said that identity is now the perimeter, and I agree. This means that identity is the foundation of security. Hence, having a centralized, robust, and well-managed solution is key. The better defined the users are based on their roles and responsibilities, the better one will be at allocating appropriate rights and privileges and then monitoring for misuse of access rights.
- Multi-Factor Authentication (MFA): Implement MFA to add an extra layer of security to the authentication process. As with IAM, another common adage states hackers no longer hack in, they log in. This is especially true in today’s phishing heyday. Organizations must make it more difficult for attackers by implementing MFA to protect their data and their environment. Luckily, most users are acquainted with this practice since most social media and financial institutions have normalized MFA.
- Microsegmentation: Divide the network into smaller segments with granular access controls to further limit the potential impact of a breach. This can be done through the same access policies that act as a connection broker. Along with IAM, this can be an amazing foundation to protect an organization. By restricting access and segmenting network communication lines, the blast radius can be confined to a single device or even a single application. We may not be able to stop every occurrence of malicious activity, but we can limit the consequences.
- Data protection (DP): Implement DP solutions like data loss prevention (DLP) to prevent sensitive data from being exfiltrated. As we enter a world powered by AI/ML, this will become even more important. If data is the new oil, bad people will attack organizations to get their proverbial hands on data. By implementing controls to protect our data and additional tools to identify the unauthorized extraction of data, we’re building more resilient programs to protect our organization and the data we are entrusted with.
Conclusion
Today’s threat landscape demands a new approach to cybersecurity. ZTA, with its emphasis on continuous verification, context-aware access, and least privilege, provides a more robust and adaptable security framework for the modern organization. By retiring legacy technologies and embracing a zero trust approach, organizations can build a secure foundation for a dynamic future, ensuring "never trust, always verify" becomes the guiding principle for data protection.
After all, people are counting on us to protect the data they are entrusting to us. It’s up to us to keep that trust.
Now, let’s stay safe out there!
Related Articles:
The Lost Art of Visibility, in the World of Clouds
Published: 11/20/2024
Why Application-Specific Passwords are a Security Risk in Google Workspace
Published: 11/19/2024
Top Threat #5 - Third Party Tango: Dancing Around Insecure Resources
Published: 11/18/2024