What is Zero Trust Security?
Published 09/29/2023
Written by the CSA Zero Trust Working Group.
Zero Trust, as defined by NIST in SP 800-207, is a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least-privilege, per-request access decisions in information systems and services in the face of a network viewed as compromised. In other words, network location is no longer a trust signal: every request is evaluated on its own merits. Here are 11 guiding principles to follow as you journey into the realm of Zero Trust security.
1. Begin with the End in Mind
Zero Trust is a modern approach that breaks away from the old model of assuming good actors are inside the network and bad actors are outside. Today, organizations operate in an ecosystem that is distributed and, quite often, global. Zero Trust aligns the security architecture with a distributed workforce and technology model that has no meaningful inside or outside. Beginning with the end in mind means having a clear vision of your desired direction and destination, so that you realize results faster and avoid the burnout that comes from an open-ended program.
2. Do Not Overcomplicate
The Zero Trust model does not have to be complex. Security controls that are preventative, detective, and corrective (or reactive) form the basis of the Zero Trust principles. These controls include:
- Least-privilege access (preventative)
- Separation of duties (preventative)
- Segmentation (preventative)
- Logging and monitoring (detective)
- Configuration drift remediation (corrective/reactive)
3. Products Are Not the Priority
Zero Trust security is a strategy built on people, processes, and organization rather than on technology. Prioritize these aspects for a stronger long-term strategy; products should be selected to serve the strategy, not define it.
4. Access is a Deliberate Act
The Zero Trust model stops treating the physical or network perimeter as a proxy for trust, adapting to a global, remote, and technology-driven landscape. It relies on precise identification of the requesting user, so identity verification must happen before, and as a condition of, every access authorization. Access decisions now belong to the business owners of the data and systems, with IT acting as custodians who implement and enforce them.
5. Inside Out, Not Outside In
With Zero Trust, instead of asking “What are we trying to defend against?”, ask “What are we trying to protect?” Legacy security models rely on a strong outer perimeter and presume that anyone inside it is good and anyone outside it is bad. With de-perimeterization progressing over the last several years, more people and assets now sit outside the perimeter than inside it, so the perimeter tells you little about what actually needs protecting.
6. Breaches Happen
Presuming 100% protection against data breaches is unrealistic; Zero Trust assumes a breach has already happened or will happen. It verifies identities before granting access to assets and focuses on resilience, not just prevention. Segmentation and micro-segmentation reduce the impact of an incident by restricting lateral movement, so a compromised account or host cannot reach everything the network can reach.
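The following is an added example, not code from CSA or from the Zero Trust Guiding Principles publication. It shows what principles 2, 4 and 6 look like as a single per-request access decision: deny by default, verify the identity before authorizing anything, grant only the action a role explicitly allows (least privilege), refuse self-approval (separation of duties), and refuse requests whose source segment is not allowed to reach the asset's segment (segmentation). The identities, roles, assets, segment map and the device-compliance field are all constructed for illustration; the policy tables stand in for decisions the business owners of each asset would make, with IT enforcing them.

```python
"""Added example: a minimal per-request policy decision point (PDP).

Every request is evaluated on its own, denied unless an explicit rule allows
it, scoped to the least privilege a role grants, checked for separation of
duties, and confined to the segment the asset lives in. All names below are
constructed for illustration, not taken from any product or organization.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Identity:
    user: str
    roles: FrozenSet[str]
    mfa_verified: bool        # identity verification happened before authorization
    device_compliant: bool    # device posture as extra per-request context (assumed input)


@dataclass(frozen=True)
class Asset:
    name: str
    segment: str              # network/workload segment the asset lives in


@dataclass(frozen=True)
class Request:
    identity: Identity
    asset: Asset
    action: str               # e.g. "read", "write", "approve"
    source_segment: str       # where the request originates
    created_by: Optional[str] = None  # for "approve": who created the item being approved


# Policy as the asset owners would write it; IT enforces it. role -> asset -> allowed actions.
POLICY = {
    "payroll-analyst": {"payroll-db": {"read"}},
    "payroll-manager": {"payroll-db": {"read", "write", "approve"}},
    "dev": {"ci-runner": {"read", "write"}},
}

# Segmentation: which source segments may reach which asset segments (constructed).
SEGMENT_ADJACENCY = {
    "corp-vpn": {"finance", "dev"},
    "finance": {"finance"},
    "dev": {"dev"},
    "guest-wifi": set(),
}


def decide(req: Request) -> Tuple[bool, str]:
    """Return (allowed, reason). Default deny: every check must pass."""
    ident, asset = req.identity, req.asset

    # 1. Verify who is asking before authorizing anything (principle 4).
    if not ident.mfa_verified:
        return False, "identity not verified (MFA required)"
    if not ident.device_compliant:
        return False, "device posture non-compliant"

    # 2. Segmentation: the source must be allowed to reach the asset's segment (principle 6).
    if asset.segment not in SEGMENT_ADJACENCY.get(req.source_segment, set()):
        return False, f"segment {req.source_segment} cannot reach {asset.segment}"

    # 3. Least privilege: some role held by the identity must grant this exact action.
    granted = set()
    for role in ident.roles:
        granted |= POLICY.get(role, {}).get(asset.name, set())
    if req.action not in granted:
        return False, f"no role grants '{req.action}' on {asset.name}"

    # 4. Separation of duties: nobody approves their own change.
    if req.action == "approve" and req.created_by == ident.user:
        return False, "separation of duties: cannot approve own change"

    return True, "allowed"


if __name__ == "__main__":
    analyst = Identity("alice", frozenset({"payroll-analyst"}), True, True)
    manager = Identity("bob", frozenset({"payroll-manager"}), True, True)
    payroll = Asset("payroll-db", "finance")
    for r in (
        Request(analyst, payroll, "read", "corp-vpn"),
        Request(analyst, payroll, "write", "corp-vpn"),
        Request(manager, payroll, "approve", "corp-vpn", created_by="bob"),
        Request(manager, payroll, "read", "guest-wifi"),
    ):
        print(r.identity.user, r.action, r.source_segment, "->", decide(r))
```

Note that the checks are ordered so that the cheapest and most decisive denials come first, and that there is no code path returning "allowed" except the one at the end, after every check has passed; that single exit is what makes the default-deny property easy to audit.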
7. Understand Your Risk Appetite
Risk appetite sets the level of risk an organization is willing to accept. The CIA Triad is a fundamental information security model for assessing the potential harm to an asset, expressed as the loss of one or more of three properties:
- Confidentiality: The property that information is not made available or disclosed to unauthorized individuals, entities, or processes.
- Integrity: The property that data has not been altered or destroyed in an unauthorized manner.
- Availability: The property of being accessible and usable upon demand by an authorized entity.
8. Ensure the Tone from the Top
The Zero Trust model requires organization-wide collaboration. An executive sponsor from the Board of Directors or senior leadership is essential, so that the program carries a mandate that cuts across IT, security, and the business units that own the data.
9. Instill a Zero Trust Culture
Zero Trust security is a shared responsibility that extends beyond IT and the CISO. Embed Zero Trust principles in training so that every employee contributes to the organization's cyber resilience.
10. Start Small and Focus on Quick Wins
Leadership support is easier to obtain when you start with a small, low-cost pilot project that showcases the shift in security and the value it delivers. Taking on too much at once, or aiming for a bigger win that takes longer, can mire the project and cause the organization to associate its Zero Trust efforts with failure rather than success.
11. Monitor Continuously
Bad actors often compromise the accounts of valid users, and malicious insiders often attempt to exceed their privileges, so it is important to log and monitor events: a valid credential used in an unusual way is frequently the only signal of a breach. Monitoring and maintaining a Zero Trust infrastructure involves regularly auditing access privileges, continuously monitoring network behavior, keeping security patches up to date, conducting risk assessments, and reinforcing user security awareness.
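As an added example (not CSA's code, and not tied to any product), here are three of the monitoring checks principle 11 calls for, run over constructed access-log lines such as a per-request policy engine might emit: repeated denials that suggest an account probing for privileges it does not hold, allowed access from a device not enrolled for that user (an account-takeover signal), and standing grants that have not been exercised for a long time, which a regular privilege audit should flag for revocation. The log format, field names, device inventory, grant table, thresholds and the reference "now" are all assumptions made for the illustration.

```python
"""Added example: three continuous-monitoring checks over a constructed
access log. Log schema, device inventory, grants and thresholds are assumed
for illustration and are not any product's format.
"""
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample log: one JSON object per line, one line per access decision.
SAMPLE_LOG = """\
{"ts":"2024-05-01T09:02:11Z","user":"alice","device":"lt-0419","resource":"payroll-db","action":"read","decision":"allow"}
{"ts":"2024-05-01T09:05:40Z","user":"alice","device":"lt-0419","resource":"payroll-db","action":"write","decision":"deny"}
{"ts":"2024-05-01T09:05:52Z","user":"alice","device":"lt-0419","resource":"payroll-db","action":"write","decision":"deny"}
{"ts":"2024-05-01T09:06:03Z","user":"alice","device":"lt-0419","resource":"payroll-db","action":"approve","decision":"deny"}
{"ts":"2024-05-01T22:14:09Z","user":"bob","device":"unknown-7c2","resource":"payroll-db","action":"read","decision":"allow"}
{"ts":"2024-05-01T10:30:00Z","user":"carol","device":"lt-0502","resource":"ci-runner","action":"read","decision":"allow"}
"""

# Device inventory (constructed): enrolled devices each user normally authenticates from.
KNOWN_DEVICES = {"alice": {"lt-0419"}, "bob": {"lt-0377"}, "carol": {"lt-0502"}}

# Standing grants to audit (constructed): (user, resource, action) -> date granted.
GRANTS = {
    ("alice", "payroll-db", "read"): "2024-01-15",
    ("bob", "payroll-db", "read"): "2023-11-02",
    ("carol", "ci-runner", "read"): "2024-03-20",
    ("carol", "ci-runner", "write"): "2023-09-01",   # never exercised in the log
}

# Assumed reference time for the audit, so the example is deterministic.
AUDIT_NOW = datetime(2024, 5, 2, tzinfo=timezone.utc)


def parse_log(text):
    """Parse JSON lines into dicts with a timezone-aware datetime in 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return events


def escalation_attempts(events, threshold=3):
    """Users with at least `threshold` denied requests: a valid account
    repeatedly asking for privileges it does not hold (insider or takeover)."""
    denies = Counter(ev["user"] for ev in events if ev["decision"] == "deny")
    return {user: n for user, n in denies.items() if n >= threshold}


def unknown_device_access(events, known=KNOWN_DEVICES):
    """Allowed accesses from a device not enrolled for that user."""
    return [
        (ev["user"], ev["device"], ev["resource"])
        for ev in events
        if ev["decision"] == "allow" and ev["device"] not in known.get(ev["user"], set())
    ]


def stale_grants(events, grants=GRANTS, now=AUDIT_NOW, max_idle_days=90):
    """Standing privileges not exercised within `max_idle_days`: candidates for
    revocation in the periodic access-privilege audit. A grant never seen in
    the log is measured from the date it was granted."""
    last_used = {}
    for ev in events:
        if ev["decision"] == "allow":
            key = (ev["user"], ev["resource"], ev["action"])
            last_used[key] = max(last_used.get(key, ev["ts"]), ev["ts"])
    stale = []
    for key, granted_on in grants.items():
        ref = last_used.get(key) or datetime.fromisoformat(granted_on).replace(tzinfo=timezone.utc)
        if now - ref > timedelta(days=max_idle_days):
            stale.append(key)
    return sorted(stale)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("escalation attempts:", escalation_attempts(evs))
    print("unknown device access:", unknown_device_access(evs))
    print("stale grants:", stale_grants(evs))
```

In a real deployment the deny counter would be windowed in time and the device inventory would come from the identity provider or MDM, but the shape of the checks is the same: each one turns a log stream plus an inventory into a short list of accounts or grants that a human should look at.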
For more details about these 11 principles and how to get started on your Zero Trust journey, check out CSA's Zero Trust Guiding Principles publication.
To develop and demonstrate an in-depth understanding of Zero Trust, consider earning CSA’s Certificate of Competence in Zero Trust (CCZT).