Recently, the concept of zero trust architecture as a cybersecurity practice has come into sharp focus following President Joe Biden’s executive order for all arms of the federal government to begin adopting and implementing zero trust policies.
This federal mandate set the precedent for government entities and private organizations alike to begin taking the concept of zero trust seriously. But what is zero trust, and how is it different from the cybersecurity measures already in place for most organizations? Simply put, zero trust architecture is a security method that requires all users of a given network to be continuously authenticated, validated and authorized in order to access that network’s data and tools. No devices or users are automatically trusted to gain access to the network, hence the name “zero trust.”
As a security author for Pluralsight and a cyber threat hunter on the Mission Defense Team for the Florida National Guard, I know firsthand the power of a strong cybersecurity program. That’s why I’m so passionate about employing effective security practices. Here’s a bit about the zero trust philosophy, concepts and how your organization can begin integrating the practices of zero trust into your cybersecurity strategy.
The zero trust origin
Though the term zero trust was first coined in a Forrester research report in 2010 by John Kindervag, the concept itself has deeper roots. The approach stemmed from a need to update the long standing perimeter-based network security model. The perimeter approach assumed that any user inside the boundaries of a corporate network was a “trusted” user, able to access network data without multi-factor authentication. Those who were outside of the network were considered “untrusted” users.
As cyber threats became more and more sophisticated, the general consensus in the cybersecurity community changed to eliminate the idea that any user can truly be trusted.
As the old adage “the best defense is a good offense” suggests, zero trust architecture emerged as a response to growing cyber threats, taking an active role in combating threats from every possible vantage point.
Today, the zero trust approach to cybersecurity is gaining traction with both government and private entities. Now, let’s dive a bit deeper into the security foundation behind zero trust architecture.
Core concepts of zero trust
There are four key concepts that I like to highlight whenever I’m discussing zero trust:
- Assume the network is hostile;
- know that your environment contains active threats;
- always authenticate and authorize every user, device, and network flow; and finally
- ensure that network policies are dynamic and calculated from multiple telemetry sources.
I’ll go into each of these principles in a bit more detail.
The first principle — assume the network is hostile — is possibly the most central concept to the zero trust ethos. Firewalls or intrusion detection devices have traditionally separated the “trusted” internal network from the “untrusted” internet. These devices can restrict control for simple things like IP addresses, ports or even services. The trust is then attributed to anything embedded in the network. As cybersecurity threats have become increasingly complex, bad actors are excellent at bypassing these simple controls and gaining this attributed trust. Once inside, lateral movement can be completely unimpeded.
Second, it’s always safest to assume that your environment contains threats. Major breaches are still a risk even if your environment has extensive defensive measures in place. This emphasizes the need for continued monitoring and analysis of network artifacts. Additionally, never assume networks are low risk, thus requiring little protection, or that vendor solutions spouting machine learning and artificial intelligence will solve all your problems.
Third, there is never a scenario in which a device or user should not be authenticated before entering your network. This extends beyond simple authentication and can be implemented using the Kipling method. This means asking the who, what, when, where, why and how for everything. This will ensure you have the tools or data to see and restrict this information.
Finally, it’s crucial to remember that network policies are dynamic. A fully functioning zero trust policy cannot be implemented in a single day. This requires continued analysis of a changing network, implementation of new controls, and a continuous inventory plan to identify the necessary applications, assets and services within a network. As environments evolve, your implementation needs to evolve with it.
Implementing zero trust
There is no simple way to go about implementing zero trust infrastructure within your organization. However, the hardest part may be driving the cultural change that forces different departments to share and coordinate information, sealing the cracks for potential cyber threats. In fact, research suggests that as few as 10% of organizations have technologies in place to implement zero trust, despite nearly 50% of cybersecurity professionals actively researching how to implement the practice.
Despite these challenges, there are a few ways that you can go about implementing zero trust. The first way is to be aware of the cybersecurity practices you already have in place, and to take inventory of the data that you need to protect. Doing a thorough analysis of your network will likely reveal places where your perimeter has weaknesses, allowing you to adjust those based on zero trust policies.
Next, it’s important to begin implementing policies that align with zero trust one by one. This may look like putting MFA into place for all of your employees, employing some sort of mobile device management system, or experimenting with your existing network tools to see what security improvements can be made. Finally, it’s crucial to put a coordinated, actionable plan in place to keep the zero trust architecture running like a well-oiled machine. Good zero trust architecture should be as seamless and uniform as possible, even if it takes some iterating to get there.
In today’s digital environment, cybersecurity threats are a chief concern among governments and private organizations. According to research from CompTIA’s 2021 State of Cybersecurity report, cybersecurity is at the top of the list for business leaders to focus on in the coming years.
Anxiety over cybersecurity threats isn’t only plaguing organizations, it’s causing consumers to question the integrity of data and technology writ large. According to Forbes, trust in tech and data is one of the largest challenges facing the tech industry.
The cost of not implementing good security practices is evident by looking at the growing number of data breaches and ransomware that plague every organization. In the face of this uncertainty around the future of cybersecurity, it’s crucial to begin setting Zero trust architecture into motion to stop cyber threats from ever penetrating your network.
Brandon DeVault is a Pluralsight author for cybersecurity courses, and a member of the Florida Air National Guard.