Never trust, always verify
Operating in a cloud environment is essential for organizations looking to improve accessibility, flexibility and scalability. Yet the cloud also presents new challenges when it comes to securing your network, data and applications. Read on to learn why there’s so much buzz about zero trust networks and how this approach to securing your enterprise IT environment warrants serious consideration.
Zero trust, defined
Whether your network is on-premises, in the cloud or a combination of both, zero trust security is all-encompassing. Initially intended to prevent attacker lateral movement by isolating applications from one another, zero trust has evolved into an architecture that provides protection at every network touchpoint.
Zero trust is “a network security architecture that relies on authenticating all users and verifying all devices before granting access to resources, regardless of where any of the latter may be located, and which relies on micro-segmentation to grant access to only those specific resources to which users are permitted according to policy.” (definition from 451 Research S&P Global Market Intelligence)
Key principles of zero trust networking include:
Authenticate – Require multi-factor authentication, so that a user must present at least two pieces of evidence to gain access to a digital resource, and enforce authentication dynamically and continuously rather than once at login.
Authorize – Grant access based on all available data points, such as user identity, location, device, application or workload, data classification and other factors.
Control access – Enforce the principle of “least privilege” by using just-in-time (JIT) and just-enough-access (JEA) policies and data protection to secure data and workloads.
Encrypt – Segment access by network, user, device and application and encrypt all sessions end-to-end.
Continuous Improvement – Monitor the current state of network assets, infrastructure and connections to ensure data and other organizational resources are secure and to improve the security posture of the network.
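The principles above are easier to reason about when written as a policy decision point that every request must pass. The following is an added example, not code from the original article or from any product it mentions: a small Python policy engine in which the default answer is deny, MFA and authentication freshness are re-checked on every request, authorization combines identity, device posture, location and data classification, writes require a time-boxed just-in-time grant, every session must be encrypted in transit, and each decision is logged for review. All users, devices, resources, zones and time limits are constructed for illustration.

```python
"""Added example: a toy zero-trust policy decision point (PDP).
Every record below (users, devices, resources, limits) is constructed
for illustration and does not describe any real product or API."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class Session:
    user: str
    auth_factors: frozenset            # e.g. {"password", "totp"}
    authenticated_at: datetime         # last successful authentication
    device_id: str
    source_country: str
    tls: bool                          # is the session encrypted end-to-end?
    grants: dict = field(default_factory=dict)   # resource -> JIT grant expiry


# Constructed device inventory: device id -> posture facts reported by an agent
DEVICES = {
    "laptop-01": {"managed": True, "disk_encrypted": True, "patched": True},
    "byod-07": {"managed": False, "disk_encrypted": False, "patched": True},
}

# Constructed resource catalogue: classification and roles allowed to reach it
RESOURCES = {
    "payroll-db": {"classification": "restricted", "roles": {"finance"}},
    "wiki": {"classification": "internal", "roles": {"finance", "engineering"}},
}

USER_ROLES = {"alice": {"finance"}, "bob": {"engineering"}}
TRUSTED_COUNTRIES = {"CA", "US"}        # constructed policy value
MAX_AUTH_AGE = timedelta(minutes=15)    # continuous re-authentication window
JIT_GRANT_TTL = timedelta(minutes=30)   # just-in-time write access expires

DECISION_LOG = []                       # feeds the "monitor" principle


def evaluate(session, resource, action, now):
    """Return (allowed, reason). Default is deny; every check must pass."""
    allowed, reason = _decide(session, resource, action, now)
    DECISION_LOG.append((now.isoformat(), session.user, resource, action, allowed, reason))
    return allowed, reason


def _decide(session, resource, action, now):
    res = RESOURCES.get(resource)
    if res is None:
        return False, "unknown resource"
    # Encrypt: never evaluate a request that arrived over a cleartext session
    if not session.tls:
        return False, "session not encrypted"
    # Authenticate: MFA and a fresh authentication, re-checked on every request
    if len(session.auth_factors) < 2:
        return False, "MFA required"
    if now - session.authenticated_at > MAX_AUTH_AGE:
        return False, "authentication expired; re-authenticate"
    # Authorize: combine identity, device posture, location and classification
    device = DEVICES.get(session.device_id)
    if device is None or not device["managed"]:
        return False, "unmanaged device"
    if res["classification"] == "restricted":
        if not device["disk_encrypted"]:
            return False, "restricted data needs an encrypted device"
        if session.source_country not in TRUSTED_COUNTRIES:
            return False, "restricted data not accessible from this location"
    if not USER_ROLES.get(session.user, set()) & res["roles"]:
        return False, "role not permitted"
    # Control access: least privilege, writes only under an unexpired JIT grant
    if action == "write":
        expiry = session.grants.get(resource)
        if expiry is None or expiry < now:
            return False, "no active JIT grant for write"
    return True, "allowed"


def grant_jit(session, resource, now):
    """Record a time-boxed write grant (just-in-time, just-enough access)."""
    session.grants[resource] = now + JIT_GRANT_TTL
    return session.grants[resource]


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    alice = Session("alice", frozenset({"password", "totp"}), t0, "laptop-01", "CA", True)
    print(evaluate(alice, "payroll-db", "read", t0))
    print(evaluate(alice, "payroll-db", "write", t0))
    grant_jit(alice, "payroll-db", t0)
    print(evaluate(alice, "payroll-db", "write", t0 + timedelta(minutes=5)))
    for entry in DECISION_LOG:
        print(entry)
```

The point of the structure is that a request is never pre-trusted: the checks run in the same order on the first and the thousandth request, and the expiry values force both re-authentication and re-authorization over time.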
Zero trust is pervasive. Traditional approaches are not
“Trust first, ask questions later” – that’s the premise on which traditional network security is based. This approach focuses on protecting resources inside the network perimeter from external threats. But the downfall of a traditional cybersecurity model is this: it automatically trusts users and endpoints within the network, exposing the organization to malicious internal actors who can wreak havoc by gaining far-reaching, unauthorized access. Traditional network management is largely manual and security policies are predominantly static, resulting in limited visibility into evolving threats.
As more and more organizations migrate to the cloud, traditional network security is fast fading into obsolescence and being replaced by a zero trust approach.
Unlike traditional network security, zero trust knows no boundaries. Instead, it’s based on the premise “never trust, always verify”. Micro-segmentation is an effective practice used in zero trust networks, where small, isolated zones are created to allow access to only those users and devices with authorization for a specific business purpose. For example, workloads in a cloud environment or physical data center can be separated into zones to bolster regulatory compliance and prevent breaches.
Another way zero trust differs from traditional network security practices is policy management. As stated earlier, static security policies are the norm in a traditional model; in zero trust, enforcement relies on real-time visibility into user credentials, with all access requests vetted continuously.
Key considerations for implementing a zero trust network
This high-level framework will give you an idea of what’s involved in implementing a zero trust security model:
- Define your protect surface – Identify sensitive data, assets, applications and services.
- Map the transaction flows – Gain insight and document how traffic moves across a network and how specific resources interact with each other.
- Architect a zero trust network – This is not a one-size-fits-all exercise. Your zero trust network will be custom-designed to fit around the protect surface you defined in step #1.
- Create zero trust practices and policies – Implement preventative measures such as multi-factor authentication, micro-segmentation and least privilege principles to guard against unauthorized access.
- Monitor and maintain – Continuously inspect, analyze and log all traffic and data and design a clear action plan for anomalies.
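The five steps above, and the micro-segmentation described earlier, can be walked through end to end in a few dozen lines. The following is an added example and not code from the original article: a constructed protect surface (step 1) and a constructed list of documented transaction flows (step 2) are turned into zone-to-zone segmentation rules (steps 3 and 4) with a default-deny stance, and a handful of constructed flow-log lines are then checked against those rules so that any undocumented flow surfaces as an anomaly for the action plan (step 5). Workload names, zone names, ports and log lines are all invented for illustration.

```python
"""Added example: protect surface -> flow map -> default-deny segmentation
policy -> anomaly detection over flow logs. All names and records are
constructed for illustration."""

# Step 1: define the protect surface (constructed): sensitive workloads -> zone.
# Anything not listed here is treated as untrusted.
PROTECT_SURFACE = {
    "web-proxy": "zone-edge",
    "payroll-app": "zone-finance-app",
    "payroll-db": "zone-finance-data",
}
UNTRUSTED = "zone-untrusted"

# Step 2: the transaction flows that were observed and documented (constructed).
# Format: (source workload, destination workload, destination port, protocol)
DOCUMENTED_FLOWS = [
    ("web-proxy", "payroll-app", 443, "tcp"),
    ("payroll-app", "payroll-db", 5432, "tcp"),
]


def zone_of(surface, workload):
    """Map a workload to its segment; unknown workloads land in the untrusted zone."""
    return surface.get(workload, UNTRUSTED)


def build_policy(surface, flows):
    """Steps 3 and 4: derive an allow-list of (src_zone, dst_zone, port, proto).
    Only documented flows are permitted; everything else is denied by default."""
    policy = set()
    for src, dst, port, proto in flows:
        policy.add((zone_of(surface, src), zone_of(surface, dst), port, proto))
    return policy


def is_allowed(policy, surface, src, dst, port, proto):
    """Default deny: a flow passes only if its zone pair, port and protocol match a rule.
    Flows within the same zone are not implicitly trusted either."""
    return (zone_of(surface, src), zone_of(surface, dst), port, proto) in policy


# Step 5: monitor. Constructed flow-log lines in a simple key=value format.
FLOW_LOG = """\
2024-03-01T10:00:01Z src=web-proxy dst=payroll-app dport=443 proto=tcp
2024-03-01T10:00:02Z src=payroll-app dst=payroll-db dport=5432 proto=tcp
2024-03-01T10:00:03Z src=web-proxy dst=payroll-db dport=5432 proto=tcp
2024-03-01T10:00:04Z src=dev-box dst=payroll-db dport=22 proto=tcp
2024-03-01T10:00:05Z src=payroll-app dst=payroll-db dport=22 proto=tcp
"""


def parse_flow_line(line):
    """Parse one constructed log line into (timestamp, src, dst, port, proto)."""
    timestamp, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    return timestamp, fields["src"], fields["dst"], int(fields["dport"]), fields["proto"]


def find_anomalies(policy, surface, log_text):
    """Return every logged flow the segmentation policy would not permit.
    Each entry is (timestamp, src, dst, port, proto, src_zone, dst_zone)."""
    anomalies = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, proto = parse_flow_line(line)
        if not is_allowed(policy, surface, src, dst, port, proto):
            anomalies.append((ts, src, dst, port, proto, zone_of(surface, src), zone_of(surface, dst)))
    return anomalies


if __name__ == "__main__":
    policy = build_policy(PROTECT_SURFACE, DOCUMENTED_FLOWS)
    for rule in sorted(policy):
        print("ALLOW", rule)
    for anomaly in find_anomalies(policy, PROTECT_SURFACE, FLOW_LOG):
        print("ANOMALY", anomaly)
```

Two of the three anomalies in the constructed log are the interesting ones for a zero trust review: a flow that skips a tier (the edge proxy talking straight to the database) and a flow on an undocumented port between two workloads that are otherwise allowed to talk. Both would be invisible to a perimeter-only model, because every endpoint involved is already "inside".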
If you are planning a cloud adoption initiative, but have concerns regarding data security and compliance, reach out to our Advisory team. Our Advisory practice offers a range of consulting services that will help build your cloud strategy and support the development of governance, security, and compliance policies.