
The evolving Zero Trust paradigm

Updated: Mar 14, 2023

Zero trust has been making its way into the cybersecurity roadmaps of enterprises, and security professionals are increasingly interested in starting a zero trust journey within their own organizations. Let's explore this evolving paradigm shift.



What is Zero Trust?

It is important to understand that a zero trust architecture is not a product or set of products, but a strategy that enterprises can and should evolve over time. The National Institute of Standards and Technology (NIST), in Special Publication 800-207, describes zero trust as "an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources." Think of zero trust as an active defense that anticipates and reacts to attacks, rather than a static perimeter that is simply assumed to hold.


Zero trust first appeared as an information security model around 2009 at Forrester Research, where analyst John Kindervag described it as the Zero Trust Model. Over time it has gained wide recognition, and the US federal government has directed its agencies to adopt a zero trust architecture (Executive Order 14028, May 2021). The model rests on three principles: never trust a request because of where it comes from (all resources are accessed securely regardless of location), enforce least privilege with strict access control, and inspect and log all traffic.


Our digital environments have become far more dynamic, elastic and complex. Zero trust is more relevant than ever because the stakes are now higher than ever.

A logical question arises: how can an organization move to a zero trust model?




Guidance on Moving Toward the Zero Trust Model


Since zero trust is a strategy with many applications and practices, it can seem overly complicated when viewed from the outside. However, the model is based on simple concepts that can be divided into nine recommendations:

  • Least privilege / "on demand" access: Grant nothing by default. Allow access only to authenticated users who need it for the task at hand, and only for as long as they need it.

  • Verify continuously and work in small units: Access tokens should be short-lived and re-validated on every request rather than trusted for a whole session. Splitting large units of work into smaller ones limits what a single compromise yields and gives detection and response teams smaller, clearer events to work with.

  • Automate and micro-segment the network, workload, and data: Security must be woven into business processes and architecture from the beginning, not added as an afterthought. Network, workloads and data must be isolated and segmented to minimize the blast radius of an incident and speed up containment. Automation should be applied wherever possible, so that segmentation and policy keep pace with change.

  • Protect endpoints: Assume breach: a compromise is a matter of "when", not "if". Never assume a client endpoint is healthy without verifying its posture (for example whether it is managed, patched and disk-encrypted), and send endpoints only the data they need.

  • Validate services: Services should not rely on static credentials or "trusted by default" bindings between components. Instead, align the resource access model with the identity and access management (IAM) strategy across all SaaS providers, API providers and web applications.

  • Redefine enterprise services: Whether a SaaS application is hosted internally or externally, every enterprise tool must be integrated with the enterprise identity framework, so that access can be granted, reviewed and revoked centrally.

  • Secure development practices: Along with immutable infrastructure, two practices that help bring systems into zero trust are a secure software development model (the page's term is SSDM) and a continuous integration / continuous delivery (CI/CD) pipeline, so that every deployed artifact passes through a controlled, repeatable build and test path rather than being changed by hand.

  • Do not trust the network: A company should never assume that being on the network implies trust, even when employees connect through a virtual private network (VPN) to the corporate network. Implement multi-factor authentication (MFA) alongside layered security controls.

  • Think like an attacker: Companies need to think like attackers to understand how they operate. By examining their own systems from an attacker's point of view, organizations can see weaknesses and problems that they might otherwise not have noticed.
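Several of these recommendations (least privilege, continuous token checking, endpoint posture, MFA, and not trusting the network) meet in a policy decision point that evaluates every request. The following Go program is an added example written for this page, not code from the original article or from any product; the policy, device inventory, role names and "step-up" outcome are constructed for illustration, and the device posture map stands in for a hypothetical endpoint-agent feed.

```go
package main

import (
	"fmt"
	"time"
)

// Request carries everything the policy decision point evaluates for one
// access attempt. None of it is trusted because of the network it came from.
type Request struct {
	Subject     string
	Roles       []string
	DeviceID    string
	TokenExpiry time.Time     // short-lived token, re-checked on every request
	MFAAge      time.Duration // time since the subject last passed an MFA challenge
	Resource    string
	Action      string
	Now         time.Time
}

// Device is the posture an endpoint agent reports (hypothetical data source).
type Device struct {
	Managed       bool
	DiskEncrypted bool
}

// Rule grants one role one action on one resource, under conditions on MFA
// freshness and device posture. Anything no rule matches is denied.
type Rule struct {
	Role, Action  string
	MaxMFAAge     time.Duration
	ManagedDevice bool
}

// Decision is "allow", "deny" or "step-up" (allow only after a fresh MFA challenge).
type Decision struct {
	Outcome string
	Reason  string
}

// Constructed sample policy and device inventory for the example.
var policy = map[string][]Rule{
	"payroll-db": {
		{Role: "finance", Action: "read", MaxMFAAge: 8 * time.Hour, ManagedDevice: true},
		{Role: "finance-admin", Action: "write", MaxMFAAge: 15 * time.Minute, ManagedDevice: true},
	},
	"wiki": {
		{Role: "employee", Action: "read", MaxMFAAge: 24 * time.Hour},
	},
}

var devices = map[string]Device{
	"laptop-42": {Managed: true, DiskEncrypted: true},
	"byod-7":    {Managed: false, DiskEncrypted: true},
}

func hasRole(req Request, role string) bool {
	for _, r := range req.Roles {
		if r == role {
			return true
		}
	}
	return false
}

// Decide evaluates one request: token validity first, then the least-privilege
// rule match, then the device and MFA conditions attached to that rule.
func Decide(req Request) Decision {
	if !req.Now.Before(req.TokenExpiry) {
		return Decision{Outcome: "deny", Reason: "access token expired; re-authenticate"}
	}
	for _, rule := range policy[req.Resource] { // unknown resource: no rules, default deny
		if rule.Action != req.Action || !hasRole(req, rule.Role) {
			continue
		}
		if rule.ManagedDevice {
			dev, known := devices[req.DeviceID]
			if !known || !dev.Managed || !dev.DiskEncrypted {
				return Decision{Outcome: "deny", Reason: "device posture does not meet policy for " + req.Resource}
			}
		}
		if req.MFAAge > rule.MaxMFAAge {
			return Decision{Outcome: "step-up", Reason: fmt.Sprintf("MFA older than %s; challenge required", rule.MaxMFAAge)}
		}
		return Decision{Outcome: "allow", Reason: "granted by rule " + rule.Role + ":" + rule.Action}
	}
	return Decision{Outcome: "deny", Reason: "no rule grants " + req.Action + " on " + req.Resource}
}

func main() {
	now := time.Now()
	req := Request{Subject: "alice", Roles: []string{"employee", "finance"}, DeviceID: "laptop-42",
		TokenExpiry: now.Add(10 * time.Minute), MFAAge: 30 * time.Minute,
		Resource: "payroll-db", Action: "read", Now: now}
	fmt.Println(Decide(req)) // allow
	req.DeviceID = "byod-7"
	fmt.Println(Decide(req)) // deny: unmanaged device
	req.DeviceID, req.MFAAge = "laptop-42", 9*time.Hour
	fmt.Println(Decide(req)) // step-up: MFA too old for payroll-db
}
```

Two design points are worth noting. The default is deny: a resource with no rules, or a role with no matching rule, never gets through, so adding access means adding a rule rather than removing an exception. And the conditions are attached to the grant, not to the user: the same person with a fresh MFA on a managed laptop gets "allow", on an unmanaged device gets "deny", and with stale MFA gets "step-up", which a policy enforcement point would turn into a challenge rather than a silent failure.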

As digital technologies become more complex, traditional cybersecurity is losing its hold, leaving many businesses vulnerable. Cyberattacks, which continue to grow in frequency and sophistication, compound the risks of digital transformation.


Businesses of every size and industry can no longer afford to rely on outdated security practices as the impact of cybercrime continues to rise.


The widespread work-from-home model has further exposed the limits of the already outdated perimeter defense model. Even before the COVID-19 pandemic, companies were increasingly turning to bring-your-own-device (BYOD) policies, opening up new entry points to their systems. In the new hybrid work environment it is nearly impossible to succeed with traditional perimeter security, even with mobile device management (MDM) and endpoint protection in place.


Four Models of the Zero Trust Concept

There are four models of the zero trust concept, and they are all similar at a fundamental level: trust nothing by default and verify everything.

  • The identity-centric model: This model is the standard starting point and foundation of all four; businesses can add parts of the other three where appropriate. It is ideal because it consolidates identities to control the entire ecosystem, including partners, customers and employees. Because business transactions involve many requests, prompting for credentials on every one is impractical. Instead, each request is bound to the user's identity, device, service and network context, and multi-factor authentication (MFA) and challenge-response authentication are used to establish and periodically renew that binding.

  • The network-centric model: The basis of this model is that the company creates distributed, multi-level network isolation structures. Building them depends on micro-segmentation: establishing small, well-defined boundaries, typically enforced with next-generation firewalls, that logically extend across the entire enterprise, spanning on-premises and hybrid cloud environments.

  • The workload-centric model: As with the network-centric model, the underlying principle is that everything, especially APIs, is broken down into smaller units that are layered and secured. Workloads, for example, are placed in separate micro-segments on properly configured nodes and run in sandboxes so they can be monitored. Another component is containerization: each workload runs in its own isolated environment rather than sharing one host environment, so an attacker who compromises one container does not automatically reach the rest of the system.

  • The data-centric model: Encryption is vital for confidentiality and tamper protection, but it is only as strong as the key management behind it. In this fourth model, data is broken into smaller units, each labelled with its classification and origin, so the business knows what data enters the system and where it comes from, and each unit is protected under its own key. An attacker then has to obtain the key for every single unit they reach, rather than gaining unlimited access to everything.
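The data-centric model in concrete terms: each unit gets its own key, its label is cryptographically bound to it, and the key is released only to a caller cleared for that label. The following Go program is an added example written for this page, not code from the original article; the master key, record labels, clearance strings and sample records are constructed, and the HMAC-SHA256 derivation of per-record keys is a stand-in for a KMS data-key request or HKDF in a real deployment.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Record is one unit of data. Its ID and classification label travel with the
// ciphertext and are bound to it as associated data, so a label cannot be
// swapped for a less sensitive one without the decryption failing.
type Record struct {
	ID, Label  string
	Nonce      []byte
	Ciphertext []byte
}

// recordKey derives a distinct AES-256 key for one record from the master key
// (the key-encryption key a KMS or HSM would hold). HMAC-SHA256 over the label
// and ID is a stand-in here for a KMS data-key request or HKDF; what matters
// is that every unit has its own key and the master key never touches data.
func recordKey(master []byte, label, id string) []byte {
	mac := hmac.New(sha256.New, master)
	mac.Write([]byte("record-key\x00" + label + "\x00" + id))
	return mac.Sum(nil) // 32 bytes
}

func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func aad(label, id string) []byte { return []byte(label + "\x00" + id) }

// Seal encrypts one unit under its own key with AES-256-GCM.
func Seal(master []byte, label, id string, plaintext []byte) (Record, error) {
	gcm, err := aead(recordKey(master, label, id))
	if err != nil {
		return Record{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return Record{}, err
	}
	return Record{ID: id, Label: label, Nonce: nonce,
		Ciphertext: gcm.Seal(nil, nonce, plaintext, aad(label, id))}, nil
}

// Open is the key-release policy: the record's key is derived only when the
// caller holds a clearance for the record's label. Compromising one record's
// key therefore exposes that unit alone.
func Open(master []byte, rec Record, clearances []string) ([]byte, error) {
	cleared := false
	for _, c := range clearances {
		if c == rec.Label {
			cleared = true
		}
	}
	if !cleared {
		return nil, errors.New("access denied: no clearance for label " + rec.Label)
	}
	gcm, err := aead(recordKey(master, rec.Label, rec.ID))
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, rec.Nonce, rec.Ciphertext, aad(rec.Label, rec.ID))
	if err != nil {
		return nil, errors.New("integrity check failed: ciphertext, label or ID was altered")
	}
	return pt, nil
}

func main() {
	master := make([]byte, 32) // constructed for the example; in production this lives in a KMS
	if _, err := io.ReadFull(rand.Reader, master); err != nil {
		panic(err)
	}
	rec, err := Seal(master, "pii", "emp-1001", []byte("ssn=123-45-6789")) // constructed sample record
	if err != nil {
		panic(err)
	}
	for _, clearance := range [][]string{{"pii"}, {"finance"}} {
		pt, err := Open(master, rec, clearance)
		fmt.Printf("clearance %v: plaintext=%q err=%v\n", clearance, pt, err)
	}
}
```

The point to check in practice is the relabel attack: a caller cleared for "pii" who takes a "finance" record and rewrites its label to "pii" passes the clearance check, but the derived key and the associated data both change, so the GCM tag fails and nothing is released. That is what binding the label into the cryptography, rather than storing it as a loose attribute, buys you.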

Most companies combine all four models into what is called the zero trust hybrid approach. Cyber-attacks will become more common and even more costly, so companies must bring the same flexibility to their security architecture as they do to their business. By accepting that nothing can be 100% secure, and by adopting a zero trust mindset, security teams raise the level of protection for the business, from customers to employees and ultimately to the bottom line.

 
 
 
