The next step in cybersecurity: ‘Zero Trust’

Once, we navigated the digital world on a “trust but verify” policy. Companies had perimeter security controls (e.g., a firewall) to safeguard their network and data, and once traffic cleared that single checkpoint or “border wall,” it could freely communicate within the network without further checks. This worked well, for a time. But as the internet and networking became more convoluted, distributed, and innately riskier — especially with the cloud migration — companies couldn’t just rely on a gateway guard and one-time validations any longer. Our modern explosion of devices and complex web of interconnected networks demand much savvier and more reliable security controls — when it became a zero-trust world, we adopted a zero-trust philosophy.

Zero trust is a concept and security framework introduced by Forrester Research years ago: “Never trust, always verify.” To achieve zero trust security, there are three guiding principles, as outlined by software company Varonis:

  1. Require secure and authenticated access to all resources: Authenticate and verify all attempts to access the network, assuming they are threats until proven otherwise.
  2. Adopt a least-privilege model and enforce access control: Limit user access to only the access each needs to do their job, thereby limiting the scope of a potential breach.
  3. Inspect and log all activities using data security analytics: Introduce proper individualized baselines per user account that will detect abnormal behaviors based on perimeter telemetry, data access, and user account behavior.

In short, zero trust requires all users, within and outside a network (be it local, in the cloud, or hybrid), to be authenticated, authorized and validated continuously for security configuration and posture before being given (or retaining) access to applications and data. To verify user identity and uphold the network’s security, this framework relies on advanced technologies — such as multifactor authentication, identity protection, endpoint security technology, etc. — to achieve real-time visibility into user credentials and attributes. This added layer of protection becomes even more essential as companies increase their network endpoints, expand their infrastructure, and are exposed to increasingly sophisticated attacks by rogue (insider or compromised) credentials.
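To make the three principles concrete, here is an added example (not from the article, Forrester, or Varonis) of a minimal policy decision point that treats every request the same way: it verifies the presented token, MFA status and device posture (principle 1), applies a least-privilege role table (principle 2), and logs every decision while comparing the request against the user's own baseline of previously seen resource and source-address pairs (principle 3). The signing key, role table, user names and IP addresses are constructed for the demonstration, and the HMAC token stands in for whatever an identity provider would actually issue.

```python
"""Added example: a minimal zero-trust policy decision point (PDP).
Every request is authenticated, authorized against least-privilege policy,
logged, and compared to the user's own behavioral baseline."""
from collections import defaultdict
from dataclasses import dataclass
import hashlib
import hmac

# Constructed demo key. A real deployment verifies tokens with the identity
# provider's signing keys, never a shared secret embedded in code.
SIGNING_KEY = b"demo-signing-key-not-for-production"

# Hypothetical least-privilege policy: role -> resource -> allowed actions.
ROLE_PERMISSIONS = {
    "analyst": {"reports": {"read"}},
    "admin": {"reports": {"read", "write"}, "users": {"read", "write"}},
}
USER_ROLES = {"alice": "analyst", "bob": "admin"}  # constructed users


@dataclass(frozen=True)
class AccessRequest:
    user: str
    token: str              # bearer token presented with *every* request
    mfa_verified: bool      # identity-provider attribute: MFA done for this session
    device_compliant: bool  # endpoint posture attribute from device management
    resource: str
    action: str
    source_ip: str


def issue_token(user: str) -> str:
    """Stand-in for an identity provider: an HMAC over the user name."""
    return hmac.new(SIGNING_KEY, user.encode(), hashlib.sha256).hexdigest()


def verify_token(user: str, token: str) -> bool:
    """Constant-time comparison so the check does not leak timing information."""
    return hmac.compare_digest(issue_token(user), token)


class ZeroTrustPDP:
    """Authenticate, authorize, and log every request; no implicit network trust."""

    def __init__(self) -> None:
        self.audit_log = []
        # Per-user baseline of (resource, source_ip) pairs seen on allowed requests.
        self.baseline = defaultdict(set)

    def evaluate(self, req: AccessRequest) -> dict:
        allowed, reason = False, "ok"

        # Principle 1: verify identity, MFA and device posture on each request.
        if not verify_token(req.user, req.token):
            reason = "invalid token"
        elif not req.mfa_verified:
            reason = "mfa required"
        elif not req.device_compliant:
            reason = "device posture failed"
        else:
            # Principle 2: least privilege, the role may do only what policy lists.
            role = USER_ROLES.get(req.user)
            permitted = ROLE_PERMISSIONS.get(role, {}).get(req.resource, set())
            if req.action in permitted:
                allowed = True
            else:
                reason = f"role {role!r} may not {req.action} {req.resource}"

        # Principle 3: compare against this user's own baseline. An allowed request
        # from a never-seen (resource, ip) pair is flagged for review or step-up auth.
        seen = self.baseline[req.user]
        key = (req.resource, req.source_ip)
        anomalous = bool(seen) and key not in seen
        if allowed:
            seen.add(key)

        decision = {
            "user": req.user, "resource": req.resource, "action": req.action,
            "source_ip": req.source_ip, "allowed": allowed, "reason": reason,
            "anomalous": anomalous,
        }
        self.audit_log.append(decision)  # denied requests are logged too
        return decision


if __name__ == "__main__":
    pdp = ZeroTrustPDP()
    tok = issue_token("alice")
    for req in (
        AccessRequest("alice", tok, True, True, "reports", "read", "10.0.0.5"),
        AccessRequest("alice", tok, True, True, "reports", "write", "10.0.0.5"),
        AccessRequest("alice", tok, True, True, "reports", "read", "203.0.113.9"),
    ):
        print(pdp.evaluate(req))
```

The audit log is the chain of evidence the article later describes: each entry records who asked for what, from where, whether it was allowed and why, and whether it departed from that user's baseline, so an auditor can reconstruct access without trusting the network location the request came from.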

With that being said, successful establishment of zero trust depends on how quickly and effectively each organization can implement end-to-end, multi-cloud security solutions and uphold the requisite methodologies. Because of the added risk when dealing with any cloud deployments, endpoint security must stay top-of-mind during these migrations to satisfy compliance models such as the GDPR and the NIST Cybersecurity Framework.

To protect data — especially cloud data — software company MobileIron’s 10-point security audit checklist lists the best practices for designing a data security and access control framework on every endpoint across borderless enterprises:

  1. Enforce device encryption and password protection.
  2. Prevent business apps from sharing data with personal apps.
  3. Automatically delete business data from compromised devices.
  4. Tunnel business traffic without tunnelling personal traffic.
  5. Stop unauthorized devices from accessing business cloud services.
  6. Stop unauthorized apps from accessing business cloud services.
  7. Detect and remediate zero-day exploits.
  8. Provide rich security controls across a variety of different operating systems (e.g., Android, iOS, macOS, and Windows 10 now support unified, cross-platform security solutions).
  9. Certify for device security (e.g., Common Criteria Protection Profile for Mobile Device Management).
  10. Certify for cloud security (i.e., SOC 2 Type 2 and FedRAMP).

Already a boon to internal security, a company’s implementation of zero trust also forecasts favorably when it comes to auditing. As noted in Internal Audit 360, “Zero trust eliminates traditional security tooling implementation nightmares, yet provides the fine-grained controls security practitioners seek, the auditability auditors need, and the network flexibility IT operators want.”

Inherently providing visibility and automation, zero trust streamlines compliance by first evaluating and then logging (with detail) each access request. Orchestration tools that are already working to detect suspicious user behavior or potential cyberthreats also create an effortless chain of evidence that paves a smooth audit trail.

Given that each asset in such a network is “fingerprinted” before it’s allowed in the system (and that each is constantly getting re-verified), zero trust networking enables organizations to easily demonstrate how their data has been accessed, collected and used. It also encourages another critical element of auditing data and systems security: data flow mapping, or understanding where an organization’s data is, and how and with what it’s communicating. This superior visibility provided by a zero-trust network supports compliance initiatives and enables auditors to achieve better insight into how and where the data flows, how users and workloads are protected, and how the system is overall secured.

The benefits of this approach are clearly laid out — the transparency and meticulous control afforded by zero trust help mitigate the risk of security breaches and exploitation, as well as the risk of negative audit findings. It stands to reason that, as the internet continues to evolve, with more and more processes turning to digital alternatives, the focus on protection of data will only increase, and zero trust methodology should absolutely be discussed as an option for every organization.