What is Zero Trust Security?
Zero Trust security is based on the principle of ‘never trust, always verify’. First introduced by Forrester Research, a Zero Trust approach requires all users to be properly authenticated before granting access, irrespective of the location or device being used to access.
It’s easy to understand why Zero Trust is becoming increasingly popular. Organizations are adopting flexible policies like BYOD, remote access is becoming common and attempts to breach data are getting more sophisticated by the day. In a landscape where identity has become the new perimeter, organizations must accept that the concept of authentication has evolved beyond remembering a username and password.
Main Features of Zero Trust Security:
Verify Every User/Device
The Zero Trust model assumes that malicious actors can (and do) exist inside an organizations, as well as consist of hackers looking to breach systems from external locations. Hence, no device or user must be trusted by default.
Principle of Least Privilege (POLP)
The POLP model requires that a user is provided only the minimum set of privileges to perform their task. This way, an organization can minimize the risks of two primary data threats – privilege abuse and credential compromise.
Privilege abuse is the second most common data threat in an organization. Typically, it is a result of inadequate access controls being in place. Users are granted “more-than-necessary” access rights, and the organization fails to monitor the activity of these accounts.
Meanwhile, credential compromise is known to be the root cause behind 74% of all data breaches. A hacker gains access to user accounts through a brute force attack, or phishing, and can then steal data.
Additional Security Steps
One of the main principles of the Zero Trust model is to include additional authentication steps to limit the possibility of a successful “credential-based” attack.
Today, organizations have increased the adoption of additional, stepped-up authentication layers (apart from ID/password) to securely grant access to users. For instance, the 2019 Duo Trusted Access Report, states that over the last four years (2015 to 2019), customers are more often using biometrics as a second authentication factor to access applications.
Leverage Context When Granting Access to Data
Securing data is as crucial as controlling the access to enterprise applications. A Zero Trust policy ensures data access is granted to users on a contextual basis. This could include a variety of factors – location of access, the device used, time of the request, and such others.
Zero Trust: Where to Begin?
Monitor User Activity
Organizations need to monitor and record user activity constantly. With the help of detailed records, security professionals will be better equipped to detect possible threats.
Granular, real-time logging solutions can help achieve this objective. Logging what data is being accessed and capturing the contextual parameters of access (ex. user IDs, the device of access, location, IP address, and more) can help make the response to a security incident faster and more accurate.
Such a solution would help achieve two goals – mitigating the risks of a data breach and establishing a compliance strategy around specific access use cases – as opposed to static, roles-based permissions.
Contextual Access
Contextual access requires the use of supplemental information to improve data security decisions. Often, these include – the time of access, location, device used, and such other factors. A contextual policy allows users to access based on these parameters. For instance, an employee tries to access sensitive company data outside the corporate network – even though the employee may have the desired privileges, access may be denied because of the unsecure network.
An effective contextual access policy ensures users are granted privileges, at the right place and at the right time.
Multi-Factor Authentication (MFA)
Credential theft is becoming increasingly common. According to a report, more than 80% of hacking-related data breaches happen because of stolen passwords. Hence, the traditional ‘password-only’ ways of authentication are no longer adequate.
Organizations are gradually moving to Multi-Factor Authentication (MFA) – a more reliable way to secure data. MFA combines the use of two more of the following:
- Something that the user is (biometrics)
- Something that the user knows (password)
- Something that the user has (a one-time password – OTP, or a security token).
Micro Segmentation
Securing a corporate network can be a challenging task; especially given the wide range of users and access points. To make this easier, organizations are dividing the network into smaller, manageable segments. Network segmentation allows limiting data access to a set of users within a segment, where a set of access rules governs each segment. Generally, users within the segments would be allowed the minimum required privileges to perform their tasks.
In case of a security incident, micro-segmentation ensures the risk is contained in a small part of the network, and does not spread beyond.
Conclusion
Zero Trust was founded on the principle that any user or device can be compromised. However, an absolute zero level of trust is also not practical. To perform efficiently, organizations have to strike a balance between granting and restricting access selectively. Leveraging context as your dynamic variable is recommended.
A Zero Trust security system is not just about implementing individual security technologies – it involves a systematic approach to data security. Contact us to get started on your Zero Trust security preparation.