
Zero trust

What is zero trust architecture, and how can it be used to ensure an organization's security?


Zero trust: the basics

What does zero trust mean?

Zero trust is the principle that all users and devices must be authenticated and authorized before they can access any resource within a network, every time they request it. While this may seem obvious, typical perimeter-based security frameworks allow users to interact freely within the network once they have been granted access initially. A good analogy is running a marathon. The runner has to be registered to compete, but suppose they also have to show ID every time they stop to grab water. That way, their identity is confirmed throughout the race, and impersonation becomes a lot more difficult. Zero trust places many roadblocks or checkpoints along the way, whatever journey the user is taking to their final destination, and every time they re-enter the network they must go through the checks again.

One challenge of zero trust is that, unlike some cybersecurity tools, it is a continuous process that requires monitoring. Much like security by design, zero trust involves ongoing evaluation and improvement. The main things to consider in this process are: making sure every default is to deny access, authenticating users in multiple ways (see our Multi-factor authentication lesson for more), having a system for real-time monitoring of activity, and being conscious of your organization's unique attack surface and its sensitive areas.

Let’s get into it with more detail!

About this lesson

Learn about the concept of zero trust architecture and how it can help an organization protect their network. We’ll cover its meaning and importance, an example of how it might work in action, and mitigation tactics for the vulnerabilities related to improper trust management.

FUN FACT

Zero trust in the financial sector!

Account takeovers (aka ATO; from stolen credentials, phishing, SIM swapping, or brute-force attacks) often cost banks and other financial institutions millions of dollars. According to a Sift Q3 2021 Digital Trust Index report, between 2020 and 2021 alone ATO incidents in finance grew by 307%. Plus, International Monetary Fund (IMF) statistics imply that cyberattacks on financial institutions have more than doubled since 2020, with U.S. financial firms making up one fifth of the attacks.

Importance and background of zero trust

To start, the concept of zero trust was coined by name in 2010 by a researcher at Forrester. While the concept itself had been loosely followed prior to this, it has since developed into a widely accepted framework. A lot of the early adopters of this architecture were financial institutions like JPMorgan and Goldman Sachs, which is congruent with the fact that IMF research indicates financial institution losses have more than quadrupled since 2017, reaching $2.5 billion. They had to tighten their security framework to combat the growing threat. Down the line, zero trust became even more formal with its use in the U.S. federal government and with NIST (National Institute of Standards and Technology) publishing a unified framework to establish the architecture in 2020.

Because organizations migrated so quickly to digital means of storing and processing data with the emergence of the internet and database systems, cybersecurity sometimes fell behind and matured more slowly than progress in other areas. This leaves notable weak spots for cyber criminals to exploit in order to steal vital data about people's bank accounts, healthcare, and personal information – especially considering how these same technological advances have raised the sophistication of possible attacks.

Zero trust architecture can help an organization to be more compliant with data protection standards like HIPAA, PCI DSS, and GDPR (which cover healthcare data, financial (payment card) information, and sensitive personal information generally, respectively). Not to mention, it can help to keep sensitive information safe, decrease monetary and intellectual losses, and maintain trust among customers and users.

We’ll see an example of how this looks in practice in the next section…

Zero trust in action

Let's take a look at how a zero trust vs. a typical perimeter-based trust system might look in action. Suppose you are a software engineer at a large company, and need to access data to run some analysis and add it to the company audit.

Authentication procedure! (The original page presents this as an interactive six-step walkthrough; only the text of the first step survives here.)

Step 1 of 6: Log in to your company's application dashboard. Enter your login credentials and then click 'login'.

As you can see, it is much harder for an attacker to reach sensitive resources within your network when there are multiple layers of authentication. A perimeter alone is not enough, but additional checkpoints bolster your security immensely. Now let's look at more mitigation tactics for identity-based vulnerabilities.


Zero trust mitigation

In terms of mitigating attacks related to authentication and access control, there are lots of things an organization or individual can do to protect data and information.

Preventative measures

Firstly, there are several proactive measures that you can take to protect accounts, data, and networks before the threat even begins. These include:

  1. Multi-factor authentication: Requiring multiple forms of authentication (or confirming one’s identity) before someone is able to access an account, network, action, etc. See our multi-factor authentication lesson for more.
  2. Least privilege: Ensuring that the people working within an organization are only able to perform the actions vital to their job function. For example, within an investment banking company, someone working in HR should not have the same access to customers' sensitive personal information that an investment banker would have. Least privilege helps to prevent accidental leaks, and makes it more difficult for attackers to launch privilege escalation attacks, which are also discussed in the multi-factor authentication lesson.
  3. Segmentation: Micro-segmentation in general means dividing a network into controlled, more manageable zones to limit an attacker's access to, and movement within, the network. For example, requiring additional credentials for vital actions within a network, or when accessing sensitive data. Identity segmentation specifically is similar to the concept of least privilege (although applied at an administrative level rather than to individuals): permitted actions and resources are based on a user's, device's, or application's identity rather than its network location. Identities are grouped based on factors like job function, applications used, or location in order to apply tailored security controls to each group.
  4. Monitoring the network: Tracking behavioral patterns via analytics in order to quantify what is normal and more accurately detect what is not.
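The measures above, as an added example that is not part of the original lesson: a small policy-decision function that contrasts the perimeter model (one login gate, then free movement) with a zero-trust decision that is default-deny, re-checks authentication on every request, applies identity segmentation by job function, requires a second factor for sensitive resources, and feeds denials into a simple monitoring check. The group names, resource names and thresholds are constructed for illustration.

```python
from dataclasses import dataclass
from collections import Counter

# Constructed identity segmentation: each job function is mapped to the
# resources that group may reach (assumed names, not from the lesson).
GROUP_RESOURCES = {
    "engineering": {"build-logs", "audit-dataset"},
    "hr": {"employee-records"},
}
# Resources treated as sensitive: reaching them needs a second factor.
SENSITIVE = {"audit-dataset", "employee-records"}

@dataclass
class Request:
    user: str
    group: str
    resource: str
    authenticated: bool   # credentials verified for this request, not a past one
    mfa_verified: bool
    device_compliant: bool

def perimeter_decide(req: Request) -> bool:
    """Perimeter model: once past the login gate, every resource is reachable."""
    return req.authenticated

def zero_trust_decide(req: Request) -> tuple[bool, str]:
    """Zero-trust model: default deny; every check must pass on every request."""
    if not req.authenticated:
        return False, "re-authenticate: credentials not verified for this request"
    if not req.device_compliant:
        return False, "device not authorized"
    if req.resource not in GROUP_RESOURCES.get(req.group, set()):
        return False, f"group '{req.group}' is not segmented to '{req.resource}'"
    if req.resource in SENSITIVE and not req.mfa_verified:
        return False, "sensitive resource requires a second factor"
    return True, "allow"

def flag_repeated_denials(requests, threshold: int = 3) -> list[str]:
    """Monitoring: users whose denial count reaches the threshold are flagged."""
    denials = Counter(r.user for r in requests if not zero_trust_decide(r)[0])
    return sorted(u for u, n in denials.items() if n >= threshold)
```

The same request that the perimeter model waves through once the user is logged in is denied by the zero-trust decision when the second factor is missing or the job function is not segmented to the resource.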

Auditing!

Another good outlet is auditing, or an organized, comprehensive assessment of an organization's security policies, controls, and infrastructure to confirm systems are effective, compliant with regulations, and able to identify weak points. Identifying and auditing every credential allows organizations to track what activity is occurring across the network, and plays into what was discussed earlier about monitoring the network in order to readily identify unusual behavior.

Directories and Organization

A related concept is keeping track of the information within your organization and who is able to access it. Understanding where the sensitive information is held is the first step in keeping it secure. As part of zero trust, developers should ensure that all of the sensitive areas (data, assets, applications, and services, aka DAAS) interact with one another under the same controls, and should know which cloud services are sanctioned and enforce access to them. Mandatory password rotation, account maintenance (removing deprecated accounts), and keeping track of when these things occur are vital to reduce vulnerabilities and holes in the security infrastructure. Having a directory that organizes all of the user accounts, the permissions they need, and their activity is a good way to find vulnerabilities and unusual behavior early on.
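An added example, not from the original lesson, of the directory review the paragraph above describes: given a constructed directory of accounts with their role, granted permissions, last login and last password change, it reports permissions beyond what the role needs, overdue password rotation, and inactive (deprecated) accounts. The role names, permission strings and the 90-day and 180-day thresholds are assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Constructed role definitions: the permissions each job function actually needs.
ROLE_PERMISSIONS = {
    "engineer": {"read:build-logs", "read:audit-dataset"},
    "hr": {"read:employee-records"},
}
ROTATION_DAYS = 90      # assumed password rotation policy
INACTIVE_DAYS = 180     # assumed threshold for treating an account as deprecated

@dataclass
class Account:
    name: str
    role: str
    permissions: set
    last_login: date
    last_password_change: date

def audit_directory(accounts, today: date) -> dict[str, list[str]]:
    """Return hygiene findings keyed by account name; clean accounts are omitted."""
    findings = {}
    for acct in accounts:
        issues = []
        # Least privilege: anything granted beyond the role's needs is excess.
        extra = acct.permissions - ROLE_PERMISSIONS.get(acct.role, set())
        if extra:
            issues.append("excess permissions: " + ", ".join(sorted(extra)))
        if (today - acct.last_password_change).days > ROTATION_DAYS:
            issues.append("password rotation overdue")
        if (today - acct.last_login).days > INACTIVE_DAYS:
            issues.append("inactive account: remove or disable")
        if issues:
            findings[acct.name] = issues
    return findings
```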

Conclusion

Zero trust is a strong philosophy allowing an organization to continuously control who and what is accessing resources within their network. Rather than establishing a trust perimeter for a network, allowing users and devices to operate freely once they pass through the perimeter, zero trust requires additional checkpoints within the system in order to complete certain tasks or access certain resources, or even just to continue moving through the network. It helps to mitigate identity theft and other role-based attacks, along with the other methods above that fall under the umbrella of zero trust. Help reduce the millions of dollars in damage and emotional strife caused by hacked accounts and attacks every year with this architecture!
