Zero Trust Explained: Everything You Need to Know About the New Security Model
In the world of IT security, trust is a luxury you can no longer afford. To protect against the growing frequency and sophistication of cyberattacks, even users and devices within your own network can no longer be trusted implicitly, but have to verify their identity on an ongoing basis. This approach, more commonly known as the zero trust security model (ZT), puts a spin on the old saying: Never trust, always verify. Read on to learn why zero trust emerged as the new standard for cybersecurity, what the advantages of zero trust security are and how your organization can implement zero trust architecture in your own network.
What is Zero Trust?
Zero trust, also known as zero trust architecture or zero trust network access, is a cutting edge cybersecurity model based on constant scrutiny and the repeated authentication of all users, devices and services. By securing interactions within a network, zero trust represents an important paradigm shift in IT security.
In the past, the network border or perimeter acted as the first and often only line of defense in the fight against malware, hackers and cybercriminals. Everything outside the local domain was considered a potential threat and kept at bay through virus scans, firewalls and similar safety measures. Devices in the local network, however, were seen as part of this closed ecosystem and therefore generally considered safe and trustworthy.
This black and white view no longer captures the complexity of modern computer networks. Cloud services, remote work and BYOD policies (bring your own device) blur the line between the local network and the dangerous outside world. At the same time, the rapid rise in cybercrime (particularly the recent surge in ransomware attacks) presents new challenges for organizations trying to protect their data and digital infrastructure. Thus, the need for a new security paradigm was born.
Because zero trust security is designed to replace the traditional model of perimeter security, it is sometimes referred to as perimeterless security. However, this name is a bit misleading, since ZT strategies do not render virus scans or firewalls obsolete – far from it! Securing the network border is still an important part of cybersecurity. It may be more helpful to think of zero trust as an additional layer of precaution, rather than a departure from existing methods.
Zero Trust Basics
|Restrict Access||Keep access to digital resources to a necessary minimum (least privilege) to limit the impact of possible attacks.|
|Assume Breach||Maintain security between network segments and resources as if they had been compromised.|
|Always Verify||Actively confirm the identity and integrity of all access attempts, even within your network.|
|Track Everything||Track device status, security posture and other metrics as needed to assess risk.|
|Dynamic Policy||Grant, deny or challenge access based on available data and informed policy.|
How Zero Trust Works
It’s important to understand that zero trust is not a type of application or specific feature. Rather, zero trust is an overall strategy that consists of various safety measures. The core tenet of the zero trust security model is that all users, devices and services – even those in your own network – should be considered a potential threat and must therefore continuously verify their identity, both through active checks such as MFA challenges, one-time passwords and background analytics that track factors like the location, security posture and patch status of devices.
Of course, the first step to secure authentication is knowing who is part of your network and which systems they are allowed to access. That’s why identity and access management, the technology that helps businesses keep track of user accounts and permissions, is a key part of the zero trust framework: You can’t verify that a user is who they say they are, if you don’t have accurate information about all of your users.
Here’s how it works in practice: Say a user is trying to access a resource on your network. To check if the person behind the device is indeed who they claim, they first have to prove their identity using secure multi-factor-authentication (MFA). Rather than granting them access to the entire network based on this single check, however, the zero trust model continues to monitor user activity. To access additional resources, they may have to pass repeated or escalating controls, depending on the risk analysis performed in the background and the level of security defined for specific systems.
One of the main strengths of zero trust security is its flexibility in adjusting to different situations. Depending on the specific context – such as the location of the user or the patch level of the device – access to systems can be granted, rejected or restricted. For instance, you could set a policy that allows users who access the company server from home to read certain files, but not edit them.
To ensure that these access controls can’t be bypassed, the zero trust security model also includes measures such as endpoint security, network monitoring and data encryption (both at rest and in motion). In many cases, the network is also split into smaller sections (network segmentation), each guarded by a next generation firewall. Depending on the specific implementation of zero trust, different tools and software solutions are needed to support this level of security.
Zero Trust Definition
Though zero trust has only reached mainstream adoption in the last few years, the concept is a lot older than you might think. The term zero trust was first coined in 1994 by the scholar Stephen Paul Marsh as part of his research and later popularized around 2009 by the Forrester analyst John Kindervag. This is also when the internet giant Google implemented their own version of the zero trust framework know as BeyondCorp.
With the rise of cloud platforms, long-distance collaboration and distributed teams, more and more organizations realized that a different approach to cybersecurity was needed to address the weaknesses of perimter-based security. However, as businesses became interested in the concept and service providers began offering various zero trust solutions, the meaning of the term zero trust began to diverge. Rather than a single definition, there were now various competing versions of zero trust, all based on slightly different technical implementations.
To avoid confusion, official institutions eventually stepped in to provide their standardized definitions of zero trust. The two most important bodies offering centralized guidance on the zero trust security model are the National Institute of Standards & Technology (NIST) in the US and National Cyber Security Centre in the UK. The exact definition of zero trust is a topic of ongoing debate and research, but in the following sections, we will give an overview of these two commonly accepted frameworks.
Zero Trust According to NIST
In August of 2020, NIST released the special publication 800-207, a document that outlines basic information about zero trust architecture and offers guidance for organizations looking to implement the security standard. In talking about zero trust, the publication differentiates between two basic levels: The data plane, where users and resources are located, and the control plane, which acts as a separate layer where access attempts are evaluated by the automated policy engine.
Aside from this distinction, the text identifies several core tenets of the zero trust model:
Communication inside and outside the network is secured.
Access to resources is granted on a per-session basis.
Access attempts are evaluated by dynamic policy.
The integrity and security posture of all assets is continuously evaluated.
Collected data is used to improve policies and enforcement.
On the technical side, NIST divides zero trust implementations into three different categories: zero trust architecture (ZTA) based on enhanced identity governance, ZTA based on network micro-segmentation and ZTA using software defined perimeters (or logical segmentation).
Although these approaches vary in the components used and the way policies are enforced, there is significant overlap between the three types and NIST notes that a complete ZT solution “will include elements of all three approaches.”
SP 800-207 provides an operative definition of zero trust as ” a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as compromised.”
Zero Trust According to NCSC
Unlike the documentation by NIST, which is exhaustive and technically complex, the zero trust guidance published by the UK’s National Cyber Security Center is purposefully kept brief and readable with the goal of educating non-technical readers and helping decision makers in an enterprise familiarize themselves with key concepts. Broadly speaking, the Center defines zero trust as an approach to security where the network is assumed hostile and each request is verified based on a policy.
To break the model down further, the agency summarizes zero trust through eight basic principles:
Know your architecture, including users, devices, services and data.
Know your user, service and device identities.
Assess your user behavior, device and service health.
Use policies to authorize requests.
Authenticate & authorize everywhere.
Focus your monitoring on users, devices and services.
Don’t trust any network, including your own.
Choose services designed for zero trust.
Advantages of Zero Trust
The switch to zero trust is less about weighing the advantages and disadvantages of different models than the simple fact that a new approach to cybersecurity has become necessary. Conventional safety measures no longer provide adequate protection against the latest generation of threats. In order to keep their data and digital infrastructure safe from harm, organizations need to rethink their security strategy.
If you need more proof that zero trust is here to stay, take a look at these facts & figures on zero trust adoption: In a recent survey by Microsoft among 1,200 security decision makers, 76 percent reported that they are currently implementing zero trust in their organization. In the US, President Biden’s Executive Order on Cybersecurity makes the zero trust model a requirement for federal agencies and the federal government. Following the same trend, 82% of European companies have increased their budget for zero trust implementation in 2021.
There’s no denying it: the zero trust security model is the way of the future. But if you still need help convincing managers, executives and decision makers at your organization, here are the main advantages of zero trust, at a glance:
cutting-edge cybersecurity to defend against the latest threats
optimal protection for hybrid and cloud environments
effective against external & internal dangers (leaks, cyberattacks, data theft)
compliance with current and upcoming security standards
Why is Zero Trust So Important?
The first reason for the trend towards zero trust is the changing structure of company networks. Data that was once stored on a central server is now spread across countless cloud platforms. The adoption of the Software-as-a-Service (SaaS) and Platform-as-a-Service (PaaS) models has only accelerated this change. Thanks to Microsoft 365 and Azure Active Directory, even core components of office and enterprise software are moving to the cloud.
All of these changes have radically transformed the way we work: We take our personal laptop into the office or log in from home via a VPN connection. We share files in Microsoft Teams or even invite guest users to collaborate with partners and contractors. All of these tools do wonders for seamless collaboration and productivity. But when all it takes to leak important files is one misplaced click, it becomes a lot harder to keep data in the right hands.
Which takes us to the second reason why zero trust is so important for businesses: The growing threat posed by hackers and malware. Because just as work and office networks have evolved over the past decades, so has cybercrime.
Spam mail filled with outrageous claims about distant relatives or Nigerian princes are now (mostly) a thing of the past. These days, scammers recreate existing sites and genuine messages in such detail that they are nearly impossible to tell apart. Or they buy login credentials in bulk from the latest password leak, just in case their target used the same password at the office. They work tirelessly hoping to find a new exploit or zero day vulnerability. Or rely on supply chain attacks to breach your network via trusted services or external partners (Remember the Solarwinds hack?).
Not only are cybercriminals constantly refining their methods, but the switch to the cloud and decentralization of networks has vastly increased the attack surface of most companies. The same level of interconnectedness that allows us to easily work together across long distances has also raised the number of possible entry points for hackers. The result? More and more businesses are suffering cyberattacks each year, often with catastrophic results. Security experts now believe that it is only a matter of time until any given organization becomes a target.
The big question, then, is how much damage this eventual cyberattack manages to cause. Under a traditional castle-and-moat security model, which considers everything within your own network safe, attackers that manage to clear the initial barrier face next to no resistance once they are inside. This makes it easy for them to move from device to device, infecting various systems and stealing or encrypting as much data as possible. The Internal barriers and security checks of the zero trust model prevent this kind of lateral movement and stop attackers from accessing any additional systems.
The benefit of zero trust security is twofold: First, by closing old accounts and removing outdated permissions, it reduces the attack surface of your network and minimizes the risk of cyberattacks. Second, even if an attacker manages to gain access to your network, internal controls keep them locked down and therefore minimize the damage a breach can cause.
Zero Trust vs. Least Privilege: What’s the Difference?
According to the principle of least privilege (POLP), organizations should only grant the minimum level of access required for any given task to prevent access rights from being exploited by bad actors. This also requires addressing the gradual build-up of permissions known as privilege creep. If an account were to fall into the wrong hands, any permissions assigned to it become a liability. Removing any permissions that aren’t strictly necessary for daily operations stops attackers from exploiting them, while also reducing the risk for leaks and data theft.
Least privilege and zero trust follow a similar line of thinking: Both approach cybersecurity by considering the worst-case scenario and examining the inherent risks of normal IT processes. In fact, limiting access rights as much as possible is itself part of the zero trust security model.
However, zero trust goes a few steps further than least privilege: While least privilege is concerned with eliminating IT access when it doesn’t serve an essential purpose, zero trust considers even legitimate access to resources a potential threat that needs to be monitored and kept under guard. The two concepts compliment each other.
How to Implement Zero Trust: The Key Steps
Now you know the theory behind the zero trust security model, but how do you actually put it into practice? As we’ve established, zero trust refers to the overall approach to network security rather than a specific product, so there is no one-size-fits-all solution you can buy, install and be done with it. Rather, zero trust encompasses a variety of different safety measures and best practices. Even the basic structure of your network plays a huge part in managing access to sensitive resources. This is why the concept is also known as zero trust architecture (ZTA) or zero trust network architecture (ZTNA).
Since every network is different, zero trust access needs to be tailored to the specific structure and needs of your organization. To prepare your transition to zero trust, you need to take into account factors such as user and data flows, the location of sensitive resources and potential weaknesses such as systems exposed to the internet. While we cannot offer personalized recommendations in this article, our guide will walk you through the basic steps of planning and implementing zero trust security.
Mapping Out Your Network
To determine whether an access attempt comes from an authorized source, you first have to know who is part of your network. And that includes everyone and everything: The first step to implementing zero trust security is to make an inventory of all users, devices and services that are part of your digital infrastructure. Often, this survey already reveals vulnerabilities such as orphaned accounts or disused interfaces, which should be eliminated right away.
Once you have an accurate list of all members and resources in your network, the next step is to figure out who needs access to which systems and to design a security policy based on least privilege access. Ask yourself: Where can you limit access rights without affecting daily operations? And where should you implement additional controls to enforce secure access?
Hint: You can learn more about how to create your own security policy and model resource access within your organization in our guide to role-based access control.
Planning & Priorities
Mapping out users and resources not only gives you a clearer picture of the current state of your network, but also helps you figure out the next steps in putting your new security policy into action. In order to lay the technical foundations for secure access, you may need additional support in the form of dedicated solutions for endpoint security, network segmentation, data encryption etc. Then there’s the question of your network structure: Is there any data that should be split up and stored in different locations to allow for more fine-grained access control? Are there any applications that should be moved to a separate instance?
The easiest way to implement zero trust architecture would be to start from scratch and redesign the entire network with zero trust in mind. However, this kind of drastic change is not a practical solution for most organizations, since continuity – such as continued access, continued service and continued operation – is another important factor. That’s why most businesses choose a gradual transition to zero trust security.
Since you won’t be able to put your entire plan into action all at once, you should set clear priorities for which systems and resources need to be secured first. Just put yourself in the shoes of a would-be attacker and consider which areas of your network are high-value targets or possible entry points. A few examples of high-priority resources would be directories that store particularly sensitive data or systems that are exposed to the outside, such as cloud services or interfaces used by business partners.
Making the Switch
All admins know that big changes like this one are likely to cause some problems and tensions. To ensure a smooth transition, experts recommend starting with fail open phase or simulation. During this test phase, all access to resources is checked against the new security policy and the results are logged for future review. However, users and services that don’t pass these additional controls are still allowed normal access.
You can think of this approach as a sort of trial run that allows you to iron out any kinks and see if you missed anything important, such as a key application not being able to access the network. It also gives you staff a bit of time to get used to the safety measures and additional checks.
In general, the implementation of zero trust security is not a one-time task but a continuous process that requires re-evaluation and regular revisions. Even once your security policy is in place, you will have to keep updating it as you expand your network or make changes to the structure.
Zero Trust and IAM
The zero trust security model is designed to answer a simple question: Is the user trying to access a particular system really who they claim to be? If you don’t know who in your network has access to which systems, this question is impossible to answer. Securing digital identities is key part of the ongoing transition to the zero trust model. That’s why tenfold Access Management is the first step towards zero trust security.
tenfold provides organizations with a powerful IAM platform that allows you to manage all user accounts and access rights through one central hub, lets you automate user provisioning and de-provisioning and eliminates security risks such as abandoned accounts and outdated permissions. Establish zero trust access thanks to our set-up assistants and role-based access control model. A wide range of reporting tools make it easy to track and enforce your security policy. With tenfold, you enjoy best-in-class security and transparency in your local domain, hybrid environments and in the cloud!
Our IAM solution has been specifically designed to suit the needs of mid-market organizations: Thanks to a suite of pre-built plugins, tenfold can be set up quickly and is easy to connect to other security applications as part of your zero trust stack. Want to learn more? Sign up for a free trial to see tenfold in action.
Best Practices for Access Management In Microsoft® Environments
Our in-depth guide explains how to manage access securely and efficiently from a technical and organizational standpoint, including tips for implementation, reporting and auditing.