What is ‘Zero Trust Security’?

February 8th, 2022 Posted in Information Security

Zero Trust security refers to a collection of cyber security principles that focus on moving cyber security defences away from the castle-and-moat approach. That approach centred on the notion that users within the ‘castle’ (the company network) were protected from those outside by high walls, closed and locked gates, a wide moat and other perimeter defences.

This approach is often also referred to as ‘soft centre, hard shell’ security and was the most common approach when organisations’ systems and data were all located on-premises and all users worked from the same office locations.

Times have clearly changed – as our systems are commonly owned and managed by SaaS providers, our data is stored or processed by multiple third parties and our users can be based anywhere and access data from a multitude of devices (maybe including personal devices).  

Given this, the castle-and-moat approach has run its course and organisations are adopting new models of cyber security. Zero trust is an increasingly common model which, at its simplest, can be summed up in the phrase: “trust no one, verify everyone.”

What is zero trust?

Zero trust is the idea that, in the hybrid world of work, organisations must dynamically and continuously authenticate users and devices to prevent a security incident. In this paradigm, a user logging on from a trusted network location or device should not be trusted on that basis alone. In this way, zero trust moves security away from protecting network segments to protecting resources.

Zero trust can be summarised through the following five assertions, as described in the book ‘Zero Trust Networks: Building Secure Systems in Untrusted Networks’.

  • The network is always assumed to be hostile
  • External and internal threats always exist on the network
  • Network locality is not sufficient for deciding trust in a network
  • Every device, user, and network flow is authenticated and authorised
  • Policies must be dynamic and calculated from as many sources of data as possible
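The five assertions above, as an added example that is not part of the original article or the book it cites: a small policy engine in Python in which the decision for every request is computed from several signals (role, MFA state, device posture, requested action) and the source IP is recorded for audit but deliberately carries no trust. The re-evaluation function shows why "dynamic" matters: when a signal changes mid-session, the whole policy is run again rather than the original grant being remembered. All users, devices, resources, policy thresholds and addresses are constructed for the example.

```python
"""Tiny zero-trust policy engine (constructed example, not the article's code)."""
from dataclasses import dataclass, replace
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset
    mfa_verified: bool


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool            # enrolled in fleet management (assumed signal)
    disk_encrypted: bool
    patch_age_days: int      # days since the last OS patch (assumed signal)


@dataclass(frozen=True)
class Request:
    user: User
    device: Device
    source_ip: str           # kept for audit only; never used to grant trust
    resource: str
    action: str


# Per-resource policy (constructed). Least privilege is expressed as the
# smallest set of roles and actions, plus the device posture each resource demands.
RESOURCE_POLICY = {
    "payroll-db": {"roles": {"finance"}, "actions": {"read"},
                   "require_mfa": True, "max_patch_age": 14},
    "wiki": {"roles": {"staff", "finance"}, "actions": {"read", "write"},
             "require_mfa": False, "max_patch_age": 90},
}


def device_posture_ok(device: Device, max_patch_age: int) -> bool:
    return (device.managed and device.disk_encrypted
            and device.patch_age_days <= max_patch_age)


def evaluate(req: Request):
    """Return (Decision, reasons). Every signal is checked on every call;
    there is no 'inside' network that bypasses any check."""
    policy = RESOURCE_POLICY.get(req.resource)
    if policy is None:
        return Decision.DENY, ["unknown resource: default deny"]
    reasons = []
    if not req.user.roles & policy["roles"]:
        reasons.append("role not permitted for resource")
    if req.action not in policy["actions"]:
        reasons.append("action not permitted for resource")
    if policy["require_mfa"] and not req.user.mfa_verified:
        reasons.append("MFA required")
    if not device_posture_ok(req.device, policy["max_patch_age"]):
        reasons.append("device posture below threshold")
    if reasons:
        return Decision.DENY, reasons
    return Decision.ALLOW, ["identity, role, MFA and device posture verified"]


def reevaluate(req: Request, updated_device: Device):
    """Continuous evaluation: re-run the full policy when a signal changes
    mid-session (here, device posture) instead of trusting the earlier grant."""
    return evaluate(replace(req, device=updated_device))


def run_scenarios():
    """Constructed scenarios; returns {name: Decision} so outcomes can be checked."""
    alice = User("alice", frozenset({"finance"}), mfa_verified=True)
    alice_no_mfa = replace(alice, mfa_verified=False)
    healthy = Device("lap-01", managed=True, disk_encrypted=True, patch_age_days=3)
    unmanaged = Device("byod-07", managed=False, disk_encrypted=False, patch_age_days=120)

    # 1. On the office LAN, but unmanaged device and no MFA: locality buys nothing.
    on_lan = Request(alice_no_mfa, unmanaged, "10.0.0.5", "payroll-db", "read")
    # 2. From outside the office, but strong identity and healthy device: allowed.
    remote = Request(alice, healthy, "203.0.113.7", "payroll-db", "read")
    # 3. Same session, device slips past the patch window: access is withdrawn.
    stale = replace(healthy, patch_age_days=30)
    # 4. Least privilege: the finance role may read payroll but not write to it.
    write_attempt = replace(remote, action="write")

    return {
        "lan_unmanaged_no_mfa": evaluate(on_lan)[0],
        "remote_healthy_mfa": evaluate(remote)[0],
        "remote_after_posture_drift": reevaluate(remote, stale)[0],
        "remote_write_attempt": evaluate(write_attempt)[0],
        "unknown_resource": evaluate(replace(remote, resource="hr-files"))[0],
    }


if __name__ == "__main__":
    for name, decision in run_scenarios().items():
        print(f"{name:28s} -> {decision.value}")
```

The engine defaults to deny for any resource without an explicit policy, and the reasons list is returned alongside the decision so that a denial can be logged and explained rather than silently dropped.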

The evolution of zero-trust security

Zero trust developed in response to the evolution of enterprise workflows. Trends such as remote working, bring your own device (“BYOD”) and increased cloud adoption have led to the dissolving of the traditional enterprise network. This increasing complexity has, in turn, made perimeter-based network security methods outdated and no longer fit for purpose.

First, there is rarely a single enterprise perimeter in today’s modern organisation (a modern data and systems map would look less like a castle location than stops on the London tube map); and second, perimeter security is insufficient when a malicious actor has multiple points of access, many of which might be owned by someone else.

In response to these challenges, official security bodies – such as the National Institute of Standards and Technology (“NIST”) and National Cyber Security Centre (“NCSC”) – advocate a zero-trust security approach. Zero trust is not a particular set of technologies or vendors, but an overarching strategy focused on evolving security approaches to secure data, enterprise assets and end-users.  

Zero trust asks organisations to assume a malicious actor may already be present in their enterprise environment – and that no user is trustworthy. This outlook encourages organisations to continually examine and evaluate potential risks to their infrastructure and put in place solutions to mitigate these risks. Such protections include the principle of least privilege, data classification and protection policies and multi-factor authentication measures.   

Levels of zero trust maturity

Zero trust frameworks offer high-level guidance which helps cyber security architects integrate security and visibility from multiple vantage points. The end goal is to create a unified, multi-level cyber security engine that empowers risk-aware, real-time decisions, reducing the likelihood of a security incident. Indeed, for a zero-trust strategy to be successful, the principles must be applied to most – if not all – aspects of the enterprise infrastructure. Any gap in visibility or coverage could render the architecture ineffective, should a threat actor find that blind spot.

For organisations curious about zero-trust security, this means understanding that deployment should be holistic. As NIST advises, organisations should not pick and choose elements of zero trust and instead fully embrace the security model.  

That said, developing a zero-trust architecture is not as simple as deploying some of today’s plug-and-play security solutions. Moving to such a model requires time, investment and strategic effort. This change cannot be made overnight. Organisations will be able to leverage some of their existing architecture and solutions to encompass zero trust, but fully realising the model will involve overhauling some capabilities and adding new ones.

This is a journey that takes time. Zero trust can be seen as a series of building blocks; each new block – each new capability – added will improve cyber security defences. The more building blocks an organisation has strategically placed, the more mature its implementation. The resultant cyber security environment will offer organisations more visibility, better decision-making capabilities and, ultimately, a more mature security posture that can withstand today’s complex threats.  

Benefits and challenges of zero trust

Before implementing an overhaul of architectural operations, it is vital to understand the benefits and challenges that surround zero trust adoption. A thorough understanding is integral to making an informed decision.  

Below are the most common benefits related to migrating to zero trust. 

Ability to tackle today’s sophisticated threats: Zero trust’s use of the principle of least privilege means every request, user and device must be authenticated for access to be granted. This access is given dynamically and re-assessed based on contextual changes. In this way, zero trust reduces the likelihood of a malicious actor compromising enterprise resources. Even if they were to somehow gain a foothold in the organisation, it would be challenging for them to gain authorisation to access sensitive data.

Enables secure hybrid working: A mature zero trust architecture relies heavily on automation and artificial intelligence to streamline the authentication process, enabling users to access approved resources without manual intervention from the IT team. In this way, zero trust can improve the user experience – particularly in a remote environment – as the architecture is seamlessly integrated into the daily workflow.

Enhances supply chain security: A zero trust architecture restricts access in an organisation’s environment. This can help limit supply chain vulnerabilities by reducing the probability of a malicious actor entering a supplier network and ‘island hopping’ into the organisation’s infrastructure.  

Tackles shadow IT: One of the most significant challenges with cloud adoption is maintaining visibility over unsanctioned use of software-as-a-service applications. With a zero-trust architecture, security policies are applied at the host’s workload, keeping security close to data and users. This enables security protection to travel with the workload as it crosses into the cloud, reducing the risk of accidental data leakage.

Along with many advantages, there are also some widespread deployment challenges. Namely:  

Difficult to define: Thus far, zero trust is more of an approach than a standard. For vendors and organisations, this loose framework can be challenging to implement granularly.

An expensive investment: As with all infrastructure changes, migrating to zero trust will involve financial investment – be it installing new products and services or working with a third party on a managed service provider basis. Despite this, it’s worth noting the investment cost may be equal to the cost of maintaining current systems.

Potentially disruptive: Shifting to zero trust can be a very disruptive activity – one likely to last several years. Moreover, the end goal of zero trust is hard to define. The principles surrounding zero trust will possibly evolve in the coming years, as technology does. This means defining an end-state is near impossible.   

Resources to consider

As mentioned, moving to a zero-trust model will involve a series of changes made over time. Some changes will be straightforward – such as changing configurations or access policies – while others will include investing in new solutions and infrastructure. This all depends on the organisation’s current level of cyber maturity.  

To help organisations embrace a zero-trust model, there are several resources available. We suggest you start by reading the NCSC’s zero trust architecture design principles. This guidance provides eight principles aimed at security architects responsible for implementing a zero-trust architecture in an enterprise environment. We also recommend reading NIST’s guidance on zero trust architecture and NIST’s zero-trust planning guide for administrators. 

If you are at the very beginning of your journey, we recommend starting with the NCSC’s Cyber Essentials. We have written a blog about Cyber Essentials, which you can find on our website.  

Need help?

If you need help or advice on managing your business’ cyber security, we’re here to help. We can advise on your security vulnerabilities, select the right security technology and check that your systems are configured correctly. We can also put policies in place and run staff training exercises. Contact us for a friendly chat. 

Written by Marcus Chambers

Marcus is a senior security consultant specialising in cyber security, including strategy, security transformation, risk management, incident response and supply chain assurance. His career started in the British Army, where he delivered multifaceted operational solutions, often in austere settings. Since leaving the military, Marcus has worked in senior security consulting roles across numerous sectors. He has three Master’s degrees, including an MSc in Information Security from Royal Holloway, University of London; he holds ISACA’s CISM and CGEIT certifications; and he is a Chartered Engineer and a graduate of the British Military’s esteemed Advanced Command and Staff Course.