Zero Trust is a framework for managing cybersecurity in the modern world. The underlying concept of Zero Trust is that organizational security is always at risk, from both external and internal threats.
The IT industry historically relied on perimeter-based security strategies to protect its data and intellectual property resources. Organizations would use firewalls and network-based tools to inspect and validate users as they moved into and out of the network.
The move to hybrid cloud infrastructures, digital transformation, and the increase in remote work has led to significant changes in how the business operates. These changes mean a network perimeter is no longer adequate.
There has to be a balance between changing security demands and the user experience. Applications, devices, and users need fast but secure data access.
The following are seven components that are key to Zero Trust.
1. Resource-Level Authentication
Zero Trust was created in response to the inability of perimeter security to actually provide secure modern IT environments in a reliable way. With perimeter security, a perimeter is created with a firewall around the central network. The authentication required is at the perimeter level for users who need to access network resources.
When organizations started moving away from centralized infrastructure, and toward cloud computing, the maintenance of the perimeter became increasingly difficult.
In many cases the physical infrastructure the perimeter is supposed to surround no longer exists, which makes perimeter-based security obsolete.
Zero Trust addresses the issue by moving authentication to the resource level: authentication is required when accessing any resource, rather than once at the entry to the infrastructure. This reduces the chance for lateral movement if there is a breach. Interestingly, many organizations have already moved to resource-level authentication, though they don’t necessarily realize it’s part of Zero Trust.
2. Multi-Factor Authentication
Multi-factor authentication (MFA) is one of the most commonly implemented components of Zero Trust. Nearly 90% of even small and medium enterprises already have MFA in some places.
Zero Trust and MFA work together because MFA helps improve the security of a traditional model of authentication relying on a username and password.
With Zero Trust architecture, MFA is applied to every access transaction unless something like passwordless authentication or conditional access overrides it. If your organization has already started using MFA for a few applications, you might want to think about expanding it.
3. Single Sign-On
Single sign-on (SSO) is a method of securing authentication that also takes some of the burden of MFA off end users. SSO provides secure authentication to all of a user’s applications with one set of login credentials, ideally backed by multi-factor authentication.
SSO uses protocols such as SAML so that users do not have to enter credentials for every application, without compromising security.
True SSO integrates all the applications that make up an organization’s infrastructure. Then users only need to put in their credentials once to access everything needed to do their work.
4. Device Management and Visibility
An organization must have visibility into the devices on its network. With networks growing more distributed and more devices making their way onto them, device management has to go beyond just visibility.
An organization also needs to exercise control over devices, with how much control being determined by whether the company or the employee owns the device.
No matter who owns a device, the IT team should be able to require a passcode, configure custom policies and applications, lock the device remotely, and let users opt in or out.
Corporate devices should also use mobile device management (MDM) tools that let IT teams require a password and set password requirements, enforce restrictions on a device, and lock and wipe the device remotely.
5. Patch Management
Devices and software need to be updated to be secure. Patch management is something most organizations are already doing, and it’s also part of building a Zero Trust architecture. An organization needs a standardized patch management system for all devices, not reliant on manual management.
Automating management can reduce the impact on IT teams and improve security.
6. Principle of Least Privilege
The principle of least privilege is that everyone in an organization should be assigned access only to what they need. It’s one of the cornerstones of Zero Trust.
Privilege creep occurs easily as people are assigned different roles over time, so an inventory of users and their level of access needs to be done regularly.
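The following is an added illustration, not code from the article: a minimal policy decision point that ties together resource-level authentication (section 1), MFA with a conditional-access override (section 2), device enrollment and patch compliance (sections 4 and 5), and least privilege with a privilege-creep review (section 6). The roles, permissions, conditional-access rule and access log are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
# Constructed entitlements for hypothetical roles: role -> {(resource, action)}
ROLE_PERMS = {
    "finance": {("ledger", "read"), ("ledger", "write")},
    "engineer": {("repo", "read"), ("repo", "write"), ("ledger", "read")},
}

@dataclass
class Request:
    user: str
    roles: list
    resource: str
    action: str
    mfa_passed: bool
    device_managed: bool   # enrolled in MDM
    device_patched: bool   # passes the patch-compliance check
    network: str           # "corp" or "internet"

def decide(req):
    """Resource-level decision: identity, MFA, device posture and entitlement are
    re-checked on every request, wherever on the network it came from."""
    # Constructed conditional-access rule: MFA waived only for reads from a managed device on corp
    mfa_waived = req.action == "read" and req.device_managed and req.network == "corp"
    if not req.mfa_passed and not mfa_waived:
        return False, "mfa required"
    if not req.device_managed:
        return False, "unmanaged device"
    if not req.device_patched:
        return False, "device not patched"
    allowed = {p for r in req.roles for p in ROLE_PERMS.get(r, ())}
    if (req.resource, req.action) not in allowed:
        return False, "not entitled"   # least privilege: deny by default
    return True, "allow"

def privilege_creep(roles_by_user, access_log, now, stale_days=90):
    """Flag (user, role) pairs none of whose permissions were exercised within
    stale_days; access_log rows are (user, resource, action, timestamp)."""
    recent = {(u, res, act) for u, res, act, ts in access_log
              if ts >= now - timedelta(days=stale_days)}
    return [(user, role) for user, roles in roles_by_user.items() for role in roles
            if not any((user, res, act) in recent for res, act in ROLE_PERMS[role])]

def sample_review():
    # Constructed access log reviewed against a fixed date
    now = datetime(2024, 6, 1)
    log = [("alice", "ledger", "write", now - timedelta(days=3)),
           ("alice", "repo", "read", now - timedelta(days=200)),
           ("bob", "repo", "write", now - timedelta(days=1))]
    return privilege_creep({"alice": ["finance", "engineer"], "bob": ["engineer"]}, log, now)
```

The review flags alice’s unused engineer role, the kind of entry a periodic access inventory would revoke.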
7. Identity and Access Management
Identity and access management (IAM) is necessary for Zero Trust. In Zero Trust, identity becomes the perimeter.
While most organizations have some level of IAM in place, it’s not often comprehensive enough to meet the true standards of a Zero Trust architecture.
When there’s a comprehensive IAM framework, IT managers can control access to critical information. IAM comprises systems like single sign-on, multi-factor authentication, and privileged access management.
These technologies also allow for secure identity storage and storage of profile data.
IAM includes how individuals are identified in a system, how roles are identified and then assigned, and how individuals are added, removed, and updated. IAM also includes assigning access levels to individuals or groups, protecting data within the system, and securing the entire system.
Roles are defined based on job, responsibility, and authority. An IAM system needs to capture and record users’ login information, manage the database of user identities, and facilitate the assignment and removal of access privileges.
IAM can also facilitate the management of device and application digital identities.
IAM can be managed as identity as a service or authentication as a service. In both cases, using a third-party provider reduces the burden for admins and users.
There are a number of benefits of IAM, including ensuring the proper authentication and authorization of users, more control of user access to reduce the risk of data breaches, and better policy enforcement.