What is Zero Trust Security?
Zero Trust security is the concept, methodology, and threat model that assumes no user, system, or service operating within a secured internal environment should be automatically trusted. It puts forward that every connection attempt must be verified before access to a system is granted. This concept uses micro-segmentation and granular edge controls based on user rights, application access levels, service usage, and location to determine whether to trust a user, machine, or application seeking to access a specific part of an organization.
Why is it Needed?
Given the ongoing nature of nation-state level cybercrime, the extensive use of malware, and the overall insecurity of an internal network once the external firewall has been breached, a more granular approach to security was needed to stem the tide of intrusions and bolster security across an organization, especially where a wide area network is in place. The more access points that exist in an infrastructure, the weaker the overall security can become.
Why is it Useful?
Zero Trust security begins with the concept that no access is trusted. Access is only allowed on a per-user, per-service, or per-application basis. On top of this, we add Two-Factor Authentication, IAM (Identity & Access Management), ongoing analytics, enforced encryption, security scoring, and file system permissions. This allows for continual monitoring that governs access and privileges within an infrastructure.
How is Zero Trust Defined?
In 2010, Google formed BeyondCorp, which helped to standardize the Zero Trust model. They stated:
"BeyondCorp is a Zero Trust security framework modeled by Google that shifts access controls from the perimeter to individual devices and users. The end result allows employees to work securely from any location without the need for a traditional VPN.
Unlike the traditional perimeter security model, BeyondCorp dispels the notion of network segmentation as the primary mechanism for protecting sensitive resources. Instead, all applications are deployed to the public Internet, accessible through a user and device-centric authentication and authorization workflow.
The guiding principles set forth by Google help pave the path for other organizations to realize their own implementation of a Zero Trust network." (Source: https://www.beyondcorp.com/)
Additionally, in 2017, Gartner presented their five Zero Trust ideas, called the CARTA model (Continuous Adaptive Risk and Trust Assessment). The following principles define this model.
- Replaces single binary security decisions with more context-aware programs
- Recommends using increased granular controls and micro-segmented control planes regulated by predetermined policy decisions
- Continuous monitoring of assets that prioritizes risk vs. trust, both proactively and reactively
- Advanced risk/trust assessments before policy implementation
- Changing to a “Software-Defined Perimeter” (SDP). An SDP is a dynamically accessed, micro-segmented network pathway used to provide a one-to-one connection between users and a resource they need to access.
5 Steps to Implement Zero Trust
A Zero Trust model is realized using the following five steps.
1. Define the goals and objectives of securing a network. This begins with these three ideas:
  - Never Trust, Always Validate
  - Every connection is possibly hostile
  - Always use the Principle of Least Privilege
2. Rank the areas from those requiring the most security to those requiring the least.
3. Outline the users who can access these areas and what security measures they will use to access them. These include Multi-factor Authentication (at least 2 of the following factors):
  - 2FA (Two-Factor Authentication)
  - Hardware or software-based security tokens
  - Time-based security measures (e.g., daily passphrase)
  - Location-based security measures
4. Plan, lay out, and implement the methods used to enforce the Zero Trust Policy.
5. Continued Monitoring, Observation, Testing, and Evaluation.
Below, we will go into each of the five steps above in more detail.
Step 1. Define the Target Objectives
In the first step, we begin by working from the idea of trusting nothing and no one with access to our network. Next, we should identify every access point, endpoint, service, and application we intend to include in our policy. We then work forward in each of these areas to determine who requires access and provide a minimal amount of rights needed to work in these planes.
Step 2. Establish the Protect Surface
Next, within each of these planes, we identify and compartmentalize each area from the most security needed to the least security needed. For example, the Finance department would need tighter security protocols in place than, say, the marketing department. By identifying each department, we can then offer the varying degrees of employee access needed for each level. So, our finance director would need a greater degree of autonomy and clearance than, say, an employee who handles invoicing or purchasing.
Step 3. Outline User Access Control Priorities
In this step, we implement the type of authentication required to access the area appropriate to the position in question. A user with increased access to sensitive material would be required to provide additional authentication layers to access and work in their compartmentalized area.
So, for the same director of finance, a username and password, additional biometrics, as well as time-based (8:00 am-5:30 pm) and location-based (east coast region, west coast region, European division) security measures could be implemented. This level of compartmentalization would deny that same user access from a different division's location or outside their timeframe, which would also happen if the time window were evaluated in UTC rather than the user's local time.
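To make the Step 3 controls concrete, here is an added example (not code from the original article) of a deny-by-default policy evaluator: a request is allowed only if a policy exists for its role and resource, enough distinct authentication factors were presented, the origin region is permitted, and the timestamp falls inside a working-hours window written in the division's own time zone. The roles, resources, regions, and requests are constructed for illustration; the last scenario shows the UTC mismatch mentioned above, where an 08:30 clock reading interpreted as UTC is 03:30 Eastern and is refused.

```python
"""Added example, not part of the original article: a minimal deny-by-default
access policy evaluator with role, factor-count, region and local-time checks.
All policies, users and requests below are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, time
from zoneinfo import ZoneInfo


@dataclass(frozen=True)
class Policy:
    """Access rule for one (role, resource) pair. Anything not listed is denied."""
    role: str
    resource: str
    min_factors: int      # distinct factor types the request must present
    window_start: time    # inclusive, expressed in `tz`
    window_end: time      # exclusive, expressed in `tz`
    tz: str               # IANA zone the working-hours window is written in
    regions: frozenset    # request origins that are permitted


@dataclass(frozen=True)
class Request:
    user: str
    role: str
    resource: str
    factors: frozenset    # e.g. {"password", "biometric"}
    region: str
    at: datetime          # must be timezone-aware


# Constructed policy table (hypothetical roles and resources): the finance
# director reaches the ledger only with 2+ factors, 08:00-17:30 US Eastern,
# from the east-coast region; marketing assets are open to all regions.
POLICIES = {
    ("finance_director", "finance/ledger"): Policy(
        role="finance_director", resource="finance/ledger", min_factors=2,
        window_start=time(8, 0), window_end=time(17, 30),
        tz="America/New_York", regions=frozenset({"us-east"})),
    ("marketing", "marketing/assets"): Policy(
        role="marketing", resource="marketing/assets", min_factors=1,
        window_start=time(0, 0), window_end=time(23, 59, 59),
        tz="UTC", regions=frozenset({"us-east", "us-west", "eu"})),
}


def evaluate(req: Request) -> tuple:
    """Return (allowed, reason). Every check that fails denies the request."""
    if req.at.tzinfo is None:
        return False, "naive timestamp rejected"
    policy = POLICIES.get((req.role, req.resource))
    if policy is None:
        return False, "no policy grants this role access to this resource"
    if len(req.factors) < policy.min_factors:
        return False, f"{policy.min_factors} factors required, {len(req.factors)} presented"
    if req.region not in policy.regions:
        return False, f"region {req.region} not permitted"
    # Convert the request time into the zone the window is written in, so an
    # 08:30 Eastern login is not mistaken for 08:30 UTC (03:30 Eastern).
    local = req.at.astimezone(ZoneInfo(policy.tz)).time()
    if not (policy.window_start <= local < policy.window_end):
        return False, f"outside working hours ({local.isoformat(timespec='minutes')} {policy.tz})"
    return True, "allowed"


# Constructed sample requests for the finance director scenario.
EASTERN = ZoneInfo("America/New_York")
DIRECTOR = dict(user="dana", role="finance_director", resource="finance/ledger",
                factors=frozenset({"password", "biometric"}), region="us-east")
JAN15_0830_ET = datetime(2024, 1, 15, 8, 30, tzinfo=EASTERN)


def demo() -> dict:
    """Evaluate the constructed scenarios; keyed by scenario name."""
    return {
        "in_hours_local": evaluate(Request(**DIRECTOR, at=JAN15_0830_ET)),
        # Same clock reading, but stamped as UTC: 08:30Z is 03:30 Eastern.
        "same_clock_read_as_utc": evaluate(Request(
            **DIRECTOR, at=datetime(2024, 1, 15, 8, 30, tzinfo=ZoneInfo("UTC")))),
        "wrong_region": evaluate(Request(**{**DIRECTOR, "region": "eu"}, at=JAN15_0830_ET)),
        "single_factor": evaluate(Request(
            **{**DIRECTOR, "factors": frozenset({"password"})}, at=JAN15_0830_ET)),
        "no_policy": evaluate(Request(user="mo", role="marketing", resource="finance/ledger",
                                      factors=frozenset({"password"}), region="us-west",
                                      at=JAN15_0830_ET)),
    }


if __name__ == "__main__":
    for name, (allowed, reason) in demo().items():
        print(f"{name:24s} {'ALLOW' if allowed else 'DENY ':5s} {reason}")
```

The policy table is keyed on (role, resource), so a role with no entry for a resource is denied without any further checks; the factor count, region, and time checks only narrow an existing grant, which is the least-privilege ordering the article describes.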
Step 4. Implement the Plan
Typically, the executive management team, along with the major department heads and the HR and Security departments, would need to begin preparing the changeover to this new security paradigm. This would include new training and written and verbal information on why the change is needed, including examples of how this modification benefits the organization as a whole.
As a rule, changes this broad would need to be implemented from the institution's top-down. The required explanation for the change and management buy-in would also be required as any failure in the chain of custody would tend to defeat this measure's purpose, especially if this is a new policy. This measure would no doubt be met with an initial degree of pushback due to the nature of the restrictions to be implemented.
As with any major policy shift, company-wide as well as department-wide employee meetings would need to be held to answer any and all questions related to why such a policy shift is needed. A patient and thorough explanation will go a long way with employee buy-in and in the long run, provide a smoother transition of the new policy.
Step 5: MOVE: Monitor/Observe/Verify/Evaluate
Lastly, implementing a Zero Trust policy should include ongoing monitoring of the changes. The flexibility to adjust areas of concern should not preclude the ability to mold the policy to fit the organization. Any changes to the policy should be granted only on a case-by-case basis, with input from the teams involved and extensive documentation as to why a modification or exemption is needed. This preserves the principle of maintaining the lowest amount of access needed to accomplish a position's required tasks.
Observation is then required to see if there are areas of lowered productivity, as this is expected due to the nature of the sweeping changes and employees' adaptation to the model. If a major hindrance is noted, a full review of the specific areas involved is warranted, and incremental changes can be applied and then evaluated over a set period of time to determine their effectiveness.
A period of verification should be done at three months, six months, one year, and each subsequent year to gauge the policy's effectiveness. Again, modifications can be made by a steering committee if larger changes are required due to security failures at any point in the process. This also allows for a tightening of some areas and a loosening of others as needs dictate.
Finally, an agreed-upon timeframe should be used for both an internal audit and an external evaluation, the latter completed by an independent auditor, to gauge the effectiveness of the policy. This reduces the possibility of exploitable gaps not seen or experienced during the policy change period and allows the executive team to ascertain the effectiveness of the policy and shore up any areas of liability or deficits in it. By implementing this type of system, security can be improved, malicious intent prevented, and losses deterred, increasing the overall security of the corporation.
A Zero Trust policy is the newest cost of doing business in a tech-savvy world. It means approaching security measures in a smart way and being open to the possibility of bad actors taking advantage of gaps in security. Policies like these can improve control over access to internal resources, reducing an organization's attack surface. This also prevents internal lateral attacks by those seeking unauthorized access to resources that should be unreachable or even invisible to them. Zero Trust security enables greater visibility into deficits in shared access through activity monitoring and evaluation.