How to Implement Zero Trust Security in 5 Steps

Reading Time: 6 minutes

What is Zero Trust Security?

Zero Trust security is a concept, methodology, and threat model that assumes no user, system, or service operating inside a secured internal environment should be trusted automatically. It holds that every interaction must be verified before access to a system is granted. The model uses micro-segmentation and granular edge controls based on user rights, application access levels, service usage, and location to decide whether to trust a user, machine, or application seeking access to a specific part of an organization.

Why is it Needed?

Nation-state level cybercrime, the widespread use of malware, and the general insecurity of an internal network once the external firewall has been breached called for a more granular approach to security, one that stems the tide of intrusions and bolsters security across an organization, especially where a wide area network is in place. The more access points an infrastructure has, the weaker its overall security can become.

Why is it Useful? 

Zero Trust security begins from the position that no access is trusted by default. Access is allowed only on a per-user, per-service, or per-application basis. On top of this we add two-factor authentication, IAM (Identity & Access Management), ongoing analytics, enforced encryption, security scoring, and file system permissions. Together these allow the continual monitoring that governs access and privileges within an infrastructure.

How is Zero Trust Defined?

Google's internal BeyondCorp initiative, begun in 2011, helped to standardize the Zero Trust model. Google describes it as follows:

BeyondCorp is a Zero Trust security framework modeled by Google that shifts access controls from the perimeter to individual devices and users. The end result allows employees to work securely from any location without the need for a traditional VPN.

Unlike the traditional perimeter security model, BeyondCorp dispels the notion of network segmentation as the primary mechanism for protecting sensitive resources. Instead, all applications are deployed to the public Internet, accessible through a user and device-centric authentication and authorization workflow.

The guiding principles set forth by Google help pave the path for other organizations to realize their own implementation of a Zero Trust network.

https://www.beyondcorp.com/

Additionally, in 2017, Gartner presented its CARTA model (Continuous Adaptive Risk and Trust Assessment), which is defined by the following five ideas.

  • Replaces single binary security decisions with context-aware ones
  • Recommends more granular controls and micro-segmented control planes governed by predetermined policy decisions
  • Continuous monitoring of assets that weighs risk against trust, both proactively and reactively
  • Risk and trust assessment before a policy is implemented
  • A move to a “Software-Defined Perimeter” (SDP). An SDP is a dynamically established, micro-segmented network path that provides a one-to-one connection between a user and the resource they need to access.

5 Steps to Implement Zero Trust

A Zero Trust model is realized using the following five steps.

  1. Define the goals and objectives of securing the network. These begin with three ideas.
    • Never trust, always verify
    • Every connection is possibly hostile
    • Always apply the principle of least privilege
  2. Rank the areas of the organization from those requiring the most security to those requiring the least.
  3. Outline which users can access these areas and what security measures they will use to do so. Access should require multi-factor authentication, meaning at least two factors of different kinds:
    • Something the user knows (username and password or passphrase)
    • Something the user has (a hardware or software-based security token)
    • Something the user is (biometrics)
    Access can additionally be conditioned on context:
    • Time-based restrictions (e.g., a daily rotating passphrase or an access window)
    • Location-based restrictions
  4. Plan, lay out, and implement the methods used to enforce the Zero Trust policy.
  5. Continued monitoring, observation, testing, and evaluation.

Below, we will go into each of the five steps above in more detail.

Step 1. Define the Target Objectives

In the first step, we begin from the idea of trusting nothing and no one with access to our network. Next, we identify every access point, endpoint, service, and application we intend to include in our policy. We then work through each of these areas to determine who requires access and grant only the minimal rights needed to work within them.

Step 2. Establish the Protect Surface

Next, within each of these planes, we identify and compartmentalize each area from the most security needed to the least. For example, the Finance department would need tighter security protocols than, say, the Marketing department. By identifying each department, we can then define the varying degrees of employee access needed at each level. So, our finance director would need a greater degree of autonomy and clearance than, say, an employee who handles invoicing or purchasing.

Step 3. Outline User Access Control Priorities

In this step, we specify the type of authentication required to access each area, matched to the position in question. A user with access to more sensitive material is required to provide additional authentication layers to enter and work in their compartmentalized area.

So for the same director of finance, a username and password, biometrics, and time-based (8:00 am-5:30 pm) and location-based (east coast region, west coast region, European division) measures could all be required. If the time windows are expressed in UTC, this compartmentalization denies that same user access from a different division's location or outside their timeframe.
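The decision described above, written out as code, is an added example and not part of the original article. It implements the context-aware, default-deny check that Step 3 and the CARTA principle of replacing binary decisions with context-aware ones call for: a request is allowed only if enough distinct kinds of factor were proven, the region and UTC time window match, and the device passes a posture check. It generalizes slightly beyond the text by counting factor classes rather than factors, so two credentials of the same kind (a hardware key and an authenticator app) do not count as multi-factor. The resource names, regions, factor names, policy values, and the finance director's sample requests are all hypothetical and constructed for the example.

```python
# Added example (not from the original article): a context-aware access
# decision of the kind Step 3 describes. Resources, regions, factor names,
# policy values and sample requests are hypothetical.
from dataclasses import dataclass
from datetime import datetime, time, timezone

# Each factor is classified by what it proves. Two credentials from the same
# class (a hardware key and an authenticator app) do not add up to
# multi-factor; the policy counts distinct classes.
FACTOR_CLASS = {
    "password": "knowledge",
    "hardware_token": "possession",
    "totp_app": "possession",
    "fingerprint": "inherence",
}

@dataclass(frozen=True)
class Policy:
    min_factor_classes: int        # distinct factor classes required
    allowed_regions: frozenset     # where the user may connect from
    window_start: time             # access window, UTC
    window_end: time

@dataclass(frozen=True)
class Request:
    user: str
    resource: str
    factors: frozenset             # factors proven in this session
    region: str
    when: datetime                 # must be timezone-aware
    device_compliant: bool         # e.g. managed, patched, disk encrypted

@dataclass(frozen=True)
class Decision:
    allow: bool
    reasons: tuple                 # empty when allowed

# Hypothetical protect surfaces from Step 2: finance is locked down more
# tightly than marketing.
POLICIES = {
    "finance/ledger": Policy(3, frozenset({"us-east", "us-west"}),
                             time(8, 0), time(17, 30)),
    "marketing/assets": Policy(2, frozenset({"us-east", "us-west", "eu"}),
                               time(0, 0), time(23, 59, 59)),
}

def evaluate(req: Request, policies=POLICIES) -> Decision:
    """Default deny: every condition must hold, and each failure is recorded
    so the decision can be audited later (Step 5)."""
    policy = policies.get(req.resource)
    if policy is None:
        return Decision(False, ("no policy for resource; default deny",))
    reasons = []
    classes = {FACTOR_CLASS[f] for f in req.factors if f in FACTOR_CLASS}
    if len(classes) < policy.min_factor_classes:
        reasons.append(f"{len(classes)} factor class(es) proven, "
                       f"{policy.min_factor_classes} required")
    if req.region not in policy.allowed_regions:
        reasons.append(f"region {req.region} not permitted")
    if req.when.tzinfo is None:
        reasons.append("request time has no timezone; cannot apply window")
    else:
        t = req.when.astimezone(timezone.utc).time()
        if not (policy.window_start <= t <= policy.window_end):
            reasons.append(f"{t:%H:%M} UTC outside window "
                           f"{policy.window_start:%H:%M}-{policy.window_end:%H:%M}")
    if not req.device_compliant:
        reasons.append("device posture check failed")
    return Decision(not reasons, tuple(reasons))

def demo() -> dict:
    """Constructed sample requests for a hypothetical finance director."""
    strong = frozenset({"password", "hardware_token", "fingerprint"})
    base = dict(user="fin-director", resource="finance/ledger",
                factors=strong, region="us-east", device_compliant=True,
                when=datetime(2024, 3, 4, 14, 0, tzinfo=timezone.utc))
    cases = {
        "in_hours_us_east": Request(**base),
        "after_hours": Request(**{**base, "when": datetime(2024, 3, 4, 21, 0,
                                                          tzinfo=timezone.utc)}),
        "from_eu_division": Request(**{**base, "region": "eu"}),
        "two_classes_only": Request(**{**base, "factors": frozenset({"password", "totp_app"})}),
        "same_class_twice": Request(**{**base, "factors": frozenset({"hardware_token", "totp_app"})}),
        "unmanaged_device": Request(**{**base, "device_compliant": False}),
        "unknown_resource": Request(**{**base, "resource": "hr/payroll"}),
    }
    return {name: evaluate(r) for name, r in cases.items()}

if __name__ == "__main__":
    for name, d in demo().items():
        print(f"{name:18} {'ALLOW' if d.allow else 'DENY '} {'; '.join(d.reasons)}")
```

Every denial carries the full list of failed conditions rather than stopping at the first one, which is what the monitoring in Step 5 needs: a log of "denied, outside window and unmanaged device" tells the steering committee far more than a bare "denied".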

Step 4. Implement the Plan

Typically, the executive management team, along with the major department heads, HR, and the security department, would need to begin preparing the changeover to this new security paradigm. This would include new training and written and verbal information on why the change is needed, with examples of how it benefits the organization as a whole.

As a rule, changes this broad need to be implemented from the top of the institution down. An explanation for the change and management buy-in are required, as any break in that chain of support tends to defeat the measure's purpose, especially when the policy is new. The measure will no doubt meet an initial degree of pushback because of the restrictions being introduced.

As with any major policy shift, company-wide and department-wide employee meetings need to be held to answer any and all questions about why the shift is needed. A patient and thorough explanation goes a long way toward employee buy-in and, in the long run, a smoother transition to the new policy.

Step 5: MOVE: Monitor/Observe/Verify/Evaluate

Lastly, implementing a Zero Trust policy should include ongoing monitoring of the changes. Flexibility to adjust areas of concern should not preclude molding the policy to fit the organization, but any change should be granted only on a case by case basis, with the input of the teams involved and extensive documentation of why a modification or exemption is needed. This keeps the pressure toward the lowest amount of access needed to accomplish a position's required tasks.

Observation is then required to spot areas of lowered productivity, which are expected given the sweeping nature of the changes and employees' adaptation to the model. If a major hindrance is noted, a full review of the specific areas involved is warranted; incremental changes can then be applied and evaluated over a defined period to determine their effectiveness.

Verification of the policy's effectiveness should be done at three months, six months, one year, and each subsequent year. Again, a steering committee can make larger modifications if security failures occur at any point in the process. This also allows for tightening some areas and loosening others as needs dictate.

Finally, on an agreed-upon schedule, both an internal audit and an external evaluation by an independent auditor should be completed to gauge the effectiveness of the policy. This reduces the chance that exploitable gaps missed during the policy change period go unnoticed, and lets the executive team ascertain the policy's effectiveness and shore up any liabilities or deficits. Implemented this way, the policy improves security, prevents malicious access, and deters losses across the corporation.

Conclusion

A Zero Trust policy is the newest cost of doing business in a tech-savvy world: approaching security measures in a smart way and staying open to the possibility that bad actors will take advantage of any gap in security. Policies like these improve control over access to internal resources, reducing an organization's attack surface. They also prevent internal lateral movement by those seeking unauthorized access to resources that should be unreachable, or even invisible, to them. Zero Trust security gives greater visibility into deficits in shared access through activity monitoring and evaluation.

Join Us!

We pride ourselves on being The Most Helpful Humans In Hosting™!

Our Support Teams are filled with experienced Linux technicians and talented system administrators who have intimate knowledge of multiple web hosting technologies, especially those discussed in this article.

Should you have any questions regarding this information, we are always available to answer any inquiries related to this article, 24 hours a day, 7 days a week, 365 days a year.

If you own a Fully Managed VPS, Cloud Dedicated, VMWare Private Cloud, Private Parent, Managed Cloud, or Dedicated server and are uncomfortable performing any of the steps outlined, we can be reached via phone at 800.580.4985, chat, or support ticket to assist you with this process.

How Was My Website Compromised? 

Reading Time: 7 minutes

In this tutorial, we look at several methods used to compromise a website. In today's world, websites run multiple procedures that represent the core functions of a modern business. Whether you have an eCommerce site or a business card site, a website is essential for driving business growth. We can safely state that a website is a unique image of your business.

Continue reading “How Was My Website Compromised?”

DevOps: A New Perspective on Shared Automation

Reading Time: 9 minutes

What is DevOps?

DevOps is a set of tools, practices, and ideals that combine software development (Dev) and IT Operations (Ops) into a single unifying force. It allows for better collaboration between developers, operations teams, system administrators, and system engineers. Their shared goal is to continually deliver a high-value software product to the customer at high speed, while monitoring and improving the overall process, compared with traditional software and infrastructure management.

Continue reading “DevOps: A New Perspective on Shared Automation”

How to Install and Configure Chef on Ubuntu 18.04

Reading Time: 10 minutes

Introduction

In this article, we will be reviewing the Chef software, how it works, and why it is useful. We will also explore how it is helpful in DevOps. And then, we will install Chef on Ubuntu 18.04. 

What is Chef? 


Chef is a configuration management system written in Ruby and Erlang that uses a Ruby-based domain-specific language to describe configurations. It is used to ease the task of configuring and maintaining multiple servers. It can be integrated into cloud platforms, such as the new Liquid Web Managed Cloud and VMWare platforms, to manage the servers' configuration processes.

Continue reading “How to Install and Configure Chef on Ubuntu 18.04”

What is Configuration Management?

Reading Time: 4 minutes

Configuration management is the process by which a company or organization defines and tracks the state of its infrastructure resources, both physical hardware and software. It is a means to ensure that when changes are made to a system, those changes are tracked and steered toward a predefined desired state.

Continue reading “What is Configuration Management?”

What is Puppet and What Role Does it Play in DevOps?

Reading Time: 5 minutes

What is Puppet?


Puppet is a cross-platform, client-server application used for configuration management. It handles software and its configuration on multiple servers. Two versions are available: one open-source, the other commercial. It works on both Linux and Windows platforms and uses a declarative approach to automate updates, installations, and other tasks. It configures systems using files called manifests; a manifest contains the instructions for a group or type of server being controlled.

Continue reading “What is Puppet and What Role Does it Play in DevOps?”

What is the Difference Between Git and GitHub?

Reading Time: 4 minutes

What is Git?


Git is a distributed version control system (VCS), typically used to track file changes. It was developed in 2005 by Linus Torvalds, the creator of the Linux kernel. Git's primary use is to keep track of changes within source code during the software development process. Source Code Management (SCM) was the primary reason for its creation.

Continue reading “What is the Difference Between Git and GitHub?”

How To Protect Your Website From Remote Code Execution

Reading Time: 5 minutes

What is Remote Code Execution?

Remote code execution, most often achieved through code injection, is one of the most common ways hackers compromise a website. The term encompasses multiple techniques that share one aspect. The attacker passes off their code as legitimate input in the server's eyes, using a data submission method typically reserved for regular users.

Continue reading “How To Protect Your Website From Remote Code Execution”

The Top 5 Git Best Practices For Success

Reading Time: 4 minutes

What is Git?


Git is the most commonly used VCS (Version Control System) today. Git is a free distributed version control system used for tracking changes in source code during development. It is installed and maintained on your local system. It is designed mainly for orchestrating work among developers. But, it can also be used for tracking changes in any set of files.

You can commit your work locally and, once everything is working as expected, sync it to the server. Because of Git's popularity, help is easy to get when it's needed, and the Git community offers many resources for learning Git online.

Continue reading “The Top 5 Git Best Practices For Success”

What is Cloud Automation?

Reading Time: 4 minutes


What is Cloud Automation?

Cloud automation is a blanket term that is often used to denote specialized software, tools, and operations that help us reduce the manual effort when it comes to deploying and maintaining cloud-based IT infrastructure. Simply put, it is automating tasks programmatically.

Continue reading “What is Cloud Automation?”