By Jay Martin, GreenPages Security Practice Lead
Security is top of mind for strategic thinkers in the C-suite and IT department. But what is a "zero trust" security framework and how does it benefit your organization?
It was more than a decade ago when cybersecurity industry analyst John Kindervag introduced "zero trust security" to the IT world. The idea behind the zero trust security framework was to keep user data safe from cyberattacks no matter what devices or networks were used to access the data. But although zero trust security is a great idea, it's often misunderstood by business leaders and IT organizations alike.
Companies are struggling to take zero trust from concept to practice. Some business strategists in the C-suite are confused by the thought of zero trust security as a framework rather than a product. For IT decision makers and their employees, readjusting to the new paradigm of zero trust security involves rethinking an outdated perimeter-focused cybersecurity strategy. And because deploying a zero trust security solution can be accomplished in multiple ways, adopting this framework can be daunting for most organizations.
GreenPages is committed to infusing all our solutions with zero trust security. To help business decision makers understand how zero trust enhances their organizations' security at scale, we should describe exactly what zero trust is—and why it is needed in today's cloud-first world.
Defining the Zero Trust Security Framework
Zero trust is a business strategy, not just a technology play. It requires multiple organizational disciplines, strategies, and technologies to come together to share context and vision before zero trust can help reduce risk and help protect an organization's data. The core tenet of zero trust security is "Trust No One," whether the user or asset is internal to your corporate network (in an office) or external to it (accessing remotely). Any access to corporate data—no matter if it's located in the cloud, on a server in a closet, or on an employee-owned tablet connected to public Wi-Fi at a coffee shop—needs to be continually evaluated against three core principles: Apply Least Privilege Access, Verify Identities Explicitly, and Assume a Breach.
Apply Least Privilege Access - Zero trust requires IT to apply least privilege access to assets, no matter where they are located. You can also think of this as applying "just in time access," giving people just enough permission to reach the data or applications they need to do their job. For example, a company with zero trust security would not provide marketing staff members unfettered access to financial systems. In a zero trust model, access to HR systems in order to view employee HR records is granted only to authorized HR employees.
Granting least privilege access can be summarized as "just because they're on the network doesn't mean they can get to anything on the network." That is exactly what bad actors do: they get onto the network; they scan it for any devices that are listening; and then they try to take advantage of the vulnerabilities they find and move laterally. Zero trust can shut that down. Within a zero trust framework, we no longer want anyone getting on a network and being able to discover IoT devices, applications, and data in nearby systems.
Verify Identities Explicitly - As we've seen in many high-profile cyberattacks, identities can be forged. Millions of usernames are available to criminals on the dark web. Hackers have tools that can easily brute force a password login and even bypass multifactor authentication (MFA) in many cases to fake an authorized identity. Zero trust security requires continuous verification to establish user identity. Imagine an employee who logs in from their office workstation in the morning, is granted access to a system, and logs out from that workstation in the evening. When that same employee tries to log into the corporate email system from home, a zero trust security framework looks at that login attempt with suspicion. The username and password are known and the MFA is correct, but now the user is logging in from an unknown laptop.
Zero trust security asks tough questions to explicitly verify not only the user, but the device identity, too. For instance, is this device (whether it's BYOD or company owned) registered with the IT department for use by this user? Does the device have the proper anti-malware and antivirus protections sanctioned by corporate IT? Are the latest OS and application patches installed? Does the device have the latest browser updates? Based on any (or preferably all) of those criteria, zero trust can deny access. These added steps will likely trigger a call from the employee to the helpdesk, but IT decision makers should view this as a "feature" rather than a "bug" of the zero trust security framework.
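As an added illustration (not part of the original article or any GreenPages product), the following Python models the explicit-verification checks just described as a single policy function over a device registry. The user name, device identifiers and registry contents are constructed for the example.

```python
# Added example: policy evaluation for an access attempt that checks the
# user's credentials and MFA, then the presenting device's registration and
# posture. Device records and identifiers below are constructed, not real.
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    owner: str                # user this device is registered to with IT
    endpoint_protection: bool  # sanctioned anti-malware/antivirus present
    os_patched: bool          # latest OS and application patches installed
    browser_current: bool     # latest browser updates installed


@dataclass(frozen=True)
class LoginAttempt:
    user: str
    password_ok: bool
    mfa_ok: bool
    device_id: str            # identifier presented by the connecting device


# Constructed registry: IT has enrolled a workstation and a laptop for "alice".
REGISTRY = {
    "WS-0042": Device(owner="alice", endpoint_protection=True,
                      os_patched=True, browser_current=True),
    "LT-0007": Device(owner="alice", endpoint_protection=True,
                      os_patched=False, browser_current=True),
}


def evaluate(attempt: LoginAttempt, registry=REGISTRY) -> tuple[str, list[str]]:
    """Return ("allow" | "deny", reasons). Every criterion is evaluated so the
    helpdesk sees the full list of failed checks, not only the first one."""
    reasons = []
    if not attempt.password_ok:
        reasons.append("credentials rejected")
    if not attempt.mfa_ok:
        reasons.append("MFA not satisfied")
    device = registry.get(attempt.device_id)
    if device is None:
        reasons.append("device not registered with IT")  # the unknown home laptop
    elif device.owner != attempt.user:
        reasons.append("device registered to a different user")
    else:
        if not device.endpoint_protection:
            reasons.append("endpoint protection missing")
        if not device.os_patched:
            reasons.append("OS patches out of date")
        if not device.browser_current:
            reasons.append("browser out of date")
    return ("deny" if reasons else "allow", reasons)
```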
Assume a Breach - An organization should operate on the assumption that bad actors are already on its network. They're sitting there idle, watching what you're doing, and waiting for the right time to launch the worst-case scenario against your organization. To mitigate this potential disaster, zero trust frameworks require IT teams to collect telemetry and gain deep visibility into everything. This visibility enables IT security professionals to see what is going on across networks, where the traffic on the network is originating, where it's going, who is accessing the data, and what they're doing with that data. By assuming the organization is already breached and having end-to-end visibility into all networks, clouds, and devices, an IT team can tell when bad actors are moving data offsite and identify anomalous behavior.
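To make the "moving data offsite" detection concrete, here is an added example (not from the original article) that compares each account's daily external egress against its own recent baseline. The flow records, user names, destinations and thresholds are constructed for the illustration.

```python
# Added example: per-user baseline check on outbound bytes to external
# destinations, the kind of telemetry-driven anomaly check the text describes.
from collections import defaultdict
from statistics import mean

# Constructed flow records: (day, user, destination, bytes, is_external)
FLOWS = [
    (1, "alice", "fileshare.corp", 300_000_000, False),      # internal, ignored
    (1, "alice", "saas-backup.example", 40_000_000, True),
    (2, "alice", "saas-backup.example", 45_000_000, True),
    (3, "alice", "saas-backup.example", 42_000_000, True),
    (4, "alice", "paste.example", 2_500_000_000, True),      # constructed spike
    (1, "bob", "saas-backup.example", 50_000_000, True),
    (2, "bob", "saas-backup.example", 55_000_000, True),
    (3, "bob", "saas-backup.example", 52_000_000, True),
    (4, "bob", "saas-backup.example", 51_000_000, True),
]


def daily_external_egress(flows):
    """Sum bytes sent to external destinations per user per day."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, user, _dst, nbytes, external in flows:
        if external:
            totals[user][day] += nbytes
    return totals


def flag_exfil(flows, baseline_days=3, factor=5.0):
    """Flag users whose latest-day offsite egress exceeds `factor` times the
    mean of their preceding `baseline_days`. Returns {user: (day, bytes, baseline)}."""
    flagged = {}
    for user, per_day in daily_external_egress(flows).items():
        days = sorted(per_day)
        if len(days) <= baseline_days:
            continue  # not enough history to establish a baseline
        latest = days[-1]
        baseline = mean(per_day[d] for d in days[-baseline_days - 1:-1])
        if per_day[latest] > factor * baseline:
            flagged[user] = (latest, per_day[latest], baseline)
    return flagged
```

A real deployment would draw the baseline from weeks of telemetry and combine this volume check with destination reputation and identity context; the structure of the comparison is the same.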
Summarizing a Zero Trust Security Strategy
For zero trust security to be effective, everyone in the organization needs to be part of it. Zero trust security methods must be followed by all departments, from HR, to finance, to sales, and the executives.
It can’t be just the burden of IT or just the security team. Zero trust requires everyone in the organization to pull this together.
To reiterate, zero trust is a business strategy rather than a product. Organizations should evaluate their security frameworks against the three core principles.
Even then, zero trust is not a panacea for every cybersecurity ill, but it will help protect organizations at scale.
Overwhelmed? GreenPages Can Help
85% of IT decision makers report that increasingly advanced security threats make the stakes of successful data protection greater than ever. GreenPages built a zero trust framework on the eight security control areas outlined in the U.S. Cybersecurity & Infrastructure Security Agency's (CISA's) Zero Trust Maturity Model. If your business is considering a zero trust strategy, GreenPages' experts can help you develop, implement, enforce, and evolve these powerful new security policies—and do it in a way that fits your budget.