Historically, many organizations have adopted a perimeter-focused security model. This is commonly compared to a castle and a moat. Based on the assumption that all threats originate from outside the organization, all of the defenses are deployed at the perimeter to keep those threats outside.
Meanwhile, inside the castle wall, legitimate users have complete access, and the organization has little or no visibility or security. This approach to security has a number of issues, which inspired the creation of the zero trust security model.
Under a zero trust model, access to resources is granted on a case-by-case basis based on access control rules and policies. This provides an organization with greater internal visibility and more granular control over its security.
Why is Zero Trust Important?
A perimeter-based security model works only if all threats come from the outside and the perimeter defenses are 100% effective at blocking attacks.
Since neither of these assumptions is valid, zero trust is essential to enterprise security.
Zero trust security provides protection against a number of different threats that perimeter-based security cannot, including:
- Insider Risks: Whether intentionally or unintentionally, “trusted” employees take a variety of different actions that place the organization at risk. A zero trust strategy limits employee access and privileges to those required for their role, which minimizes the damage that they can do.
- Lateral Movement: Under a perimeter-focused security model, an attacker with access to an organization’s network can move freely within it. Zero trust requires validation of every request, decreasing the probability that an attacker can move through the network without detection.
- Malware Attacks: Perimeter-based security can only detect and block malware when it first enters the network. Zero trust security enables defense-in-depth as each action and access request by the malware is scrutinized.
Most organizations’ cybersecurity risk is increasing as their attack surfaces expand and cybercriminals grow more sophisticated.
Implementing a zero trust security strategy is an important part of minimizing the risk to an organization.
What are the Key Principles Behind a Zero Trust Architecture?
Zero trust is a security model designed to compartmentalize and minimize access and cybersecurity risk. The key tenets of a zero trust architecture include:
- Strong Authentication: Zero trust is identity-centric, with permissions being assigned to a particular user. This makes strong user authentication – using multi-factor authentication (MFA) and similar tools – essential to ensuring that access to resources is only granted when appropriate.
- Least Privilege: The principle of least privilege states that a user, application, or system should only be granted the access and privileges needed to perform their role. By minimizing access, least privilege constrains cybersecurity risk.
- Take Advantage of Context: Every user request comes with environmental data, such as the time of day, the system used, the request source, and more. Zero trust access controls should leverage this context to restrict access to only legitimate use of a resource.
- Validate Everything: Zero trust is built on the principle of performing validation before providing access to anything. All resources – including systems, files, applications, etc. – should have access controls in place.
- Minimize Access: Validation requirements should be as granular as possible – i.e. individual applications or files rather than at the system level – and provide minimal access time – i.e. allowing access for a single session. By minimizing access, zero trust limits cybersecurity risk.
- Assume Breach: Unlike perimeter-based security models, zero trust assumes that threats and risks are present within an organization’s systems. Zero trust works to compartmentalize access and risk to minimize the risk to the organization.
- Consistent Enforcement: Zero trust is only effective if it is enforced consistently across an organization’s entire environment, including on-premises, mobile, cloud, and IoT. Inconsistent enforcement can create loopholes that an attacker can exploit to bypass zero trust restrictions.
- Monitor and Log Everything: Data collection is essential to effective zero trust security and incident response. Log data can help to tune and improve zero trust access policies, and, if a cybersecurity incident is detected, to inform incident response and remediation.
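The principles above can be read as a single per-request decision: check identity and MFA, check device posture, check request context, then check a least-privilege grant for that specific resource and action, and record the outcome. The following is an added example of such a policy decision point, not code from the original article or from any vendor product; the users, grants, address ranges, business hours and sample requests are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass
class Request:
    user: str
    mfa_passed: bool
    device_managed: bool
    source_ip: str
    resource: str
    action: str
    when: datetime

# Least-privilege grants (constructed): per user, per resource, the only actions allowed.
GRANTS = {"alice": {"hr/payroll.csv": {"read"}}, "bob": {"eng/repo": {"read", "write"}}}
# Assumed context policy: corporate address ranges and business hours.
CORP_PREFIXES = ("10.0.", "10.1.")
BUSINESS_HOURS = range(7, 20)  # 07:00-19:59

DECISION_LOG: list[dict] = []  # monitor and log everything

def evaluate(req: Request) -> tuple[bool, str]:
    """Validate every request; return (allowed, reason). Nothing is implicitly trusted."""
    checks = [
        (req.mfa_passed, "mfa_required"),
        (req.device_managed, "unmanaged_device"),
        (req.source_ip.startswith(CORP_PREFIXES), "untrusted_network"),
        (req.when.hour in BUSINESS_HOURS, "outside_business_hours"),
        (req.action in GRANTS.get(req.user, {}).get(req.resource, set()), "no_grant"),
    ]
    for ok, reason in checks:
        if not ok:
            return _log(req, False, reason)
    return _log(req, True, "allowed")

def _log(req: Request, allowed: bool, reason: str) -> tuple[bool, str]:
    # Every decision is recorded so policies can be tuned and incidents investigated.
    DECISION_LOG.append({"user": req.user, "resource": req.resource, "action": req.action,
                         "allowed": allowed, "reason": reason, "ts": req.when.isoformat()})
    return allowed, reason

def demo() -> list[tuple[bool, str]]:
    # Constructed sample requests: compliant, off-hours, overreaching, and missing MFA.
    samples = [
        Request("alice", True, True, "10.0.4.7", "hr/payroll.csv", "read", datetime(2024, 3, 5, 10, 15)),
        Request("alice", True, True, "10.0.4.7", "hr/payroll.csv", "read", datetime(2024, 3, 5, 23, 40)),
        Request("bob", True, True, "10.1.9.2", "hr/payroll.csv", "read", datetime(2024, 3, 5, 11, 0)),
        Request("bob", False, True, "10.1.9.2", "eng/repo", "write", datetime(2024, 3, 5, 11, 0)),
    ]
    return [evaluate(r) for r in samples]
```

Note that the grant is scoped to one file and one action, so a user who is fully authenticated on a managed device still gets "no_grant" for a resource outside their role.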
How to Implement Zero Trust
Zero trust is about restricting access to all of an organization’s resources, but, in most organizations, data is the most valuable commodity and the common target of cyberattacks.
For this reason, a zero trust strategy should be based on achieving good data security.
Many organizations lack visibility into their data. They don’t know what data they have, where it is, or what’s important. Answering these questions can be nearly impossible, because companies’ data repositories keep growing and classifying that data is difficult.
For those organizations that try, 66% of companies say that their data loss prevention (DLP) rules block employees from accessing data even when they are within policy, which hurts productivity and innovation.
A better approach to implementing data security and zero trust is to assume that everything is important.
The first step towards achieving zero trust is gaining insight into how data flows within an organization. The legitimate data flows are the actions that a zero trust policy must permit, and anything else is potentially suspicious and worth investigating.
Learn the flows, use them to build policies, and always monitor.
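The three steps just described (learn the legitimate flows, turn them into policy, keep monitoring) can be demonstrated end to end. The following is an added example, not code from the original article or from Code42: it learns an allow-list of (user, source, destination) flows and their typical volume from a constructed baseline access log, then checks new constructed events against that policy and reports anything outside it for investigation. The log format, hostnames and volume threshold are assumptions.

```python
from collections import defaultdict

# Constructed sample access log, one event per line: "timestamp user source -> destination bytes"
BASELINE_LOG = """\
2024-03-01T09:02:11 alice hr-app -> hr-db 4096
2024-03-01T09:05:40 alice hr-app -> hr-db 2048
2024-03-01T10:11:03 bob ci-runner -> artifact-store 1048576
2024-03-02T09:14:22 alice hr-app -> hr-db 3072
2024-03-02T10:20:51 bob ci-runner -> artifact-store 2097152
"""

def parse(log: str):
    for line in log.splitlines():
        ts, user, src, _, dst, size = line.split()
        yield {"ts": ts, "user": user, "src": src, "dst": dst, "bytes": int(size)}

def learn_flows(log: str) -> dict:
    """Build an allow-list of (user, src, dst) flows with the largest volume seen per flow."""
    flows = defaultdict(int)
    for ev in parse(log):
        key = (ev["user"], ev["src"], ev["dst"])
        flows[key] = max(flows[key], ev["bytes"])
    return dict(flows)

def monitor(policy: dict, log: str, volume_factor: float = 4.0) -> list[tuple[str, str]]:
    """Check new events against the learned policy; return (timestamp, finding) for deviations."""
    findings = []
    for ev in parse(log):
        key = (ev["user"], ev["src"], ev["dst"])
        if key not in policy:
            # A flow never seen during learning is not permitted by policy: investigate it.
            findings.append((ev["ts"], f"unknown flow {key[0]} {key[1]}->{key[2]}"))
        elif ev["bytes"] > policy[key] * volume_factor:
            # Known flow, but far above its learned volume: possible bulk exfiltration.
            findings.append((ev["ts"], f"volume spike {key[0]} {key[1]}->{key[2]} {ev['bytes']}B"))
    return findings

# Constructed new events: one normal, one unseen flow, one volume spike on a known flow.
NEW_LOG = """\
2024-03-03T09:01:17 alice hr-app -> hr-db 1024
2024-03-03T13:45:09 alice laptop-7 -> hr-db 8192
2024-03-03T22:10:33 bob ci-runner -> artifact-store 16777216
"""

def demo() -> list[tuple[str, str]]:
    return monitor(learn_flows(BASELINE_LOG), NEW_LOG)
```

In practice the baseline would be relearned periodically and reviewed by the data owners, since a flow that was present during learning is not necessarily legitimate.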
Zero Trust Starts with Data Security
Code42 commissioned Forrester Consulting to evaluate the challenges that organizations face using traditional data loss prevention solutions. Join guest speaker Chase Cunningham from Forrester and Abhik Mitra from Code42 as they discuss the survey results.