The rapid adoption of cloud computing and the spread of mobile devices mean enterprises can no longer rely on network-centric perimeter security to protect their data. Instead, they must grant access to many kinds of users regardless of location, device, or network. With many businesses offering hybrid working models, accessing applications from multiple devices is now routine, which widens the organisation's risk exposure and makes the 'trust but verify' approach no longer viable.
This article looks in more detail at the zero trust security model: what it is, why it matters in today's environment, and how it works.
What is Zero Trust Approach?
The 'trust but verify' approach assumes that a user who presents correct credentials may then reach any application, site, or device they hold privileges for. This raises risk exposure: once the business treats a user as a trusted entity, that entity can access resources without further checks.
The zero trust approach, by contrast, verifies every request as though it originated from an open network. Regardless of where a request comes from or which resource it targets, the rule is 'never trust, always verify'.
Achieving a zero trust security architecture relies on a set of principles, and the journey starts with identity and access management. Let's look at these principles in more depth.
Principles of Zero Trust Security Model
- Constant Validation and Monitoring – The zero trust philosophy assumes attackers may be present both inside and outside the network, so no system or user is trusted automatically. Zero trust verifies the user's identity and privileges and the device's identity and security state, and it re-verifies logins, credentials, and connection timeouts continuously rather than once at login.
- Least Privilege Principle – Zero trust security is built on least-privilege access: users get only the access they need, which minimizes their exposure to critical data and sensitive areas of the network.
- Access Control on Devices – Zero trust requires firm controls over devices in addition to controls over access to resources. The system tracks how many distinct devices have access to the organisation's network, ensures every device is authorized, and assesses each one to confirm it has not been compromised, reducing the attack surface.
- Micro-segmentation – The security perimeter is broken down into smaller zones so that access to different parts of the network is controlled separately. Access to one zone does not carry over to another; each zone requires its own authentication and authorization.
- Lateral Movement Prevention – Zero trust models are designed to stop attackers from moving laterally through a network. The architecture is segmented so that an attacker who compromises one micro-segment cannot migrate to another.
- Multi-factor Authentication – MFA uses at least one additional authentication factor to verify user identity, such as combining a password with a hardware token or a one-time password (OTP). It protects the account even if the password alone is compromised, because the attacker still lacks the second factor; note that phishable factors such as SMS or app OTPs can still be relayed by an attacker in real time, which hardware keys resist.
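To make the principles above concrete, here is a small policy decision point written for this article as an added example; it is not code from the original page or from any vendor product. It assumes a hypothetical role matrix, two micro-segments with different minimum MFA strengths, a constructed device inventory and a 15-minute re-verification window; every user, role, zone and device name in it is illustrative. What it demonstrates is that each request is evaluated from scratch with default deny, that an authentication strength sufficient for one zone can be insufficient for another, and that the source IP is recorded for audit but never used to grant access.

```python
"""Minimal zero trust policy decision point (added example, not from the article).
Every request is checked from scratch against identity, device posture, MFA
strength and the resource's micro-segment; network location never grants trust.
All roles, zones, device IDs and users below are constructed for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Hypothetical least-privilege matrix: role -> set of (resource, action) grants.
ROLE_PERMISSIONS = {
    "analyst": {("reports", "read")},
    "admin": {("reports", "read"), ("reports", "write"), ("billing", "read")},
}

# Hypothetical micro-segments: each resource lives in a zone, and each zone
# demands a minimum authentication strength before it can be entered.
RESOURCE_ZONE = {"reports": "corp", "billing": "restricted"}
ZONE_MIN_MFA = {"corp": "password+otp", "restricted": "password+hw-key"}
MFA_STRENGTH = {"password": 0, "password+otp": 1, "password+hw-key": 2}

# Constructed device inventory; posture is what each device reported at check-in.
DEVICE_INVENTORY = {
    "lt-1001": {"managed": True, "disk_encrypted": True, "compromised": False},
    "lt-1002": {"managed": True, "disk_encrypted": True, "compromised": True},
}

MAX_SESSION_AGE = timedelta(minutes=15)  # assumed re-verification window


@dataclass
class Request:
    user: str
    roles: set
    device_id: str
    mfa: str
    resource: str
    action: str
    authenticated_at: datetime
    source_ip: str  # kept for audit logging only; never a trust input


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)


def evaluate(req: Request, now: datetime) -> Decision:
    """Default-deny evaluation: every check must pass, each failure is recorded."""
    reasons = []

    # 1. Constant validation: an authentication older than the window must be refreshed.
    if now - req.authenticated_at > MAX_SESSION_AGE:
        reasons.append("reauthentication required: session older than 15 minutes")

    # 2. Device access control: unknown, unmanaged or compromised devices fail.
    dev = DEVICE_INVENTORY.get(req.device_id)
    if dev is None:
        reasons.append(f"device {req.device_id} not enrolled")
    else:
        if not (dev["managed"] and dev["disk_encrypted"]):
            reasons.append(f"device {req.device_id} fails posture checks")
        if dev["compromised"]:
            reasons.append(f"device {req.device_id} flagged as compromised")

    # 3. Micro-segmentation: the target zone sets the MFA strength required,
    #    so a session good enough for "corp" is not good enough for "restricted".
    zone = RESOURCE_ZONE.get(req.resource)
    if zone is None:
        reasons.append(f"unknown resource {req.resource}")
    elif MFA_STRENGTH.get(req.mfa, -1) < MFA_STRENGTH[ZONE_MIN_MFA[zone]]:
        reasons.append(f"zone {zone} requires {ZONE_MIN_MFA[zone]}, got {req.mfa}")

    # 4. Least privilege: the exact (resource, action) pair must be granted by a role.
    granted = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in req.roles))
    if (req.resource, req.action) not in granted:
        reasons.append(f"{req.user} has no role granting {req.action} on {req.resource}")

    return Decision(allowed=not reasons, reasons=reasons)


def demo():
    """Constructed scenarios; returns a dict of scenario name -> Decision."""
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    fresh = now - timedelta(minutes=2)
    cases = {
        "ok": Request("alice", {"analyst"}, "lt-1001", "password+otp",
                      "reports", "read", fresh, "10.0.0.5"),
        # Same user on the same office subnet, but the device is flagged: denied.
        "compromised_device": Request("alice", {"analyst"}, "lt-1002", "password+otp",
                                      "reports", "read", fresh, "10.0.0.6"),
        # Admin is entitled to billing, but the restricted zone needs a hardware key.
        "weak_mfa_for_zone": Request("bob", {"admin"}, "lt-1001", "password+otp",
                                     "billing", "read", fresh, "203.0.113.9"),
        # Strong MFA does not substitute for a missing permission.
        "no_permission": Request("alice", {"analyst"}, "lt-1001", "password+hw-key",
                                 "reports", "write", fresh, "10.0.0.5"),
        # Everything else passes, but the authentication is an hour old.
        "stale": Request("bob", {"admin"}, "lt-1001", "password+hw-key",
                         "billing", "read", now - timedelta(hours=1), "10.0.0.7"),
    }
    return {name: evaluate(r, now) for name, r in cases.items()}
```

Running `demo()` allows only the first scenario; each of the others is denied with a single recorded reason. The reasons list is what a real policy engine would write to its audit log, and the `source_ip` field is carried through only so that log has the network context, never to decide the outcome.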
Why is Zero Trust Important?
The zero trust model replaces perimeter-centric security and ensures that security and access decisions are enforced dynamically based on the identity of the user, the device, and its context. A zero trust security framework dictates that only authenticated and authorized users and devices can access applications and data hosted in the cloud, protecting applications and devices from the advanced threats prevalent on the Internet.
Using MFA alongside passwords provides a stronger security control without requiring users to recall labyrinthine credentials. Single sign-on (SSO) further improves the user experience and employee productivity by letting users log in once to reach all the applications they are entitled to, without remembering multiple passwords or re-authenticating to each one.
Solutions that require authentication of both the user and the device strengthen security further, because they combine something the user knows (login and password) with something the user has (an enrolled device and a security token or key).
Advantages of Zero Trust Security Model
- Limit data exposure from misuse (internal and external) through access and permission controls
- Protect against data loss caused by the use of unsanctioned cloud services
- Improve visibility into the movement of data between the network perimeter and cloud services
- Limit data exposure from remote users and personal devices
- Restrict data loss from improper use of approved cloud services
- Limit or track misconfigured object storage accounts