What exactly is zero trust, why should we care about it, and how does an organization implement it? The answer is simple. In today’s interconnected world, where companies store many of their assets outside of their organization, the traditional “castle and moat” security model no longer suffices.
Implementing a zero trust philosophy is essential for reducing the risk to the enterprise or organization. Additionally, federal agencies are now mandated to adopt zero trust, which will likely cascade into other industries and service contracts. This blog will explore the foundations of a successful zero trust architecture and how to approach implementation for the best results.
What are the tenants of zero trust?
The National Institute of Standards and Technology devised a set of standards for adopting processes that will authenticate and authorize user network access across all federal agencies, and ensure users accept those mechanisms.
Zero trust is not a technology, nor can any single vendor implement it for your company. It’s helpful to think of it as a philosophy that must be adopted and implemented across the entire organization to give your clients, employees, and customers peace of mind over the information they give you to do business.
Trust no one
Zero trust is a philosophy that assumes you have, or very soon will experience a breach and thus relies on a security environment where no one inside or outside your network is trusted. Verification is required from everyone trying to access your network and assets. Hence, zero trust.
Verify everything and everyone
Every access request must be explicitly authorized, regardless of whether it’s a user, device, application, or data. The authorizations behind these requests must be dynamic and based on contextual information, such as the health of the end-user device, data sensitivity, location, and threat environment.
Limit access
If an enterprise finds itself under attack, access decisions are modified accordingly. Encryption is used both in transit and at rest, and networks are segmented and controlled to prevent lateral movement by adversaries.
Monitor closely
Finally, the integrity and security posture of all resources remain constantly monitored to inform access decisions.
Where to begin
First, consider your governance, which includes your policies and procedures within your organization and how they may apply to any of your zero-trust principles.
You also have a policy engine that handles your automation and orchestration within the organization as you mature your processes. To achieve a more mature model, you must continue to take processes and automate them, producing an increasingly stable foundation.
The third layer is analytics and threat detection, which is visibility into your environment. Seeing across all of these pillars is very important to feed data into the policy engine and governance areas.
According to the U.S. Cybersecurity and Infrastructure Security Agency, the pillars of zero trust are identity, devices, networks, applications and workloads, and data.
- Identity includes any person, device or thing that may need authentication.
- Devices are any device that can connect to a network.
- Networks refers to the overall network environment, including your network devices, your network topology, and your network architecture.
- Applications and workloads are comprised applications, both on premises and in the cloud, that provide access to or otherwise contain organizational data.
- Data and everything you want to protect as part of your zero trust architecture is the final pillar.
Implementing a zero trust architecture
How do you implement a zero trust identity architecture based on the NIST reference architecture?
Users on their endpoint attempting to access a resource must go through a policy enforcement point such as a firewall, cloud access security broker (CASB), or secure access service edge (SASE) enforcement product. The resource can be Azure, Salesforce, or even the Internet if data loss protection needs to be enforced.
To establish identity, you can use Azure AD, Okta, One Identity, or pinging, among other identity management solutions. You should also interrogate the device to ensure it has the appropriate posture, patches, and endpoint protection solution using Manage Engine or Microsoft Intune and security analytics like CrowdStrike, Microsoft Defender, Microsoft Sentinel, or Splunk to aggregate the information into your SIM tool.
Various firewall vendors like Fortinet, Palo Alto Networks, Checkpoint, Cisco, Microsoft Defender, and Netskope can be used as policy enforcement points.
The result is continuous trust verification, threat monitoring, endpoint validation, risk assessment, and location and time-based verifications, making it a critical component of zero trust.
Zero trust philosophy in the Cloud
For simplicity, we will focus on AWS, but these philosophies can apply to various cloud platforms, such as Google, Azure, or AWS.
Understanding how to implement a zero trust architecture involves a traditional three-stage approach.
A user enters through the front-end web application firewall into the public subnet of the web tier. From there, they pass through load balancing to a private subnet for the application tier. And finally, they arrive at a database backend (in this case, Aurora, Amazon S3, and Glacier).
- Segmentation is crucial to reduce blast radius. In this case, apply segmentation at both the public and private subnet levels. Security groups also play a significant role in this architecture, acting as a dynamic firewall. Since static IP addresses aren’t always available, security groups ensure only the applicable web tier servers can reach the application tier servers.
- Authentication leverages mutual TLS running through every communication with the help of Amazon’s Certificate Manager. Congnito also plays a role in ensuring all users are authenticated. AWS Identity and Access Management controls roles and access to resources.
- Detection uses platforms such as Amazon CloudWatch monitoring logs and Guard Duty to acquire threat intelligence. Implementing these measures brings together all seven tenants from NIST in a single application deployment.
Establishing a solid security foundation
In implementing a zero trust architecture, it is crucial to establish a solid security foundation, shifting from a traditional perimeter-based security model to one that focuses on securing every user, device, and network resource, wherever they are.
The NIST and CISA zero trust models are great examples to use as an architectural blueprint. It is also essential to assess your current maturity across the various pillars to see what you already have in your toolkit that you can reuse and function within the environment.
Starting with identity is also a great way to establish authentication—achieved through tools like Azure ID, pinging, or Okta. Data classification is also critical in designing a zero-trust philosophy.
Prioritizing and controlling sensitive data through a data classification policy ensures you can label and identify where it needs to go and how you want to keep the reins on those things. Remember that this is a journey and not a product, so prioritizing and protecting the data is key.
Safeguard your personal use of IT at home
In an age where cybersecurity threats lurk around every virtual corner, it’s imperative to apply the principles of zero trust not only in corporate environments but also your personal use of IT at home.
So, what can you do at home to fortify your digital defenses and stay safe in this interconnected world?
- Start by adopting a skeptical mindset, assuming that no device or connection is inherently secure.
- Regularly update your operating systems and software to patch vulnerabilities, and employ strong, unique passwords for every online account.
- Implement two-factor authentication wherever possible to add an extra layer of security.
- Be cautious when clicking on links or downloading attachments, even if they appear to be from trusted sources.
- Utilize a reputable antivirus program and keep it up to date.
- A more advanced step is to segment your home network to isolate smart devices from critical personal information, ensuring that potential breaches don’t compromise your sensitive data.
By embracing zero trust practices in your everyday digital life, you can create a resilient fortress for your personal IT security.
Learn more about CISA Secure Our World campaign for safeguarding your personal devices.
Deploy your zero trust architecture with CBTS
The product landscape has become inundated with zero trust platforms and applications. Partnering with an IT solutions provider to guide you in how to implement zero trust solutions successfully is more important than ever.
While no single vendor can perform all protection information, CBTS has many offerings designed around zero trust, including assessments, roadmaps, architecture planning, implementation services, and managed services. Using an external group for 24/7 threat management is essential for most organizations.
The experts at CBTS are here to guide your organization as you develop, deploy, and maintain your zero trust architecture. Contact us today for more information about how zero trust can take your organization’s security posture to the next level.