Article

Zero trust security: The zero trust model

SecurityZero Trust
Time to read: 13 minutes

What is zero trust?

Zero trust is an IT security framework originated by Forrester in 2010. The zero trust model introduced a new approach to security that overturned the long-standing castle-and-moat model, which has lost efficacy with the explosion of mobile, remote, and cloud computing and the resulting porous perimeters. The zero trust model is predicated on the assumption that there is no longer a network edge, as networks can be local, cloud, or hybrid with resources and users widely distributed.

Watch this webinar on zero trust and securing the enterprise's digital transformation with identity.

The premise of the zero trust model is that no user—human or non-human, from inside or outside a network perimeter—should be trusted until they meet access requirements. Access should be based on least privilege (i.e., the minimum access required for only as long as it is needed).

Following the principle of least privilege, the zero trust model denies access to all digital resources by default, with access granted on an as-needed basis with the minimum necessary to perform jobs or complete specific tasks.

When access is granted to applications, data, services, and systems, it is granular and siloed to the greatest extent possible.

Within the zero trust model, trust is established based on context, such as a user’s identity and location, the security rating of the access point, or the application or service that is requesting access. Users must be authenticated and authorized before being granted access. They must also be continuously validated against policies, security configuration, and security health.

Zero trust and NIST 800-207

The first version of NIST (National Institute of Standards and Technology) Special Publication (SP) 800-207 was announced on August 11, 2020. Designed for federal cybersecurity policies and programs, NIST 800-207 also provides a vendor-neutral, comprehensive zero trust model and a roadmap to implementing a zero trust architecture (ZTA).

NIST 800-207 offers guidance for designing and implementing a zero trust model, including outlining the core components of a ZTA. There are seven tenets of a zero trust model:

  1. Access to individual enterprise resources is granted on a per-session basis:
  2. Access to resources is determined by dynamic policy:
  3. All communication is secured regardless of network location:
  4. All data sources and computing services are considered resources:
  5. All resource authentication and authorization steps are dynamic and strictly enforced before access is allowed:
  6. Information is continuously gathered about the current state of assets, network infrastructure, and communications to improve security posture:
  7. The integrity and security posture of all owned and associated assets are monitored and measured:
  8. Access should only be granted for the least privileges needed to complete the task
  9. Authentication and authorization to one resource should not automatically grant access to a different resource
  10. Trust in the requester is evaluated before access is granted
  11. Apply least privilege principles to restrict accessibility
  12. Define what resources it has, who its members are, and what access to resources those members need
  13. Request asset state, such as:
  14. Set of access rules based on attributes that an organization assigns to a subject, data asset, or application
  15. Device characteristics (e.g., software versions installed, network location, time/date of request, previously observed behavior, and installed credentials)
  16. Behavioral attributes (e.g., automated subject analytics, device analytics, and measured deviations from observed usage patterns)
  17. All access requests must meet the same security requirements, regardless of whether requests are from internal or external users
  18. All communication should:
  19. Assume that network location alone does not imply trust
  20. Be conducted in the most secure manner available based
  21. Protect confidentiality and integrity
  22. Provide source authentication
  23. A network of multiple classes of devices
  24. A network with small-footprint devices (e.g., Internet of Things, or IoT) that send data to aggregators and storage
  25. Bring Your Own Device (BYOD) (e.g., mobile phones, tablets, and laptops)
  26. Systems sending instructions to actuators and other functions
  27. X as a service (XaaS), such as software as a service (SaaS) and infrastructure as a service (IaaS)
  28. There is a constant cycle of obtaining access, scanning and assessing threats, adapting, and continually reevaluating trust in ongoing communication
  29. An enterprise implementing a zero trust model is expected to have Identity, Credential, and Access Management (ICAM) as well as asset management systems in place; this should include continuous monitoring with possible reauthentication and reauthorization occurring throughout user transactions
  30. Authorization and authentication processes should be defined and enforced by policies (e.g., time-based, new resource requested, resource modification, anomalous subject activity detected) that strive to balance security, availability, usability, and cost-efficiency
  31. Collect data about asset security posture, network traffic, and access requests
  32. Analyze data
  33. Leverage data analytics insights to improve policy creation and enforcement
  34. Use analytics to provide context for access requests
  35. Treat assets discovered to be subverted, have known vulnerabilities, and/or not managed by the enterprise differently
  36. Establish continuous diagnostics and mitigation to monitor the state of devices and applications
  37. Evaluate the security posture of the asset when considering a resource request
  38. Monitor the application of patches and updates
  39. Use an alerting and reporting system to provide actionable data about the state of enterprise resources

How zero trust works

The zero trust model works by combining a number of security technologies, such as authentication, identity management, file access controls, and endpoint security to verify and authenticate user identities continuously. Key functions that drive the working of a zero trust model include:

Discover all users and what they access

  1. Classify resources based on risk
  2. Establish access policies for resources
  3. Segregate users based on role and function
  4. Understand all users, data, and IT resources

Ensure real-time visibility into users’ identity attributes

  1. Applications installed on endpoints
  2. Behavior patterns
  3. Credential privileges on each device
  4. Endpoint hardware type and function
  5. Firmware versions
  6. Operating system versions and patch levels
  7. User identity and type of credential
  8. User location

Monitor access and enforce policies

  1. Enforce policies quickly and consistently
  2. Monitor and authenticate all access requests against policies
  3. Validate the context of users’ access

Develop and implement an incident response and resolution

  1. Adjust network segmentation as required after an issue is detected or an incident occurs
  2. Prepare for and execute targeted action in response to an incident
  3. Quarantine suspicious users
  4. Revoke access for individual users or devices that exhibit anomalous behavior

Analyze and improve

  1. Evaluate and adjust policies and authorization parameters
  2. Execute remediation tactics to reinforce protection
  3. Implement updates to improve security based on analytics

Zero trust use cases

Use cases for the zero trust model include:

  1. Gain access control over cloud and container environments
  2. Implement network microsegmentation
  3. Increase protection against identity-centric attacks, such as:
  4. Meet security standards to maintain cyber insurance
  5. Minimize business and organizational risk
  6. Need additional protection not provided with VPN deployments used to secure remote access
  7. Protect an infrastructure deployment model that includes:
  8. Reduce the risk of a data breach
  9. Secure access by third parties working inside a corporate network
  10. Support compliance initiatives to adhere to government, industry, and corporate requirements
  11. Thwart malware and other cyber attack vectors
  12. Insider threats
  13. Ransomware
  14. Supply chain attacks
  15. Legacy systems
  16. Multi-cloud and hybrid-cloud environments
  17. SaaS applications
  18. Unmanaged devices

Zero trust model core principles

The following are the core principles of the zero trust model, several of which are drawn from NIST 800-207. Note that references to users include people, devices, systems, and applications.

Attack surface minimization

A zero trust model uses strict access control to minimize the network attack surface. Users can only access the minimum resources they need to do their jobs.

Context collection

Following NIST 800-207, the zero trust model directs the gathering and analysis of data for verification. Among the types of data recommended to authenticate users and establish trust are:

  1. Anomalies
  2. Application Program Interfaces (APIs)
  3. Data classification
  4. Device health
  5. Endpoints that are used to access data
  6. Threat intelligence
  7. User credentials, including single sign-on (SSO) credentials
  8. User location
  9. Workloads and services

Elimination of open connections

With the zero trust model, every open connection should be terminated. This allows for real-time traffic inspection, including encrypted traffic, before it reaches its destination to stop the propagation of malware and ransomware.

Explicit and continuous verification

The requirement for explicit and continuous verification is the source of the zero trust mantra—never trust, always verify.

The zero trust model requirement eliminates trusted zones, credentials, and devices by requiring continuous verification—no users should be automatically trusted.

Three key elements must be in place to support this part of the zero trust model:

  1. Dynamic policy model deployment processes that can be deployed quickly and dynamically to address changes in workloads, data, and users
  2. Logins and connections should be set to time out periodically once established, forcing users to be continuously verified
  3. Risk-based conditional access that enables continual verification without impacting user experience by only interrupting workflows if risk levels change

Granular context-based policies

With a zero trust model, dynamic, adaptive policies are used to reassess users’ access as the context changes continually. These policies are implemented to verify access requests and rights based on a variety of contextual criteria, such as:

  1. Application being requested
  2. Device
  3. Location
  4. Type of content
  5. User identity

Lateral movement prevention

The zero trust model is designed to prevent authorized users from moving within a network after gaining access. This is referred to as lateral movement. Several elements of the zero trust model enable the mitigation of lateral movement, including microsegmentation, monitoring, and continuous verification.

Least privilege access

The enforcement of least privilege access is foundational to the zero trust model. This approach to controlling the exposure of resources grants users only as much access as they need to do their jobs. In essence, least privilege provides access strictly on an as-needed basis.

Microsegmentation

In the zero trust model, microsegmentation breaks security parameters into smaller regions on separate parts of a network, according to data classification, to restrict users’ access to constrained areas. If a user access one area, they cannon access another area without revalidation and authorization.

Monitoring and alerting

The zero trust model requires continuous monitoring with alerts when anomalies are detected. Monitoring provides the visibility needed to determine if policies are working and if there are any vulnerabilities.

Time is of the utmost importance when issues are detected, which is why automation is a necessity to implement the zero trust model effectively. Among the areas that require attention are user behavior, data movements, network changes, and data alterations.

Implementing zero trust

Three key phases for implementing a zero trust model are:

  1. Visualization of connections between all resources
  2. Mitigation of risks and impact of a successful attack
  3. Optimization
  4. Gain visibility into vulnerabilities and risks
  5. See all entities, including endpoints, identities, and workloads
  6. Understand all resources and associated access points to assess risks
  7. View potential attack paths and at-risk resources
  8. Detect and stop threats
  9. Establish processes and identify tools to automate threat detection and response
  10. Help prioritize issue response
  11. Prevent lateral movement
  12. Reduce the impact of attacks that could result in a data breach
  13. Extend zero trust processes and protocols to all areas of IT infrastructure
  14. Implement testing to ensure the efficacy and usability of systems and processes
  15. Use analytics to identify vulnerabilities and areas for optimization

The steps to implement a zero trust model, which are also referred to as the seven pillars of a zero trust model, are:

  1. Automation and orchestration
    Leverage automation and management tools to implement and enforce the zero trust model
  2. Data security
    Isolate sensitive data from everyone except those who need access
  3. Device security
    Identify and validate user-controlled and autonomous devices attempting to connect to the network
  4. Network security
    Microsegment and isolate sensitive resources
  5. Workforce security
    Identify and validate the user attempting to connect to the network
  6. Visibility and analytics
    Use technology and artificial intelligence (AI) to automate processes, such as anomaly detection and configuration control, and end-to-end visibility
  7. Workload security
    Identify and validate applications, digital processes, and public and private IT resources

CISA’s zero trust maturity model

The Cybersecurity and Infrastructure Security Agency’s (CISA) developed the Zero Trust Maturity Model (ZTMM) to guide all federal agencies and all organizations that work with them toward a zero trust model for security.

The CISA zero trust model has five pillars based on the foundations of zero trust:

  1. Applications and workloads
    Secure all applications and workloads (i.e., on-premises, in the cloud, or hybrid)
  2. Data
    Secure all data, whether at rest or in transit, using encryption and access controls
  3. Devices
    Secure all devices that connect to an organization’s network
  4. Identity
    Authenticate and authorize users before granting access to resources
  5. Networks
    Secure all network traffic, regardless of the user’s location or resource, and implement network segmentation and microsegmentation.

In the CISA zero trust model, identity has four states of maturity defined:

  1. Traditional
    Identity authenticated with static access for entity identity
  2. Initial
    Identity authenticated with validation of multiple entity attributes
  3. Advanced
    Identity authenticated using phishing-resistant attributes
  4. Optimal
    Identity is continuously validated (i.e., not just when access is initially granted)

The CISA zero trust model also identifies essential capabilities:

  1. Visibility and analytics to optimize policy decisions and help security teams take proactive defensive actions before incidents occur
  2. Automation and orchestration are enabled with tools and workflows that support security response functions
  3. Governance to enable accountability in managing and mitigating security risks

The zero trust model optimizes existing security controls

Implementing a zero trust model requires rethinking and reconfiguring systems to apply the core principles. It also entails adopting complementary systems that help address the disintegration of traditional enterprise perimeters, with most enterprises’ resources spread across private data centers and multiple clouds with even more hosted applications and storage.

Many organizations that have deployed a zero trust model have seen significant enhancements to overall security and a reduction in data breach and unauthorized access incidents.

How mature is your identity security strategy?

Discover the 5 horizons of identity security.