From perimeter security to zero-trust policy.
The term “zero trust” was first coined by Stephen Paul Marsh 1994 and in 2010, the analysts at Forrester revived the concept. When introducing a zero trust concept, businesses have to rethink their cybersecurity setup. The days of perimeter security that leverages firewalls and other technologies to isolate a business’s IT landscape are numbered. A perimeter-based approach is much like a castle and its moat. Everything within the castle walls, i.e. the people and devices, is trusted and they have comprehensive if not unlimited access to all systems.
Zero trust is not a product or service, but a holistic approach to information security that doesn’t trust any user, transaction or network traffic until verified. It’s a security approach that requires all users, processes and systems, both within and outside of the corporate network, to be authenticated and authorised. Security configurations and states must also be continuously validated before access to applications and data is granted.
This approach is based on a zero trust framework of advanced technologies and processes that verifies user identities and the status of end devices and system processes to ensure system security is right up-to-date.
Essentially, a zero trust framework consists of:
- Zero Trust Network (network fabrics, zoning, NDR, SASE and SD-WAN)
- Zero Trust Devices (OS patching, vulnerability management, EDR/XDR, MDM, disk and data encryption)
- Zero Trust Network Access (NAC, Windows Hello/GPO, 2FA/MFA, fingerprint, FIDO2, PKI, ZTNA client software)
- Zero Trust Workload (users and endpoints, malware and ransomware protection, application detection, firewall, WAF, CASB, API, IoT, microservices)
Technologies and processes include:
- Multi-factor authentication (MFA)
- Identity and Access Management (IAM)
- Privileged Access Management (PAM)
- Next-generation endpoint security technology (Endpoint Security Suite, EDR, XDR)
- Security management – Orchestration, monitoring, analytics, SIEM, NOC/SOC and MDR (Managed Detection and Response)
Basic principles of a zero-trust security model.
There are three basic rules when it comes to implementation:
- Ensure that all resources can be securely accessed no matter the location
Until you can establish that access is allowed and safe, assume that all data traffic is an attack. Encrypting legal internal traffic can be an extra step in the implementation process.
- Keep all rights to a minimum and establish strict access controls.
In this way, you can be sure that people are unable to access data and applications they have no authorisation to view. The aim should be to implement a ‘principle of least privilege’.
- Check and log all traffic. Even access attempts that legitimate could be attacks, particularly if a user’s identity has been stolen. The switch to a zero-trust model means a change in mindset from ‘trust everyone and verify’ to ‘verify and trust no-one’ and tools such as intrusion detection systems, log analyses and SIEM systems can help achieve just that.
What does this actually mean?
Zero trust won’t be a success without a little bit of effort. You need time, investment and the trust of your managers.
Check user permissions. Each user should only be able to do what they need to to get their job done. That costs time, but not money. Remember though, user permissions are only one piece of the security puzzle.
Network segmentation is quite simple and doesn’t cost much and the starting point would be VLANs. At the very least, this makes data traffic considerably easier to control. However, VLANS offer absolutely no security. Data traffic can only be controlled when in-house traffic is managed through a separate firewall or an intrusion detection system.
This is where the work comes in—analysing data traffic. All the data traffic monitoring tools we know are useless without people because analyses
a) are a permanent process and
b) constant changes are a given.
Verifying data traffic demands an ongoing effort to adapt the rules. The good news is, visualising traffic is easy with professional tools such as an SIEM. You’ll be surprised what’s going on in your network without you even knowing it. On top of these SIEM systems, leveraging an SOC (Security Operation Centre) can also bring multiple benefits.
If you’d like to find out more about zero trust or are interested in a security strategy consultation, please feel free to get in touch. In a workshop, we can discuss developing a security concept that works best for your business.