
What Is Zero Trust?

LastPass, July 01, 2024

Traditional IT security uses the castle-and-moat model to protect networks and data. While the moat does a good job of keeping bad actors out, it's the only line of defense — if attackers manage to sneak inside, they're trusted by default. 

Zero Trust takes a different approach by making no distinction between the outside and inside of business networks. Instead, all users and devices are treated as risks until proven otherwise.  

Introduction to Zero Trust

Never trust, always verify.  

This is the primary principle of Zero Trust. By requiring the authentication of users and devices inside and outside secure networks, organizations can reduce the risk of attacks, limit the impact of incidents, and minimize the fallout of compromise.   

Definition of Zero Trust

Zero Trust distrusts devices and users by default, regardless of their network location. Zero Trust is similar to the perimeter security model for access requests outside secure networks: Users must prove their identity before access to applications or services is granted. Inside the network, however, traditional security assumes trust, while Zero Trust requires users to re-authenticate to access additional apps or services.  

Consider an employee working from home. Under a traditional security model, verification happens once: When they first log in. Unless they log out or attempt to access a specific service that requires additional privileges, they are largely given carte blanche access to networks. 

Under a Zero Trust approach, every request for access or resources is met with an authentication challenge.  

Evolution of Zero Trust

The widespread adoption of cloud computing spurred the development of Zero Trust. In 2004, security researcher Paul Simmonds argued that the corporate IT perimeter was collapsing, coined the term "deperimeterization" to describe it, and suggested that a new security model might be required to manage these environments. 

In 2010, research analyst John Kindervag began using the term Zero Trust to describe a security approach that is distrustful by default, and in 2018 NIST released SP 800-207, which established guidelines for core Zero Trust components. In 2023, CISA published version 2.0 of its Zero Trust Maturity Model to help companies make the transition.  

Key concepts and main principles of Zero Trust

There are three main principles of Zero Trust: Least privilege access, continual monitoring, and microsegmentation. 

Least privilege access

The principle of least privilege provides users with the exact privileges they need to complete a task. When the task is finished, these privileges are revoked. By narrowing the scope of access, this principle lowers the potential impact of compromise. 

Continual monitoring

In a Zero Trust model, applications and services are inaccessible and often invisible by default. Access must be directly requested, and users must pass authentication checks. To ensure these checks are effective, businesses must continually monitor devices and connections for odd behavior and must regularly reauthenticate users to ensure security.  

Microsegmentation

Microsegmentation is the process of creating multiple security zones within a larger IT environment. Users with access to one zone cannot access any other zones without authentication.  
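The definition above (every request is challenged, regardless of network location) and the three principles just listed can be made concrete as a policy decision point that evaluates each access request on its own. The following is an added example written for this page, not LastPass code or a LastPass product behaviour: the zones, roles, devices, users and the 15-minute session lifetime are all constructed to illustrate least privilege (roles grant only the zones they need), continual monitoring (a stale session must re-authenticate), microsegmentation (a zone grant never carries over to another zone), and the identity and device pillars (only an inventoried, compliant device assigned to the requesting user may connect). The MFA step-up for the finance zone also covers the compromised-credentials scenario discussed later in the post.

```python
"""Toy Zero Trust policy decision point (PDP).

Added example, not LastPass code. Every name, zone, role and device below is
constructed for illustration; a real deployment would read these from an IAM
system and a device-management inventory.
"""
from dataclasses import dataclass

# Continual monitoring: a verified session is only good for this long before
# the user must re-authenticate (constructed value, 15 minutes).
SESSION_TTL_SECONDS = 900

# Microsegmentation: each resource lives in exactly one zone, and access to a
# zone never implies access to any other zone.
RESOURCE_ZONES = {
    "payroll-db": "finance",
    "expense-app": "finance",
    "git-server": "engineering",
    "ci-runner": "engineering",
    "wiki": "general",
}

# Least privilege: a role maps to the minimum set of zones needed for the job.
# Anything not listed is denied.
ROLE_GRANTS = {
    "finance-analyst": {"finance", "general"},
    "developer": {"engineering", "general"},
    "contractor": {"general"},  # third party: general zone only
}

# Zones holding sensitive data require a fresh second factor on every request.
MFA_REQUIRED_ZONES = {"finance"}

# Device pillar: only inventoried, compliant devices may connect.
DEVICE_INVENTORY = {
    "laptop-0123": {"owner": "alice", "compliant": True},
    "laptop-0456": {"owner": "bob", "compliant": False},  # failed posture check
}


@dataclass
class Request:
    user: str
    role: str
    device_id: str
    resource: str
    now: float                  # time of the request (epoch seconds)
    last_verified: float        # when the user last completed authentication
    mfa_verified: bool = False  # did this request carry a fresh second factor?


@dataclass
class Decision:
    allow: bool
    reason: str


def evaluate(req: Request) -> Decision:
    """Evaluate one access request against the Zero Trust rules.

    Every request goes through every check; passing a check for an earlier
    resource does not carry over to the next one.
    """
    zone = RESOURCE_ZONES.get(req.resource)
    if zone is None:
        # Resources that are not catalogued are invisible by default.
        return Decision(False, "unknown resource")

    device = DEVICE_INVENTORY.get(req.device_id)
    if device is None:
        return Decision(False, "device not in inventory")
    if device["owner"] != req.user:
        return Decision(False, "device not assigned to this user")
    if not device["compliant"]:
        return Decision(False, "device failed posture check")

    if req.now - req.last_verified > SESSION_TTL_SECONDS:
        return Decision(False, "session expired; re-authenticate")

    if zone not in ROLE_GRANTS.get(req.role, set()):
        return Decision(False, f"role {req.role!r} not granted zone {zone!r}")

    if zone in MFA_REQUIRED_ZONES and not req.mfa_verified:
        return Decision(False, f"zone {zone!r} requires MFA step-up")

    return Decision(True, f"granted {req.resource!r} in zone {zone!r}")


if __name__ == "__main__":
    # Same user, same session: the finance grant does not reach engineering.
    base = dict(user="alice", role="finance-analyst", device_id="laptop-0123",
                now=1000.0, last_verified=500.0, mfa_verified=True)
    print(evaluate(Request(resource="payroll-db", **base)))
    print(evaluate(Request(resource="git-server", **base)))
```

The order of checks matters for what an attacker learns from a denial: device and session checks run before the role lookup, so an unmanaged device is refused without revealing whether the requested resource exists for that role.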

CISA also defines five pillars of Zero Trust maturity:  

Identity

User identities must be authenticated before granting access. To achieve this goal, businesses often use solutions such as single sign-on (SSO) and identity and access management (IAM) systems. 

Devices

Devices include desktops, laptops, mobile phones, and connected IoT technologies. To create a Zero Trust environment, companies must maintain a current inventory of all devices.  

Networks

Networks must be fully mapped and then segmented into smaller, secure sections to limit risk. 

Applications and workloads

Applications and workloads are not exempt from Zero Trust practices. This means that apps and services must also be authenticated and monitored to ensure they are operating as intended.  

Data

Organizations must collect and catalog their data to determine the level of security required. 

Benefits of Zero Trust

Adopting a Zero Trust model offers several benefits for organizations.  

Enhanced security posture

As noted by Forbes, 94% of companies now use some type of cloud services or software. These cloud solutions may be public, private, or hybrid. They may be located on-site, in a colocated data center, or at a dedicated cloud facility. The result? Diversity in where and how data is stored and processed significantly reduces IT visibility, which makes it easier for attackers to slip through network cracks. 

Zero Trust improves security posture by trading the perimeter for the process. Instead of taking on the impossible task of monitoring and managing moving cloud borders, Zero Trust focuses on the origins of potential threats: Users and devices.   

Protection against insider threats

Insider threats are costly and time-consuming. According to recent data, the average cost of an insider threat rose to $16.2 million in 2023 and required 86 days to fully contain.  

In addition, these threats are often harder to detect, since they start with verified users and are often accidental. Zero Trust provides protection against insider threats by requiring users to reauthenticate each time they access a new service or application. Consider a device that has been infected with malware. After users log on to corporate networks, the malware activates and attempts to access secure services. The secondary authentications required by Zero Trust help limit the reach of compromised devices.  

Adaptability to modern IT environments

Modern IT environments are not static. From the rise of work from home to the adoption of multi-cloud environments to the increasing use of edge computing, businesses need security policies that can keep pace. Because Zero Trust focuses on verification rather than permission, it can be applied to any IT environment. 

Implementing Zero Trust

To effectively implement Zero Trust, several components are critical. 

Identifying critical assets

Not all data requires the same level of security. As a result, organizations should start by identifying critical assets, such as financial data, personnel information, or intellectual property. Once a hierarchy of data priority is established, companies can deploy Zero Trust policies in alignment with potential security risks.  

Implementing strong authentication

Zero Trust won't work without strong authentication. This means that usernames and passwords aren't enough. Instead, companies need to implement multifactor authentication (MFA) strategies to reduce potential risk. 

Consider an employee whose login details are compromised. If a Zero Trust model simply asks for these credentials multiple times, attacks aren't stopped; they're merely delayed. By requiring users to provide additional identification factors such as one-time text codes, USB security keys, or biometric verification, Zero Trust becomes a roadblock for malicious actors.  

Continuous monitoring and access controls

Zero Trust only works if organizations know what's happening, when it's happening, and where. As a result, continuous monitoring is critical. Once companies identify areas of high value and high traffic, they should deploy access controls to ensure only authorized users are permitted.  
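"Knowing what's happening, when, and where" means the policy decisions themselves become a log that is watched for odd behaviour, as the continual-monitoring principle earlier in the post describes. The following is an added example, not LastPass code: it parses a constructed access-decision log (the line format, field names, users, devices and timestamps are all made up for this page), builds a per-user baseline of the zones each user was allowed into before a cutoff time, and then raises two kinds of alert over the monitored window: a user being allowed into a zone absent from their baseline, and a burst of denials from one device inside a short sliding window (the pattern a compromised device probing for resources would leave behind).

```python
"""Monitoring pass over Zero Trust access-decision logs.

Added example, not part of the original post. The log format, field names,
sample lines and thresholds are constructed; a real policy engine's logs
will look different.
Each line: ISO timestamp, user, device, resource zone, decision.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. Lines before the cutoff establish the baseline;
# lines after it are the window being monitored.
SAMPLE_LOG = """\
2024-07-01T08:02:11Z user=alice device=laptop-0123 zone=finance decision=ALLOW
2024-07-01T08:05:40Z user=alice device=laptop-0123 zone=general decision=ALLOW
2024-07-01T08:10:03Z user=bob device=laptop-0456 zone=engineering decision=ALLOW
2024-07-01T09:15:22Z user=alice device=laptop-0123 zone=finance decision=ALLOW
this line is deliberately malformed and must be skipped
2024-07-01T13:40:09Z user=alice device=laptop-0123 zone=engineering decision=DENY
2024-07-01T13:40:15Z user=alice device=laptop-0123 zone=engineering decision=DENY
2024-07-01T13:40:21Z user=alice device=laptop-0123 zone=engineering decision=DENY
2024-07-01T13:41:02Z user=bob device=laptop-0456 zone=finance decision=ALLOW
"""

# Constructed cutoff: everything before noon is treated as known-good baseline.
BASELINE_CUTOFF = datetime(2024, 7, 1, 12, 0, 0)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) device=(?P<device>\S+) "
    r"zone=(?P<zone>\S+) decision=(?P<decision>ALLOW|DENY)$"
)


def parse(log_text):
    """Turn log text into a list of event dicts; malformed lines are skipped
    so one bad record cannot take the monitor down."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        event = m.groupdict()
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return events


def detect(events, baseline_until, deny_threshold=3, deny_window=timedelta(minutes=5)):
    """Return a list of (kind, subject, detail) alerts.

    kind == "new-zone":   a user was ALLOWed into a zone not in their baseline.
    kind == "deny-burst": one device collected `deny_threshold` DENY decisions
                          within `deny_window` (alerted once, when the
                          threshold is reached).
    """
    # Baseline: zones each user was allowed into before the cutoff.
    baseline = defaultdict(set)
    for e in events:
        if e["ts"] < baseline_until and e["decision"] == "ALLOW":
            baseline[e["user"]].add(e["zone"])

    alerts = []
    recent_denies = defaultdict(list)  # device -> DENY timestamps in window
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["ts"] < baseline_until:
            continue
        if e["decision"] == "ALLOW" and e["zone"] not in baseline[e["user"]]:
            alerts.append(("new-zone", e["user"], e["zone"]))
        elif e["decision"] == "DENY":
            window = [t for t in recent_denies[e["device"]] if e["ts"] - t <= deny_window]
            window.append(e["ts"])
            recent_denies[e["device"]] = window
            if len(window) == deny_threshold:
                alerts.append(("deny-burst", e["device"], e["ts"].isoformat()))
    return alerts


def run_sample():
    """Run the detector over the constructed sample log."""
    return detect(parse(SAMPLE_LOG), BASELINE_CUTOFF)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The baseline here is static for clarity; in practice it would be rebuilt on a rolling window so that a legitimately new job role stops alerting once it has been approved, while the deny-burst rule stays unchanged because repeated denials are the signal the post's malware scenario predicts.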

Zero Trust in Practice

The concept of Zero Trust is simple: Assume nothing, verify everything. But what does this look like in practice?  

Zero Trust network architecture

Zero Trust Network Access (ZTNA), also referred to as Zero Trust network architecture, is a framework that provides users remote access to secure applications. In this respect, ZTNA resembles a virtual private network (VPN). Where it differs is that ZTNA connections only allow users access to approved resources, not the network at large.  

Zero Trust and cloud security

As companies increase their use of the cloud, the number of authorized (and unauthorized, or "shadow IT") apps is growing exponentially. Zero Trust can help reduce cloud risk by permitting only authenticated cloud workloads access to data and compute resources; other applications are denied.  

Zero Trust use cases

One potential Zero Trust use case is providing secure access for third parties, such as suppliers or manufacturers. Using a combination of ZTNA and microsegmentation, third parties can be assigned to specific security categories that grant access to specific services and resources and nothing more. 

Steps to Adopt Zero Trust

To adopt Zero Trust, start with three steps: 

Step 1: Assessing current security measures

Before moving to adopt Zero Trust, companies should assess current security. How many breaches have been identified in the last six months? How many attempts? How long did it take IT to detect and respond to these threats? By understanding current security posture, organizations can pinpoint areas that would benefit the most from Zero Trust, and then scale up deployment from there.  

Step 2: Developing a Zero Trust roadmap

Zero Trust doesn't happen overnight. If companies rush the process, they could end up creating more problems than they solve. As a result, it's important to develop a roadmap. For example, businesses might start with one or two high-value applications by enacting specific security policies and authentication rules. Once this framework has been tested and has been successful, it can expand to other applications or services as indicated on the roadmap.  

Step 3: Collaborating with stakeholders

It's also critical for companies to collaborate with stakeholders to ensure a smooth transition to Zero Trust. Common stakeholders include staff, investors, and customers — each group has different access requirements and should be given different permission levels. By coordinating with stakeholders prior to deployment, businesses can help prepare them for Zero Trust expectations and authentication.  

Zero Trust takes an evidence-based approach to network and software security. Instead of assuming good intent once users and devices have passed initial authentication checks, Zero Trust requires additional verification for each service or application access request. Coupled with the principle of least privilege and continuous monitoring efforts, a Zero Trust approach can help companies significantly reduce their risk of compromise.  

Streamline your Zero Trust deployment with SSO and MFA solutions from LastPass. Start your trial today