There is a growing need to adopt zero trust security principles due to today’s diverse, multi-cloud IT environments and hybrid workforces. But confusion over zero trust implementation leads organizations to believe that they can’t achieve zero trust without a shiny new dedicated zero trust security solution.
The truth, however, is that zero trust is a strategy you follow rather than a specific technology you procure. This article overviews zero trust and highlights how your organization might be closer to achieving it than you think.
Zero Trust: A Brief Primer
Zero trust security removes any implicit trust given to users, devices, or other assets based on their location or ownership. Legacy perimeter-based security approaches are no longer sufficient in a world where most businesses have remote users and use cloud infrastructure. The boundary between the enterprise network and the external world is no longer clearly defined.
Consider for a moment the complexity of modern IT infrastructures to understand why this boundary is no longer clear. A typical enterprise uses the services of multiple cloud providers for low-cost storage, SaaS applications, and infrastructure for software testing and development. Employees and contractors connect remotely to corporate resources, often from their own laptops or mobile devices. Companies with a central headquarters and remote branch locations add even more complexity to the mix.
The zero trust mantra is “never trust, always verify”. It shifts defenses away from static, perimeter-focused controls toward dynamic authentication and authorization of users, devices, and other assets on every request. The overarching aim is to better protect resources (data, applications, services) regardless of where the user or device connecting to them is located. Continually reassessing access privileges and making dynamic access decisions, without disrupting user productivity, are pivotal to the success of a zero trust strategy.
John Kindervag coined the term zero trust in 2010 while working as an analyst at Forrester. However, zero trust only truly gained traction in the last few years, because perimeter-centric security remained the norm until cloud adoption became mainstream and employees began regularly working remotely.
By providing no implicit trust and assuming an attacker is present, businesses can analyze the risks to their assets and enforce protection measures. In a zero trust environment, these measures include least privilege access principles and assessing the security of each access request to limit lateral movement and prevent data breaches.
Zero Trust Architecture: Policy and Technology
Zero trust depends on the interaction between policy and technology. A policy enforcement point (PEP) can be a gateway, a network device, or an agent installed on a client device; it establishes, monitors, and terminates connections between users/devices and enterprise resources. The PEP communicates with a centralized policy engine, the component that ultimately decides whether to grant, deny, or revoke access to a specific resource.
The zero trust policy engine is tuned based on specific enterprise security policies (data access, compliance, etc.) and on inputs from other sources, including identity management solutions, public key infrastructure, SIEM, threat intelligence feeds, and activity logs. A policy engine could be a cloud service, it could be the core of a vendor solution marketed as providing zero trust, or it could be custom-coded and layered on top of existing identity management solutions.
Two Key Zero Trust Approaches
Zero trust has two central building blocks, identity and network, and a basic zero trust strategy is usually founded on one of them: either identity-driven, or network-driven, protecting resources through segmentation. A comprehensive zero trust strategy usually includes elements of both.
The identity-driven approach uses identity (of both users and devices) as the key input to policy creation and enforcement. Each resource request is granted or denied by the policy engine, which factors in the user’s access privileges, the device used and its posture, the location, and other contextual inputs before making its decision.
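Because a policy engine can be custom-coded on top of an existing identity management solution, the following minimal one in Python shows what the pieces described above look like in practice. It is an added example written for this article, not code from i-Sprint or from any vendor product. The users, devices, per-resource policies, and SIEM event weights are constructed stand-ins for what an identity provider, an endpoint agent or MDM, and a SIEM would supply; the class and function names are illustrative. It keeps the policy engine (`evaluate`) separate from the enforcement point, feeds identity, device posture, location, and a risk score into each decision, defaults to deny for anything unknown, and re-evaluates a live session when new SIEM events arrive, revoking it if it no longer passes.

```python
from dataclasses import dataclass, field

# Directory records as an identity management system would supply them
# (constructed sample data, not a real directory).
USERS = {
    "alice": {"roles": {"finance"}, "mfa_enrolled": True},
    "bob": {"roles": {"engineering"}, "mfa_enrolled": False},
}

# Device posture as an endpoint agent or MDM would report it (constructed).
DEVICES = {
    "lt-0001": {"managed": True, "disk_encrypted": True, "patched": True},
    "byod-77": {"managed": False, "disk_encrypted": False, "patched": True},
}

# Per-resource policy the engine is tuned with (constructed).
# countries=None means no geographic restriction.
RESOURCE_POLICY = {
    "payroll-db": {"roles": {"finance"}, "mfa": True, "managed_device": True,
                   "max_risk": 30, "countries": {"SG"}},
    "wiki": {"roles": {"finance", "engineering"}, "mfa": False,
             "managed_device": False, "max_risk": 70, "countries": None},
}


@dataclass
class AccessRequest:
    user: str
    device: str
    resource: str
    country: str
    risk_score: int = 0  # 0-100, derived from SIEM / threat intel signals


@dataclass
class Decision:
    allow: bool
    reasons: list = field(default_factory=list)  # empty on allow


def evaluate(req):
    """Policy engine: decide one request from identity, device posture,
    location, and risk inputs. Anything unknown is denied (no implicit trust)."""
    policy = RESOURCE_POLICY.get(req.resource)
    user = USERS.get(req.user)
    device = DEVICES.get(req.device)
    if policy is None or user is None or device is None:
        return Decision(False, ["unknown resource, user, or device: default deny"])
    reasons = []
    if not (user["roles"] & policy["roles"]):
        reasons.append("role not permitted for resource")
    if policy["mfa"] and not user["mfa_enrolled"]:
        reasons.append("MFA required")
    posture_ok = device["managed"] and device["disk_encrypted"] and device["patched"]
    if policy["managed_device"] and not posture_ok:
        reasons.append("device posture not compliant")
    if policy["countries"] is not None and req.country not in policy["countries"]:
        reasons.append("location not permitted")
    if req.risk_score > policy["max_risk"]:
        reasons.append("risk score above resource threshold")
    return Decision(not reasons, reasons)


def siem_risk_score(events):
    """Toy scoring of SIEM events for one user; the weights are constructed."""
    weights = {"failed_login": 10, "impossible_travel": 50, "malware_alert": 80}
    return min(sum(weights.get(e["type"], 0) for e in events), 100)


class PolicyEnforcementPoint:
    """Gateway or agent: opens a connection on a grant, tears it down when a
    later re-evaluation says revoke."""

    def __init__(self):
        self.sessions = {}

    def connect(self, req):
        decision = evaluate(req)
        if decision.allow:
            self.sessions[(req.user, req.resource)] = req
        return decision

    def reassess(self, user, resource, siem_events):
        """Continuous evaluation: re-run policy with fresh SIEM input and
        revoke the live session if it no longer passes."""
        key = (user, resource)
        req = self.sessions.get(key)
        if req is None:
            return Decision(False, ["no active session"])
        req.risk_score = siem_risk_score(siem_events)
        decision = evaluate(req)
        if not decision.allow:
            del self.sessions[key]
        return decision


if __name__ == "__main__":
    pep = PolicyEnforcementPoint()
    ok = pep.connect(AccessRequest("alice", "lt-0001", "payroll-db", "SG"))
    print("alice, managed laptop -> payroll-db:", ok.allow)
    bad = pep.connect(AccessRequest("alice", "byod-77", "payroll-db", "SG"))
    print("alice, BYOD -> payroll-db:", bad.allow, bad.reasons)
    revoked = pep.reassess("alice", "payroll-db", [{"type": "impossible_travel"}])
    print("after SIEM alert:", revoked.allow, revoked.reasons)
```

The design point is that the grant is never final: the same `evaluate` function runs at connect time and again whenever the SIEM or another input changes, so a session that was legitimately opened can be torn down mid-flight. A real deployment would replace the dictionaries with calls to the identity provider, the device management agent, and the SIEM, and would add step-up authentication as an outcome alongside plain allow and deny.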
A network-driven approach focuses on micro-segmentation of the network. With micro-segmentation, you group IT resources of similar sensitivity or function and place each group in its own network segment, usually protected by a gateway device such as a network switch or next-generation firewall that denies traffic between segments by default. Identity governance still plays a role in determining which resources users can access, but it is the gateways, rather than an identity solution, that protect each resource or group of resources.
Where Are You On Your Zero Trust Journey?
A 2022 report by the Cloud Security Alliance (CSA) on the state of zero trust security found that 90% of companies are in the process of implementing zero trust strategies. But businesses remain unsure about how long this will take or where they currently are on their journey. Much of this confusion stems from marketing campaigns that convince security leaders that they may need to replace much of their existing suite of security solutions with zero trust tools.
One critical point to understand about zero trust is that your business can achieve it in many different ways. There is no one single solution that “does” zero trust—a carefully selected combination of tools sets you on the right path. And, most importantly, there is a good chance you’re already using several solutions that can form the basis of a zero trust ecosystem.
Here is a brief list of solutions that have a role to play in achieving zero trust. Look through this list and take note of which ones are already in use at your business.
- Software-defined WAN (SD-WAN): During the pandemic, many businesses replaced or supplemented VPNs with SD-WAN to provide a more effective and secure method of connecting remote sites and users to enterprise resources. SD-WAN is not itself a zero trust control, but it works alongside zero trust to provide secure remote connectivity that doesn’t create performance bottlenecks.
- Attack surface management: An important part of zero trust is discovering, categorizing, and monitoring for risky changes in the entry points to your network. If you have an attack surface management solution in place, you may already have these capabilities.
- Multifactor authentication (MFA) and access management: A successful zero trust implementation starts with an accurate assessment of identity and a solid access management tool. By requiring users to present two or more categories of evidence (something they know, have, or are) when authenticating to business apps and services, you strengthen access security across your environment in line with zero trust principles. You may already have this in place for some or all of your business apps. In addition, an access management solution is needed to control who can access which application, and in what role.
- Identity management: Identity management systems have a pivotal role to play in zero trust, and there’s a good chance you’re already using one. These systems help create, store, and manage enterprise user accounts and their associated identity records. Critical information for enforcing access decisions is referenced in the identity management system, and it includes names, roles, access attributes, assigned assets/resources, and PKI certificates for machine identities.
- Security information and event management (SIEM): Many businesses use SIEM solutions to collect and analyze log and event data from multiple tools and applications. In zero trust, signals from the SIEM (for example, a correlation rule flagging a likely compromised account) can be fed into the policy engine so that access decisions reflect threats detected in near real time.
Without necessarily even knowing it, your business may well be already underway in its zero trust journey.
How i-Sprint Accelerates Your Zero Trust Implementation
While you might be closer to zero trust than you think, the roadmap for most businesses is a multi-year engagement. i-Sprint can accelerate your zero trust implementation with two solutions:
- AccessMatrix™ Universal Authentication Server (UAS) meets the strong authentication requirements of zero trust. Multiple authentication mechanisms and mobile authentication are supported.
- AccessMatrix™ Universal Access Management (UAM) provides web access management, and a set of security APIs for developers to tightly integrate web and non-web applications based on your access control policy. This policy-driven approach aligns your multi-tier applications, running on multiple heterogeneous platforms, with zero trust access principles.