What every organization should consider when implementing zero-trust.
July 24, 2019
The following is Part I of a two-part series on implementing zero trust. Below we will lay the groundwork for any organization looking to implement zero trust. Part II is a deeper discussion into what organizations should consider, with a checklist to help you evaluated various zero-trust solutions.
Zero Trust is an increasingly common term that is heard in the security industry. It’s both a mindset for thinking about security as well as a well-architected solution that helps to minimize risk from a changing working environment as well as an increasingly hostile world.
Zero trust is an active approach and model that integrates continuous, context-aware analysis and verification of trust, in an effort to help ensure that users and devices on a network are not doing anything malicious.
The basic idea behind zero trust is the assumption that all devices and users are untrustworthy until proven otherwise.
Even after a user or entity is proven to be trustworthy once, zero trust models do not by default trust the same user or device the next time they are seen by the system. Trust in the zero-trust model is never taken for granted, but is based on observation and regular authentication to help limit risks.
The concept of zero trust is often associated with the Software Defined Perimeter (SDP), which is an effort that originally began development under the auspices of the Cloud Security Alliance (CSA).
In the general SDP model, there is a controller which defines the policies by which agents can connect and get access to different resources. The gateway component helps to direct traffic to the right data center or cloud resources. Devices and services make use of an SDP agent which connects and requests access from the controller to resources. Along the way, device health checks, user profiling including behavioral data and multi-factor authentication mechanisms are engaged to validate security posture.
The zero trust model says that at every stage of an agent or host connection, there should be a security boundary that validates that a request is authenticated and authorized to proceed. Rather than relying on an implicit trust after the correct username and password, or access token has been provided, with zero trust by definition everything is untrusted and needs to be checked prior to providing access.
Zero trust is a great idea to help organizations reduce the attack surface and limit risks, but it is not without its complexity and implementation challenges.
A key challenge with some SDP zero trust implementations is that they are based upon on-premises deployment approaches, with a need for device certificates and support for the 802.1x protocol for port-based Network Access Control (NAC).
Enabling full support, end-to-end across multiple public cloud and on-premises deployments can often be a tedious and time-consuming task.
Though it might seem like a misnomer, there is often a need for organizations to trust a zero trust solution since there tend to be data encryption termination requirements.
Typically an organization will already have various security tools in place, including VPNs and firewalls. How a zero trust solution provider is able to navigate that minefield is often a key challenge.
Whether a zero trust solution is deployed is often a function of how easy it is to actually get set up.
To learn more about how zero trust can help your organization:
September 02, 2019
Part II of our two-part series on implementing zero trust takes a deeper dive into what organizations should consider, with a checklist to help you evaluated various zero-trust solutions
July 22, 2019
Learn why the age of implicit trust is coming to an end, what zero trust is all about and why it matters.
IT has a reputation of always saying "no". Black Hat 2019 challenged attendees and innovators to turn IT into the "department of yes".