
The Zero Trust Security Model

 

The Zero Trust slogan is ‘Never Trust, Verify Everything’.

To truly protect your organization today, you must implement a Zero Trust security model and operate by its core principles:

  • Verify continuously
  • Limit the blast radius of a breach
  • Automate telemetry collection and threat response

Zero Trust security continuously verifies the access permissions of every user, human and machine, for every requested resource (on-prem, cloud and hybrid). It also monitors user actions and compares them with a behavioral baseline, so that an anomaly (a login from an unusual country, a workload reaching a resource it never touches) can trigger elevated verification such as a fresh MFA prompt, or immediate action such as ending the session.

Benefits of Zero Trust

1. Protect what’s essential to your organization

The Zero Trust model protects what’s essential to your organization – your people, your applications and your data – in a way that supports the modern, cloud-first, remote-working way business is done today. It goes far beyond traditional perimeter-based security, which assumed that all resources resided inside a protected network and that every user had been safely vetted at login. The modern enterprise infrastructure is distributed across multiple physical sites, countless virtual machines, public and private clouds, and any number of platforms, environments and operating systems, and users work remotely from multiple devices. The traditional perimeter model is obsolete.

2. Enable and secure your digital transformation

Safely integrate cloud and SaaS-based resources, and let your users work from nearly anywhere on multiple devices. A Zero Trust Architecture strengthens your network security, information security and cloud security: by removing standing access and unverified trust from your systems, it significantly reduces the risk of malware, phishing, unauthorized access and compromised identities.

3. Limit potential breach damage

Every connection, every user and every resource is a possible entry point for bad actors. With Zero Trust, access is not granted until the user’s identity and permissions have been verified for that request. Because of this, the potential damage from a breach is limited and more easily detected. You grant users access only to the resources they need to do their job, no more and no less.

4. Implement Just-in-time (JIT) provisioning

Protect assets by tightly controlling access to resources and provisioning it on the fly, through approval workflows, only when it is needed. This is Just-in-time (JIT) provisioning, and it protects both the user and the asset: because the privilege expires when the task is done, there is no standing access for an attacker to inherit. It also saves valuable IT helpdesk time and lets your organization safely scale access for peak periods.
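The JIT provisioning workflow described above, as an added example that is not code from the page or from any product. It assumes a two-person rule (a requester cannot approve their own grant), a ceiling of four hours on any window, and that the clock starts at approval rather than at request; the users, roles and justifications are constructed for the walk-through.

```python
"""Added example, not code from the page or any product: a just-in-time privilege
broker. Privilege exists only inside an approved, time-boxed window and expires on
its own; role names, the window limit and the approval rule are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

MAX_WINDOW = timedelta(hours=4)     # assumed ceiling on any JIT grant

@dataclass
class Grant:
    user: str
    role: str
    justification: str
    duration: timedelta
    approved_by: Optional[str] = None
    expires_at: Optional[datetime] = None
    revoked: bool = False

    def active(self, now):
        """Approved, not revoked and inside its window; nothing else counts."""
        return self.expires_at is not None and not self.revoked and now < self.expires_at

class JitBroker:
    def __init__(self):
        self.grants: List[Grant] = []
        self.audit: List[str] = []   # every change of privilege leaves a record

    def request(self, user, role, justification, duration, now):
        if not justification.strip():
            raise ValueError("a justification is required")
        if duration > MAX_WINDOW:
            raise ValueError("requested window exceeds MAX_WINDOW")
        grant = Grant(user, role, justification, duration)
        self.grants.append(grant)
        self.audit.append(f"{now.isoformat()} REQUEST {user} {role} for {duration}: {justification}")
        return grant

    def approve(self, grant, approver, now):
        if approver == grant.user:
            raise PermissionError("requester cannot approve their own grant")
        if grant.approved_by is not None:
            raise ValueError("grant already decided")
        grant.approved_by = approver
        grant.expires_at = now + grant.duration      # clock starts at approval, not at request
        self.audit.append(f"{now.isoformat()} APPROVE {grant.user} {grant.role} "
                          f"by {approver} until {grant.expires_at.isoformat()}")

    def revoke(self, grant, by, now):
        grant.revoked = True
        self.audit.append(f"{now.isoformat()} REVOKE {grant.user} {grant.role} by {by}")

    def effective_roles(self, user, now):
        """What the user can do right now: only live grants, never standing privilege."""
        return sorted({g.role for g in self.grants if g.user == user and g.active(now)})

# Constructed walk-through: a one-hour database admin window for an incident.
T0 = datetime(2024, 5, 6, 9, 0, tzinfo=timezone.utc)

def incident_walkthrough():
    broker = JitBroker()
    grant = broker.request("alice", "db-admin", "restore the reporting replica", timedelta(hours=1), T0)
    before = broker.effective_roles("alice", T0)                          # not yet approved
    broker.approve(grant, "bob", T0 + timedelta(minutes=5))
    during = broker.effective_roles("alice", T0 + timedelta(minutes=30))  # inside the window
    after = broker.effective_roles("alice", T0 + timedelta(hours=2))      # expired by itself
    return before, during, after, broker.audit

def self_approval_is_rejected():
    broker = JitBroker()
    grant = broker.request("alice", "db-admin", "testing", timedelta(minutes=30), T0)
    try:
        broker.approve(grant, "alice", T0)
    except PermissionError:
        return True
    return False

def revocation_cuts_window_short():
    broker = JitBroker()
    grant = broker.request("alice", "db-admin", "hotfix", timedelta(hours=1), T0)
    broker.approve(grant, "bob", T0)
    broker.revoke(grant, "soc-analyst", T0 + timedelta(minutes=10))      # e.g. an anomaly was detected
    return broker.effective_roles("alice", T0 + timedelta(minutes=11))
```

The point to notice is that `effective_roles` is computed from live grants at the moment of the query; there is no stored role membership to forget to clean up, which is what removes the always-on privilege that a shared admin account or a permanent group membership leaves behind.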

What is Zero Trust Security?

Zero Trust Security is a proven model for implementing robust and selective cyber security. Zero Trust involves removing vulnerable, unnecessary and excessive permissions in favor of specific, fine-grained delegation and proper provisioning.

  • Enabling Zero Trust eliminates the sharing of admin passwords and allows individual, dynamic authentication for every administrative action.
  • Ensuring least privilege means issuing just the permissions an admin requires to do their job, no more and no less.
  • An effective Zero Trust architecture improves enterprise security posture and compliance while reducing the exposure of sensitive data and assets to intrusion.

What is Zero Trust Architecture?

According to the National Institute of Standards and Technology (NIST SP 800-207), a Zero Trust Architecture (ZTA) is an enterprise cybersecurity architecture based on Zero Trust principles and designed to prevent data breaches and limit internal lateral movement.

A Zero Trust Architecture aims to strengthen an organization’s cybersecurity and protect its assets from threats. It acknowledges that threats exist both inside and outside the traditional network perimeter and assumes that breaches are inevitable, so every request is treated as if it could come from a compromised network. It allows users to access only what they need to perform their jobs. Finally, it identifies anomalous or potentially malicious activity so that an intrusion cannot spread across the network.

What are the seven core tenets of the Zero Trust model (NIST SP 800-207)?

  1. All data sources and computing services are considered resources.
  2. All communication is secured regardless of network location.
  3. Access to individual enterprise resources is granted on a per-session basis.
  4. Access to resources is determined by dynamic policy — including the observable state of client identity, application/service, and the requesting asset — and may include other behavioral and environmental attributes.
  5. The enterprise monitors and measures the integrity and security posture of all owned and associated assets.
  6. All resource authentication and authorization are dynamic and strictly enforced before access is allowed.
  7. The enterprise collects as much information as possible about the current state of assets, network infrastructure and communications and uses it to improve its security posture.
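The tenets above, as an added example that is not code from the page or from NIST: a small policy decision point in Python that evaluates each request on identity, device posture and a behavioral baseline (tenets 3 to 6), records but never trusts network location (tenet 2), and returns allow, step-up or deny. Everything in it is assumed for illustration: the subject, device and request fields, the thresholds (a 15-minute session, an 8-hour MFA age, a 5-minute step-up window) and the sample users, baselines and resource.

```python
"""Added example, not code from the page or any product: a minimal Zero Trust policy
decision point. Every request is scored on identity, device posture and behavioral
baseline; all names, thresholds and sample data below are assumptions."""
from dataclasses import dataclass, field, replace
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import List, Optional, Set

class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"   # elevated verification: fresh MFA before access
    DENY = "deny"         # immediate action: no access

@dataclass
class Subject:
    kind: str                         # "human" or "machine"
    roles: Set[str]
    mfa_verified_at: Optional[datetime]

@dataclass
class Device:
    managed: bool
    disk_encrypted: bool

@dataclass
class Baseline:                       # what this subject normally does (constructed here)
    usual_countries: Set[str]
    usual_hours: range

@dataclass
class Request:
    resource: str
    sensitivity: str                  # "low" or "high"
    roles_allowed: Set[str]
    country: str
    hour: int
    on_corporate_network: bool

@dataclass
class Verdict:
    decision: Decision
    reasons: List[str] = field(default_factory=list)
    session_expires_at: Optional[datetime] = None

SESSION_TTL = timedelta(minutes=15)    # tenet 3: access per session, then re-evaluate
MFA_MAX_AGE = timedelta(hours=8)       # MFA age accepted for a sensitive resource in normal context
STEP_UP_WINDOW = timedelta(minutes=5)  # anomalous context: MFA must have just happened

def evaluate(subject, device, baseline, request, now):
    """Tenets 4 and 6: identity, asset state and context feed one dynamic decision."""
    if not subject.roles & request.roles_allowed:          # explicit authorization first
        return Verdict(Decision.DENY, ["no role grants " + request.resource])
    if not (device.managed and device.disk_encrypted):     # tenet 5: asset posture
        return Verdict(Decision.DENY, ["unmanaged or unencrypted device"])
    anomalies = []
    if request.country not in baseline.usual_countries:
        anomalies.append("unusual country " + request.country)
    if request.hour not in baseline.usual_hours:
        anomalies.append("unusual hour %d" % request.hour)
    reasons = list(anomalies)
    if request.on_corporate_network:                       # tenet 2: location is not verification
        reasons.append("on corporate network: noted, not trusted")
    if subject.kind == "machine":
        # A workload cannot answer an MFA prompt, so leaving its baseline means denial, not step-up.
        if anomalies:
            return Verdict(Decision.DENY, reasons + ["machine identity outside baseline"])
        return Verdict(Decision.ALLOW, reasons, now + SESSION_TTL)
    if request.sensitivity == "high" or anomalies:
        max_age = STEP_UP_WINDOW if anomalies else MFA_MAX_AGE
        fresh = subject.mfa_verified_at is not None and now - subject.mfa_verified_at <= max_age
        if not fresh:
            return Verdict(Decision.STEP_UP, reasons + ["MFA within %s required" % max_age])
    return Verdict(Decision.ALLOW, reasons, now + SESSION_TTL)

# Constructed sample data for the scenarios below.
NOW = datetime(2024, 5, 6, 10, 0, tzinfo=timezone.utc)
ALICE = Subject("human", {"finance"}, NOW - timedelta(hours=1))
RUNNER = Subject("machine", {"finance"}, None)
LAPTOP = Device(managed=True, disk_encrypted=True)
ALICE_BASELINE = Baseline({"US"}, range(8, 19))
LEDGER = Request("finance-ledger", "high", {"finance"}, "US", 10, on_corporate_network=False)

def normal_request():
    return evaluate(ALICE, LAPTOP, ALICE_BASELINE, LEDGER, NOW)

def new_country_stale_mfa():
    return evaluate(ALICE, LAPTOP, ALICE_BASELINE, replace(LEDGER, country="BR"), NOW)

def new_country_after_step_up():
    verified_now = replace(ALICE, mfa_verified_at=NOW - timedelta(minutes=2))
    return evaluate(verified_now, LAPTOP, ALICE_BASELINE, replace(LEDGER, country="BR"), NOW)

def corporate_network_without_mfa():
    no_mfa = replace(ALICE, mfa_verified_at=None)
    return evaluate(no_mfa, LAPTOP, ALICE_BASELINE, replace(LEDGER, on_corporate_network=True), NOW)

def machine_outside_baseline():
    always_on = Baseline({"US"}, range(0, 24))
    return evaluate(RUNNER, LAPTOP, always_on, replace(LEDGER, country="RU", hour=3), NOW)
```

Two points the verdicts make explicit: a machine identity that leaves its baseline is denied outright because there is nobody to answer a step-up prompt, and being on the corporate network appears in the reasons only as context, never as a substitute for verification. The short session TTL is what makes the check continuous rather than a one-time login decision.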

How do we make Zero Trust real?

To make Zero Trust achievable, an integrated approach built on a unified identity security platform is required. Designing well-thought-out practices to secure and manage identities is complex, but the critical piece is how they are implemented. Zero Trust replaces classic perimeter defense with constant, dynamic, identity-based control, so managing and securing identities becomes the focal point of every Zero Trust project, and a unified identity security platform becomes the enabler of the new security posture.

Why Do I Need Zero Trust Security?

Between Q1 and Q2 2021, the number of data breaches increased by 38%. In 2021, the average cost of a data breach was $4.24 million, compared to $3.86 million in 2020. Further, by 2025, damages due to cybercrime are estimated to exceed $10.5 trillion. To manage such threats, IT security investments have increased. And yet, 78% of IT security leaders believe that their organizations are not sufficiently protected against cyberattacks. To address this challenge, many enterprises are adopting the Zero Trust security model.

The traditional trust model assumes that everything inside the organization’s network can be trusted. Zero Trust security is radically different. It treats implicit trust as a vulnerability: any access granted on assumption rather than on verification is a path that an attacker who has already got inside can use. To secure your organization from threat actors, you must eliminate that implicit trust, and that is why you need Zero Trust security.

Where do I start my journey to Zero Trust?

For most organizations, implementing Zero Trust is already an ongoing security project that shapes all their efforts in this space. The key to building it out is identity: securing identities, implementing correct and durable processes to manage them, and bringing privileged identities under complete control and monitoring. With these fundamentals in place, organizations can step up to a least-privilege stance and continuous authentication, and begin investing in next-generation technologies such as Zero Trust Network Access (ZTNA) that radically depart from the legacy systems in use today.

A simple way to start the journey is to use segmentation to create isolated zones based on security policy. For example, a network can have a high-trust zone for internal users and devices, a low-trust zone for external users and devices, and a no-trust zone for untrusted or unknown entities, each with its own authentication and authorization mechanisms, encryption standards, firewall rules and monitoring tools. Segmentation reduces the attack surface, limits the lateral movement of attackers and helps enforce the principle of least privilege. Keep in mind that under the tenets above a zone is a containment boundary, not a credential: a request from the high-trust zone is still authenticated and authorized per session, because location alone is never a reason to grant access.

What are the prerequisites for getting started building a zero trust architecture?

Zero Trust success starts with casting the net wide enough to tackle identity sprawl. This means focusing not just on people, but also on machine identities and the ever-expanding set of accounts that comes with a multi-generational, hybrid and edge IT landscape. If you draw the circle too small, you leave a side door open to bad actors.

Another key prerequisite is to shift your mindset from the historical approach of seeking to protect everything – by optimizing for security at the perimeter – to assuming that compromise is inevitable and instead optimizing investments to verify everything. By leveraging contextual awareness, session monitoring, and behavior analytics, organizations can more quickly and efficiently anticipate, detect, and take corrective actions on emerging threats to the organization.

Finally, Zero Trust can be challenging to implement in an existing infrastructure because its controls must be retrofitted onto the network already in place. For existing systems, applications and networks, IT managers need to determine how Zero Trust can be overlaid on the current environment.


What are the biggest blockers in getting started with zero trust principles?

A primary blocker to delivering on the promise of Zero Trust is the fragmented way most organizations manage access rights today. The average large enterprise uses 25 different systems to manage access rights (source: The 3rd Annual Global Password Security Report). This siloed approach limits visibility and creates gaps, inconsistencies and additional risk. The complexity of keeping so many systems in step also pushes organizations to grant always-on privilege rather than provision it when it is needed.

Many forward-looking organizations aspiring to implement Zero Trust are now looking at the problem differently. By viewing the problem in a more holistic fashion and taking a unified approach to identity security – bridging silos and ensuring all identities are correlated and visible – they are able to better and more quickly add, remove, and adjust privilege just in time, which is a cornerstone of a Zero Trust strategy.

A second, related blocker is the lack of automation around integrated workflows between applications. Given the disjointed way many organizations pursue Zero Trust, this is common. Even when organizations assemble best-of-breed solutions to address the various elements of Zero Trust (e.g., identity and privilege), there is a good deal of friction because the products are not integrated. To streamline activities and attain optimal results, organizations should prioritize automated orchestration.

What’s most likely to cause project failure with zero trust initiatives as an organization gets underway?

Many of the reasons Zero Trust projects fail are already listed above – e.g., not casting the net wide enough across all identities, failing to shift your mindset to focus on continuous verification, and pursuing this strategy in a fragmented fashion.

One additional point of failure is thinking small and short term. Even in the early stages of planning, it is important to recognize that the threat landscape, and the IT landscape with it, is no longer static. Implement a cybersecurity strategy that is flexible and dynamic, not locked into a specific set of processes or constrained by your hybrid infrastructure. By becoming continuously adaptive, you can quickly pivot to changes in user roles and responsibilities, to changes in IT infrastructure and, of course, to new and developing threats.
