Thanks to the recent publication of the National Security Agency’s (NSA) Network Infrastructure Security Guidance report, weeding out common network weaknesses and vulnerabilities have shot to the top of the agenda for many business decision-makers.
After all, the average financial fallout of a data breach has reached an eye-watering $4.24 million – a 17-year high. Today’s organizations must prioritize data security and the benefits of a Zero Trust Architecture (ZTA), but before we go any further, let’s take a closer look at what ZTA is and where this concept came from.
What's Zero Trust?
Also known as perimeterless security, Zero Trust is a security model based on a framework of principles for the design and implementation of IT systems to address cyber threats in increasingly decentralized environments. Users must be authenticated, authorized, and continuously validated before being granted access to systems and data. In short, Zero Trust inherently trusts no one.
Hackers’ point of entry is often not their target location within a network. Instead, they identify a vulnerability in one area and move laterally until reaching their target. ZTA prevents this from happening by forcing users to identify themselves at multiple points –essentially limiting the damage a bad actor can do.
Zero Trust isn’t a new concept. It was first presented in 2009 by John Kindervag, a former principal analyst at Forrester Research. However, its popularity has exploded over the past two years. In fact, a 2021 Microsoft report found that 90% of security decision-makers were familiar with the concept, up from just 20% just a year ago. This trend has no doubt been catalyzed by the growth of remote working and increased cloud adoption. Not to mention the skyrocketing number of cyberattacks – which look to grow further based on recent warnings from the White House about incoming Russian cyberattacks on U.S. businesses.
“OK, but how can I implement Zero Trust in practice?”
There’s no one-size-fits-all model for implementing ZTA. However, organizations should typically consider the following:
- Identity governance: Ensure that you’re managing and securing all user identities through robust policies and access entitlements. Role-based access controls can help you enforce these policies by leveraging user roles to grant access to the systems and applications they need to do their jobs, and nothing more.
- Privileged access management: Privileged accounts are those with the highest level of access and pose a greater security risk than the average user given the degree of sensitive information that could be exposed. Adhere to the principle of least privilege by providing just enough access to third parties or admins to complete a task through granular policy control at the system level.
- Multifactor authentication (MFA): One of the most common initial attack vectors is compromised user credentials, which is what MFA aims to prevent. This layer of security requires two methods of authentication before granting access to a system or application: something you know (password or PIN), something you have (smartphone or token), and something you are (biometric data).
- Single sign-on (SSO): Security is only as good as those who use it, and when security is noticed by users, it’s often ignored. In fact, 57% admit to writing down passwords on sticky notes while many other users share credentials with colleagues. SSO enables organizations to implement stronger security by eliminating the need to remember and repeatedly type usernames and passwords to access systems.
- Zero Trust Policy Engine: As National Institute of Standards and Technology (NIST) documents describe, this is the “brains” of your ZTA. Every single time a digital identity, whether it’s a person or machine, tries to access an enterprise resource, the ZTA policy engine is asked whether it should access it. Of course, you set the parameters for your policy engine. Effectively, if your digital identity management is tight, you can also use the ZTA policy engine to remove some username or password requirements, as well as MFA requirements. Essentially, you can improve security while providing easier access – doesn’t, that sound familiar?
Identity and access management – it's time to get your house in order
Effectively managing and securing digital identities is arguably the most important component of ZTA. Simply put, without an identity and access management (IAM) strategy in place – you can forget Zero Trust. Or, at least forget any of the benefits that come from it.
There’s a huge range of tools that organizations can use when implementing their IAM strategy but having the above solutions in place is just one piece of the puzzle. Thanks to an array of legacy systems that most organizations still have, it’s common to see one tool for provisioning and deprovisioning, another for MFA, a third for SSO, and so on. Without intending to do so, organizations with this type of fragmented approach often introduce the very risks they’re trying to avoid.
Instead, forward-thinking organizations should be looking to consolidate these tools with a unified strategy that eliminates gaps and enables a single point of control.
All in all, it’s hard to overstate the sheer number of cybersecurity-related challenges currently facing organizations. Admittedly, for many, it’s a case of figuring out how to secure systems, data, and users in the immediate term. But once they’re done firefighting, implementing ZTA – grounded in an effective identity and access management strategy – is a no-brainer.