The network perimeter security paradigm, where it is assumed that entities outside the perimeter or enterprise zone are potentially unsafe and no one inside the perimeter will harm the system, is taking a beating in this digital age, with an ever-growing number of remote users armed with their own devices coupled with significant adoption of cloud-based architectures.
Perimeter security paradigm allows an employee, just based on the fact that he or she is on the LAN, in other words, within the perimeter, access to information systems and applications relatively easily. At the same time, it remains hard to obtain access from outside the network. All devices and credentials inside the perimeter are trusted by default. In some cases, the attacker has only one wall to pass through, usually the physical security or the network boundary. The vulnerability in this paradigm was further aggravated because businesses do not have their data in one single location, which made it difficult to have one single security control over the entire network.
This paradigm was challenged in the year 2010, and a better approach called Zero Trust Security was proposed. With subsequent adoption by Google, this paradigm started gaining popularity.
In this article let us look at:
Zero Trust Security is a holistic approach to network security. It is strictly required of all individuals and services that request access to a resource on a network to go through strict authentication and authorization regardless of their location, either within premises or outside. The thinking behind Zero Trust Security is that an attack can be orchestrated both within and outside the enterprise, and both should be subjected to the same level of security screening.
Zero Trust Security being an approach or a paradigm towards network security does not have a specific technology associated with it. It incorporates several different principles and technologies. One important technique used in ZTS is Microsegmentation. It is nothing but breaking the perimeter into smaller zones allowing separate security access to different parts of the network.
Another core concept belonging to Zero Trust Security is Multi-Factor Authentication (MFA). You usually see an MFA in action when completing a transaction through your mobile banking app, where an OTP is required even after entering your PIN.
A holistic approach demands significant controls on the device, ensuring each device is authenticated and authorized appropriately.
Zero Trust Security comes from the word ‘Zero Trust”, first counted by an analyst, John Kindervag, in 2010, at Forrester Research Inc. In his research paper, he highlighted that all network traffic isn’t secure and that any request for access to access any resources must be granted in a secure way. The original concept was centred around data-centric network design using micro-segmentation for greater granular control, limiting the lateral movement of attackers once the perimeter is breached.
As mentioned before, Zero Trust Security is a holistic approach encompassing principles and various techniques and does not represent one single technology in particular. It relies on a number of existing technologies and governance processes and seeks to secure the entire enterprise environment.
Zero Trust Security espouses a few principles, which are listed below.
With no concept of “trusted source” in ZTS, it mandates that every access request must be authenticated and authorized in an encrypted way.
Prevention techniques look to make the probability of a breach close to impossible and ensure damage is minimum even if there happens to be a breach. MFA and Microsegmentation techniques are popular forms of prevention techniques. Another one is least-privilege access which allows only the lowest level of access to any user or device, just enough for the user to be able to execute his or her task.
In order to minimize what is called the “breakout time”- the window between the first compromise and the next attack, real-time monitoring systems should be employed by enterprises to minimizing any potential damage.
A broader security strategy that incorporates a variety of endpoint monitoring, breach detection and targeted response should be adopted by the business as a whole to ensure their networks are safe from hacks.
There are many technologies that can help you implement Zero Trust Security architecture in your enterprise, like MFA, IAM or micro-segmenting parts of your IT infrastructure. But this, according to experts, will not holistically bring in ZTS. The need is to use these technologies to enforce the idea that you get access only when you can prove conclusively that you are who you claim you are. Experts also suggest not tinker with your legacy systems when trying to bring in ZTS; instead, they suggest introducing the Zero Trust Security framework as part of the digital transformation of legacy systems, like when moving to the cloud.
There are a few steps that accomplished research and analysis group, Forrester proposes, that will help you implement a Zero Trust Security Model.
Identify locations, methods of storage, type of encryption and everything related to your valuable data.
Document the flow of sensitive and valuable information. Who can access, which systems it can go through and who can access those systems?
Build micro-segments around the flow of your valuable and sensitive information.
Continuous monitoring of data assets and data flows should be done regularly, keeping track of certain conditions with respect to data access and the location it is being accessed from.
Manual intervention can slow down the ability to respond to potential threats. It is important that the response is automated and orchestrated as much as possible.
ZTS is a strategic investment and never a tactical, knee-jerk reaction to an adverse security event. It is an approach to achieving better security for your enterprise while technologies come and go.
So, have you made up your mind to make a career in Cyber Security? Visit our Master Certificate in Cyber Security (Red Team) for further help. It is the first program in offensive technologies in India and allows learners to practice in a real-time simulated ecosystem, that will give you an edge in this competitive world.