Historically, many organizations have used a perimeter-focused security strategy. However, this strategy has its limitations and fails to meet the needs of the modern organization. The zero trust security model is designed to secure today’s networks against cyber threats and helps meet the requirements of new regulations, such as the Cybersecurity Maturity Model Certification (CMMC).
The zero trust security model eliminates the implicit trust built into legacy security models. A zero trust architecture bakes the philosophy of zero trust into an organization’s network and security architecture. This means that even within an organization, there is the assumption that at any given point a person’s security credentials could be compromised and create a breach; this is one of many examples of how the philosophy applies. Each user, device, and network connection must be authenticated and continually authorized.
Zero trust works by applying a “trust but verify” approach to access requests for corporate resources. Each user, application, and system within the enterprise is assigned a set of permissions based on the principle of least privilege, which states that an entity should only be granted the permissions needed to do its job.
When an access request is made for a corporate resource, it is evaluated against this collection of permissions. If the request is valid, it is approved; otherwise, it is blocked. This process is applied to every request for every asset, so that no single access determination grants more access than that one request requires.
The National Institute of Standards and Technology (NIST) defines seven key tenets of zero trust in NIST SP 800-207, titled Zero Trust Architecture.
The first tenet of zero trust is that everything an organization owns is considered a resource that should be protected under a zero trust policy. This includes all of an organization’s data and its computers, including on-premises and off-premises (cloud-based and remote) systems.
The second tenet addresses network location. In the past, many organizations used a perimeter-focused security strategy, where everything and everyone within the perimeter was “trusted” and everything outside it was “untrusted”. Under a zero trust policy, access requests from inside the network are subject to the same level of scrutiny as ones originating from outside.
The third tenet is that a requestor’s access to resources is determined on a per-session basis. Approval to access a resource in the past does not mean that access should automatically be granted now. Authentication and access controls must be applied for every session.
The fourth tenet is that access requests are granted or denied on a case-by-case basis, determined by role-based access control (RBAC) and other factors. Not only should access be managed based on the principle of least privilege, but behavioral and environmental attributes can play a role as well. For example, access may be denied if a request is made from a suspicious location, at an odd time, from a device exhibiting unusual behavior, or for a resource that has become non-compliant with organizational policies.
The fifth tenet concerns device security. Zero trust policies are designed to ensure that access requests are only granted to legitimate users and appropriate devices, but the security status of the device must be considered as well. A compromised device could put corporate resources at risk, so a zero trust architecture should include the ability to evaluate the security posture of a device and allow or deny access based on this analysis.
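The per-session, context-aware access decision described in the tenets above (least privilege, device posture, location, time of day, and behavioral signals) written out as a minimal policy decision point. This is an added example, not code from the original article or from Hyper Vigilance; the roles, permission strings, allowed-country list, working hours and anomaly threshold are constructed placeholder values.

```python
from dataclasses import dataclass

# Constructed least-privilege role table: each role holds only the
# permissions its job needs (hypothetical example values).
ROLE_PERMISSIONS = {
    "engineer": {"repo:read", "repo:write"},
    "contractor": {"repo:read"},
}
ALLOWED_COUNTRIES = {"US"}      # constructed environmental policy
WORK_HOURS = range(6, 22)       # constructed: 06:00 to 21:59 local
ANOMALY_THRESHOLD = 0.8         # constructed: score at which behavior is treated as a compromised account


@dataclass
class AccessRequest:
    user: str
    role: str
    action: str
    device_compliant: bool   # result of the device posture check for this session
    country: str             # where the request originates
    hour: int                # local hour of the request, 0-23
    anomaly_score: float     # 0.0 (normal) to 1.0 (matches insider/compromise pattern)


def decide(req: AccessRequest, session_verified: bool) -> tuple[bool, str]:
    """One session-scoped decision. Nothing is cached between calls, so a
    request that was approved a minute ago is re-evaluated from scratch."""
    if not session_verified:
        return False, "authentication required for this session"
    if req.action not in ROLE_PERMISSIONS.get(req.role, set()):
        return False, "least privilege: role lacks permission"
    if not req.device_compliant:
        return False, "device posture: non-compliant device"
    if req.country not in ALLOWED_COUNTRIES:
        return False, "context: request from unexpected location"
    if req.hour not in WORK_HOURS:
        return False, "context: request outside normal hours"
    if req.anomaly_score >= ANOMALY_THRESHOLD:
        return False, "behavior: request pattern indicates compromised account"
    return True, "allowed"


def decide_sessions(requests: list[AccessRequest]) -> list[tuple[bool, str]]:
    """Evaluate a sequence of sessions independently; an earlier approval
    does not carry over to a later session whose attributes have changed."""
    return [decide(r, session_verified=True) for r in requests]
```

Every denial names the tenet that triggered it, which is the kind of reason string a policy engine should log for detection and incident review.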
The sixth tenet is that an organization’s zero trust policies should continually adapt based upon newly available information. For example, a legitimate user with a legitimate device may be denied access to resources if their pattern of requests indicates an insider threat or a compromised account.
The seventh tenet is that zero trust policies should be based on the organization’s current state and threat landscape. Companies should continually collect data about the state of their networks and use this information to develop and refine their policies.
Zero trust has become a goal not only of organizations but of regulators as well. Many regulations, such as CMMC, will likely require a zero trust architecture as part of their compliance process in the near future. This helps to minimize risk to protected data by making sensitive information more difficult to access or breach.
Adopting zero trust requires a new approach to security, and this new security model is increasingly required for regulatory compliance. Learn more about your compliance responsibilities and how to achieve them with Hyper Vigilance. Contact us today.