
Zero Trust: What it is and what it is not

Over the last several years, one of the trendiest topics has been the idea of zero trust security. In its Zero Trust Adoption Report from last year, Microsoft claims that the rapid hybridization of the workplace has accelerated the adoption of zero trust strategies, which are now at least partially adopted at 72% of organizations. If you take a look at just about any infosec social media platform, you’ll see many a post, video, or podcast extolling the virtues of zero trust security. But to many, it is a nebulous concept at best, a buzzword for the maximal extension of the principle of least privilege. While it can seem like a marketing buzzword if you stare too long into the depths of infosec social media, there’s more to it than that.

What is Zero Trust

Zero trust design philosophy is just that, a way of thinking. Networking powerhouse Palo Alto defines zero trust as a strategic approach to cybersecurity that secures an organization by eliminating implicit trust and continuously validating every stage of a digital interaction. In most modern systems and network architectures, trust is an integral part of understanding your risk. If you choose to update a Windows laptop, you have to trust that the update being pushed by Microsoft will be legitimate. In a trust-based security process, security teams take a “trust, but verify” approach where there is an implicit understanding that this is probably a genuine Microsoft update, but we should verify before we push this out to our fleet of laptops.

Zero trust takes this way of thinking and flips it on its head—instead preferring a “never trust, always verify” approach that actively presumes that any digital interaction may be malicious. It involves using every method possible to verify the authenticity of an actor before engaging with them in any way. This lack of trust applies to the network interior as well, so as to prevent hostile lateral movement throughout the network thanks to a single weak point that gives an attacker a foothold. Since zero trust assumes malicious intent and verifies authenticity to the fullest extent possible, zero trust security relies on extensive identity management processes, strong authentication methods, network segmentation, and defense in depth to limit lateral movement throughout a network or system.

What it’s not

If you come away from this article with one idea, let it be this: zero trust architecture IS NOT a product, it’s a set of principles. There is no single product that can implement zero trust architecture in an enterprise-wide manner. That isn’t to say that there aren’t programs and platforms that exist to support zero trust security implementations, just that there is no silver bullet solution that does everything for you. Implementing an enterprise-wide zero trust strategy would require immense effort with product support that facilitates the management of this new method of conducting cybersecurity. It also isn’t the end-all-be-all of cybersecurity. While it does have vast security benefits over traditional trust-based processes when implemented properly, it isn’t infallible, and it does come with a hefty amount of overhead due to design complexity. Because of the requirements for strong identity management and authentication methods, zero trust architecture also still requires a solid foundation upon which a rigorous security program can be built.

According to Cloudflare, some of the most important aspects of supporting zero trust architecture are:

  • Continuous monitoring
  • Applying the principle of least privilege
  • Maintaining strong device access control
  • Data flow segmentation
  • Multifactor authentication

Zero trust architecture requires that organizations stay on the ball in verifying and validating that a user, agent, or device has the right privileges, and that identities are continuously challenged. It also requires that the organization identify and categorize all known service and privileged accounts, since policies need to be created and controls put into place for how they are able to interact with business services. Having an accurate and continuously updated device inventory is critical for validating who and what is attempting to access company resources. Zero trust processes rely on real-time visibility into the status of hundreds or thousands of users and devices, something that we are particularly suited for.
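To make the aspects listed above concrete, here is a per-request access decision that combines them: device inventory, MFA freshness, categorized service accounts, segment-level data flows, and least-privilege grants, with every decision logged for monitoring. This is an added illustration, not code from Cloudflare, CnSight, or any product; all names, devices, and the 8-hour MFA interval are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample data: device inventory, least-privilege grants, permitted flows.
INVENTORY = {
    "lt-0042": {"owner": "alice", "compliant": True},
    "lt-0077": {"owner": "bob", "compliant": False},  # failed posture check
}
GRANTS = {  # identity -> set of (resource, action)
    "alice": {("payroll-db", "read")},
    "bob": {("wiki", "read")},
    "svc-backup": {("payroll-db", "read")},
}
SERVICE_ACCOUNTS = {"svc-backup": "srv-backup-01"}  # account -> only host it may run on
FLOWS = {("workstations", "payroll-db"), ("workstations", "wiki"), ("servers", "payroll-db")}
MFA_MAX_AGE = timedelta(hours=8)  # assumed re-challenge interval

@dataclass
class Request:
    identity: str
    device_id: str
    segment: str
    resource: str
    action: str
    mfa_at: "datetime | None" = None  # time of last MFA challenge, if any

def evaluate(req, now):
    """Every check must pass; the source segment alone never grants access."""
    if req.identity in SERVICE_ACCOUNTS:
        if req.device_id != SERVICE_ACCOUNTS[req.identity]:
            return False, "service account used from unexpected host"
    else:
        dev = INVENTORY.get(req.device_id)
        if dev is None or dev["owner"] != req.identity:
            return False, "device not in inventory for this user"
        if not dev["compliant"]:
            return False, "device failed posture check"
        if req.mfa_at is None or now - req.mfa_at > MFA_MAX_AGE:
            return False, "MFA missing or stale"
    if (req.segment, req.resource) not in FLOWS:
        return False, "flow not permitted from this segment"
    if (req.resource, req.action) not in GRANTS.get(req.identity, set()):
        return False, "no grant for this action"
    return True, "all checks passed"

def decide(req, now, audit):
    allowed, reason = evaluate(req, now)
    # Allows and denies are both recorded so monitoring sees every attempt.
    audit.append((now.isoformat(), req.identity, req.device_id, req.resource, allowed, reason))
    return allowed, reason
```

Note that a request from an internal segment is still denied if the device, MFA, or grant check fails, which is the difference from a perimeter model where network location implies trust.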

Continuous monitoring is just a piece of the puzzle for implementing zero trust concepts within your cybersecurity strategy, but it is perhaps the most significant. CnSight looks from within your organization, providing an executive-level cyber risk, effectiveness, and performance management view that works for organizations of all sizes. Our solution uses Cybersecurity Performance Indicators (CPI) to evaluate the performance of your cybersecurity program, which is essential for implementing zero trust security. With modern tools like CnSight, it’s easier than ever to continuously monitor your organization’s zero trust processes and tools. Bolster your cybersecurity resilience by deploying CnSight to help manage risk, manage your cybersecurity performance, and align your day-to-day cybersecurity performance with your strategic goals.
