Zero Trust is a security model that treats every request, whether it originates inside or outside the organisation's network, as a potential breach. Every request must be authenticated, authorised and encrypted before access is granted. Putting the model into practice combines technologies such as identity protection, risk-based multi-factor authentication and cloud security controls to verify the user and the device, and then grants only the access that the specific request needs.
In a traditional on-premises network, devices and users connected to the network were regarded as "trusted"; their activity could be constrained by a perimeter firewall and by physical, hard-wired connections. That implicit trust eroded with the emergence of wireless networks, once the network edge no longer coincided with the organisation's walls. Zero Trust reduces risk by continuously verifying every access rather than trusting the location a request comes from.
Basic Principles of a Zero Trust Program
These are the basic principles that guide a Zero Trust program:
Zero Trust can be built from scratch (a greenfield, or "pure", Zero Trust network) or retrofitted onto an existing network. The second approach is by far the more common, but the same principles apply to both; what differs is the scope and scale of each step.
Implementing Zero Trust is an incremental process that keeps re-examining its own results. It therefore helps businesses to know the steps that build a sound Zero Trust program:
The first step is to define the protect surface. The attack surface keeps expanding, which makes it hard to define, shrink or defend, and trying to reduce it everywhere is not viable in today's constantly changing threat landscape. Zero Trust therefore has the organisation identify and concentrate on its protect surface, which is far smaller than the attack surface, instead of on the attack surface as a whole.
The protect surface consists of the organisation's most valuable data, assets, applications and services, known as DAAS. Typical examples of DAAS in a protect surface include sensitive data such as payment-card, health or personal records; assets such as servers, industrial controllers and IoT devices; business applications, whether off-the-shelf or custom; and supporting services such as DNS, DHCP and directory services.
Once the protect surface is defined, the organisation can place a micro-perimeter around it and attach policy statements that are precise, understandable and limited in scope.
The second step is to map the transaction flows. How traffic moves across the network determines how it must be protected, so it is crucial to understand how the organisation's DAAS depend on each other and on the users, applications and systems that interact with them. Analysing how each resource is actually used gives the context needed to enforce controls that protect the data without obstructing the business.
The third step is to architect the Zero Trust network. Zero Trust networks are bespoke; there is no single universal design, because the architecture is built around the protect surface. Once the protect surface is defined and the flows have been mapped against the requirements of the business, the organisation can design its Zero Trust architecture. A common starting point is a next-generation firewall acting as a segmentation gateway: it enforces additional layers of access control and inspection on traffic entering the micro-perimeter, up to layer 7 (the application layer, the topmost layer of the OSI model).
Once the network is built, the fourth step is to write the Zero Trust policy. The Kipling method is useful here: for every access request it asks who, what, when, where, why and how, which lets the organisation state precisely which users may reach which resources. Applied to a protect surface, the questions are:
Who should be accessing a resource?
What application is being used to access the resource inside the protect surface?
When is the resource being accessed?
Where is the destination, that is, which resource in the protect surface?
Why is the resource being accessed, and for what business purpose?
How is the resource being accessed: from which device, with what posture and what authentication?
With policy enforced this stringently, only traffic that is known and explicitly allowed reaches the protected data; everything else is denied by default.
The final step is to monitor and maintain the network: review all logs, internal and external, all the way up to layer 7, and focus on the operational aspects of the Zero Trust program. Because Zero Trust is an iterative process that inspects and logs all traffic, those logs show how to improve the network over time, and the earlier steps are repeated as the protect surface and its flows change.
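As an added illustration, not code from this page or from Gajshield, the following Python policy engine works through steps 1, 2, 4 and 5 above in miniature: a protect surface of two DAAS entries, a flow map from destination address to resource, allow rules written against the Kipling questions that deny anything not explicitly matched, and a log record for every decision. The resource names, subnets, groups and requests are constructed sample data.

```python
"""Default-deny Zero Trust policy engine built around the Kipling questions.
All resources, rules and requests below are constructed sample data."""
from __future__ import annotations

import ipaddress
import json
import logging
from dataclasses import dataclass
from datetime import time

log = logging.getLogger("zt-policy")

# Step 1: the protect surface (DAAS). Each entry is the micro-perimeter in front
# of one resource: its destination network and the layer-7 application that the
# segmentation gateway expects to identify on that flow.
PROTECT_SURFACE = {
    "payroll-db": {"subnet": "10.10.5.0/24", "app": "postgres"},
    "ad-ldaps": {"subnet": "10.10.1.10/32", "app": "ldaps"},
}


@dataclass(frozen=True)
class Request:
    """One access request described with the six Kipling questions."""
    who: str              # authenticated identity
    groups: frozenset     # group memberships asserted by the identity provider
    what: str             # layer-7 application identified by the gateway
    when: time            # time of the request
    where: str            # destination IP address
    why: str              # declared purpose (change ticket etc.); logged only
    mfa: bool             # how: was risk-based MFA satisfied?
    managed_device: bool  # how: did the device pass posture checks?


@dataclass(frozen=True)
class Rule:
    """An allow rule. Anything not explicitly matched by a rule is denied."""
    name: str
    resource: str          # key in PROTECT_SURFACE
    who_groups: frozenset  # membership of any one of these groups suffices
    what: str              # required layer-7 application
    when_start: time
    when_end: time
    require_mfa: bool = True
    require_managed_device: bool = True


POLICY = [
    Rule("payroll-admins", "payroll-db", frozenset({"payroll-admins"}),
         "postgres", time(8, 0), time(18, 0)),
    Rule("staff-auth", "ad-ldaps", frozenset({"staff"}),
         "ldaps", time(0, 0), time(23, 59, 59), require_managed_device=False),
]


def resource_for(where: str) -> str | None:
    """Step 2 (flow map): which protect-surface resource is this traffic bound for?"""
    addr = ipaddress.ip_address(where)
    for name, spec in PROTECT_SURFACE.items():
        if addr in ipaddress.ip_network(spec["subnet"]):
            return name
    return None


def evaluate(req: Request, policy=POLICY) -> tuple[str, str]:
    """Return (decision, reason). Default deny: the request is allowed only if
    every check of some rule for its resource passes."""
    resource = resource_for(req.where)
    if resource is None:
        decision = ("deny", "destination is not in the protect surface")
    else:
        decision = ("deny", f"no rule covers {req.who} -> {resource}")
        for rule in policy:
            if rule.resource != resource:
                continue
            checks = [
                (bool(req.groups & rule.who_groups), "who: group not permitted"),
                (req.what == rule.what, f"what: {req.what} is not {rule.what}"),
                (rule.when_start <= req.when <= rule.when_end, "when: outside window"),
                (req.mfa or not rule.require_mfa, "how: MFA required"),
                (req.managed_device or not rule.require_managed_device,
                 "how: unmanaged device"),
            ]
            failed = [reason for ok, reason in checks if not ok]
            if not failed:
                decision = ("allow", f"matched rule {rule.name}")
                break
            decision = ("deny", f"rule {rule.name}: " + "; ".join(failed))
    # Step 5: every decision, allow or deny, is logged with its full context so
    # the policy can be tuned from what the traffic actually looks like.
    log.info(json.dumps({"who": req.who, "what": req.what, "when": req.when.isoformat(),
                         "where": req.where, "why": req.why, "resource": resource,
                         "decision": decision[0], "reason": decision[1]}))
    return decision


def sample_requests() -> dict[str, Request]:
    """Constructed requests that exercise the allow path and each deny reason."""
    admin = frozenset({"payroll-admins", "staff"})
    staff = frozenset({"staff"})
    return {
        "admin_ok": Request("alice", admin, "postgres", time(10, 30), "10.10.5.20", "CHG-1042", True, True),
        "after_hours": Request("alice", admin, "postgres", time(22, 0), "10.10.5.20", "CHG-1042", True, True),
        "wrong_app": Request("alice", admin, "ssh", time(10, 30), "10.10.5.20", "CHG-1042", True, True),
        "no_mfa": Request("alice", admin, "postgres", time(10, 30), "10.10.5.20", "CHG-1042", False, True),
        "not_admin": Request("bob", staff, "postgres", time(10, 30), "10.10.5.20", "curious", True, True),
        "staff_ldaps_byod": Request("bob", staff, "ldaps", time(3, 0), "10.10.1.10", "login", True, False),
        "outside_surface": Request("bob", staff, "http", time(10, 0), "192.168.1.50", "browsing", True, True),
    }


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(message)s")
    for label, req in sample_requests().items():
        print(label, evaluate(req))
```

In a real deployment the segmentation gateway supplies the "what" and "where" (application identification and destination), the identity provider supplies "who", group membership and the MFA result, and a device-management or posture service supplies the "how"; the JSON log lines are what the monitoring step reviews to refine the rules.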
Zero Trust is not a technology project but a shift in organisational culture. Companies should assess the impact a Zero Trust program will have on end users, business stakeholders, operational teams and relevant third parties, before and during the rollout. Handled this way, the program builds a foundation of trust with those groups. Removing implicit trust from the enterprise is likely to be the key to a trustworthy digital transformation.
Gajshield's data security solutions can help you build a sound Zero Trust security ecosystem to protect your data. Contact us to learn more about our data security solutions.