Zero Trust security model explained: what is Zero Trust?

This blog was written by a third party author

What is Zero Trust?

Zero Trust is a cybersecurity model with a tenet that any endpoint connecting to a network should not be trusted by default. With Zero Trust, everything and everyone— including users, devices, endpoints —must be properly verified before access to the network is allowed.

The protocols for a Zero Trust network ensure very specific rules are in place to govern the amount of access granted, and are based upon the type of user, location, and other variables. If the security status of any connecting endpoint or user cannot be resolved, the Zero Trust network will deny the connection by default. If the connection can be verified, it will be subject to a restrictive policy for the duration of its network access.

Zero Trust networks operate under the least-privilege principle, in which all programs, processes, devices or users are limited to the minimum privileges required to carry out their functions. Access rights don’t need to be too restrictive; privileges can range from full access to no rights at all, depending on the circumstances.

Think of it like the government or military’s “need-to-know” policy.

It’s essential to make the distinction that Zero Trust is not a technology and more of a holistic approach to network security. However, achieving Zero Trust Architecture (ZTA)  in today’s threat landscape does require some form of automation, especially in support of a dynamic policy, authorization and authentication. Automated technology is an essential tool for obtaining access, scanning and assessing threats, adapting to behavior changes, and continually re-evaluating confidence in communications.

Where did Zero Trust begin?

The concept of Zero Trust is largely credited to Forrester Research analyst John Kindervag, who published a paper outlining the framework in 2010.

Shortly after the paper’s publishing, Google began adopting the process, and soon, the tech world caught on.

Why is Zero Trust so important today?

As the work from home (WFH) model is adopted by more organizations to meet the demand of a reshaped economy, scores of endpoints are originating from outside of the protected corporate perimeter. The challenge of managing these connections is increasing dramatically — and protecting personal, financial, and customer data is paramount.

The network and workplace of the future, where more remote connections are the norm rather than the exception, has arrived faster than anyone imagined. Architectures like Zero Trust are a critical component for enabling secure, adaptable, and agile networks and systems.

What are the core principles of Zero Trust?

One of the primary strategies necessary for successful zero trust implementation is network segmentation. Separating your network into smaller networks ensures devices, servers, and services containing sensitive data are isolated from the rest of the network. This process keeps a potential attacker contained within the network segment they’ve accessed.

Further, micro-segmentation is crucial, as it adds another preventative layer in reducing lateral network movement.

Much like network segmentation, the foundations of Zero Trust include other facets of robust security hygiene:

• Application of authentication and encryption for all communications independent of location, performed at the application layer closest to the asset in the network
• Following comprehensive vulnerability and patch management procedures
• Continuous monitoring of device and application state to identify and address security vulnerabilities as needed, or act on their access privileges accordingly
• Controlling and monitoring all traffic as access is provided — to improve security posture and create, adjust and enforce policy

How do I implement the Zero Trust model?

Achieving Zero Trust can be a lengthy process and is not something you can simply turn on. The challenge lies in planning and implementation, which cannot be overlooked.

As an organization begins its journey to Zero Trust, it must first realize that it is, in fact, a journey — consisting of assessing, planning, architecting and designing, piloting, and implementing.

To help on this journey, your high level 5-step roadmap should include the following:

1. Start with a strategy. Answer these questions: Why Zero Trust? What are your overall business goals? Which networks will you target? Map goals to the cyber threats to mitigate risk. Involve the right people and departments in this process.

2. Define the what, where, and who of protection. As you develop your strategy, define what it is you need to protect. What type of data and which business assets need protection? Next, identify where that data is stored, where it is going, and who or what is handling that data.

3. Assess your organization’s readiness. Perhaps you already have some Zero Trust elements on your network today. Having an understanding of what you currently have implemented in your environment, how that can meet the Zero Trust tenets, and what needs to change to achieve Zero Trust can be very effective in developing the overall architecture. Organizational self-awareness will simplify the process and allow for the proper allocation of resource, time, and financial budgets.

4. Design and build architecture and policy. The ZTA outlines what authorization means to your organization and how it looks and should define how much of your architecture is made up of software-defined perimeters, micro-segmentation, or governed by identity. Once you determine where the crown jewels are versus the least sensitive systems within your network, a pilot program to work out the kinks can be designed. Next, you can formulate your Zero Trust Policy, which should incorporate a score-based trust algorithm. The policy should balance trust with risk elements and adjust access authorizations accordingly.

5. Finally, monitor and maintain. Once you’ve established your Zero Trust environment, it needs the same regular care and feeding as any implemented security initiative. Here, analytics and automation play a key role in dynamically adjusting policy based on activity and threats. Proper monitoring of your implementation is key to a continuous Zero Trust state.

Where can I learn more about Zero Trust?

Want to dive deeper into the world of Zero Trust? Derrick Johnson, National Practice Director for Secure Infrastructure Services within AT&T Cybersecurity Consulting, has authored a comprehensive three-part blog to demystify some of these concepts.