Traditionally, organizations have adopted the perimeter-based security model, which takes a “Trust but Verify” approach. The model is based on the principle that threats come from outside the established security perimeter, while everyone and everything within this perimeter is reliable and can be trusted. Consequently, the model focuses on implementing state-of-the-art perimeters to protect valuable enterprise data within corporate strongholds and to keep bad actors out. Trusted entities are granted access to enterprise resources but are supposed to be monitored. However, due to inefficient monitoring and verification, this access to enterprise resources is often exploited by both internal and external threats.
The current business environment, which is much more complex and collaborative, has rendered the perimeter-based security model obsolete. The model cannot provide the needed level of protection for the increased attack surface that comes with enterprise data being more mobile than ever. The security perimeter is now blurred. Corporate information resides both within and outside the established network perimeter and is accessed not only by internal users but also by vendors, customers, and all kinds of collaborators. In the modern enterprise environment, trust equals vulnerability and must be eliminated entirely. Everyone and everything must be regarded as a threat until proven otherwise, regardless of location or asset ownership. This is the concept of Zero Trust.
The Zero Trust model aims to move defenses away from static, network-based perimeters to focus on users, assets, and resources. Zero Trust adopts a “Never Trust, Always Verify” approach. The model assumes that threats are already behind the network perimeter and therefore applies strict controls to all user and device access. It uses strategies and technologies such as microsegmentation, identity and access management, multi-factor authentication, encryption, data analytics, compliance monitoring, file system permissions, and orchestration to achieve its goals: preventing unauthorized access to data and services, and making access control, and access control decisions, as granular as possible.
Recommended steps for implementing Zero Trust security in your enterprise environment are:
- Identify all your assets and determine the associated risks. What are your most valuable assets? What level of protection do they require? How does data flow within your environment?
- Break up your network into segments. This is important because network segmentation facilitates the implementation of granular access control, one of the goals of the Zero Trust model.
- Establish an access control policy that determines who/what you will let in, and what they will be able to do within your environment. This policy must be clear and specific, granting access per user, per process, per application, and per role. Controls must ensure that access to one environment never means automatic access to others.
- Train your people on the importance of security and the best practices for enterprise security. This is important to the success of your Zero Trust initiative, as employees and contractors represent a significant risk, even if unintentionally.
- Implement the principles of least access. Both least-privilege and least-functionality access must be enforced. Access should be only on an as-needed basis.
- Employ data analytics to maintain and monitor your ecosystem. Data on your systems and networks should continually be collected and analyzed to verify the success of your Zero Trust initiative.
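As an added illustration (not part of the original article), the access control, least access, and monitoring steps above can be sketched as a default-deny policy check in Python. The user names, roles, applications, segments, and reason strings are constructed for the example, and the MFA and device checks are assumptions about how "always verify" would be enforced.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Grant:
    user: str
    role: str
    application: str
    segment: str
    actions: frozenset  # least privilege: only the actions actually needed

@dataclass(frozen=True)
class Request:
    user: str
    role: str
    application: str
    segment: str
    action: str
    mfa_verified: bool
    device_compliant: bool
    source_network: str  # kept for audit only; never used to grant trust

# Constructed sample policy (hypothetical users, roles and segments).
GRANTS = [
    Grant("alice", "finance-analyst", "ledger", "finance", frozenset({"read"})),
    Grant("bob", "vendor", "ticketing", "partner-dmz", frozenset({"read", "write"})),
]

def decide(req, grants=GRANTS):
    """Return (allowed, reason); anything not explicitly granted is denied."""
    if not req.mfa_verified:
        return False, "mfa_required"
    if not req.device_compliant:
        return False, "device_not_compliant"
    key = (req.user, req.role, req.application, req.segment)
    matched = [g for g in grants if (g.user, g.role, g.application, g.segment) == key]
    if not matched:
        return False, "no_matching_grant"  # a grant in one segment never carries over
    if any(req.action in g.actions for g in matched):
        return True, "explicit_grant"
    return False, "action_not_granted"

def denial_summary(requests, grants=GRANTS):
    """Count denials per reason, the kind of signal the monitoring step collects."""
    reasons = (decide(r, grants) for r in requests)
    return Counter(reason for allowed, reason in reasons if not allowed)
```

Note that `source_network` plays no part in the decision: a request from the corporate LAN without MFA is denied, while a verified request from the internet with an explicit grant is allowed.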
With the increasing numbers of remote users, cloud-based assets, and bring-your-own-device policies blurring the defined network perimeter, organizations must look to adopt the Zero Trust model to ensure the security of their valuable resources. Implementing the Zero Trust model can provide a number of important business benefits including facilitating the implementation of innovative solutions securely to cater to new business demands, providing organizations with the ability to respond more effectively to potential threats, and achieving better compliance with regulations.