Zero Trust Model of Information Security: Principles of Trust Architecture
These days, the term “Zero Trust” has become one of the most popular buzzwords in cybersecurity, along with AI (Artificial Intelligence) and ML (Machine Learning). This is why I want to draw your attention to the Zero Trust Model of information security and help you form a clear picture of what Zero Trust architecture is.
Zero Trust Meaning
Zero Trust was created by John Kindervag while he was a vice president and principal analyst at Forrester Research. John created this model based on the conclusion that traditional security models operate on the out-of-date belief that everything inside an organization’s network should be trusted.
Zero Trust is a model of IT security. It requires strict identity verification for every person and device that tries to access resources on a private network, no matter whether they sit within or outside of the network perimeter. No single specific technology is associated with Zero Trust. Zero Trust architecture is a complete approach to network security that combines multiple principles and technologies.
Zero Trust Model of Information Security: Best Principles
According to Microsoft, organizations today need a new security model that adapts more effectively to the complexity of the modern environment, embraces the mobile workforce, and protects people, devices, apps, and data wherever they are located. Zero Trust Identity seems to be a good solution, as it provides:
Mobile access: Users are empowered to work more securely anywhere, at any time, on any device.
Cloud migration: Digital transformation is enabled with intelligent security for today’s complex environment.
Risk mitigation: Security gaps are closed and the risk of lateral movement is minimized.
Now let’s turn to the most essential principles of the Zero Trust Model of information security:
Zero Trust Principle #1 Verify Explicitly
Zero Trust always authenticates and authorizes based on the available data points, which include:
service or workload
Zero Trust Principle #2 Use the Least Privileged Access
This principle helps to limit user access with:
JIT (just-in-time) and JEA (just-enough-access),
risk-based adaptive policies,
Least privileged access means giving users only as much access as they need, much like sharing information on a need-to-know basis. This approach minimizes each user’s exposure to the sensitive parts of the network. The main goal is to help secure both data and productivity.
Zero Trust Principle #3 Assume Breach
This principle supports minimizing the blast radius of breaches and preventing lateral movement by segmenting access by network, user, device, and app awareness. It becomes possible to verify that all sessions are encrypted end to end. We may also use analytics to get visibility, drive threat detection, and improve defenses.
Zero Trust Principle #4 Microsegmentation
Zero Trust networks utilize micro-segmentation. This is the practice of breaking up security perimeters into smaller zones in order to maintain separate access for separate parts of the network. For instance, a network with files in a single data center that utilizes micro-segmentation may contain dozens of separate, secure zones. A person or program with access to one of these zones will not be able to access any of the other zones without separate authorization.
Zero Trust Principle #5 Multi-Factor Authentication
MFA (multi-factor authentication) is another core value of Zero Trust security. MFA simply means requiring more than a single piece of evidence to authenticate a user. Here it isn’t enough to just enter a password to gain access. 2FA (two-factor authentication) is a common application of MFA. It is used on well-known online platforms such as Facebook and Google.
Users who enable 2FA for those services must, in addition to entering their password, also enter a code that is sent to another device, for instance a mobile phone. As a result, users provide two pieces of evidence to verify that they really are who they claim to be.
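The server side of the delivered-code flow described above, as an added example that is not taken from any of the platforms mentioned. The class and function names, the 300-second lifetime, and the three-attempt limit are assumptions chosen for illustration; timestamps are passed in so the behaviour is reproducible.

```python
import hmac
import secrets

CODE_TTL = 300      # seconds a code stays valid (assumed value)
MAX_ATTEMPTS = 3    # wrong guesses allowed before the code is discarded (assumed value)

class OneTimeCodes:
    """Issues and checks the short code sent to the user's second device."""

    def __init__(self):
        self._pending = {}   # user -> [code, expires_at, attempts_left]

    def issue(self, user, now):
        """Create a fresh 6-digit code; any earlier code for the user is replaced."""
        code = f"{secrets.randbelow(10**6):06d}"   # drawn from a CSPRNG
        self._pending[user] = [code, now + CODE_TTL, MAX_ATTEMPTS]
        return code   # handed to the delivery channel (SMS, push, ...)

    def verify(self, user, submitted, now):
        """Return True exactly once for the correct, unexpired code."""
        entry = self._pending.get(user)
        if entry is None:
            return False
        code, expires_at, attempts_left = entry
        if now >= expires_at:
            del self._pending[user]
            return False
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(code.encode(), submitted.encode()):
            del self._pending[user]      # single use: a replayed code fails
            return True
        entry[2] = attempts_left - 1
        if entry[2] <= 0:
            del self._pending[user]      # stops online guessing of the 6 digits
        return False

def login(store, user, password_ok, submitted_code, now):
    """The second factor is only consulted after the password check succeeds."""
    return password_ok and store.verify(user, submitted_code, now)
```
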
Zero Trust Principle #6 Control on Device Access
Besides the controls on user access, the Zero Trust architecture also applies strict controls on device access. These systems monitor, for example, how many different devices try to access the network. This is meant to make sure that every device is authorized. Controlling device access further minimizes the attack surface of the network.
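How least-privilege grants (principle #2), micro-segmentation zones (principle #4), the MFA result (principle #5), and device registration (principle #6) combine into one default-deny decision per request, as an added example that is not code from any product named on this page. The class names, zone names, user, and device IDs are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Grant:
    actions: frozenset   # just-enough-access: only these actions are allowed
    expires: datetime    # just-in-time: the grant lapses on its own

@dataclass(frozen=True)
class Request:
    user: str
    device_id: str
    mfa_passed: bool
    zone: str
    action: str

class PolicyDecisionPoint:
    def __init__(self, device_owners, grants):
        self.device_owners = device_owners   # device_id -> user it is registered to
        self.grants = grants                 # (user, zone) -> Grant

    def decide(self, req, now):
        """Evaluate one request; return (allowed, reason). Default is deny."""
        if not req.mfa_passed:
            return False, "mfa_required"
        if self.device_owners.get(req.device_id) != req.user:
            return False, "device_not_authorized"
        grant = self.grants.get((req.user, req.zone))
        if grant is None:
            return False, "no_grant_for_zone"   # access to another zone does not carry over
        if now >= grant.expires:
            return False, "grant_expired"
        if req.action not in grant.actions:
            return False, "action_not_granted"
        return True, "granted"

# Constructed sample data: one user, one registered device, one 1-hour read grant.
T0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
PDP = PolicyDecisionPoint(
    device_owners={"laptop-001": "alice"},
    grants={("alice", "hr-files"): Grant(frozenset({"read"}), T0 + timedelta(hours=1))},
)

def check(zone, action, minutes=0, device="laptop-001", mfa=True):
    """Build a request from alice at T0 + minutes and return the decision."""
    req = Request("alice", device, mfa, zone, action)
    return PDP.decide(req, T0 + timedelta(minutes=minutes))

if __name__ == "__main__":
    for case in [("hr-files", "read"), ("finance-db", "read"), ("hr-files", "read", 61)]:
        print(case, check(*case))
```

The returned reason string is what a log pipeline would record for each denial, which supports the analytics and threat detection mentioned under Assume Breach.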
Companies that Trust Zero Trust Security
1. Cisco Systems: The CEO of Cisco Systems, Chuck Robbins, has focused on security as one of the company’s key areas. The company has well-known offerings across endpoint, network, and cloud security services.
According to MSSP Alert, Cisco’s $2.35 billion buyout of Duo Security in 2018 advances the company’s zero-trust efforts. Still, Cisco is taking steps to engage MSPs in the SMB sector.
2. Microsoft: The core of Microsoft’s Zero Trust push includes Office 365 users and the related security offerings that secure the cloud productivity suite. Undoubtedly, most major MSSPs offer security services that protect Microsoft’s system software and applications. However, it was only over the past years that Microsoft truly started to recognize and target MSPs in the SMB sector.
3. Cyxtera Technologies: This firm is a secure infrastructure and colocation provider that supports more than 3,500 enterprises, agencies, and service providers. Cyxtera Technologies works with multiple MSSPs and Managed Detection and Response (MDR) providers.
To Sum Up
The philosophy behind a zero-trust network assumes that there are attackers not only within but also outside of the network. As a result, neither users nor machines should be automatically trusted.
If you are interested in implementing zero-trust security, you should know that until now the Zero Trust model required detailed implementation, focusing on the critical principles and technologies considered above. However, thanks to Cloudflare Access, any organization can now immediately and easily implement a Zero Trust model of information security on its network.