Zero Trust
What is Zero Trust?
Zero Trust is an approach to enterprise cybersecurity that emphasizes data and service protection through strong security policies around user identity verification, device compliance validation, and least-privilege access.
Zero Trust is based on the premise that trust in users or devices accessing the enterprise network must never be granted implicitly or by default but must always be verified—even if the user/device is connected to a permissioned network or has been verified in the past.
Zero Trust is not a prescriptive architecture for enterprise security, but rather a collection of principles and concepts that can help enterprise SecOps teams enforce least-privilege, per-request access decisions and better secure their IT systems against unauthorized access.
What is Zero Trust Architecture?
A Zero Trust Architecture is an enterprise security architecture based on Zero Trust tenets and assumptions, designed to prevent unauthorized access to the network, limit lateral movement inside the network, prevent data breaches, and avoid cyber attacks that could impact service availability and degrade the customer experience.
How is Zero Trust Different from Traditional Cybersecurity Approaches?
Traditionally, SOC teams have focused their efforts on defending enterprise networks at the perimeter. In this paradigm, authenticated users and devices are allowed past those perimeter defenses and granted access to a wide collection of resources that reside inside the enterprise network.
With Zero Trust, SOC teams no longer focus on managing the security perimeter. Instead, SOC teams focus on implementing systems to:
- Continually authenticate users/devices on the network,
- Authenticate and validate every request to access resources, and
- Grant resource access on the network only to users/devices that need access for a specified purpose.
What are the Tenets of Zero Trust?
Data Sources and Computing Services are Resources
In the Zero Trust paradigm, all data sources and computing services on the enterprise network are considered resources and therefore subject to the organization’s security policy. Even user-owned devices may be considered resources if they access data or computing services on the enterprise network.
All Communication Must Be Secured
All communications should be conducted in the most secure manner available. A request for access to an enterprise resource should never be granted on the basis that the request came from a device on the enterprise network infrastructure. Network location does not imply trust, and all requests should be authenticated, regardless of where they originated.
Access to Enterprise Resources is Granted on a Per-Session Basis
In a Zero Trust architecture, access to any individual enterprise resource is granted to users/devices on a per-session basis. Access should also be granted with the least privileges needed to complete the task. Authorization to access one resource and perform a specific task does not guarantee that repeat access or access to other resources will be permitted.
Access to Resources is Determined by Dynamic Policy
Enterprise SOC teams control access to resources by defining what resources the enterprise has, identifying the users who access those resources, and determining which access privileges should be held by each user group. Access requests are evaluated using dynamic policies that incorporate factors like device characteristics, user behavior, and environmental attributes to determine whether access should be permitted.
The Enterprise Monitors the Security Posture of All Assets
In a Zero Trust paradigm, no asset on the network is inherently trusted. Instead, SOC teams must continuously monitor the security posture of all owned and associated assets. Assets whose security status is compromised may be treated differently (e.g. not allowed to access enterprise resources) than assets that have been deemed secure.
Authentication and Authorization are Strictly Enforced
SOC teams implementing Zero Trust use tools like Identity and Access Management (IAM) systems and multi-factor authentication (MFA) to authenticate users before granting access to enterprise resources. Reauthentication may be triggered by certain user actions, such as requesting a different resource, changing or modifying a resource, undertaking suspicious or anomalous activity, or timing out.
The Enterprise Uses Information to Improve its Security Posture
SOC teams must collect, process, and analyze data about the security posture of network assets and resources to gain insights that can be used to improve the organization’s overall security posture.
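The per-session, least-privilege and dynamic-policy tenets above, shown as a small policy decision point. This is an added example, not ZeroFox's or the page's own code; the policy table, field names, groups and risk thresholds are constructed assumptions.

```python
# Added example (not the page's code): a toy Zero Trust policy decision point.
# The policy table, groups and thresholds below are constructed for illustration.
from dataclasses import dataclass

# Constructed policy: resource -> which groups may take which actions, plus the device bar.
POLICY = {
    "hr-db": {"allowed": {"hr": {"read"}, "hr-admin": {"read", "write"}},
              "managed_only": True, "max_risk": 30},
    "wiki":  {"allowed": {"staff": {"read"}, "contractor": {"read"}},
              "managed_only": False, "max_risk": 70},
}

@dataclass
class Subject:
    user: str
    groups: set
    mfa_verified: bool   # MFA verified for this request, not merely at some past login
    risk_score: int      # 0-100, derived from behaviour and environmental signals

@dataclass
class Device:
    managed: bool        # enterprise-owned or enrolled
    compliant: bool      # current posture check passed (encryption, patches, EDR)

@dataclass
class Session:
    user: str
    resource: str
    action: str          # the single action granted; anything else needs a new decision

def evaluate(subject, device, resource, action):
    """Return (granted, reason, session). Network location is deliberately not an input."""
    policy = POLICY.get(resource)
    if policy is None:
        return False, "unknown resource: no implicit access", None
    if not subject.mfa_verified:
        return False, "authentication not verified for this request", None
    if not device.compliant:
        return False, "device posture non-compliant", None
    if policy["managed_only"] and not device.managed:
        return False, "resource requires an enterprise-managed device", None
    if subject.risk_score > policy["max_risk"]:
        return False, "dynamic risk score exceeds resource threshold", None
    # Least privilege: the action must be explicitly allowed for one of the subject's groups.
    permitted = set().union(*(policy["allowed"].get(g, set()) for g in subject.groups))
    if action not in permitted:
        return False, f"action '{action}' not permitted for groups {sorted(subject.groups)}", None
    return True, "granted for this session only", Session(subject.user, resource, action)

def covers(session, resource, action, anomalous=False):
    """A session covers exactly one resource/action; anything else triggers a fresh decision."""
    return (session is not None and not anomalous
            and session.resource == resource and session.action == action)
```

Every request passes through `evaluate`; a prior grant never carries over to another resource, another action, or a request flagged as anomalous.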
What are Five Assumptions of Zero Trust Networks?
1. The Enterprise Network is Not an Inherent Trust Zone
SOC teams should always “assume breach” and act as if an attacker has already penetrated the enterprise network. As such, SOC teams should keep all communications secure by authenticating every connection and encrypting all traffic on the network.
2. Devices on the Network May Not Be Owned or Configured by the Enterprise
SOC teams should assume that some devices on the enterprise network will belong to contractors or other individuals using their own devices to access enterprise resources.
3. No Device is Inherently Trusted
Every device must have its security posture evaluated before it can be granted access to an enterprise resource. No device is inherently trusted, so verification is always required.
4. Not All Resources are on Enterprise-Owned Infrastructure
SOC teams should assume that enterprise resources, which include data sources and computing services, may not be hosted on enterprise-owned infrastructure. For example, the enterprise may use a public cloud deployment with computing workloads and cloud databases.
5. Remote Enterprise Subjects/Assets Cannot Fully Trust Local Network Connections
Users accessing the enterprise network from remote locations should assume that local network connections are not secured and may be monitored by malicious actors.
Augment Your Zero Trust Architecture with ZeroFox
ZeroFox provides digital risk protection, threat intelligence, and adversary disruption to dismantle threats to brands, people, assets, and data across the digital external attack surface.
While organizations use software tools like SIEM to monitor security events inside the enterprise network, ZeroFox uses artificial intelligence to monitor the digital external attack surface for cyber threats against social media accounts, web domains, and other public-facing enterprise assets.
Ready to learn more?
View our free on-demand webinar Augmented Intelligence in Practice and in the Wild to discover how ZeroFox uses AI to identify and prioritize cyber threats as part of a Zero Trust approach to enterprise cybersecurity.