COVID-19 taught every business that things will not always be smooth and that it must adjust quickly to any situation in order to survive. In 2020 the global pandemic forced nearly every organization to embrace a mobile workforce, and protecting users, devices, apps and data wherever they are located became complicated. The traditional approach to security cannot provide the required business agility, user safety and data protection. Organizations now need to adopt the Zero Trust model, which adapts more effectively to the complexity of the modern environment, supports the hybrid workplace and protects people, devices, apps and data irrespective of location.
NIST Special Publication (SP) 800-207 gives the following operative definition of Zero Trust and Zero Trust Architecture (ZTA): Zero Trust provides a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as compromised. ZTA is an enterprise’s cybersecurity plan that uses zero trust concepts and encompasses component relationships, workflow planning, and access policies. In short, Zero Trust is an essential security strategy, or framework, for confronting the growing intensity and sophistication of cyber-attacks. Governments and businesses worldwide have now recognized the importance of adopting this enhanced security model. Comprehensive planning and implementation of the Zero Trust approach empower people to work productively and securely when, where, and how they want.
How does zero trust work?
The concept of Zero Trust is very simple: “never trust, always verify”. Instead of assuming everything is safe, the Zero Trust model assumes breach and verifies each request as though it originates from an open, untrusted network.
This lets employees use their own devices, work remotely from any location, access corporate applications, and share data with external partners or vendors. With the Zero Trust model, every access request is strongly authenticated, authorized within policy limits, and inspected for anomalies before access is granted. Everything from the user’s identity to the application’s hosting environment is secured to prevent breaches.
According to Microsoft, Zero Trust in Microsoft 365 rests on three simple guiding principles:
Verify explicitly – Always authenticate and authorize based on all available data points, including user identity, location, device health, service or workload, data classification, and anomalies.
Use least privileged access – Limit user access with just-in-time and just-enough-access (JIT/JEA), risk-based adaptive policies, and data protection to help secure both data and productivity.
Assume breach – Minimize the blast radius with micro-segmentation, end-to-end encryption, continuous monitoring, and automated threat detection and response. Use analytics to gain visibility, drive threat detection, and improve defenses.
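As an added illustration (not code from the original post or from Microsoft's documentation), the following Python policy decision point evaluates one access request against the data points listed above: identity, device health, location risk, data classification and anomaly signals, plus a time-bounded just-in-time grant for privileged operations. The attribute names, thresholds and sample requests are assumptions constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed clock for the sample requests

@dataclass
class AccessRequest:  # field names are assumptions made for this example
    mfa_passed: bool            # strong authentication completed for this session
    device_compliant: bool      # device health attested by a management agent
    location_risk: str          # "low" | "medium" | "high" from location analytics
    anomaly_score: float        # 0.0 (normal) .. 1.0 (highly anomalous)
    data_classification: str    # "public" | "internal" | "confidential"
    privileged: bool = False    # admin-level operation?
    jit_grant_expires: Optional[datetime] = None  # just-in-time grant for privileged ops

def issue_jit_grant(now: datetime, minutes: int = 30) -> datetime:
    """Just-in-time grant: time-bounded, so standing privilege never accumulates."""
    return now + timedelta(minutes=minutes)

def decide(req: AccessRequest, now: datetime) -> str:
    """Evaluate one request and return 'allow', 'step-up' (re-verify) or 'deny'."""
    if not req.mfa_passed:                    # verify explicitly: identity, every request
        return "deny"
    if req.anomaly_score >= 0.8 or req.location_risk == "high":
        return "deny"                         # assume breach: risk overrides a valid session
    if not req.device_compliant and req.data_classification != "public":
        return "deny"                         # device health gates all non-public data
    if req.privileged and (req.jit_grant_expires is None or req.jit_grant_expires <= now):
        return "deny"                         # least privilege: no standing admin rights
    if (req.location_risk == "medium" or req.anomaly_score >= 0.5
            or req.data_classification == "confidential"):
        return "step-up"                      # risk-based adaptive policy: re-verify first
    return "allow"

def sample_decisions() -> Dict[str, str]:
    """Constructed requests showing how each signal changes the outcome."""
    base = dict(mfa_passed=True, device_compliant=True, location_risk="low",
                anomaly_score=0.1, data_classification="internal")
    cases = {
        "healthy_request": AccessRequest(**base),
        "no_mfa": AccessRequest(**{**base, "mfa_passed": False}),
        "noncompliant_device": AccessRequest(**{**base, "device_compliant": False}),
        "confidential_data": AccessRequest(**{**base, "data_classification": "confidential"}),
        "anomalous_session": AccessRequest(**{**base, "anomaly_score": 0.9}),
        "admin_without_jit": AccessRequest(**base, privileged=True),
        "admin_with_fresh_jit": AccessRequest(**base, privileged=True, jit_grant_expires=issue_jit_grant(NOW)),
        "admin_with_expired_jit": AccessRequest(**base, privileged=True, jit_grant_expires=NOW - timedelta(minutes=1)),
    }
    return {name: decide(req, NOW) for name, req in cases.items()}
```

Note that a valid, MFA-backed session is still denied when the device is non-compliant, the behaviour is anomalous, or the JIT grant has lapsed: each request is judged on all signals, not on the fact that it was once authenticated.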
The Zero Trust Maturity Model defines five primary, distinct pillars, each with suggestions on how to address its security. You may include a few more components depending on your specific business needs.
Identity – Refers to a set of attributes that uniquely describe a user or entity. Verify and secure each identity with strong authentication across your entire digital estate.
Devices – A device refers to any hardware asset that can connect to a network, including internet of things (IoT) devices, mobile phones, laptops, servers, and others. Gain visibility into the devices accessing your network. Ensure compliance and health status before granting access.
Application workload – This includes agency systems, computer programs, and services that execute on-premises, as well as in a cloud environment. Discover shadow IT, ensure appropriate in-app permissions, gate access based on real-time analytics, and monitor and control user actions.
Network – A network refers to an open communications medium, including agency internal networks, wireless networks, and the internet. Ensure that devices and users aren’t trusted just because they’re on an internal network. Encrypt all internal communications, limit access by policy, and employ micro-segmentation and real-time threat detection.
Data – Data should be protected on devices, applications, and networks. Inventory, categorize, and label data, protect data at rest and in transit, and deploy mechanisms for detecting data exfiltration. Move from perimeter-based data protection to data-driven protection.
Infrastructure – Refers to the hosting environment, e.g. on-premises servers, cloud-based VMs, containers, and micro-services. Use telemetry to detect attacks and anomalies, automatically block and flag risky behavior, and employ least privilege access principles.
How to get started with Zero Trust?
Think big, start small but move fast! It’s never too late to get started.
A Zero Trust approach should extend throughout the entire digital estate with an end-to-end strategy.
- The very first step is to identify what you are trying to protect, and then whom you want to protect it from. Based on the outcome, identify your current business needs and focus on getting quick wins.
- Perform an assessment of your Zero Trust maturity stages to determine where your organization is now and how to move to the next stage.
- Plan the deployment aligned with the business outcome to get leadership support, budget allocation, and end-user engagement.
- Implement Zero Trust Architecture by applying Zero Trust controls in steps. This can be done without disrupting employee productivity and connectivity. You don’t have to replace technology at first; embrace the technologies you have already deployed and the infrastructure you already host.
- To help guide you through your own Zero Trust journey, create a multiyear strategy with an actionable best practices framework for each of the five pillars we discussed.
- Evaluate success through measurable improvements: identify key milestones and performance goals for your organization, measure them, and report on successes and lessons learned to build confidence.
Courtesy: Microsoft, CISA, NIST & Science Direct