Zero Trust architecture, as it pertains to cybersecurity, means precisely that: trust no one and nothing when it comes to network access. Whether the user requesting access is inside or outside the network perimeter, access should not be granted without determining (1) who or what is requesting access and (2) whether that user or application is known to the network. It is not enough for organizations to restrict access from outside the network; they need to restrict access within the network as well.
What is a Zero Trust Architecture Model?
Instead of assuming everything behind the corporate firewall is safe, the Zero Trust architecture model treats every attempt to access the network as a potential breach and verifies in-network requests against the same standards as requests that originate outside the network. That means every request is authenticated and authorized before access is granted, regardless of where it comes from. Principles such as micro-segmentation and least-privilege access are applied to limit lateral movement inside the network.
What is NIST Zero Trust Architecture?
You may also have heard of the “NIST Zero Trust architecture model”. NIST is the US Department of Commerce’s National Institute of Standards and Technology, which has published its own guide to developing and implementing a Zero Trust architecture (NIST Special Publication 800-207, Zero Trust Architecture). You can download the full NIST Zero Trust guide from NIST's website, or keep reading for a quick step-by-step summary.
Why Do You Need a Zero Trust Network Architecture?
Hackers are no longer lone wolves; they are part of criminal networks. It’s estimated that organized crime groups initiate 55% of attacks. Just as physical crime groups exist to make money, so do their virtual counterparts. Criminal organizations are looking for information that can be sold to the highest bidder on the dark web, and their focus extends well beyond a single ransomware attack or a few consumer records. The following statistics highlight why a Zero Trust security architecture is needed:
- 70% of breaches are from external sources.
- 67% of data breaches are the result of stolen credentials or human error.
- 37% of attacks use stolen or weak credentials.
- 41% of people would stop using a company that suffered a security breach.
The latest estimate is that 2020 will see an increase of over 200% in cyberattack attempts.
How Do You Create a Zero Trust Architecture?
The U.S. government has recommended a Zero Trust framework to protect against cyberattacks. According to that framework, there are five steps to follow when building a Zero Trust environment.
Step 1: Analyze risk. Companies should identify the risks associated with privileged access. Evaluate who has access to what information and for what purpose. Privileged access is the gateway through which both internal and external bad actors reach critical systems.
Step 2: Deploy multi-factor authentication. Multi-factor authentication (MFA) strengthens user identification. It is built on the principle that authentication should require more than a single credential such as a username and password, combining evidence from at least two of these categories:
- Something the user knows, such as a password or PIN (a username or email address identifies the user but is not a secret, so it does not count as a factor)
- Something the user has, such as a smartphone running an authenticator app, a hardware token, or an access card
- Something the user is, such as a fingerprint or voice print
By requiring evidence from multiple independent factors, organizations increase the likelihood that users are who they say they are: a stolen password alone is no longer enough. Access to critical digital assets should additionally require managerial approval and be permitted only over authenticated, encrypted connections such as a VPN.
Step 3: Secure core privileges. Look at the applications and accounts that access the system, and implement restrictive control of all human and non-human (service) users. If a hacker reaches an endpoint using a privileged account, it is difficult to distinguish that intruder from a trusted user. Make sure employee devices are secured and apply security updates promptly.
Step 4: Monitor the privileged pathway. Do not assume that detection mechanisms will identify all malicious activity. Monitoring privileged pathways for suspicious activity lets you stop bad actors before they expand an attack. Tightened controls create isolation layers between endpoints and help secure connections to critical assets.
Step 5: Implement attribute-based controls. Individuals and applications access a system for a reason, so it is crucial to a Zero Trust architecture that who can access what, and why, is established for every user. Placing controls around privileged users so they can only access the information required for predefined tasks minimizes the risk of unauthorized access to critical resources.
How Do You Implement a Zero Trust Architecture Model?
Implementing a Zero Trust security architecture can be done incrementally, although the first step must be analyzing risk so priorities can be set and the most critical assets protected first. When looking at risk, question the underlying assumptions about granting access. What does a guest user actually need to reach? Which third-party applications interact with the system? Never grant more access than is absolutely necessary.
Yes, employees need access to the system to perform their job responsibilities. But what is the minimum access required to do their tasks? If employees require access outside their normal scope, an explicit request for that access should be required. No one should be given unrestricted access to the system.
Remember, humans are creatures of habit. Whether it’s a morning routine at the office or shopping online, people tend to behave the same way time and time again. Monitoring user behavior can help identify unusual activity on the network, such as a login at an unusual hour or from an unfamiliar device. Given that 30% of all data breaches involved authenticated users, baselining normal behavior and flagging deviations could help minimize unauthorized use.
Micro-segmentation means dividing the network into zones that each require separate access permissions. Granting access to one zone does not grant access to all zones, which limits how far an attacker who compromises one account or host can move. This is especially crucial with more people working remotely.
With more remote devices accessing the network, controls must be in place to verify the device itself, not just the user. Only after the device is identified and its security posture verified should access be granted. This process lets companies determine whether the endpoint is a security risk before it touches any resource.
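The attribute-based controls of Step 5, the micro-segmentation zones and the device verification described above all come together in a single per-request policy decision. The following is an added example of such a decision point; it is not code from the article or from NIST. The attribute names (roles, mfa_age_s, managed, compliant, posture_age_s, zone, sensitivity) and the zone table are illustrative assumptions; in a deployment they would be fed by the identity provider, the device-management agent and the network inventory.

```python
"""Per-request policy decision point (PDP) combining attribute-based controls,
device verification and micro-segmentation zones.

Added example. All attribute names and the ZONE_POLICY table are assumptions.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Subject:
    user: str
    roles: frozenset            # roles asserted by the identity provider
    device_id: str              # device the session was established from
    mfa_age_s: Optional[int]    # seconds since last MFA; None = no MFA in this session


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool               # enrolled in device management
    compliant: bool             # disk encrypted, patched, endpoint agent running
    posture_age_s: int          # seconds since the last compliance report


@dataclass(frozen=True)
class Resource:
    name: str
    zone: str                   # micro-segment the resource lives in
    sensitivity: str            # "low", "high" or "critical"


# Micro-segmentation: each zone lists the roles admitted for each action.
# Admission to one zone says nothing about any other zone (default deny).
ZONE_POLICY = {
    "corp-apps": {"read": {"employee", "contractor"}, "write": {"employee"}},
    "finance":   {"read": {"finance", "finance-admin"}, "write": {"finance-admin"}},
    "prod-db":   {"read": {"dba"}, "write": {"dba"}},
}

# The more sensitive the resource, the fresher the MFA has to be.
MAX_MFA_AGE_S = {"low": 12 * 3600, "high": 3600, "critical": 300}
MAX_POSTURE_AGE_S = 3600


def decide(subject: Subject, device: Optional[Device],
           resource: Resource, action: str) -> Tuple[bool, str]:
    """Return (allowed, reason). Every request runs every check; nothing is
    inherited from an earlier decision or from where the request came from.
    The reason string is what you log for the monitoring in Step 4."""
    # 1. Verify the device before the user: an unknown or non-compliant endpoint is denied outright.
    if device is None or device.device_id != subject.device_id:
        return False, "device unknown or does not match session"
    if not (device.managed and device.compliant):
        return False, "device not managed or not compliant"
    if device.posture_age_s > MAX_POSTURE_AGE_S:
        return False, "device posture report is stale"

    # 2. Require MFA, with freshness tied to resource sensitivity.
    if subject.mfa_age_s is None:
        return False, "no MFA in this session"
    if subject.mfa_age_s > MAX_MFA_AGE_S[resource.sensitivity]:
        return False, f"MFA older than allowed for {resource.sensitivity} resources"

    # 3. Micro-segmentation plus least privilege: a role admitted to this zone
    #    for this specific action is required; an unknown zone is denied.
    zone_rules = ZONE_POLICY.get(resource.zone)
    if zone_rules is None:
        return False, f"unknown zone {resource.zone}"
    if not subject.roles & zone_rules.get(action, set()):
        return False, f"no role permits {action} in zone {resource.zone}"

    return True, "allow"


if __name__ == "__main__":
    # Constructed sample data for a quick run.
    laptop = Device("lt-0042", managed=True, compliant=True, posture_age_s=600)
    alice = Subject("alice", frozenset({"employee", "finance"}), "lt-0042", mfa_age_s=120)
    ledger = Resource("gl-ledger", zone="finance", sensitivity="high")
    print(decide(alice, laptop, ledger, "read"))    # allowed
    print(decide(alice, laptop, ledger, "write"))   # denied: finance-admin role needed
    print(decide(alice, laptop, Resource("orders-db", "prod-db", "critical"), "read"))  # denied: wrong zone
```

The ordering matters: device posture is checked first so that a compromised or unmanaged endpoint never gets as far as a role lookup, and the zone table is consulted per action so that read access to a segment does not silently imply write access.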
Figuring out all the bases to cover for your organization’s cybersecurity is not an easy process to navigate, especially in times like these, and that’s why Electric is here to support your organization.