Zero Trust
In this article
What is Zero Trust?
Zero Trust is a security principle where users and systems never automatically trust each other. In traditional corporate networks, access is restricted to internal users and a single login check is usually sufficient. However, in open cloud environments, where everything communicates over public networks, identities must be constantly verified. This concept is the foundation of Zero Trust.
Why is Zero Trust Security the best?
To understand why Zero Trust security is currently the best approach, it’s helpful to consider how IT security has traditionally been organized. Traditional security can be likened to a castle where the focus was on the walls, the drawbridge, and the gate. However, once a breach was made or the gate was forced open, the enemy had definitive access.
Traditional IT networks are secured in a similar manner, using firewalls and VPNs to protect primary access points. But once inside, one could freely explore connected systems and data with limited or no further checks. This type of security is outdated in modern IT environments. Zero Trust, by contrast, seeks to continually verify its users.
Zero Trust Principles
The modern IT landscape of organizations is literally boundless. Some or all applications and data are cloud-based. Systems can be accessed at any time, from any location, by any device; not just by employees but also by contractors, customers, and partners. Data is also directly exchanged between applications. The only way to secure such a digital environment is by continuously verifying every individual session between users, applications, and data. In Zero Trust, nothing and no one is automatically trusted, encapsulating John Kindervag’s original ethos: ‘never trust, always verify’.
Zero Trust Framework
The Zero Trust approach has been around for over a decade and is now a key concept in information security for many businesses and governments. The Dutch National Cyber Security Centre (NCSC) emphasizes the importance of a Zero Trust Framework. Similarly, in the United States, a White House memo (Executive Order 14028) has called for government organizations to implement a Zero Trust Architecture (ZTA) to “Improve the Nation’s Cybersecurity”. The National Institute for Standards and Technology (NIST) also outlines guidelines for a Zero Trust Framework in standard NIST 800-207.
Zero Trust Architecture
In a blog, the NCSC translates the Zero Trust principles into three overarching core concepts for a Zero Trust architecture:
- Authentication and authorization: ‘Never trust, always verify’ starts with robust identity checks. Before a user or application can access data and functionality, their claimed identity must be verified. If authentication is successful, authorization follows, granting access to the necessary data and applications. Access rights are limited on a need-to-know basis to avoid unnecessary data exposure.
- Network segmentation: Safe access is facilitated by dividing networks into zones, also known as implied trust zones. A manager is responsible for each zone and can determine access permissions and applicable security requirements. The idea is to work with relatively small zones to minimize the impact of any potential security breaches.
- Monitoring: The Zero Trust model assumes constant monitoring of all devices, users, services, and their communications. This allows for the timely detection of misuse and policy violations, and the implementation of measures such as automatically blocking certain zones. All data must be encrypted, not just stored data, but also data in transit.
Implementing Zero Trust Security
Identity and Access Management (IAM) plays a crucial role in implementing Zero Trust security. IAM facilitates multiple aspects of your Zero Trust strategy:
- Issuing access rights automatically based on roles or functions ensures that a person only accesses applications and data that are strictly necessary, directly enhancing Zero Trust security.
- Access requests can also be streamlined through a modern IAM solution, including secure approval processes. Moreover, access rights can be granted temporarily, which limits their duration.
- Additionally, digital access security is strengthened with Multi-Factor Authentication (MFA). While passwords are always a vulnerability, MFA significantly reduces the risk of a security breach.
- In a professional IAM solution, access to applications and data is fully auditable. All access attempts and any changes to business rules and access rights are logged for audit purposes.
More about Zero Trust security with IAM?
Visit our website to find a use case on the role of modern IAM solutions in implementing a Zero Trust network. Our cloud-based IAM solution, HelloID, not only provides Identity-as-a-Service but also paves the way for a ‘Zero Trust as a service’ solution.
In Zero Trust, it is not only crucial to continuously verify the identities of users, but we must also ensure that these users access only the applications and data they genuinely need for their work. As an organization grows, managing this becomes feasible only by working with defined roles and clearly specifying the systems and data each role requires. Role-Based Access Control (RBAC) ensures that users automatically gain access only to the data and applications necessary for their roles.
Zero Trust operates on the principle that you should never inherently trust anyone. Consequently, you should not grant more access than is strictly necessary for their work. This is known as the Principle of Least Privilege (PoLP) and helps make your Zero Trust approach even more effective. Under this principle, people access their applications and data on a ‘need to know’ basis. A modern IAM system can assist in enforcing this Least Privilege principle.
Not really. Techniques such as perimeter-based security and VPNs often revert to the outdated ‘castle-and-moat’ security model. In many cases, this approach is no longer adequate. Virtually all modern security approaches now incorporate ideas from Zero Trust. While Zero Trust itself focuses primarily on the need to continuously verify users, other concepts like Least Privilege and Role-Based Access Control (RBAC) emphasize restricting access to only the systems and data users truly need.