80. Understanding and Implementing Zero Trust Networks
In this engaging lesson, we shall delve into a critical concept in modern cybersecurity – Zero Trust Networks or ZTN. ZTN is a security framework that stipulates, ‘never trust, always verify.’ Instead of assuming everything behind the corporate firewall is safe, the Zero Trust model assumes breach and verifies each request as though it originates from an open network. Regardless of where the request comes from or what resource it accesses, Zero Trust teaches us to ‘verify explicitly, enforce least privileged access and assume breach.’
1. The Concept and Principles of Zero Trust Networks
The Zero Trust Network or Zero Trust Architecture originates from a cybersecurity concept pitched by John Kindervag, a former Forrester analyst, in 2010. The model advocates for stringent access controls on network resources and progressive monitoring of network traffic, primarily because it operates on the assumption that threats exist both inside and outside the network. The model is hinged upon three key principles:
- Verify explicitly: Always authenticate and authorise based on all available data points, including user identity, location, device health, service or workload, data classification, and anomalies.
- Use least privileged access: Limit user access with just-in-time and just-enough-access (JIT/JEA), risk-based adaptive policies, and data protection.
- Assume breach: Minimise the blast radius of a breach and prevent lateral movement by segmenting access per network, user, device, and app. Increase visibility and log network traffic for incident detection and response.
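As an added illustration (not code from the original lesson), the following policy decision point applies the three principles to each request: it checks the signals listed above on every request regardless of origin, refuses anomalous sessions on sensitive data, and grants only the requested action for a time-boxed window. User names, classifications and thresholds are assumed.

```python
# Added example, not from the original lesson: a tiny policy decision point that
# applies the three principles to every request. Names and thresholds are assumed.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass
class Request:
    user: str
    mfa_verified: bool
    device_compliant: bool       # e.g. disk encrypted, EDR running, patched
    source_segment: str          # "office", "vpn", "internet": never used as a trust signal
    classification: str          # "public", "internal" or "confidential"
    action: str                  # "read" or "write"
    anomaly_score: float         # 0.0 normal .. 1.0 highly anomalous

@dataclass
class Decision:
    allow: bool
    reason: str
    scope: str = ""                          # just-enough-access: the one action granted
    expires_at: Optional[datetime] = None    # just-in-time: the grant is time-boxed

# Hypothetical entitlements: which classifications each user may access at all.
ENTITLEMENTS = {"alice": {"public", "internal", "confidential"}, "bob": {"public", "internal"}}
# The more sensitive the data, the less anomaly is tolerated and the shorter the grant.
MAX_ANOMALY = {"public": 0.9, "internal": 0.6, "confidential": 0.3}
TTL_MINUTES = {"public": 480, "internal": 60, "confidential": 15}

def evaluate(req: Request, now: Optional[datetime] = None) -> Decision:
    now = now or datetime.now(timezone.utc)
    # Verify explicitly: identity, device and context are checked on every request,
    # whether it came from the office LAN or the internet (req.source_segment is ignored).
    if not req.mfa_verified:
        return Decision(False, "mfa required")
    if not req.device_compliant:
        return Decision(False, "device not compliant")
    if req.classification not in ENTITLEMENTS.get(req.user, set()):
        return Decision(False, "no entitlement for this classification")
    # Assume breach: an anomalous session on sensitive data is denied and logged for review.
    if req.anomaly_score > MAX_ANOMALY[req.classification]:
        return Decision(False, "anomaly above threshold; step-up verification required")
    # Least privilege: grant only the requested action, for a limited window;
    # writes to confidential data get the shortest window.
    ttl = 5 if (req.action == "write" and req.classification == "confidential") \
        else TTL_MINUTES[req.classification]
    return Decision(True, "verified", f"{req.action}:{req.classification}",
                    now + timedelta(minutes=ttl))
```

Note that a request from the "office" segment without MFA is refused exactly like one from the internet; the network location carries no trust on its own.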
2. Implementing Zero Trust Network Architecture
Deploying a Zero Trust architecture is not an overnight transition. It requires a well-thought-out strategy commensurate with an organisation’s needs. Below are steps to consider while planning a ZTN implementation.
Step 1: Identify Sensitive Data and its Flow
You should know where your sensitive, business-critical data is stored and understand how it flows across your network. This information is essential when defining and implementing your Zero Trust policy.
Step 2: Map Transaction Flows
Develop a comprehensive understanding of your business’s transaction flows. This helps you differentiate normal traffic from suspected malicious traffic, which is imperative to creating robust security protocols.
Step 3: Build a Zero Trust Architecture
With insight into your data and transaction flows, you can create a model to validate users and devices at every point in data transit. It might necessitate redesigning your network into micro- or nano-segments.
Step 4: Pick the Low-Hanging Fruit First
Start with the low-hanging fruit. Enhancing endpoint security or adding multi-factor authentication can be an excellent place to start and can make your security noticeably better.
Step 5: Iterate and Improve
Finally, it’s vital not to see Zero Trust as a one-off project but as an ongoing process. Ensure that you gather key learnings and make amendments to your policy and architecture accordingly.
3. Benefits and Challenges of Zero Trust Networks
The Zero Trust approach offers heightened security, as it requires validation at every point in data communication. This rigorous checking significantly reduces the chance of unauthorised data access, leakage, and breaches. However, implementing Zero Trust also brings challenges, such as resistance to change, the complexity of strategic planning, the need for significant upskilling, and potential business interruptions during the transition phase.
4. Relevance of Zero Trust in the Current Digital Landscape
With businesses opting for an increasingly hybrid model of work and the proliferation of cloud technology, the traditional ‘trust but verify’ framework becomes obsolete. The Zero Trust model is gaining traction quickly. It offers a security framework that organisations today need to protect their diversifying digital landscape. That said, it’s important to remember that Zero Trust is not a single solution but a holistic approach to network security.
To learn more about Zero Trust Networks, I would recommend the original white paper by John Kindervag at Forrester Research, which is available here. For a more modern take, ‘Zero Trust Networks: Building Secure Systems in Untrusted Networks’ by Evan Gilman and Doug Barth is an excellent read on the subject.
The journey towards achieving a full Zero Trust environment will be intricate and challenging, but the clear advantages make this a compelling journey, and one that most organisations will inevitably embark on as the cyber landscape continues to evolve.