6 key elements of Zero Trust for every security professional
Zero Trust is gaining broad adoption among cybersecurity teams. The recent AT&T Cybersecurity InsightsTM Report finds that 94% of survey participants are either researching, implementing, or completed implementation of Zero Trust. Indeed, the Zero Trust journey is well underway!
The Zero Trust premise is the traditional methods of securing the "four walls" of an organization are outmoded and pose security risks. The fundamental tenet of Zero Trust is trust nothing and verify everything.
This principle is based on core values that the network is hostile and under constant threat. Based on this assumption, policies are developed to limit the level of risk.
The Zero Trust framework can be summed up as:
- The network is always assumed to be hostile
- Threats, internal and external, always exist on the network
- Network location is not sufficient for determining trust in a network
- Every device, user, and network flow is authenticated and authorized
- Policies must be dynamic and derived from as many data sources as possible
Adoption of a Zero Trust approach means security professionals need to be confident their organization views security from both a business and technical lens, and at a minimum include the following six elements:
Network segmentation – This is considered the foundation of Zero Trust. By segmenting networks into smaller networks, organizations remove the weakness of a traditional network model. Without segmentation, an adversary only needs to exploit a single network to gain access to sensitive data and the wider infrastructure.
Identity and access management (IAM) – IAM grants access to information that meets a pre-determined level of authentication and authorization. IAM uses multi-factor identification to make sure only those verified are granted access
Firewall and least privilege access – Similar to network segmentation, this technology acts as a buffer to information while only permitting access to those that have genuine business needs. For example, a systems engineer would not need access to sensitive human resources data for their job.
Data security – Data security is necessary to help mitigate data breaches and avoid leaks. Data security becomes more critical as enterprises implement IaaS, SaaS , and edge computing. With these internet connected systems, malicious actors have more access points to exploit and compromise sensitive data. Additionally, it helps organizations comply with global data privacy and security regulations
Configuration management – Security departments frequently are resource constrained. A configuration management system provides an inventory of known devices connected to the network and contains automation capabilities for implementing security policies that may be missed by humans. Reducing human error is a big part of implementing Zero Trust.
SIEM (Security Information and Event Management) – SIEMs provide the centralized visibility an organization seeks regarding its security environment centralized, allowing the security team to act and deter potential threats in real-time.
Organizations should seek advice from a trusted cybersecurity consultancy to understand how to best implement a Zero Trust framework. Remember, Zero Trust is a journey, not a destination.