The issues of online security and privacy continue to be of utmost concern for businesses. Last year, nearly half a billion personal records were stolen by hackers; that’s a 126 percent jump from 2017. And so far in 2019, hackers have stolen over $4 billion via crypto crimes.
And while security experts continue to emphasize the right mix of network monitoring, threat mitigation solutions, and employee training on security best practices, there’s now a surge of interest in zero trust security.
What is zero trust security? The castle-and-moat example
Traditional cybersecurity is based on the castle-and-moat concept: entering the castle is difficult, but inside, defense is minimal because it is assumed everyone inside can be trusted.
Zero trust is a security model based on a simple principle: trust no one. This includes your employees. Even today, many companies trust their staff to behave responsibly. But all it takes is one careless mistake from an employee, and your network security is compromised.
John Kindervag introduced the zero trust model back in 2010, when he realized that this assumption of trust is a major network vulnerability. Worse, once criminals gain access to your network, they are free to roam around inside.
Today, many Chief Information Officers (CIOs), Chief Information Security Officers (CISOs), and executives are clamoring to implement zero trust in their businesses, as more technologies and IT solutions are now available.
The six tenets of zero trust, explained
The zero trust model is not about acquiring a specific technology solution. Rather, it is a holistic approach to cybersecurity that rethinks how networks are configured, how executives approach and value security, and how employees behave at work.
The zero trust mantra is “never trust, always verify, enforce least privilege.” Building a zero trust network requires the strictest approach to privileged access, as shown in the following six tenets. To help explain things, let’s continue using the castle-and-moat example.
#1 Verify everything
Most people are familiar with multifactor authentication (MFA): access is granted only after a user’s identity is verified through multiple credentials. With zero trust, MFA is applied everywhere within the network, not just at the entrance. Also, identities aren’t limited to people; even workloads, services, and machines have identities that need to be verified. And when an employee resigns, their network identity is immediately disabled.
For example, the lord of the castle wants to enter a room. Not only does he need two guards to verify his identity before he is let in, the head of armory must also verify that the sword he’s carrying is his. And if the lord decides to leave the castle for good, he will be barred from entering the castle again.
#2 Contextualize request
Your database administrator (DBA) should not have default access to all databases. He should only be allowed access to databases that need work on that day. Similarly, you should not entrust the keys to all castle doors with one keymaster. Instead, the keymaster should only be given keys to the rooms he has to enter for that day.
#3 Secure admin environment
No malware should be allowed to infect important servers. Workstations that are connected to the internet and email should not have access to internal servers. Access should only be granted through jump boxes. These, also known as jump servers, are proxy servers or computers that serve as a connector and buffer between a secure internal network and the external untrusted environment.
Think of the jump box as an island in the middle of the castle moat. Outsiders are only allowed up to that point. Any goods or messages they bring will be screened there, and only the ones that pass the vetting process will be handed over to castle insiders.
#4 Grant least privilege
Least privilege is actually a familiar concept in the physical space. With least privilege, access to castle areas is strictly limited. Individuals will only be allowed access to rooms and areas relevant to them.
In the digital domain, a user with limited access rights does not have the freedom to roam around your network. Furthermore, his access can be limited for a specified period. Once a user is done with a task or project, his access privileges are revoked.
#5 Audit everything
It is best to have documented records of all actions performed within your network. With audit logs, it will be easy to pinpoint responsibility to a particular person or trace a problem using forensic analysis. It’s like requiring castle visitors to log in and out; plus, there are CCTV cameras recording everything going on in every room.
#6 Adaptive control
Verification is not a one-size-fits-all process. The level of verification required is adjusted depending on the amount of risk present. Algorithms double-check where an access request is coming from, and they also analyze a user’s behavior. If a request comes from a potentially risky location, stronger verification is required before access is granted. And if the user’s behavior is deemed anomalous, it triggers a security alert.
Similarly, when potential troublemakers approach the castle, the number of guards deployed to meet them will be adjusted depending on the threat assessment.
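The six tenets above describe a decision process rather than a product, so it helps to see them written down as one. The following is an added example, not code from the original post or from Online Computers: a toy policy engine that evaluates every request from scratch (verify everything), only honors narrow, time-boxed grants (contextualize request, least privilege), confines admin resources to trusted devices such as a jump box (secure admin environment), records every decision (audit everything), and raises the bar or alerts as a risk score grows (adaptive control). The `admin/` resource prefix, the risk weights, the alert threshold, and the "dba-alice" identity are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Request:
    subject: str            # user, service or machine identity
    resource: str
    action: str
    mfa_passed: bool
    device_trusted: bool    # e.g. session comes through a managed jump box
    source_network: str
    now: datetime


@dataclass
class Grant:
    resource: str
    actions: frozenset
    expires: datetime       # every grant is time-boxed (tenets #2 and #4)


class ZeroTrustPolicy:
    """Every request is re-verified; nothing is trusted for being 'inside'."""

    ADMIN_PREFIX = "admin/"     # assumption: admin resources are namespaced this way
    ALERT_THRESHOLD = 3         # assumption: risk at or above this denies and alerts

    def __init__(self):
        self.identities = {}    # subject -> {"active", "networks", "grants"}
        self.audit_log = []     # tenet #5: one record per decision
        self.alerts = []        # tenet #6: anomalous requests raise an alert

    def add_identity(self, subject, usual_networks):
        self.identities[subject] = {
            "active": True, "networks": set(usual_networks), "grants": []}

    def disable_identity(self, subject):
        # tenet #1: a departing employee's identity is switched off immediately
        self.identities[subject]["active"] = False

    def grant(self, subject, resource, actions, ttl, now):
        # tenets #2 and #4: access to one resource, for one set of actions, for a limited time
        self.identities[subject]["grants"].append(
            Grant(resource, frozenset(actions), now + ttl))

    def risk_score(self, req):
        # tenet #6: unfamiliar location, unmanaged device and destructive actions add risk
        ident = self.identities.get(req.subject)
        score = 0
        if ident is None or req.source_network not in ident["networks"]:
            score += 2
        if not req.device_trusted:
            score += 2
        if req.action in ("write", "delete"):
            score += 1
        return score

    def _record(self, req, allowed, reason):
        self.audit_log.append({"time": req.now.isoformat(), "subject": req.subject,
                               "resource": req.resource, "action": req.action,
                               "allowed": allowed, "reason": reason})
        return allowed, reason

    def evaluate(self, req):
        ident = self.identities.get(req.subject)
        # #1 verify everything: unknown or disabled identities never get in, and MFA is
        # required on every request, not just at the perimeter
        if ident is None or not ident["active"]:
            return self._record(req, False, "identity unknown or disabled")
        if not req.mfa_passed:
            return self._record(req, False, "mfa required for every request")
        # #6 adaptive control: very risky context is denied and alerted on
        risk = self.risk_score(req)
        if risk >= self.ALERT_THRESHOLD:
            self.alerts.append({"subject": req.subject, "risk": risk,
                                "time": req.now.isoformat()})
            return self._record(req, False, f"risk {risk} too high; alert raised")
        # #3 secure admin environment: admin resources only from a trusted device
        if req.resource.startswith(self.ADMIN_PREFIX) and not req.device_trusted:
            return self._record(req, False, "admin resource requires trusted device")
        # #2 and #4: a matching, unexpired grant is the only way in
        matching = [g for g in ident["grants"]
                    if g.resource == req.resource and req.action in g.actions]
        if any(req.now < g.expires for g in matching):
            return self._record(req, True, "grant matched")
        if matching:
            return self._record(req, False, "grant expired")
        return self._record(req, False, "no grant for resource/action")


def demo():
    """Walk a constructed DBA identity through the tenets; returns (results, policy)."""
    policy = ZeroTrustPolicy()
    t0 = datetime(2019, 6, 3, 9, 0)
    policy.add_identity("dba-alice", usual_networks={"corp"})
    policy.grant("dba-alice", "db/orders", {"read", "write"}, timedelta(hours=8), t0)

    def req(**overrides):
        base = dict(subject="dba-alice", resource="db/orders", action="read",
                    mfa_passed=True, device_trusted=True, source_network="corp", now=t0)
        base.update(overrides)
        return Request(**base)

    results = {
        "normal": policy.evaluate(req()),
        "no_mfa": policy.evaluate(req(mfa_passed=False)),
        "other_db": policy.evaluate(req(resource="db/hr")),
        "after_hours": policy.evaluate(req(now=t0 + timedelta(hours=9))),
        "risky_delete": policy.evaluate(req(action="delete", source_network="unknown",
                                            device_trusted=False)),
        "admin_untrusted": policy.evaluate(req(resource="admin/console",
                                               device_trusted=False)),
    }
    policy.disable_identity("dba-alice")
    results["after_resignation"] = policy.evaluate(req())
    return results, policy


if __name__ == "__main__":
    outcomes, engine = demo()
    for name, (allowed, reason) in outcomes.items():
        print(f"{name:18} allowed={allowed!s:5} {reason}")
    print(f"{len(engine.audit_log)} audit records, {len(engine.alerts)} alert(s)")
```

Note how the checks are ordered: identity and MFA come first, the risk score comes next so that a high-risk request is refused before any grant is even consulted, and the grant lookup is last and scoped to one resource and one action with an expiry. Every branch passes through `_record`, so the audit log is complete regardless of which rule decided the outcome.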
Implementing a zero trust network requires a holistic approach to your security. And because there’s no one-size-fits-all solution, you will need a managed IT services provider like Online Computers. We have the trusted experts who can help you achieve zero trust. If your small- or mid-sized business in Hanover, Morristown, or Madison needs enterprise-grade security at pay-only-for-what-you-need prices, then you should contact us today.