Despite efforts within the cyber security industry to oversimplify the concept, Zero Trust should be thought of as a strategy and framework, not as a problem that can be solved simply by implementing technology. Technology plays an important role in providing technical security controls such as strong authentication, least privilege, and impeded lateral movement, each of which contributes to achieving a Zero Trust model. The combination of a strategically curated ecosystem of technical controls and processes requires executive buy-in and organizational support to succeed.
Traditionally, access to resources and data is granted on the basic principle of untrusted versus trusted. Access initiated from outside the network perimeter is considered untrusted, and access initiated from inside the network is considered trusted. Because of that legacy train of thought, privileged users often posit that internal information resources or data may not require as much protection because they are not exposed to the internet. However, it is very common for a bad actor to gain a foothold on the internal network through email phishing, remote code execution, or software supply chain compromise. Once bad actors achieve persistence within the internal network, they appear as internal users operating in a trusted zone, which leaves access to resources and data wide open. Thus, distinguishing between legitimate users and bad actors has become increasingly difficult. Zero Trust has become an effective methodology to mitigate data security risk by focusing on user identity and treating all types of access as untrusted, which significantly reduces the likelihood of a data loss event.
Commonly, Zero Trust can be distilled to a few basic principles stressing that identity must be verified, context must be well understood, and visibility is key:
- Do not inherently trust external or internal networks, or any endpoint, whether BYOD or company-owned and managed.
- Authenticate, authorize, and account for, as well as contextually validate, all connection and access requests, especially access to critical information resources and non-public information.
- Continuously log and inspect all traffic to facilitate proactive and retrospective analysis because, while prevention is ideal, detection is a must.
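The contrast the post draws, a perimeter model that trusts by network location versus a Zero Trust policy that decides on identity and device context and records every decision, as an added illustration that is not part of the original post or any Presidio product. The request fields, policy functions, and the two constructed scenarios (a phished account used from an internal foothold, and a remote employee on a managed laptop) are assumptions chosen for the example.

```python
from dataclasses import dataclass

# Constructed request model; field names are assumptions, not from the post.
@dataclass
class AccessRequest:
    user: str
    mfa_verified: bool      # identity strongly verified (authenticate)
    device_managed: bool    # company-owned and managed vs. BYOD/unknown
    source_internal: bool   # request originates inside the network perimeter
    resource: str
    resource_public: bool   # non-public resources need stronger context

AUDIT_LOG = []  # every decision is recorded (account), allow or deny

def perimeter_policy(req):
    """Legacy model: trust is decided by network location alone."""
    if req.source_internal:
        return True, "inside the perimeter, implicitly trusted"
    return False, "outside the perimeter, implicitly untrusted"

def zero_trust_policy(req):
    """Location is ignored; identity and context decide every request."""
    if not req.mfa_verified:
        return False, "identity not strongly verified"
    if not req.resource_public and not req.device_managed:
        return False, "non-public resource requires a managed device"
    return True, "verified identity with acceptable device context"

def evaluate(policy, req):
    """Run a policy and log the outcome so it can be reviewed later."""
    allowed, reason = policy(req)
    AUDIT_LOG.append({"policy": policy.__name__, "user": req.user,
                      "resource": req.resource, "allowed": allowed,
                      "reason": reason})
    return allowed

# Constructed scenarios: a phished account used from an internal foothold,
# and a legitimate employee working remotely on a managed laptop.
FOOTHOLD = AccessRequest("j.doe", mfa_verified=False, device_managed=False,
                         source_internal=True, resource="hr-records",
                         resource_public=False)
REMOTE_WORKER = AccessRequest("a.lee", mfa_verified=True, device_managed=True,
                              source_internal=False, resource="hr-records",
                              resource_public=False)

if __name__ == "__main__":
    for req in (FOOTHOLD, REMOTE_WORKER):
        print(req.user, "perimeter:", evaluate(perimeter_policy, req),
              "zero trust:", evaluate(zero_trust_policy, req))
```

The perimeter policy admits the internal foothold and rejects the remote employee; the Zero Trust policy does the reverse, and both outcomes land in the audit log for retrospective analysis.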
To learn more about Zero Trust as a strategy, please join Presidio as we dive deeper into these principles, discuss what Zero Trust means to different people, and outline the best strategy for implementing this model.