What Is Zero Trust Security?
Whether your organization adopts language and actions around zero trust, zero trust security framework or architecture, or perimeter-less security, the overarching premise of each term remains the same. Each refers to a security strategy and framework for IT that requires users – both in and outside of the organizational network – to continuously be authenticated, authorized, and validated to get and keep their access to applications and data. Zero trust embeds security throughout the architecture to prevent malicious entities from accessing your most critical assets.
Recent research revealed that 44% of enterprises were considering a zero trust network access or software-defined perimeter to keep the organization secure. This shift to operating with a zero trust framework comes with the growing recognition that there is no longer a traditional “edge” to the network. Rather, organizations are increasingly working with perimeter-less security needs and threats.
The Zero Trust Security Framework: A Mindset Combined with Technical Solutions
Enforcing a zero trust security mindset at an organization requires continual education and proactive reinforcement to help the model be effective. Zero trust principles aren’t about not trusting employees; rather, they are a way to help organizations securely take advantage of operating in any location – on-premises, via the cloud, or as a hybrid situation. This is a win-win for employees now working around the world and not just “at the office.”
Key Zero Trust Framework Concept
The mantra behind zero trust, “Never trust, always verify” is the primary concept behind this security model and essentially means that the many users, interconnected devices, applications, and systems in play each day shouldn’t be considered or trusted as secure by default. Adopting this premise requires both a shift in philosophy as well as the layering of security solutions around each of its users, connections, and devices every day, with every transaction.
And this mindset applies even if connected to the corporate LAN, or VPN, or if previously verified as secure. With zero trust in place, organizations can help ensure that users, along with the devices and processes they use to store, manipulate, and send data, are identified and authenticated no matter where they are, or when they were first authorized. Zero trust recognizes that breaches will likely continue to occur, but that the damage from one can be contained, and remediation following a breach can be more effective and efficient with the appropriate cybersecurity model in play.
Related Content: How and Why to Implement Zero Trust Architecture Via Layered Security
How to Apply a Zero Trust Security Framework
Putting a zero trust security framework in place as a cybersecurity strategy involves applying security measures based on context. Unlike traditional security measures such as network-based solutions and firewalls designed to prevent unauthorized users from going in and out of the network, today’s cybersecurity strategies need to also address context in hybrid and cloud environments as well.
This framework is more important than ever, with the growing employee movement to working from home, where the environment is inherently more vulnerable. Whether your organization is still wholly on-premises, your offices are emptying out in favor of a work-from-home model, or somewhere in between, control and visibility into the environment need to be enabled for a zero trust security framework. Only then can you monitor and verify any movement of data within and outside the organization.
Surprisingly to organizations first digging into zero trust architecture, the network itself is not the biggest cybersecurity risk. Today’s organizations are typically more perimeter-less, or without a network edge. Rather, the cybersecurity risk addressed by zero trust is the risk to the data itself, whether on premises, stored in a data center, or existing in a cloud or multi-cloud environment.
Access Controls Form Base of Zero Trust Security Frameworks
A key tenet of the zero trust security framework is applying least-privileged access controls to help remove the risks taken with assumed trust, through strict user authentication. When incorporating least-privileged access policies, users receive only the minimal level of access as defined by their job-specific responsibilities. This helps narrow movement and unauthorized access and delineates access by the user’s role, the data needed, location, and devices being used. Any inappropriate access to data, or movement of files or data throughout the organization, can be automatically blocked.
With zero trust, protection zones are created to provide visibility and IT mechanisms designed to secure, manage, and monitor every user, device, network, application, or data packet both at the perimeter and within a network environment.
One way to affirm zero trust is to assume everything coming into or out of your network and everything already in the perimeter is a threat by default – and set up the layers of security with that thought in mind. Ensuring that communication is blocked unless validated by established attributes or policies is key. Multi-factor authentication, identity-based attributes, one-time codes, etc., all deliver strong security that can travel alongside the data being communicated, even across varied network environments.
Extending with Adaptive Trust
Access controls are a key tenet of the zero-trust framework. However, bad actors are sophisticated enough to masquerade as authenticated users. This is where adaptive trust plays a key role. Adaptive trust is the principle where a trusted user is monitored for activity that increases risk to the organization. A baseline is created for each user and any anomalous activity triggers an action. The action may be an alert, or it may be changing to a more restrictive policy. Behavior analytics is used to create a baseline of normal activity consisting of several data points, including the time of day logged in, sites visited, and data handled. Any deviations from this activity trigger the action or set of actions.
A Stepped, Simplified Approach to Adapting a Zero Trust Security Framework
The process of moving towards a zero trust framework can be overwhelming, and an incremental approach to zero trust can help move the cybersecurity stance forward over time. John Grancarich, Executive Vice President, Fortra, outlines a management process to achieve progress towards zero trust:
1. Prepare for the journey towards a zero trust security framework
2. Classify your assets
3. Select an initial set of assets to address
4. Implement initial security controls
5. Assess the performance of your controls
6. Authorize systems
7. Monitor results and refine as needed
Principles of the Zero Trust Security Framework
By adhering to three key principles, organizations can build their zero trust model knowing they are following the standards laid out in 2021 for U.S. federal agencies, which must adhere to NIST 800-207 as a required step for zero trust implementation. The standard went through extensive validation and input from various agencies, vendors, and commercial partners, and serves as a baseline for private organizations to follow. The three principles are:
Terminate all connections
Traditional firewall technologies inspect files as they enter the network. Often, by the time an intrusive or malicious file is detected, it is too late. With zero trust solutions applied, every connection is terminated, and all traffic, even encrypted traffic, is inspected in real time. This pre-destination inspection can help prevent ransomware, malware, and other external threats.
Apply automated, continuous context-based policies to protect data
Rather than default to a trust relationship for access, zero trust policies require access requests to be verified. Any rights granted are based on context, type of content, user identification, the device used, location, and what application use is being requested. Continual evaluation of these user access privileges helps ensure context is applied with every transaction.
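The following Python sketch is an added example (not Fortra's code or any product's API) of how the context-based policy described here and the adaptive-trust baseline described under "Extending with Adaptive Trust" combine into a per-request decision. The role table, baselines, score weights and thresholds are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Baseline:
    """Constructed behavioural baseline for one user (the adaptive-trust layer)."""
    usual_hours: range          # local hours the user normally signs in
    usual_countries: frozenset  # countries the user normally connects from
    usual_classes: frozenset    # data classifications the user normally touches
    usual_daily_mb: int         # typical daily data volume


@dataclass(frozen=True)
class Request:
    """One access request with the context the policy evaluates."""
    user: str
    hour: int
    country: str
    device_managed: bool
    mfa_passed: bool
    data_class: str
    size_mb: int


# Least-privilege role definitions: which classifications each user may read at all.
ROLE_ALLOWED = {"alice": frozenset({"internal", "confidential"})}

# Constructed baselines, as a behaviour-analytics engine would learn them.
BASELINES = {
    "alice": Baseline(range(7, 20), frozenset({"US"}), frozenset({"internal"}), 200),
}


def decide(req):
    """Evaluate one request. Returns (decision, reasons) where decision is
    'allow', 'step_up' (alert plus re-authentication) or 'deny'."""
    reasons = []
    allowed = ROLE_ALLOWED.get(req.user, frozenset())
    base = BASELINES.get(req.user)
    # Hard gates: identity, device posture, MFA and role are checked on every
    # transaction, with no credit for being on the corporate LAN or VPN.
    if base is None or not allowed:
        return "deny", ["unknown identity"]
    if not req.device_managed:
        return "deny", ["unmanaged device"]
    if not req.mfa_passed:
        return "deny", ["mfa not satisfied"]
    if req.data_class not in allowed:
        return "deny", ["classification outside role"]
    # Adaptive trust: weight deviations from the learned baseline.
    score = 0
    if req.hour not in base.usual_hours:
        score += 1; reasons.append("off-hours access")
    if req.country not in base.usual_countries:
        score += 2; reasons.append("unusual location")
    if req.data_class not in base.usual_classes:
        score += 1; reasons.append("unusual data classification")
    if req.size_mb > base.usual_daily_mb:
        score += 2; reasons.append("volume above baseline")
    if score >= 3:
        return "deny", reasons      # switch to the most restrictive policy
    if score >= 1:
        return "step_up", reasons   # raise an alert and require fresh verification
    return "allow", reasons
```

A single off-hours login only steps up verification, while off-hours access from an unusual country crosses the deny threshold, which is the "more restrictive policy" reaction the adaptive-trust section describes.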
Eliminate the attack surface to reduce risk
Users connect directly to the applications and data they need, not to networks, with a zero trust architecture. This direct approach to connections helps eliminate lateral movement risk and stops any compromised devices from infecting other resources should a breach occur.
Why Choose a Zero Trust Security Framework?
If you’re trying to determine whether a zero trust security framework makes sense for your organization’s cybersecurity needs, consider how cybercrime has ramped up, especially as more business is conducted in a cloud environment. Can you risk having your data stolen, destroyed, or even held for ransom? Can you weather the PR storm of your customers’ personally identifiable information (PII) or other sensitive data such as financial or health information being stolen or exposed?
Data breaches and cybersecurity risks will continue to be a factor in the near and distant future. Adopting zero trust, however, is an effective strategy to use to help minimize those risks. By reducing the attack surface, should a breach occur, the overall impact, cost, and drain on resources can be mitigated.
Zero Trust Security Framework Use Cases
Compliance requirement support
If your organization must adhere to industry compliance standards such as the federal government’s NIST 800-207, the payment card industry’s PCI DSS, or the healthcare industry’s HIPAA and HITECH requirements, the closed connection tenet of zero trust helps prevent exposure or exploitation of sensitive or private data. With zero trust you can set up controls to segment regulated data from non-regulated data, providing more visibility for audit purposes as well as mitigation of a data breach.
Related Content: Key Takeaways from Biden's Sweeping Executive Order on Cybersecurity
Overall risk reduction
The “never trust, always verify” approach to zero trust prevents applications and services from communicating until verified by predefined trust principles such as authentication and authorization specifications. By providing insight into what is on the network and how those assets communicate, zero trust reduces risk. And this strategy can also provide continuous confirmation of the acceptability of all communicating assets to reduce the risk of overprovisioned software and services.
Better cloud environment access control
If you’ve moved workloads to the cloud, or are operating in a hybrid environment, the fear of losing control and visibility is not unfounded. With a zero trust security framework in place, however, you can apply security policies to validate identities of communicating workloads.
This helps to keep your security tied to the assets most in need of protection, and it does not rely upon network security elements such as IP addresses, protocols, or ports. With zero trust solutions, the protection gained is attached to the workload, and even if the environment is changed, the security remains.
Data breach risk reduction
As cybersecurity pros express, a data breach is not a question of “if” but “when.” Zero trust’s least privilege access assumes all entities are hostile. Organizations can gain more peace of mind knowing all transactions, users, and their devices are inspected and authenticated before “trust” is granted. And this validation is under continuous assessment to account for changes in the users’ devices, locations, or data requests.
Should an attacker still breach your network or cloud environment, with zero trust principles and tactics applied, their ability to steal or access your sensitive data is stopped as the model creates segmentation, so no lateral moves are possible.
Fortra and the 5 Pillars of the Zero Trust Maturity Model
The United States Cybersecurity and Infrastructure Security Agency (CISA) released version 1.0 of the Zero Trust Maturity Model (ZTMM) in August 2021. It was originally created for government agencies to use as a roadmap towards zero trust architecture but has been widely used by organizations across every industry. It consists of five distinct pillars, each with unique security requirements. The five pillars are:
Identity | Devices | Networks | Applications and Workloads | Data
The current version (2.0) was released in April 2023 and includes additional granularity across controls and continuously re-verifying trust. The ZTMM is an effective guide for implementing zero trust principles. Discover how Fortra solutions help enterprises in their ZTMM journey.
Identity
This pillar describes each unique user or entity and how they authenticate. How can Fortra help?
- Core Security Identity and Access Management
Simplify how you manage user access and secure data with identity governance and administration solutions, password management, and privileged access management.
- Terranova Security Security Awareness Training
Strengthen information security and reduce the risk of data breaches, downtime, and reputational harm.
Devices
This pillar addresses the tracking and management of any device and asset connecting to the network. How can Fortra help?
- Tripwire File Integrity Monitoring
Gain real-time change intelligence and threat detection along with automated remediation to proactively harden systems and reduce attack surface.
- Cobalt Strike Adversary Simulations and Red Team Operations
Replicate the tactics and techniques of an advanced adversary in a network.
- Outflank Offensive Security Tooling for Red Teams
Leverage powerful tools for red teaming, adversary simulation, or advanced penetration services.
- Core Impact Advanced Penetration Testing with Automation
Empower security teams to conduct advanced penetration tests with ease. With guided automation and certified exploits, safely test your environment using the same techniques as today's adversaries.
Networks
This pillar addresses connectivity, including hardware, wireless, or linking to the internet. How can Fortra help?
- Fortra Managed Web Application Firewall
Find web application and API security without the burden of managing it yourself.
- Fortra Email Security and Anti-Phishing
Keep emails, brands, and data safe from sophisticated phishing attacks, insider threats, and accidental data loss.
- Alert Logic Managed Detection and Response
Gain unrivaled security for any environment with our continuous, around-the-clock threat detection and security expertise.
- PhishLabs Digital Risk Protection
Leverage curated threat intelligence and complete mitigation.
- Digital Defense Web Application Scanning
Conduct dynamic web app testing to identify and mitigate vulnerabilities and prevent attackers from exploiting them.
Applications and Workloads
This pillar examines what is being executed on systems locally, remotely, and in the cloud along with how they are accessed. How can Fortra help?
- Beyond Security Vulnerability Management and Application Security Testing
Test your products against various attack combinations with a dynamic application security testing (DAST) tool.
- Digital Defense Vulnerability Management and Penetration Testing Services
Perform comprehensive security assessments and help prioritize and track the results, making remediation planning and management more efficient and effective.
- Core Security Penetration Testing Software and Security Consulting Services
Discover the strength of your security controls with infrastructure protection services from trusted cybersecurity experts.
Data
This pillar addresses access, inventory, classification, and secure collaboration of data. How can Fortra help?
- Digital Guardian Data Loss Prevention
Avoid data leaks or data exfiltration and safeguard critical business data.
- Digital Guardian Secure Collaboration
Securely collaborate with anyone on any document.
- Fortra Data Classification
Enhance data security, deliver interactive training, and reduce business friction.
- Terranova Security Security Awareness Training
Strengthen information security and reduce the risk of data breaches, downtime, and reputational harm.
Zero trust is about more than network segmentation. Fortra can help you encrypt and securely share data with authorized individuals while protecting it from viruses and malware.
Zero Trust File Transfer
A zero trust environment is one that ensures documents are secure both while in transfer and at rest. Secure file transfer (SFT) solutions such as GoAnywhere MFT can do the heavy lifting of securely moving files. When bundled with the Clearswift Secure ICAP Gateway and Digital Guardian Secure Collaboration, the protection surrounding data is taken further. With secure collaboration applied to MFT transactions, you gain both control and protection, as access controls over encrypted files travel with the files and can be revoked at any time – a key tenet of zero trust.
How Fortra Supports the Zero Trust Journey
Fortra works with customers across every industry on their zero trust journeys. Rather than solve every piece of the zero trust puzzle, we serve as an ally and partner in the process, helping first identify the problems you need to solve and then determining what controls will fit your problem set. View the datasheet for more information.