Zero Trust Security Model

What is the zero trust security framework, and where do I start?

Media
Image
Zero Trust Security
Text

What Is Zero Trust Security?

Whether your organization adopts language and actions around zero trust, zero trust security framework or architecture, or perimeter-less security, the overarching premise of each term remains the same.  Each refers to a security strategy and framework for IT that requires users – both in and outside of the organizational network – to continuously be authenticated, authorized, and validated to get and keep their access to applications and data. Zero trust embeds security throughout the architecture to prevent malicious entities from accessing your most critical assets. 

Recent research revealed that 44% of enterprises were considering a zero trust network access or software-defined perimeter to keep the organization secure. This shift to operating with a zero trust framework comes with the growing recognition that there is no longer a traditional “edge” to the network. Rather, organizations are increasingly working with perimeter-less security needs and threats.

Text

The Zero Trust Security Framework: A Mindset Combined with Technical Solutions 

Enforcing a zero trust security mindset at an organization requires continual education and proactive reinforcement to help the model be effective. Zero trust principles aren’t about not trusting employees; rather, they are a way to help organizations securely take advantage of operating in any location – on-premises, via the cloud, or as a hybrid situation. This is a win-win for employees now working around the world and not just “at the office.” 

Key Zero Trust Framework Concept

The mantra behind zero trust, “Never trust, always verify” is the primary concept behind this security model and essentially means that the many users, interconnected devices, applications, and systems in play each day shouldn’t be considered or trusted as secure by default. Adopting this premise requires both a shift in philosophy as well as the layering of security solutions around each of its users, connections, and devices every day, with every transaction. 

And this mindset applies even if connected to the corporate LAN, or VPN, or if previously verified as secure. With zero trust in place, organizations can help ensure that users, along with the devices and processes they use to store, manipulate, and send data, are identified and authenticated no matter where they are, or when they were first authorized. Zero trust recognizes that breaches will likely continue to occur, but that the damage from one can be contained, and remediation following a breach can be more effective and efficient with the appropriate cybersecurity model in play. 

Related Content: How and Why to Implement Zero Trust Architecture Via Layered Security

Read More

How to Apply a Zero Trust Security Framework

Text

Putting a zero trust security framework in place as a cybersecurity strategy involves applying security measures based on context. Unlike traditional security measures such as network-based solutions and firewalls designed to prevent unauthorized users from going in and out of the network, today’s cybersecurity strategies need to also address context in hybrid and cloud environments as well.  

This framework is more important than ever, with the growing employee movement to working from home, where the environment is inherently more vulnerable. Whether your organization is still wholly on-premises, your offices are emptying out in favor of a work-from-home model, or somewhere in between, control and visibility into the environment need to be enabled for a zero trust security framework. Only then can you monitor and verify any movement of data within and outside the organization.  

Surprisingly to organizations first digging into zero trust architecture, the network itself is not the biggest cybersecurity risk. Today’s organizations are typically more perimeter-less, or without a network edge. Rather, the cybersecurity risk addressed by zero trust is the risk to the data itself, whether on premises, stored in a data center, or existing in a cloud or multi-cloud environment.

Text

Access Controls Form Base of Zero Trust Security Frameworks

A key tenet of the zero trust security framework is applying least-privileged access controls to help remove the risks taken with assumed trust, through strict user authentication. When incorporating least-privileged access policies, users receive only the minimal level of access as defined by their job-specific responsibilities. This helps narrow movement and unauthorized access and delineates access by the user’s role, the data needed, location, and devices being used. Any inappropriate access to data, or movement of files or data throughout the organization, can be automatically blocked.  

With zero trust, protection zones are created to provide visibility and IT mechanisms designed to secure, manage, and monitor every user, device, network, application, or data packet both at the perimeter and within a network environment.  

One way to affirm zero trust is to assume everything coming into or out of your network and everything already in the perimeter is a threat by default – and set up the layers of security with that thought in mind. Ensuring that communication is blocked unless validated by established attributes or policies is key. Multi-factor authentication, identity-based attributes, one-time codes, etc., all deliver strong security that can travel alongside the data being communicated, even across varied network environments.

Text

Extending with Adaptive Trust

Access controls are a key tenet of the zero-trust framework. However, bad actors are sophisticated enough to masquerade as authenticated users. This is where adaptive trust plays a key role. Adaptive trust is the principle where a trusted user is monitored for activity that increases risk to the organization. A baseline is created for each user and any anomalous activity triggers an action. The action may be an alert, or it may be changing to a more restrictive policy. Behavior analytics is used to create a baseline of normal activity consisting of several data points, including the time of day logged in, sites visited, and data handled. Any deviations from this activity trigger the action or set of actions.

Text

A Stepped, Simplified Approach to Adapting a Zero Trust Security Framework

The process of moving towards a zero trust framework can be overwhelming, and an incremental approach to zero trust can help move the cybersecurity stance forward over time. John Grancarich, Executive Vice President, Fortra, outlines a management process to achieve progress towards zero trust:

1. Prepare for the journey towards a zero trust security framework

Learn the scope and principles of zero trust, perform organizational discovery, and assemble a small core team. Only after the organization discovery stage is complete can the vital authorization and authentication boundaries be defined.

2. Classify your assets

You’ll want to create three impact buckets that answer the question, “What would happen to our business if X was compromised?” Defining these high-, moderate- and low-impact buckets can help you better narrow your focus and resources around zero trust tactics.

3. Select an initial set of assets to address

Start with a focus on the highest value and highest risk users, assets, and applications. Consider this your “protection surface” and the start of your strategic, incremental progress toward zero trust. Have your core team identify your top 10 priorities. Then, according to Grancarich, focus on just three priorities to tightly refine your approach going forward. This is a shift from operations “as usual” but a critical one to ensure success with zero trust.

4. Implement initial security controls

Once those top priorities are identified, new processes, procedures, technological solutions, or services can be selected, tested, and evaluated.

5. Assess the performance of your controls

This, like zero trust, should be a continual process. Each security control should be assessed continually both in terms of the system as well as the processes used to manage the system.

6. Authorize systems

Here’s where the hard work of system security and privacy plans, assessment reports, plans of action and milestones all come together for approval by senior leadership. Of course, constant communication from the core team to senior leadership directing a zero trust security framework should ensure there are no surprises at this step.

7. Monitor results and refine as needed

Continuous monitoring lies at the heart of zero trust, so assessing and monitoring are naturally key to its success. How this is done depends on the technological solutions in place. There should, however, be policies in place to trigger actions based on behaviors seen in monitoring.

Principles of the Zero Trust Security Framework

Text

By adhering to three key principles, organizations can build their zero trust model knowing they are following the rigid standards laid out in 2021 for U.S. federal agencies to adhere to NIST 800-207 as a required step for zero trust implementation. The standard went through extensive validation and input from various agencies, vendors, and commercial partners, and serves as a baseline for private organizations to follow. The three principles are: 

Terminate all connections

Traditional firewall technologies inspect files as they enter the network. Often, by the time an intrusive or malicious file is detected, it is too late. With zero trust solutions applied, every connection is terminated, and all traffic, even encrypted traffic, is inspected in real time. This pre-destination inspection can help prevent ransomware, malware, and other external threats. 

Why Choose a Zero Trust Security Framework?

Text

If you’re trying to determine if a zero trust security framework makes sense for your organization’s cybersecurity needs consider how cybercrime has ramped up, especially as more business is conducted in a cloud environment. Can you risk having your data stolen or destroyed or even held for ransom? Can you weather the PR storm of your customers’ personally identifiable information (PII) or other sensitive data such as financial or health information being stolen or exposed? 

Data breaches and cybersecurity risks will continue to be a factor in the near and distant future. Adopting zero trust, however, is an effective strategy to use to help minimize those risks. By reducing the attack surface, should a breach occur, the overall impact, cost, and drain on resources can be mitigated.

Text

Zero Trust Security Framework Use Cases

Compliance requirement support

If your organization must adhere to industry compliance standards such as the federal government’s NIST 800-207, the payment card industry’s PCI DSS, or the healthcare industry’s HIPAA and HITECH requirements, the closed connection tenant of zero trust helps prevent exposure or exploitation of sensitive or private data. With zero trust you can set up controls to segment data that is regulated from non-regulated data, providing more visibility for audit purposes, as well as mitigation of a data breach.

Related Content: Key Takeaways from Biden's Sweeping Executive Order on Cybersecurity

Overall risk reduction

The “never trust, always verify” approach to zero trust prevents applications and services from communicating until verified by predefined trust principles such as authentication and authorization specifications. By providing insight into what is on the network and how those assets communicate, zero trust reduces risk. And this strategy can also provide continuous confirmation of the acceptability of all communicating assets to reduce the risk of overprovisioned software and services.

Better cloud environment access control

If you’ve moved workloads to the cloud, or are operating in a hybrid environment, the fear of losing control and visibility is not unfounded. With a zero trust security framework in place, however, you can apply security policies to validate identities of communicating workloads. 

This helps to keep your security tied to the assets most in need of protection and it does not reply upon network security elements such as IP addresses, protocols, or ports. With zero trust solutions, the protection gained is attached to the workload and even if the environment is changed, the security remains.

Data breach risk reduction

As cybersecurity pros express, a data breach is not a question of “if” but “when.” With zero trust’s least privilege access, that assumes all entities are hostile. Organizations can gain more peace-of-mind knowing all transactions, users, and their devices are inspected and authenticated before “trust” is granted. And this validation is under continuous assessment to account for changes in the users’ devices, locations, or data requests. 

Should an attacker still breach your network or cloud environment, with zero trust principles and tactics applied, their ability to steal or access your sensitive data is stopped as the model creates segmentation, so no lateral moves are possible.

Fortra and the 5 Pillars of the Zero Trust Maturity Model

The United States Cybersecurity and Infrastructure Agency (CISA) released version 1.0 of the Zero Trust Maturity Model (ZTMM) in August 2021. It was originally created for government agencies to use as a roadmap towards zero trust architecture but has been widely used by organizations across every industry. It consists of five distinct pillars each with unique security requirements. The five pillars are:

Identity  |  Devices  |  Networks  |  Applications and Workloads  |  Data

The current version (2.0) was released in April 2023 and includes additional granularity across controls and continuously re-verifying trust. The ZTMM is an effective guide for implementing zero trust principles. Discover how Fortra solutions help enterprises in their ZTMM journey.

Identity

This pillar describes each unique user or entity and how they authenticate. How can Fortra help?

  • Core Security Identity and Access Management
    Simplify how you manage user access and secure data with identity governance and administration solutions, password management, and privileged access management.
  • Terranova Security Security Awareness Training
    Strengthen information security and reduce the risk of data breaches, downtime, and reputational harm.

Zero trust is about more than network segmentation. Fortra can help you encrypt and securely share data with authorized individuals while protecting it from viruses and malware.

Zero Trust File Transfer

A zero trust environment is one that ensures documents are secure both while in transfer and at rest. Secure file transfer (SFT) solutions such as GoAnywhere MFT can do the heavy lifting of securely moving files. When bundled with the Clearswift Secure ICAP Gateway and Digital Guardian Secure Collaboration, the protection surrounding data is taken further. With secure collaboration applied to MFT transactions, you gain both control and protection, as access controls over encrypted files travel with the files and can be revoked at any time – a key tenet of zero trust. 

Learn more »

Image
SFT Rights Management

How Fortra Supports the Zero Trust Journey

Fortra works with customers across every industry on their zero trust journeys. Rather than solve every piece of the zero trust puzzle, we serve as an ally and partner in the process, helping first identify the problems you need to solve and then determining what controls will fit your problem set. View the datasheet for more information.

DOWNLOAD THE DATASHEET