In 2010, John Kindervag, Principal analyst at Forrester Research Inc, created a model of Zero Trust. Traditionally, organisations have a security approach that they focus on defending their perimeters and assume that every user inside a network is trustworthy and clear for access. However, the vulnerability associated with this approach is that once an attacker gains access to a network, they can access everything. Zero Trust is a security concept centered around the belief that organisations should not automatically trust anything inside or outside its perimeters and instead must verify anything and everything to connect to its systems before granting access. Such an approach, provides visibility and IT controls which secure, manage and monitor every device, users, app and network being used within an organisation to access business data. According to Infosecurity Magazine, 2019 saw strong growth in terms of both awareness and implementation of the model, with 15% of organisations having already enacted a Zero Trust policy and 59% planning to do so in 2020. It has become one of the most influential cybersecurity frameworks in the industry.
In general, it is impossible to foresee all possible types of cyber threats. However, the Zero Trust model provides an effective approach to improve security and be better prepared to mitigate risks. According to John Kindervag, “Zero Trust is based on the principle that ‘trust’ is a vulnerability that is its own exploit.” Traditional security approaches followed a ‘castle and moat approach’ that everyone inside the network is trusted by default and once an attacker gains access they have free reign over everything. The concept of the model is to provide a layered security approach and focus heavily on users getting securely authenticated into a trust zone, however, once the user is inside most restrictions are lifted off. Zero Trust maintains the belief that no one is trusted by default inside or outside of the network, so verification is required from everyone trying to gain access. In the physical world, trust is commonly based on who you are and not where you are. Zero Trust security is based on the principle ‘always check, never trust’– they therefore take into account 4 trust dimensions:
1. User trust
The most common type of trust we see is user trust and comes in 2 parts: Identity establishment and user authorisation. Traditionally, a company trusts its employees, trust which is established through a login mechanism (a shared secret). However, to prevent identity theft companies have begun to adopt the likes of multi-factor authentication to ensure trust is maintained.
2. Location trust
Determining the risk of providing access, based on the location from which a user is accessing a resource, whether that location is within company premise or from a public place. Location can also imply a time zone.
3. Device trust
With users demanding access to a variety of devices (laptops, tablets, smartphones, computers etc) the threat of perception of each device can vary based on factors like: the type of operating system, security solutions installed on the device and whether it has the latest security patches.
4. Time trust
Time trust deals with identifying risk based on when the resource access is being made. The time information accessed can be used as a trust factor. In many cases, time information needs to be correlated to other factors, such as location.
Zero trust is not about making a system trusted but rather about eliminating trust, therefore a number of control technologies which are critical for achieving this need to be considered such as:
1. Micro-segmentation
Microsegmentation is the preferred method for achieving a Zero Trust network, as it provides secure user access and prevent loss of data. Microsegmentation is the practice of dividing perimeters into small, isolated areas (zones) so that certain parts of your network have seperate access, so if any data breaches occur, microsegmentation will limit further exploitation of these networks by malicious actors. With micro-segmentation, files in a network can be placed in separate, secure zones. Each segment has security controls to implement optimal protection for each unique perimeter. Microsegmentation reduces the risk of cyber attacks on organisations, reducing the total attack surface of a network security incident and limiting the ability to land and expand from a compromised device. It also allows organisations to limit the size of their network’s attack surface by breaking it into small pieces. If one segment gets compromised, the other segments are “walled off” and protected. It is important that when identifying access policies, organisations have a system that allows session-based information which can be used to modify your access policy decisions.
2. Multi Factor Authentication (MFA)
The ages of passwords are a thing of the past, older security systems previously relied on a strong “root” password that would provide you with unlimited access to specific resources, this could be easily stolen. Multi factor authentication (MFA) is a security system that verifies a user’s identity by requiring multiple credentials, such as: a code from the user’s smartphone, the answer to security questions, a fingerprint or facial recognition. MFA is a critical component of identity and access management (IAM), it is therefore considered to be a core value of Zero trust. For Zero Trust, each user must be correctly identified by a MFA. MFA creates multiple layers of security to increase the confidence that the user requesting access is actually who they claim to be, to ensure no data or critical information is compromised.
3. Principle of Least Privilege (PoLP)
This is the practice of limiting access rights for users to the bare minimum permissions they need to perform their work. Under PLoP, users are granted only as much access as they need to complete a particular purpose or role- the least amount of privilege necessary. PLoP is a key part in zero trust identity and access management, as it reduces the risk to a segmental level in order to contain or shrink the perimeter of each individual device. Zero trust depends on PoLP to grant access based on who is requesting access, the context of the request and the risk of the access environment. PoLP offers better security of data, minimises the attack surface, limits malware propagation and overall offers better stability, therefore supporting the zero trust concept of “always check, never trust.”
Building Zero Trust into the foundation of an organisation has the potential to strengthen the organisations IT and security, against the possible risks of cyber attacks. It is arguably the best way to secure data and user access across networks. It inspects and logs all traffic, monitors network patterns and adds authentication methods. By adding these barriers to entry, zero trust has the ability to protect critical customer and organisation data or communications from being accessed by foreign, malicious actors. Through microsegmentation, zero trust has the ability to reduce the risk of not only outsider threats, but also insider threats. While gaining visibility into enterprise traffic (who is accessing the network, from where, when and why), by adopting a zero trust approach it is possible to reduce the time of breach detection. Zero trust has the ability to be very successful if woven effectively throughout an organisation’s architectures, technology selections, operational processes and also the mindset of the employees, as well as building on existing security investments in the organisation.
While there are many advantages for organisations to implement zero trust, in an effort to improve cyber security, there are a number of disadvantages also. In relation to cybersecurity specifically, zero trust has created a slight confusion in that the model is not a specific technology as such, but rather a security strategy. The zero trust model should therefore be used as an initial step in the process of securing data, it should not be the final step. The complexity and then length of time it takes to implement Zero trust is important, it took Google six years to implement their Zero Trust approach – BeyondCorp, they had to wean employees off VPN, several device inventories had to be replaced with one central system. And so, the time it takes to implement zero trust can take many, many years.
With digital transformation being driven by Cloud, DevOps and IoT, these technologies inherently do not support the zero trust model. If organisations wish to pursue implementing the model, the redesigning, recording and redeployment will not only be time consuming, but costly and disruptive, but could potentially weaken cyber security in the transitioning organisation. In an age where BYOD (Bring your own device) has continued to rise, organisations must allow for a great variation of devices used for work. Each device has their own properties, requirements and communication protocols – all of which will need to be individually tracked and secured under Zero Trust policies. The same goes for applications (apps) being used across the organisation, the versatility of these can be a complicating factor when trying to implement zero trust.
While there may be limitations to the model, it is still a prevalent concept in the digital world today. It is possible to combine IT security solutions with Zero Trust model in order to protect networks, data and communications. Salt Communications has the ability to work alongside Zero Trust models due to their ability to offer peace of mind to organisations to implement complete control and secure communications. The Salt Communications solution offers many features which allow for an environment of Zero trust. Salt Communications are fully equipped for customers to have the ability to control who accesses the systems or networks, who users communicate with, how their metadata is stored and where the system is actually hosted, while also offering white labelled versions of the solution.
For more information on this article, or to talk to a member of the Salt Communications’ team, please contact info@saltcommunications.com.
About Salt Communications
Salt Communications, ranked in the top half in the Cybersecurity 500, provides a fully enterprise-managed software solution that enables absolute privacy in mobile communications. It is easy to deploy and uses multi-layered encryption techniques to meet the highest of security standards. The Salt Communications Desktop and Mobile apps are intuitive and easy to install and use. Salt Communications’ Communication Manager provides a console for tight management of users and can be configured for the management of regulatory compliance. Salt Communications is headquartered in Belfast, Ireland, for more information visit saltcommunications.com..com.
