Organisations today have infrastructure that is increasingly complex and diverse. A blend of internal networks, data centres, cloud services and infrastructure, and the rise of remote work has made the traditional network perimeter difficult to define. Where perimeter-based security focuses on keeping attackers out, Zero Trust operates on the assumption that attackers are already present in your environment, and works to protect data, applications, users and devices from lateral movement and unauthorised access.
The term Zero Trust has become something of a marketing tool, with most vendors positioning their solution as the key to implementing a Zero Trust architecture. The reality is that there is no single Zero Trust product; there are only solutions that help you build a Zero Trust environment. Zero Trust is a set of principles and guidance that can be followed to implement a Zero Trust approach to security. Reduced to a single message: no request should be trusted because of where it comes from or where it is going; every request should be verified. This can be achieved through many different combinations of operational policies, processes and solutions, and does not necessarily require replacing existing solutions all at once.
Know Your Assets
As you move towards Zero Trust, the focus shifts from protecting the perimeter to protecting individual assets. Access decisions that once admitted a user onto a network become more granular: in a Zero Trust environment each request is a decision about access to a specific application, micro-segment or data set. The first step in any Zero Trust architecture plan is therefore to know and understand your users and devices, and the applications, services and data they access, so that the required policies can be written.
NIST defined a vendor-neutral set of components for a Zero Trust deployment in its August 2020 Special Publication on Zero Trust architecture (NIST SP 800-207). The core logical components of any Zero Trust model are the Policy Engine, the Policy Administrator and the Policy Enforcement Point. In simple terms, Zero Trust is built on access policies implemented through a policy decision point (the Policy Engine, which decides whether access should be granted, together with the Policy Administrator, which establishes or shuts down the session accordingly) and a policy enforcement point (which carries out the decision in the data path). What form these policy points take in your environment will depend on the solutions implemented.
Policies should be informed by additional context, both real-time and historical. Beyond establishing who a user is, that user's location, device posture and typical behaviour may all be factors in a data access decision, so the policy engine needs to be fed that context. Threat intelligence feeds, user behaviour analysis, device compliance checks and data classification all allow access decisions to be as granular and relevant as possible. Decisions should equally consider the data or resource being accessed, enforcing least privilege so that users and services get access only to what they need and no more.
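The following is an added example written for this page, not code from NIST SP 800-207 or from any vendor product. It shows the components described above working together on one request: a Policy Engine that combines identity (MFA), least privilege (role and action entitlements), device posture and contextual feeds into a single decision, and a Policy Enforcement Point that asks for that decision on every request and records it. The class names, rules, thresholds, the threat-intelligence block list and the per-user location baseline are all assumptions chosen for illustration.

```python
"""Minimal policy decision point (policy engine) and policy enforcement point.
Added illustration, not code from NIST SP 800-207 or any vendor product; the
class names, rules, thresholds and context feeds below are all assumptions."""
from dataclasses import dataclass, field
from typing import FrozenSet, List

@dataclass(frozen=True)
class Subject:
    user: str
    roles: FrozenSet[str]
    mfa_verified: bool
    location: str          # country code, assumed to come from IP geolocation

@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool          # enrolled in device management
    disk_encrypted: bool   # compliance attribute reported by the agent
    patch_age_days: int    # days since the device last met the patch baseline

@dataclass(frozen=True)
class Resource:
    name: str
    classification: str    # "public", "internal" or "confidential"
    allowed_roles: FrozenSet[str]
    allowed_actions: FrozenSet[str]

@dataclass
class Decision:
    outcome: str           # "allow", "step-up" or "deny"
    reasons: List[str] = field(default_factory=list)

# Constructed context feeds (hypothetical): a threat-intel block list and a
# per-user behavioural baseline of locations normally seen for that user.
BLOCKED_LOCATIONS = {"XX"}
USUAL_LOCATIONS = {"alice": {"IE", "GB"}, "bob": {"IE"}}
MAX_PATCH_AGE_DAYS = 30

class PolicyEngine:
    """The policy decision point: stateless, evaluates every request afresh."""

    def decide(self, s: Subject, d: Device, r: Resource, action: str) -> Decision:
        deny: List[str] = []
        # Identity: MFA is required for anything that is not public.
        if r.classification != "public" and not s.mfa_verified:
            deny.append("mfa required")
        # Least privilege: the role must be entitled to this resource and action.
        if not (s.roles & r.allowed_roles):
            deny.append("role not entitled to resource")
        if action not in r.allowed_actions:
            deny.append(f"action {action!r} not permitted on resource")
        # Device posture: confidential data only from a compliant device.
        if r.classification == "confidential":
            if not (d.managed and d.disk_encrypted):
                deny.append("device not compliant")
            if d.patch_age_days > MAX_PATCH_AGE_DAYS:
                deny.append("device patch level too old")
        # Context: a threat-intelligence hit is a hard deny ...
        if s.location in BLOCKED_LOCATIONS:
            deny.append("location blocked by threat intelligence")
        if deny:
            return Decision("deny", deny)
        # ... while a behavioural anomaly only forces step-up on sensitive data.
        if r.classification == "confidential" and s.location not in USUAL_LOCATIONS.get(s.user, set()):
            return Decision("step-up", ["unusual location for this user"])
        return Decision("allow")

class PolicyEnforcementPoint:
    """In the data path in front of the resource: asks the engine on every
    request (no session-wide trust) and logs each decision for later analysis."""

    def __init__(self, engine: PolicyEngine):
        self.engine = engine
        self.audit: List[tuple] = []

    def handle(self, s: Subject, d: Device, r: Resource, action: str) -> str:
        dec = self.engine.decide(s, d, r, action)
        self.audit.append((s.user, d.device_id, r.name, action, dec.outcome, dec.reasons))
        return dec.outcome

def run_scenarios() -> List[str]:
    """Constructed requests against a confidential HR share; returns the outcomes."""
    hr_share = Resource("hr-share", "confidential", frozenset({"hr"}), frozenset({"read"}))
    laptop_ok = Device("lt-01", managed=True, disk_encrypted=True, patch_age_days=5)
    laptop_old = Device("lt-02", managed=True, disk_encrypted=True, patch_age_days=90)
    byod = Device("phone-9", managed=False, disk_encrypted=False, patch_age_days=0)
    alice = Subject("alice", frozenset({"hr"}), mfa_verified=True, location="IE")
    alice_abroad = Subject("alice", frozenset({"hr"}), mfa_verified=True, location="US")
    bob = Subject("bob", frozenset({"finance"}), mfa_verified=True, location="IE")
    pep = PolicyEnforcementPoint(PolicyEngine())
    return [
        pep.handle(alice, laptop_ok, hr_share, "read"),          # allow
        pep.handle(alice, laptop_ok, hr_share, "write"),         # deny: action not permitted
        pep.handle(alice, laptop_old, hr_share, "read"),         # deny: patch level
        pep.handle(alice, byod, hr_share, "read"),               # deny: device posture
        pep.handle(alice_abroad, laptop_ok, hr_share, "read"),   # step-up: unusual location
        pep.handle(bob, laptop_ok, hr_share, "read"),            # deny: role not entitled
    ]
```

Two design points are worth noting. The engine collects every failing check rather than stopping at the first, so the audit record explains the whole decision, which is what you need when refining policies later. And a hard signal (no MFA, non-compliant device, threat-intelligence hit) denies outright, while a softer behavioural signal such as an unusual location only forces re-authentication; conflating the two leads either to alert fatigue or to silent over-blocking.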
Identity and Access Management – Where IP addresses and network location were often the basis for policy decisions in a perimeter model, Zero Trust decisions hinge on accurately identifying users and services through strong authentication, of which MFA should always be a part. Strong MFA and a single authoritative user directory that integrates with your applications and services are essential to Zero Trust.
Endpoint Security and Device Management – Hand in hand with identity goes device security posture. Device compliance and health should be factors in whether a user or service identity is granted access to a resource, and compliance against your defined security policies should be continuously monitored and re-verified rather than checked once at enrolment.
Micro-Segmentation – Isolating sensitive workloads, VMs, applications, data and other resources is one of the core elements of Zero Trust. By allowing only verified traffic that is necessary for the function of an application or service, you reduce the attack surface and limit the damage an attacker can do after a breach. Segments can be created as additional security boundaries using network devices, software-defined perimeter solutions or application-level segmentation solutions.
SIEM / Log Analysis – Once Zero Trust is implemented in some form, continuous analysis of security events and access logs helps to refine your policies and confirm that they are being enforced as intended. Understanding normal user and service access patterns lets you detect unauthorised access and deviations that indicate a security incident, and lets you tighten policies to prevent them recurring.
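As an added example for the log analysis point above (written for this page, not taken from it or from any SIEM product), the code below learns each user's normal devices, resources and working hours from a window of allowed accesses, flags later events that deviate from that baseline, and lists entitlements that were never exercised so they can be removed under least privilege. The JSON-lines log format, the sample events and the entitlement extract are constructed for the example.

```python
"""Baseline-and-deviation analysis over Zero Trust access logs.
Added example, not from the original page or any SIEM product. The log
format, the events and the entitlement table below are constructed."""
import json
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed training window: allowed accesses seen during a normal week.
BASELINE_LOG = """\
{"ts": "2023-05-01T09:12:00", "user": "alice", "device": "lt-01", "resource": "hr-share", "action": "read", "outcome": "allow"}
{"ts": "2023-05-02T10:40:00", "user": "alice", "device": "lt-01", "resource": "hr-share", "action": "read", "outcome": "allow"}
{"ts": "2023-05-03T14:05:00", "user": "alice", "device": "lt-01", "resource": "payroll-app", "action": "read", "outcome": "allow"}
{"ts": "2023-05-01T08:55:00", "user": "bob", "device": "lt-07", "resource": "git", "action": "read", "outcome": "allow"}
{"ts": "2023-05-04T17:30:00", "user": "bob", "device": "lt-07", "resource": "git", "action": "write", "outcome": "allow"}
"""

# Constructed detection window: one access from an unknown device at 03:10
# and one denied attempt by a user whose role is not entitled to the share.
NEW_LOG = """\
{"ts": "2023-05-08T09:30:00", "user": "alice", "device": "lt-01", "resource": "hr-share", "action": "read", "outcome": "allow"}
{"ts": "2023-05-08T03:10:00", "user": "alice", "device": "phone-9", "resource": "hr-share", "action": "read", "outcome": "allow"}
{"ts": "2023-05-09T11:00:00", "user": "bob", "device": "lt-07", "resource": "hr-share", "action": "read", "outcome": "deny"}
{"ts": "2023-05-09T11:01:00", "user": "bob", "device": "lt-07", "resource": "git", "action": "read", "outcome": "allow"}
"""

# Hypothetical entitlement extract from the policy store: what each user can reach.
ENTITLEMENTS = {"alice": {"hr-share", "payroll-app", "finance-share"}, "bob": {"git", "ci"}}

def parse(log: str) -> List[dict]:
    """Parse JSON-lines access log entries, converting the timestamp field."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"])
        events.append(e)
    return events

def build_baseline(events: List[dict]) -> Dict[str, dict]:
    """Per user: devices, resources and hours of day seen in allowed accesses."""
    base = defaultdict(lambda: {"devices": set(), "resources": set(), "hours": set()})
    for e in events:
        if e["outcome"] != "allow":
            continue
        b = base[e["user"]]
        b["devices"].add(e["device"])
        b["resources"].add(e["resource"])
        b["hours"].add(e["ts"].hour)
    return dict(base)

def detect(events: List[dict], baseline: Dict[str, dict]) -> List[Tuple[str, str]]:
    """Flag denied requests and allowed accesses that deviate from the baseline."""
    alerts = []
    for e in events:
        tag = f'{e["user"]} {e["action"]} {e["resource"]} from {e["device"]} at {e["ts"].isoformat()}'
        if e["outcome"] != "allow":
            alerts.append(("denied", tag))      # the policy worked; still review for probing
            continue
        b = baseline.get(e["user"])
        if b is None:
            alerts.append(("no baseline", tag))
            continue
        if e["device"] not in b["devices"]:
            alerts.append(("new device", tag))
        if e["resource"] not in b["resources"]:
            alerts.append(("new resource", tag))
        if not min(b["hours"]) <= e["ts"].hour <= max(b["hours"]):
            alerts.append(("off-hours", tag))
    return alerts

def unused_entitlements(baseline: Dict[str, dict], entitlements: Dict[str, set]) -> Dict[str, List[str]]:
    """Entitlements never exercised in the window: candidates for removal."""
    return {u: sorted(ent - baseline.get(u, {"resources": set()})["resources"])
            for u, ent in entitlements.items()}

if __name__ == "__main__":
    base = build_baseline(parse(BASELINE_LOG))
    for kind, tag in detect(parse(NEW_LOG), base):
        print(f"[{kind}] {tag}")
    print("unused entitlements:", unused_entitlements(base, ENTITLEMENTS))
```

On the constructed data this produces a new-device and an off-hours alert for the 03:10 access from "phone-9", a denied alert for bob's attempt on the HR share, and lists "finance-share" and "ci" as entitlements that were granted but never used. The second output is the policy-refinement loop the text refers to: a real deployment would feed those unused entitlements back to the directory owners for review rather than removing them automatically, since one week of logs is rarely a complete picture of a role.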
How can Kontex help you?
If you are interested in beginning or continuing on a journey towards a Zero Trust Environment, Kontex can help.
We partner with industry-leading vendors in a number of areas that are key to achieving Zero Trust goals, including Identity and Access Management, Endpoint Security, Device Management, SIEM and Application Micro-segmentation.
Aside from any new solutions, however, our experienced security consultancy and engineering teams can work with you to maximise what is achievable with your existing solutions and technologies, and help plan a way forward to Zero Trust.
Contact [email protected] today!