Creating and managing a zero-trust security framework
IEEE senior member Kevin Curran outlines how enterprises should introduce a zero-trust security framework and discusses implementation challenges they are likely to face.
Whereas traditional security mechanisms assume identities and devices inside a network can be trusted, the zero-trust security model operates on the basis that no internal or external user or device can ever be trusted by default.
The zero-trust concept was first introduced by Forrester Research in 2010. Since Google and Cisco adopted it, this approach to authentication and authorization has grown steadily in popularity.
Zero trust is a key concept in identity and access management (IAM) and is structured to limit a hacker's access to an enterprise network.
"The need for a zero-trust security model has arisen in part because enterprises no longer tend to host data in-house but rather through a variety of platforms and services which reside both on and off premises with a host of employees and partners accessing applications via a range of devices in diverse geographical locations," said Kevin Curran, Institute of Electrical and Electronics Engineers (IEEE) senior member and professor of cybersecurity at Ulster University in Ireland.
Simply put, "the traditional security model is no longer fit for purpose," Curran said.
Here, Curran explains how enterprises can get started on the path to zero trust and offers insights into the challenges associated with zero-trust security frameworks.
Editor's note: This interview has been edited for length and clarity.
How should an enterprise create and update a zero-trust security framework?
Kevin Curran: For zero-trust security to be effective, it requires new approaches, such as using network segmentation or microsegmentation based on users and locations. It requires enforcement of identity and access management, next-gen firewalls, orchestration, multifactor authentication (MFA) and file system permissions.
A zero-trust security framework can be introduced into an enterprise by:
- Updating network security policies. Security policies need to be reviewed and audited for vulnerabilities and be tested regularly.
- Validating each device logging in to the network. This is enforced through strong authentication mechanisms. It is also important to adopt the principle of least privilege for each user.
- Implementing network segmentation. A variety of network, perimeter and microsegmentation will help secure the network.
- Requiring MFA. Each user must proceed through this additional step in authentication.
- Periodically reviewing user access. This protects against slippage in the authenticated user base.
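The five steps above describe what a zero-trust policy decision point has to check on every request: the device is validated, MFA was completed, the source and target network segments are permitted, and the user holds a role explicitly granted for the action (least privilege), plus a periodic review that flags entitlements nobody has used. The following is an added illustration, not code from the interview or from any product Curran mentions; the segment policy, resource inventory, users and timestamps are all constructed, and the field names are assumptions chosen for readability.

```python
"""Illustrative zero-trust policy decision point (added example, not from the page).

Default is deny: a request is allowed only when every check passes, and the
reasons for a denial are returned so they can be logged for detection.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Request:
    user: str
    roles: frozenset          # roles granted to the user by IAM
    mfa_verified: bool        # MFA step completed in this session
    device_compliant: bool    # device passed the validation / posture check
    source_segment: str       # network segment the request originates from
    resource: str
    action: str


@dataclass(frozen=True)
class Resource:
    segment: str
    permissions: dict         # action -> frozenset of roles allowed (least privilege)


# Constructed segmentation policy: source segment -> reachable resource segments.
SEGMENT_POLICY = {
    "corp-workstations": frozenset({"app-tier"}),
    "app-tier": frozenset({"data-tier"}),
}

# Constructed resource inventory with per-action role grants.
RESOURCES = {
    "hr-portal": Resource("app-tier", {"read": frozenset({"employee", "hr"}),
                                       "write": frozenset({"hr"})}),
    "payroll-db": Resource("data-tier", {"read": frozenset({"payroll-svc"}),
                                         "write": frozenset({"payroll-svc"})}),
}


def evaluate(req):
    """Return (allowed, reasons). Every check must pass; reasons list what failed."""
    res = RESOURCES.get(req.resource)
    if res is None:
        return False, ["unknown_resource"]
    reasons = []
    if not req.mfa_verified:
        reasons.append("mfa_required")
    if not req.device_compliant:
        reasons.append("device_not_validated")
    reachable = SEGMENT_POLICY.get(req.source_segment, frozenset())
    if res.segment not in reachable:
        reasons.append("segment_not_permitted")
    allowed_roles = res.permissions.get(req.action, frozenset())
    if not (req.roles & allowed_roles):
        reasons.append("role_not_permitted")
    return (not reasons), reasons


def stale_entitlements(entitlements, today_iso, max_idle_days=90):
    """Periodic access review: return (user, role) grants unused for max_idle_days.

    entitlements: iterable of (user, role, last_used_iso_or_None).
    A grant that was never used is always flagged.
    """
    cutoff = date.fromisoformat(today_iso) - timedelta(days=max_idle_days)
    flagged = []
    for user, role, last_used in entitlements:
        if last_used is None or date.fromisoformat(last_used) < cutoff:
            flagged.append((user, role))
    return sorted(flagged)


if __name__ == "__main__":
    # Constructed sample request: compliant device, MFA done, role matches action.
    ok, why = evaluate(Request("alice", frozenset({"employee"}), True, True,
                               "corp-workstations", "hr-portal", "read"))
    print("alice read hr-portal:", ok, why)
    # Constructed review input: one active grant, one idle, one never used.
    print(stale_entitlements([("alice", "employee", "2024-05-01"),
                              ("carol", "admin", "2023-11-01"),
                              ("dave", "hr", None)], "2024-06-01"))
```

The decision function returns every failed check rather than stopping at the first one, so a single denied request tells the security operations team whether the problem was a missing MFA step, a non-compliant device, a segmentation gap, or an over-broad access attempt. The review helper is the programmatic form of the last bullet: grants that go unused past the review window are candidates for removal, which is how least privilege is maintained over time rather than only at onboarding.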
What are the challenges associated with zero-trust security models?
Curran: The zero-trust security framework is reliant on strong governance processes to secure an enterprise IT environment -- therein lies the challenge as, in many cases, it forces enterprises to enforce new processes across the organization. This is never easy.
Another challenge is that employees may not take kindly to the added burdens of accessing machines and the reduced access levels enforced by the principle of least privilege.
There is a battle to change mindsets, especially among experienced staff. An institutional change with regard to security is needed. There is also effort involved in the technical realm, such as rolling out microsegmentation, which requires the reconfiguration of IP data to ensure there will be no interruption in the day-to-day environment. This is why it is important to have the CISO, CIO and senior management on board from the start to ensure success.
About the author
Kevin Curran is an IEEE senior member and professor of cybersecurity, executive co-director of the Legal Innovation Centre and group leader of the Ambient Intelligence & Virtual Worlds Research Group at Ulster University. His achievements include winning and managing U.K. and European Framework projects and Technology Transfer Schemes.
Curran has made significant contributions to advancing the knowledge and understanding of computer networks and security, evidenced by over 800 published works. His expertise has been acknowledged by invitations to present his work at international conferences, overseas universities and research laboratories. He is a regular contributor to print, online, radio and TV news on computing and security issues.