Perimeter security is no longer the best option for enterprise IT departments. A far more flexible architecture is needed that focuses on users, devices and services. The concept of zero trust was developed to take on current and future IT security threats by operating under the assumption that no person, device or service -- inside or outside the corporate network -- should be inherently trusted.
Implementing the five principles of zero trust listed below enables organizations to take full advantage of this security model, but an IT security team can't simply implement zero trust and then walk away. A continuous process model must be followed that cycles though each principle, and then it starts over again. The zero-trust model must also continually evolve to accommodate how business processes, goals, technologies and threats change.
Here are the five principles of zero trust that ensure the concept is successfully adopted into the long-term IT strategy.
1. Know your protect surface
An organization's IT protect surface consists of all users, devices, applications, data and services. The protect surface must also include the means of transport -- the network -- that sensitive company data traverses. One of the main reasons why zero-trust models have become so popular is because the protect surface for most businesses now extends far beyond the protections of a corporate LAN. Traditional perimeter or edge security tools no longer have the same reach because many data flows no longer cross into the corporate network.
The change in data flows forces cybersecurity tools to be pushed out beyond the network edge to get as close to apps, data and devices as possible. Manual inventory processes should be supplemented with automated asset and service inventory tools. Combining these technologies helps teams identify what apps, data and devices are a security priority.
These tools are also used to understand where critical resources are located and who should have access to them. This process effectively builds a map for security architects to help them understand where security tools would be best implemented.
2. Understand the cybersecurity controls already in place
Once the protect surface is mapped, the next principle of zero trust is evaluating what cybersecurity controls are already in place. Many of the IT department's existing security tools will likely be useful when implementing a zero-trust strategy. However, they may be deployed in the wrong location or use an outdated perimeter architecture model. These evaluation exercises are useful when combined with the protect surface map because that enables IT security architects to see where existing tools can be redeployed or repurposed to reach the expanded areas where cloud, edge compute and other internet-based resources now reside.
3. Incorporate new tools and modern architecture
In most cases, existing cybersecurity tools do not satisfy a complete, end-to-end zero-trust model. Additional tools must be added to provide extra layers of protection where security gaps have been identified during zero-trust implementation. The good news is modern security tools have been designed to pick up the slack where traditional tools fall short.
Examples of tools that enterprise IT shops commonly implement to meet zero-trust framework requirements include network microsegmentation, secure access control to all applications and data using single sign-on, and multifactor authentication. Additionally, advanced threat protection tools can be used to identify emerging threats and push security policies to resources precisely where they are needed across the protect surface.
4. Apply detailed policy
Once all the necessary technologies are in place to build a zero-trust framework, security administrators are tasked with putting those tools to use. This is accomplished by creating and implementing a zero-trust policy that can then be applied to the various security tools using automated services.
Zero-trust policies are rules based on the principle of least privilege that permit access to various resources based on a strict set of standards to only allow access when absolutely necessary. Policies should outline exactly which users, devices and applications should have access to which data and services and when. Once high-level policies are built, administrators can then configure security devices to adhere to the allowlist of permit rules, while denying everything else.
5. Monitor and alert
The last zero-trust principle is conducting necessary monitoring and using alerting tools. These tools give security staff the appropriate level of visibility into whether the implemented security policies are working and whether cracks in the framework have been exploited.
It's important to remember that nothing is completely secure, even with a zero-trust framework in place. Tools must still be used to capture when malicious activities occur so they can be quickly stamped out. Organizations should also perform root cause analysis to identify and fix any flaws in the existing security posture.
A distributed security architecture, such as zero trust, can be enormously challenging to properly monitor by security operations center admins. Fortunately, modern cybersecurity monitoring tools exist that incorporate automation and AI capabilities to ease that burden. Modern security monitoring tools, such as network detection and response and security orchestration, automation and response, can help cut down on the human resources required to identify security incidents, while also identifying root causes and remediation steps.