The 5 principles of zero-trust security

Zero trust is a journey, not a destination. Ensure your corporate network is safe from internal and external threats by implementing these five principles of zero-trust security.

Perimeter security is no longer the best option for enterprise IT departments. A far more flexible architecture is needed that focuses on users, devices and services. The concept of zero trust was developed to take on current and future IT security threats by operating under the assumption that no person, device or service, inside or outside the corporate network, should be trusted.

Implementing the five principles of zero trust listed below will enable organizations to take full advantage of this security model, but an IT security team can't simply implement zero trust and then walk away. A continuous process model must be followed that cycles though each principle -- then it starts over again. The zero-trust model also must continually evolve to accommodate how business processes, goals, technologies and threats change.

Here are the five principles of zero trust that ensure the concept is successfully adopted into the long-term IT strategy.

1. Know your protect surface

An organization's IT protect surface consists of all users, devices, data and services. The protect surface must also include the means of transport -- the network-- that sensitive company data traverses. One of the main reasons why zero-trust architectures have become so popular is because the protect surface for most businesses now extends far beyond the protections of a corporate LAN. Traditional perimeter or edge security tools no longer have the same reach because many data flows no longer cross into the corporate network.

The change in data flows forces cybersecurity tools to be pushed out beyond the network edge to get as close to apps, data and devices as possible. Manual inventory processes should be supplemented with automated asset and service inventory tools. Combining these technologies helps teams identify what apps, data and devices are a security priority.

These tools are also used to understand where these critical resources are located and who should have access to them. This process effectively builds a map for security architects to help them understand where security tools would be best implemented.

In most cases, existing cybersecurity tools will not satisfy a complete, end-to-end zero-trust architecture model.

2. Understand the cybersecurity controls already in place

Once the protect surface is mapped, the next principle of zero trust is evaluating what cybersecurity controls are already in place. Many of the IT department's existing security tools will likely be useful when implementing a zero-trust strategy. However, they may be deployed in the wrong location or use an outdated perimeter architecture model. These evaluation exercises are useful when combined with the protect surface map because that enables IT security architects to see where existing tools can be redeployed or repurposed to reach the expanded areas where cloud and other internet-based resources now reside.

3. Incorporate new tools and modern architecture

In most cases, existing cybersecurity tools will not satisfy a complete, end-to-end zero-trust architecture model. Additional tools must be added to provide extra layers of protection where security gaps have been identified during zero-trust implementation. The good news is modern security tools have been designed to pick up the slack where traditional tools fall short.

Examples of tools that enterprise IT shops commonly implement to meet zero-trust framework requirements include network microsegmentation, secure access control to all applications and data using single sign-on, and multifactor authentication. Additionally, advanced threat protection tools can be utilized to identify emerging threats and push security policy to resources precisely where they are needed across the protect surface.

Graphic displaying four steps to build a zero-trust network and which tools can help
Build a zero-trust network by incorporating these security tools and processes.

4. Apply detailed policy

Once all the necessary technologies are in place to build a zero-trust framework, security administrators are tasked with putting those tools to use. This is accomplished by creating and implementing a zero-trust policy that can then be applied to the various security tools.

Zero-trust policies are rules that permit access to various resources based on a strict set of standards to only allow access when absolutely necessary. Policies should outline exactly which users, devices and applications should have access to which data and services and when. Once the high-level policies are built, administrators can then configure the security devices to adhere to the allowlist of permit rules, while denying everything else.

5. Monitor and alert

The last principle of zero trust is conducting necessary monitoring and using alerting tools. These tools give security staff the appropriate level of visibility into whether the implemented security policies are working and whether cracks in the framework have been exploited.

It's important to remember that nothing is completely secure, even with a zero-trust framework in place. Tools must still be used to capture when malicious activities occur so they can be quickly stamped out. Organizations should also perform root cause analysis to identify and fix any flaws in the existing security posture.

A distributed security architecture such as zero trust can be enormously challenging to properly monitor by security operations center admins. Fortunately, modern cybersecurity monitoring tools exist that incorporate automation and AI capabilities to help ease that burden. Modern security monitoring tools, such as network detection and response and security orchestration, automation and response, help to cut down on the human resources required to identify security incidents, while also identifying root causes and remediation steps.

This was last published in October 2020

Dig Deeper on Threat detection and response