Cybersecurity professionals are tasked with the difficult job of protecting their organization's data from malicious actors. To achieve this goal, zero trust security has become an essential tool for organizations. But what exactly is zero trust? In this post, we’re going to separate signal and noise by disambiguating the term zero trust. We’ll talk about what it is, why it matters, and key takeaways you should have regarding the state of cybersecurity in 2023.
What is zero trust?
Zero trust (ZT) refers to an approach to security that assumes all networks, systems, and users are “untrustworthy” by default. That is to say, for example, just because a user has access to an application or network doesn’t mean you should assume they won’t engage in malicious behavior. Instead of relying on traditional security models—which assume the existence of a “perimeter” that can be trusted and must be defended—zero trust models assume that identity, permissions, endpoints, networks, and users should be validated before allowing any access to resources. This means authentication measures must be in place to dynamically verify the appropriateness of any specific request to access sensitive resources or connect to systems containing such resources.
Why is zero trust important?
Zero trust is important for a few reasons. First, it reduces the attack surface by limiting access only to users and devices with the correct permissions, which helps prevent unauthorized individuals from gaining access to sensitive data or systems. Additionally, since zero trust requires continuous monitoring and validation of all users and devices attempting to gain access, attackers will have a more difficult time accessing systems undetected. Finally, with zero trust in place you can be sure that if attackers do gain entry they won’t be able to move laterally throughout the network without being spotted immediately – which greatly limits their ability to cause damage.
Is zero trust just a buzzword?
Usage of zero trust has exploded over the last decade, as it was codified into NIST and cloud security has changed the paradigm of how organizations have to approach security.
With this increase in popularity, there’s been little reflection about how and why to use the term, with security vendors and pundits touting zero trust as a cure-all. It’s no exaggeration to say that at this point zero trust is seen as a bit of a meme by the security community, with the term garnering a substantial amount of eye rolling and fatigue from security professionals.
This derision is partly earned, with vendors using “zero trust” to describe everything from traditional firewalls to VPNs. It is impossible to talk about zero trust in 2023 without first acknowledging and understanding this very frustrating state of affairs.
This is unfortunate, though, because the zero trust framework still has value as a guiding principle for organizations and security teams. The zero trust model encourages approaching security as a set of recurring processes that validate your security posture in real time, as opposed to the point-in-time analysis that characterizes more traditional approaches to security.
That said, zero trust should not be seen as or marketed as a cure-all. This is because zero trust is enabled through processes, not through controls alone. Zero trust is best thought of as the end state of implementing your security architecture in a trustless way. As a security practitioner, you’re responsible for coming up with the vision and processes that enable zero trust; the controls you deploy are merely tools that help achieve the specific outcome you have in mind. With a solid understanding of zero trust principles, this can be a straightforward process.
What are zero trust principles?
Zero trust initiatives, whether they involve implementing a zero trust architecture across your entire corporate architecture or are more narrow in scope, require you to first create, understand, and build on critical first principles that will help center your program. While you are ultimately responsible for coming up with these first principles, NIST 800-207 serves as a pretty good starting point for thinking about the types of problems trustless architecture is intended to address.
Page 4 of the PDF for NIST 800-207 specifies that “Zero trust is a cybersecurity paradigm focused on resource protection and the premise that trust is never granted implicitly but must be continually evaluated. Zero trust architecture is an end-to-end approach to enterprise resource and data security that encompasses identity (person and nonperson entities), credentials, access management, operations, endpoints, hosting environments, and the interconnecting infrastructure. The initial focus should be on restricting resources to those with a need to access and grant only the minimum privileges (e.g., read, write, delete) needed to perform the mission.”
NIST 800-207 further outlines seven “tenets” of zero trust. These are:
1. All data sources and computing services are considered resources.
This means that zero trust centers on controlling access to the resources that access data, as well as access to the data itself. The goal of zero trust is to make access controls for these assets continuous and as granular as possible.
2. All communication is secured regardless of location.
Zero trust requires uniformity in how processes are implemented and controls are deployed. There is no assumed safe perimeter, and there are no devices that should have continuous, unrestricted access to resources. You need to put processes and controls in place that regularly evaluate the identity, credentials, permissions, etc. of the users, devices, and entities accessing resources.
3. Access to individual enterprise resources is granted on a per-session basis.
Continuous, unrestricted access to resources should not be permitted. For example, an employee can lose a device, so it should not be assumed that “they” are the ones resuming a current session in an application running on that device.
4. Access to resources is determined by dynamic policy—including the observable state of client identity, application/service, and the requesting asset—and may include other behavioral and environmental attributes.
NIST 800-207 says: An organization protects resources by defining what resources it has, who its members are (or ability to authenticate users from a federated community), and what access to resources those members need. For zero trust, client identity can include the user account (or service identity) and any associated attributes assigned by the enterprise to that account or artifacts to authenticate automated tasks. It further breaks down these attributes:
   1. Asset state can include device characteristics such as:
      - Software versions installed.
      - Network locations.
      - Time/date of request.
      - Previously observed behavior.
      - Installed credentials.
   2. Behavioral attributes include, but are not limited to:
      - Automated subject analytics.
      - Device analytics, and measured deviations from observed usage patterns.
   3. Environmental attributes may include such factors as:
      - Network location.
      - Time.
      - Reported active attacks.
5. The enterprise monitors and measures the integrity and security posture of all owned and associated assets.
Just like users, assets have their status (such as their security posture) evaluated dynamically. For example, devices that are not up to date on security/vulnerability patches may be denied access to sensitive resources.
6. All resource authentication and authorization are dynamic and strictly enforced before access is allowed.
This is self-explanatory. Zero trust centers on processes that evaluate security posture in real time. This is partly enabled through controls that are:
- Uniform or easy to standardize. These are controls that enforce the same policies and requirements, regardless of where or how they’re deployed.
- Capable of taking automated and continuous actions. Zero trust requires regular, periodic actions in order to validate or verify that resources are being accessed by authorized parties in an appropriate manner.
7. The enterprise collects as much information as possible about the current state of assets, network infrastructure and communications and uses it to improve its security posture.
NIST 800-207 says: An enterprise should collect data about asset security posture, network traffic and access requests, process that data, and use any insight gained to improve policy creation and enforcement. This data can also be used to provide context for access requests from subjects.
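To make tenets 3 through 5 concrete, here is an added example (not NIST's or any vendor's code) of a minimal policy decision point: one access request is evaluated against the asset state, behavioral, and environmental attributes listed above, posture only gates the sensitive resources, and a successful decision is a time-limited session grant rather than standing access. Resource names, the patch-level threshold, and the session lifetime are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional
# Constructed example (not NIST's or any vendor's code): a minimal policy
# decision point covering tenets 3 to 5. Thresholds and names are assumptions.
MIN_PATCH_LEVEL = 42                       # assumed: below this, device is stale
SESSION_TTL = timedelta(hours=8)           # assumed: lifetime of one session grant
SENSITIVE = {"payroll-db", "phi-store"}    # assumed sensitive resources

@dataclass
class Request:
    user_privs: set            # privileges assigned to this identity, e.g. {"read"}
    resource: str
    action: str                # "read", "write" or "delete"
    device_patch_level: int    # asset state: software versions installed
    device_managed: bool       # asset state: enrolment credential installed
    network: str               # environmental: "corp", "home" or "unknown"
    hour: int                  # environmental: hour of the request, 0-23
    anomaly_score: float       # behavioral: deviation from observed usage, 0-1
    active_attack_reported: bool = False   # environmental: reported active attack

@dataclass
class Decision:
    allow: bool = True
    reasons: List[str] = field(default_factory=list)
    expires: Optional[datetime] = None     # set only when a session is granted

def evaluate(req: Request, now: Optional[datetime] = None) -> Decision:
    d = Decision()
    checks = [
        # Least privilege: only actions granted to the identity are considered.
        (req.action not in req.user_privs, "action not in granted privileges"),
        # Tenet 5: posture gates sensitive resources only, so checks stay granular.
        (req.resource in SENSITIVE and req.device_patch_level < MIN_PATCH_LEVEL,
         "device patch level below minimum"),
        (req.resource in SENSITIVE and not req.device_managed,
         "device lacks enrolment credential"),
        # Behavioral attribute: large deviation from baseline ends the request.
        (req.anomaly_score > 0.8, "behavior deviates from observed baseline"),
        # Environmental: an attack narrows access to reads; an unknown network is
        # an input rather than a trust shortcut and only blocks off-hours requests.
        (req.active_attack_reported and req.action != "read",
         "active attack reported: read-only access"),
        (req.network == "unknown" and not 8 <= req.hour < 18,
         "off-hours request from unknown network"),
    ]
    d.reasons = [reason for failed, reason in checks if failed]
    d.allow = not d.reasons
    if d.allow:   # tenet 3: the grant is per session, never continuous
        d.expires = (now or datetime.now()) + SESSION_TTL
    return d
```

A denied request carries every failed check, which is what a policy engine should log for the monitoring described under tenet 7.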
How can you enable zero trust security?
Once you understand the core principles of zero trust, you’ll need to evaluate the types of zero trust processes that make the most sense for your organization. Effectively, zero trust can be segmented based on the specific objectives you have in mind. Some common examples include:
- Zero trust network access (ZTNA). Zero trust network access centers around controls and processes that validate users accessing a network with sensitive resources, for example employees who must access a corporate intranet from home. ZTNA allows organizations to manage who accesses a network and what behaviors they can engage in over that network.
- Zero trust identity management. Zero trust identity management is more narrowly focused on managing user credentials, access, and permissions, generally within cloud applications. These controls typically make it harder for passwords to be compromised and misused, and leverage concepts like the principle of least privilege to ensure that no one account has access to all of your critical systems.
- Zero trust data security. Zero trust data security is a newer category, focused on managing where data is stored in the cloud. This is to ensure that sensitive data, like API keys, passwords, or customer social security numbers, isn’t shared in easily accessible locations like Slack channels or email by people with no need-to-know basis for the information.
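The zero trust data security category above comes down to a need-to-know check on where sensitive content lands. The following added example (constructed for this post, not Nightfall's detectors or any organization's real data) scans chat messages with a few illustrative patterns and applies a per-channel policy: org-wide channels get the value redacted, while a channel whose members have a need to know that data type gets an alert for review instead. Channel names, patterns, and messages are assumptions.

```python
import re
from typing import Dict, List, Tuple

# Constructed example (not Nightfall's detectors): a need-to-know scan over
# chat messages. Patterns, channel names and messages are assumptions.
DETECTORS: Dict[str, re.Pattern] = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "password": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*\S+"),
    "api_key": re.compile(r"\bsk_(?:live|test)_[A-Za-z0-9]{16,}\b"),
}
# Policy: org-wide channels never carry sensitive data; a need-to-know channel
# may carry the listed types, which are alerted for review rather than removed.
ORG_WIDE = {"#general", "#random"}
NEED_TO_KNOW = {"#hr-payroll": {"ssn"}, "#platform-secrets": {"api_key"}}

def scan_message(channel: str, text: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Return the message after policy is applied and a list of
    (detector, action) findings, where action is "redact" or "alert"."""
    findings = []
    allowed = set() if channel in ORG_WIDE else NEED_TO_KNOW.get(channel, set())
    for name, pattern in DETECTORS.items():
        if not pattern.search(text):
            continue
        if name in allowed:
            findings.append((name, "alert"))      # permitted here; log for review
        else:
            text = pattern.sub(f"[REDACTED:{name}]", text)   # no need-to-know basis
            findings.append((name, "redact"))
    return text, findings

def scan_channel_log(messages: List[Tuple[str, str]]) -> List[tuple]:
    """Apply scan_message to (channel, text) pairs; returns (channel, text, findings)."""
    return [(ch, *scan_message(ch, txt)) for ch, txt in messages]

# Constructed sample messages, not real data.
SAMPLE_LOG = [
    ("#general", "reminder: ssn for the new hire is 123-45-6789"),
    ("#hr-payroll", "onboarding 123-45-6789, forms attached"),
    ("#hr-payroll", "staging db password: hunter2 if you need it"),
    ("#platform-secrets", "rotated key sk_live_abcdefghijklmnop today"),
    ("#engineering", "deploy went fine, no issues"),
]
```

Note that the same SSN is redacted in #general but only alerted in #hr-payroll, and a password is redacted even in #hr-payroll because that channel has no need-to-know basis for credentials.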
How can Nightfall help with zero trust?
Nightfall belongs to the category of controls that help enable zero trust data security in SaaS applications. Our application allows for users to continuously scan cloud environments for inappropriate disclosures of PII, PHI, PCI, credentials, secrets, and more. For example, healthcare organizations using Slack cannot have PHI disclosures occur in channels with members that have no need-to-know basis for the information. This could be in organization-wide channels such as #general. Nightfall users can create policies that scan for sensitive information in real time to automatically alert, redact, delete, or quarantine this content in files and messages that are in specific locations.
Beyond compliance, many of our users have a critical need to understand whether their employees are sharing passwords or other types of secrets within applications like GitHub, Jira, and Slack. The presence of this data in these environments could lead to privilege escalation in the event a malicious actor gains access to these applications. Effectively, Nightfall addresses the consequences of employees engaging in practices that may violate data security policies, in order to improve an organization’s cloud security posture.
To learn more you can watch our on-demand webinar Build Continuous Security & Compliance into Your SaaS Environments.