What is a Zero Trust Model?
Zero Trust is a security framework that requires all users, whether inside or outside the company network, to be authenticated, authorized, and continuously validated when accessing company resources. In traditional networking, companies would typically implement perimeter security. This means there would be a trusted inside boundary (usually the internal network) and an untrusted outside network (anything outside the company). In a Zero Trust model, all aspects of the company network are considered untrusted, and users must be continuously authenticated to gain access to network resources.
Common Challenges for Implementing Zero Trust
When implementing a Zero Trust architecture, there are multiple issues that you can encounter. We're going to discuss some of the common challenges around implementing Zero Trust architecture:
1. Knowing your entire IT infrastructure
When implementing a Zero Trust model, the first big hurdle for businesses is understanding their own IT infrastructure. Most companies lack a fully up-to-date inventory of all their IT assets, which makes it very difficult to implement a Zero Trust architecture that covers every business asset.
2. All-in-one Zero Trust products don't exist
Implementing Zero Trust is different from implementing a firewall, IDS/IPS, or antivirus. Generally, implementing a Zero Trust architecture means deploying multiple security controls and integrating them to ensure complete coverage. Many different approaches and techniques can work for a given business; what is required is a unique combination of policies, technologies, and people to ensure a proper implementation.
3. Legacy Systems May Not Adapt To Zero Trust
Another common issue is getting legacy systems and applications, built with perimeter security in mind, to conform to a Zero Trust model. This is only sometimes possible. In many situations, legacy systems will need to remain in place, making a complete Zero Trust implementation impossible. In many cases, you will need to find a workaround to ensure that these systems are adequately protected.
4. Zero Trust Requires Ongoing Administration
Another common issue for implementing a Zero Trust infrastructure is the heavy demand for ongoing administration and maintenance. Zero Trust models can only be enforced through strictly defined permissions and security policies. As companies continue to change rapidly, adding new people and technologies, changing locations, and laying off employees, access controls must be updated continuously to account for these changes. This means that administration requirements will be intensive.
5. Third-Party Service Providers
If your company uses third-party providers like AWS, Azure, Google Cloud, etc., then there may be restrictions on how your company can implement access controls. Most companies rely on the built-in tools provided by these cloud providers, which means that you may be restricted in how you implement a Zero Trust model.
Zero Trust and Productivity
You should implement a Zero Trust model carefully, as otherwise it can have a negative effect on productivity in its early stages. The core philosophy of a Zero Trust model is strict access control around company resources. The stricter your security, the more likely it is that someone will be unable to access a resource when they need it. In the early stages of a Zero Trust rollout, some mistakes will likely be made, and there can be delays in giving people the necessary access. To avoid this, the whole team must be prepared accordingly and familiar with how Zero Trust functions and what it requires.
The Five Pillars of a Zero Trust Model
According to the Cybersecurity and Infrastructure Security Agency (CISA), there are five pillars of a Zero Trust model. Thinking of a Zero Trust model in this way can help organizations better implement Zero Trust in their environment.
Identity: Identity refers to an attribute or set of attributes that uniquely describe an agency user or entity. This is important for ensuring that each user of the system can be uniquely identified for authentication.
Device: Device in this context refers to any hardware asset that can connect to the network. This includes but is not limited to mobile phones, laptops, and servers. It's important that companies inventory all devices, secure them, and prevent unauthorized devices from accessing protected resources.
Network/Environment: This refers to any open communications medium, such as your internal networks, wireless networks, the internet, etc. It's your company's responsibility to segment your network and control data flows appropriately. You should make considerations for Visibility and Analytics, Automation and Orchestration, and Governance.
Application Workload: This refers to all systems, computer programs, and services that execute in the company's on-premises or cloud environment. Companies should secure and manage the application layer of their environment to provide secure application delivery. This should also include security features that prevent users from manipulating applications to circumvent access controls.
Data: Data should be protected on devices, applications, and networks. Companies should inventory, categorize and label data, protect data at rest and in transit, and deploy controls for detecting data leakage and exfiltration.
These five pillars give you a high-level overview of the five areas that must be considered when implementing a Zero Trust model in your environment. In addition to simply striving to achieve a secure state, companies must keep in mind the security-related compliance requirements for their specific industry: for example, HIPAA or HITRUST for healthcare, GDPR if your customers are in the EU, etc. Depending on your company's exact situation, you will be required to implement specific processes.
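To make the pillars concrete, here is an added example (not from the original article) of a per-request policy decision that checks identity, device, session age and data label, placed next to the perimeter check it replaces. The user, device and resource inventories are constructed stand-ins for an identity provider, device management system and data catalogue.

```python
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Constructed reference data standing in for an identity provider, a device
# inventory (MDM) and a data catalogue; real deployments query these live.
INTERNAL_NET = ip_network("10.0.0.0/8")          # the old "trusted inside"
USER_GROUPS = {"alice": {"finance"}, "bob": {"engineering"}}
MANAGED_DEVICES = {"lt-0017": {"compliant": True}, "lt-0042": {"compliant": False}}
RESOURCE_POLICY = {
    "payroll-db": {"groups": {"finance"}, "label": "confidential"},
    "wiki": {"groups": {"finance", "engineering"}, "label": "internal"},
}
# Continuous validation: how long an authentication stays valid per data label.
MAX_SESSION_AGE = {"confidential": timedelta(minutes=15), "internal": timedelta(hours=8)}
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)   # fixed clock for the example

def minutes_ago(n):
    return NOW - timedelta(minutes=n)

def perimeter_decision(source_ip, **_):
    """Traditional model: a request is trusted because of where it comes from."""
    return ip_address(source_ip) in INTERNAL_NET

def zero_trust_decision(user, mfa_verified, auth_time, device_id, source_ip, resource):
    """Evaluate one request against identity, device, session age and data label.
    Network location (source_ip) is deliberately not a trust signal. Returns
    (allowed, reason); the reason is what an administrator needs when a legitimate
    user is wrongly denied during an early rollout."""
    policy = RESOURCE_POLICY.get(resource)
    if policy is None:
        return False, "resource: not in inventory, default deny"
    if not mfa_verified:
        return False, "identity: MFA not verified"
    device = MANAGED_DEVICES.get(device_id)
    if device is None or not device["compliant"]:
        return False, "device: not inventoried or non-compliant"
    if NOW - auth_time > MAX_SESSION_AGE[policy["label"]]:
        return False, f"session: re-authentication required for {policy['label']} data"
    if not USER_GROUPS.get(user, set()) & policy["groups"]:
        return False, f"authorization: {user} is not permitted on {resource}"
    return True, "allowed"

if __name__ == "__main__":
    req = dict(user="alice", mfa_verified=True, auth_time=minutes_ago(120),
               device_id="lt-0017", source_ip="10.1.2.3", resource="payroll-db")
    print("perimeter:", perimeter_decision(**req))      # True: inside the network
    print("zero trust:", zero_trust_decision(**req))    # (False, 'session: ...')
```

The same request that the perimeter model waves through on the strength of an internal IP is denied under Zero Trust because the session is too old for confidential data, and the returned reason tells the administrator which pillar produced the denial.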
Conclusion
The Zero Trust model is a security framework in which all users, internal or external, are required to authenticate and be continuously validated to access company resources. This is an improvement on the traditional security philosophy that used security perimeters to separate a "trusted" area from an "untrusted" area. All areas of the network and all users are treated with suspicion. The implementation of Zero Trust can be complicated for several reasons, but overall it is an important aspect of organizational security.