Saved By Zero: Trust, That Is

In some sense, zero can be understood as nothing or nada. But just as the introduction of zero to counting and math revolutionized thinking and theory, the introduction of zero to cybersecurity is fomenting similar churn and rethinking. I’m talking about the concept known as “Zero Trust,” usually abbreviated as ZT.

‍

As somebody who still makes a good chunk of his living writing custom corporate content, much of it cloud- and security-related, I can tell you from recent, repeat personal experience that Zero Trust is emerging as “the next Big Thing” in security circles.

‍

Defining Zero Trust

‍

Among a collection of fundamental ZT principles (more to come on that below) the cornerstones of ZT are best expressed as:

‍

1) Never trust, always verify, sometimes echoing The X-Files in the form, “Trust no one.”

2) Assume your systems and data have already been breached, and behave accordingly.

‍

The Zero Trust security model, believe it or not, emerges from work undertaken under the auspices of — get ready for it — the United States government. You can read about such work in the Department of Defense Zero Trust Reference Architecture, in the NIST Publication Zero Trust Architecture, and through the National Cybersecurity Center of Excellence (NCCOE) description of Implementing a Zero Trust Architecture.

‍

Lots of good stuff in each and every one of these references, in fact.

‍

Implementing Zero Trust

‍

That last reference lays out principles and best practices for what it calls ZTNA (Zero Trust Network Architecture) as follows:

‍

1) Identities, privileges and security are always verified, through continuous monitoring and validation. Users, devices, processes, and so forth (also known as “security identities”) must log in and authenticate with each and every access.

2. Put PLP (“the principle of least privilege”) to work everywhere, so that security identities obtain only necessary privileges and all such grants of privilege are examined carefully, monitored and audited.

3. Use serious access control to limit how many devices can log onto the network at any given time; to continuously check to determine that all active devices are authorized; and to examine security state of devices to make sure they are not now nor have previously been compromised.

4. Employ micro-segmentation to assign separate security containers for each and every security identity. Also security perimeters are divided into multiple, separate areas each requiring access controls, validation and verification. This prevent any security identity from attempting a “whole network” takeover.

5. Block lateral movement, to stop attackers from moving from one part of the network to another, once they gain access to a single area. Micro-segmentation, with its requirement for access control, validation and verification to access any (and all) segments enforces such capability.

6. Use MFA (multi-factor authentication), whereby users must supply two or more proofs of identity to authenticate successfully. The best MFA schemes involve user biometrics, security tokens, and/or assigned communications devices (e.g. smartphones) to provide strong proofs of identity.

‍

Why IT Pros Should Care About ZT

‍

If you hold one or more cyber security certs, you’ll certainly be learning more about ZT as you prepare to keep them up-to-date. But even those whose job responsibilities don’t explicitly include security should still posses basic knowledge of fundamental security principles and best practices.

‍

In my opinion, ZT is part of that mix. If you’d like to come up to higher speed on this topic, then the aforelinked NIST publication (“Zero Trust Architecture”) is a great place to start. Cheers!

‍