What is Zero Trust Security?

Never trust, always verify: reinventing cybersecurity in a perimeter-less world

Drew Schlussel
Senior Director, Product Marketing
10/24/2022

It is not exactly a secret that cybersecurity has grown more challenging as cyber threats have become increasingly serious and numerous in recent years. In response, cybersecurity teams are rethinking the fundamentals of their security strategies. In place of the traditional security perimeter, with its implicit trust of users and devices, the Zero Trust (ZT) model is emerging as the de facto foundation of cybersecurity policies and countermeasures. This article examines Zero Trust, offering definitions and insights into its applicability to the modern enterprise.

The Zero Trust security model

Zero Trust security refers to cybersecurity policies and countermeasures based on the ZT security model. One essential fact to grasp is that ZT is not a solution. It’s an idea. Zero Trust security comprises a set of principles, such as those defined in the Cybersecurity and Infrastructure Security Agency’s (CISA) Zero Trust Maturity Model, that establish the basis for security controls and practices. Zero Trust is realized in practice as a Zero Trust Architecture (ZTA).

ZT has arisen as a predominant security model because security professionals realized that traditional countermeasures, such as firewalls and VPNs, along with usernames and passwords, were not effective at keeping malicious actors away from sensitive data and systems. These outdated approaches extend trust to users based on simple, easily compromised credentials. With the right credentials, a firewall or VPN authenticates the user, and most traditional security solutions then grant that user broad authorization: once admitted, they can reach a wide range of data and applications on the network.

This kind of “trust by default” policy was leading to disaster. ZT rectifies its deficiencies with the opposite approach, which is “never trust, always verify.” No user or device is trusted at the outset. All must be verified before being granted access.

What does Zero Trust mean?

Before answering the question “What does Zero Trust mean?” it’s worth taking a second to define the concept of trust, in general. Trust is one of those concepts that all human beings understand implicitly but may have difficulty articulating. In his book, Trust in Computer Systems and the Cloud, author Mike Bursell draws on sociology and philosophy to offer a basic definition of trust, which is “the assurance that one entity holds that another will perform particular actions according to a specific expectation.”

The definition matters because ZT is about one entity granting access to a user only when it is certain that user will perform particular actions according to a specific expectation. That is, if a ZT-based system grants access to a user or device, it has an expectation that the user or device will behave in accordance with security policies. Even then, that is not enough. Zero Trust security also requires granting the minimum possible degree of trust. Access is limited to the smallest increment of data or application functionality—and is then rechecked repeatedly throughout the user session.

What are the principles of Zero Trust security?

Zero Trust security principles extend beyond the basic “never trust, always verify” rule. ZT also means reducing trust zones and getting rid of the notion that trust can be assumed based on location. For example, if a user’s device shows itself to be on the corporate campus, that does not mean that it is in the possession of the authorized user.

Other principles of Zero Trust security include:

  • Always identifying users, devices, and workloads to ensure that all are authenticated and authorized to access specific resources.
  • Continuously monitoring the environment with the goal of detecting both advanced attacks and changes in context for users and devices, e.g., a device that is not where it is supposed to be, or a user acting in anomalous ways such as repeatedly trying to access a resource they are not authorized to see.
  • Treating access as contextual, e.g., using Artificial Intelligence (AI) to evaluate, in real time, signals such as GPS location, MAC address, keystroke profile, and other unique identifiers before and during a session.
  • Always restricting access, e.g., only granting access to applications and data sets to users whose profiles indicate that they need access to do their jobs. Everyone else gets blocked.
  • Always examining access, e.g., authenticating and inspecting every bit of network traffic with the goal of stopping inappropriate access requests before they reach their destinations.
  • Segmenting access, with micro-segmentation walling off access to areas of the network, servers, and applications that are not needed by the user. This policy has the effect of reducing the “blast radius” of malware or other attacks.
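The following policy decision function applies the principles above to a single access request: identity verification, device posture, location as context rather than proof, a periodic re-check during the session, anomaly counting on out-of-scope attempts, and prefix-scoped entitlements standing in for micro-segmentation. It is an added example, not code from the article or any product; the roles, sites and resource prefixes are constructed.

```python
from dataclasses import dataclass
# Everything below is constructed for illustration: hypothetical roles, sites and resources.

@dataclass
class Device:
    managed: bool        # enrolled in device management
    patched: bool        # OS at the required patch level
    expected_site: str   # site this device is registered to operate from

@dataclass
class Request:
    user: str
    roles: frozenset
    mfa_verified: bool
    device: Device
    observed_site: str   # where the device presents itself from right now
    resource: str        # e.g. "payroll/reports/q3.csv"
    action: str          # "read" or "write"
    verified_at: int     # epoch seconds of the last successful identity check

# Minimal entitlements, role -> {resource prefix: allowed actions}; prefixes act as segments
ENTITLEMENTS = {
    "finance": {"payroll/": {"read"}},
    "finance-admin": {"payroll/": {"read", "write"}},
}
RECHECK_SECONDS = 300   # identity must have been re-verified within this window
ANOMALY_THRESHOLD = 3   # this many out-of-scope attempts marks the user anomalous

def decide(req: Request, now: int, denials: dict) -> tuple:
    """Evaluate one request: (allowed, reason). Nothing is trusted by default;
    every check runs on every request, and out-of-scope attempts are counted."""
    if not req.mfa_verified:
        return False, "identity not verified"
    if now - req.verified_at > RECHECK_SECONDS:
        return False, "verification stale; re-authenticate"
    if not (req.device.managed and req.device.patched):
        return False, "device posture failed"
    # Location is context, not proof: a mismatch denies, a match never grants on its own
    if req.observed_site != req.device.expected_site:
        return False, "device is not where it is expected to be"
    if denials.get(req.user, 0) >= ANOMALY_THRESHOLD:
        return False, "repeated unauthorized attempts; access suspended for review"
    for role in req.roles:
        for prefix, actions in ENTITLEMENTS.get(role, {}).items():
            if req.resource.startswith(prefix) and req.action in actions:
                return True, f"allowed via role {role}"
    denials[req.user] = denials.get(req.user, 0) + 1
    return False, "no entitlement for this resource and action"
```

Note that the entitlement check runs last: a request only reaches it after identity, freshness, device and context checks have all passed, and a denial there is what feeds the anomaly counter.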

What is not a principle of Zero Trust security?

With ZT becoming so popular, it can be hard to parse what is and what is not a principle of Zero Trust. One policy that gets mistaken for ZT is that of “the principle of least privilege.” The two ideas are related, but different. The principle of least privilege holds that a user should only be granted the least possible privilege in any situation. Zero Trust is arguably “least privilege” at its extreme. However, the principle of least privilege does not deal at all with authentication, verification of users, rechecking user identities, and the like.

Another area of confusion around Zero Trust comes from the Secure Access Service Edge (SASE) paradigm. This approach to securing end users and devices in distributed environments is growing in popularity. It includes Zero Trust as part of its design, in the form of Zero Trust Network Access (ZTNA). SASE is not Zero Trust, though. Implementing SASE does not mean that one is implementing Zero Trust throughout the enterprise.

What is Zero Trust Network Access?

Zero Trust Network Access (ZTNA) is a subset of the Zero Trust model that is applied to networks. A ZTNA solution secures remote access to apps, data, and network segments using Zero Trust rules. It connects those remote users via a secure, encrypted tunnel. This way, the user is unable to see the IP addresses of apps or services that are outside his or her privileges. ZTNA is comparable to the concept of the software-defined perimeter (SDP).

How can I implement Zero Trust?

Implementing Zero Trust can be challenging, but there is some good news. For one thing, some of the underlying systems required to make Zero Trust a reality may already be in place in an enterprise. These include solutions for Identity and Access Management (IAM) and identity governance, as well as capabilities for network segmentation and device verification. They may not yet be configured for Zero Trust, but at least they do not have to be acquired and set up from scratch.

The other good news is that it is possible to start on a small scale with Zero Trust and expand the model over time. For example, it may be best to start by instantiating Zero Trust policies for a cloud storage volume that contains sensitive data. As that project comes to fruition, the security team can move on to other areas of the business and apply lessons learned.

One thing to keep in mind is that the Zero Trust model can apply to virtually any resource. Despite a common misconception, it is not just for network access. ZT can be the security model for any element in the technology stack, such as data, applications, and operating systems.

While there is no single Zero Trust solution, a growing number of products and platforms now support the model. There is ZTNA, of course, but many security operations tools and data protection solutions, to name just two examples, now come with features and configurations that operationalize the Zero Trust model. The hard work involves figuring out where these tools will be needed, how the Zero Trust model will actually work, and then executing the implementation plan.

What Zero Trust enterprises should look for in a cloud storage service

A Zero Trust enterprise needs to pay attention to its storage. In the cloud, especially, data can be vulnerable to malicious actors if the storage solution does not embody Zero Trust principles. For example, an optimal cloud storage platform for Zero Trust should support end-to-end encryption and two-factor authentication. On a related front, a cloud storage platform supporting Zero Trust should support immutable buckets or Object Lock, and micro-segmentation, with the goal of protecting data from malicious changes, deletion, or encryption, e.g., with ransomware.

The platform also needs to support IAM policies so it can manage user identities and enforce authorization policies. Rapid rotation of access key pairs, deprecating and replacing them on a short cycle, is another essential element of cloud storage for Zero Trust. Versioning and bucket logging further help security managers monitor the enforcement of Zero Trust policies. Integration with security operations tools and AI-based event monitoring are also helpful.
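To make the storage-side requirements concrete, here is a least-privilege IAM policy of the kind described above (one prefix, MFA required, versioning and Object Lock settings explicitly protected) together with a deliberately simplified evaluator that shows how its explicit denies and MFA condition decide requests. This is an added example, not the article's or any vendor's code: the bucket name is a placeholder, the action names are AWS-style S3 IAM actions, and the evaluator approximates rather than reproduces a real IAM engine.

```python
from fnmatch import fnmatchcase

BUCKET = "example-sensitive-bucket"   # placeholder name, not a real bucket

# Least-privilege policy for one finance prefix: MFA required for every grant;
# destructive and lock-weakening actions explicitly denied so no other grant can restore them.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:ListBucket"],
         "Resource": [f"arn:aws:s3:::{BUCKET}"],
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": [f"arn:aws:s3:::{BUCKET}/finance/*"],
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
        {"Effect": "Deny",
         "Action": ["s3:DeleteObjectVersion", "s3:BypassGovernanceRetention",
                    "s3:PutBucketVersioning", "s3:PutBucketObjectLockConfiguration"],
         "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"]},
    ],
}

def _matches(stmt: dict, action: str, resource: str, ctx: dict) -> bool:
    """True if the statement's action, resource and Bool conditions all match the request."""
    if not any(fnmatchcase(action, a) for a in stmt["Action"]):
        return False
    if not any(fnmatchcase(resource, r) for r in stmt["Resource"]):
        return False
    for key, want in stmt.get("Condition", {}).get("Bool", {}).items():
        # A missing context key counts as "false", so an absent MFA claim never satisfies it
        if str(ctx.get(key, "false")).lower() != want:
            return False
    return True

def is_allowed(policy: dict, action: str, resource: str, ctx: dict) -> bool:
    """Simplified IAM evaluation order: explicit Deny wins, then any Allow, else default deny."""
    effects = {s["Effect"] for s in policy["Statement"] if _matches(s, action, resource, ctx)}
    if "Deny" in effects:
        return False
    return "Allow" in effects
```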

To learn more about Zero Trust security and how to secure your enterprise data in the cloud, download our new eguide: Cloud Storage in a Zero Trust Enterprise.
