Maybe you’ve heard the term “zero trust networking” and wondered what it is. The term has become a little more mainstream over time and has been gaining momentum. Recently, zero trust networking has come to more businesses’ attention because it was referenced in the president’s Executive Order on Improving the Nation’s Cybersecurity, which directs government agencies, and those that work with government agencies, to work towards a “zero trust security model”.
Let’s take some time to talk about what that is, what it means, and how that applies to us. Because whether you’re a government agency or not (or work with one), zero trust is a really important framework and concept to understand for anybody who wants to secure their network.
There are three main parts to zero trust networking:
- Verify user identity explicitly.
- Implement least privilege access.
- Consider everything on your network to be potentially hostile.
These principles may seem extreme, or at least they have seemed extreme in the past. Given how cybersecurity threats have evolved, they are no longer considered overkill.
Why is Zero Trust Important now?
Historically speaking, in the security realm we’ve had a mentality of “zero trust” toward the internet for a long time. The point of firewalls, spam filters, and so on has been to protect “the good guys” behind the firewall and keep the bad guys out, so what’s “inside” stays safe. This is often referred to as the “fortress mentality”. And it’s not cutting it today. The mindset that what is “inside” is good and what is “outside” is potentially hostile just can’t be assumed to be true anymore.
You still need your firewalls and spam filters; they certainly help to reduce risk. We need to have those external protections and those barriers as best we can. But the reality is that if somebody wants to get in, there’s probably a way in. This means we need to rethink the way that we approach our networks and the way that we secure things.
The Three Principles of Zero Trust Networking
A “zero trust” mindset changes how we deal with things inside the network or inside our own systems, whether that’s Office 365 in the cloud, or a more traditional network with your server and workstations in an office.
So, let’s break down the three principles of zero trust to see what’s changed.
Verify User Identity Explicitly
In the past, it was common for a new employee to get a username and password to a company’s system, as well as access to all the company’s resources – even files and systems from other departments. The idea was to enable productivity and efficiency and reduce barriers to people getting their jobs done. So make systems accessible and give everyone rights and permissions, even if the specific person didn’t need all that access, or all those privileges. Because we trust our employees, right?
But now trusting your employee isn’t enough – you also have to verify. Identities can be stolen; user accounts can be compromised. You can’t always know for sure that the person behind the username and password is who they say they are. You don’t know which user might click on a phishing link or visit a malicious website by accident, and compromise their account credentials.
The zero-trust answer is to verify explicitly. Know who is logging in, not just with a username and password, but with additional tools like geolocation information and multi-factor authentication. If an employee is based in the U.S., but a login request to their account comes from Japan or Australia – you should probably block that.
User verification requires tying together a lot of intelligence and asking, do we think this user is who they say they are?
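The “verify explicitly” decision described above, written out as a small policy check: a correct password alone never results in “allow”, a sign-in from outside the user’s expected countries is blocked, and a missing MFA result triggers a step-up. This is an added example, not code from OXEN or from any identity provider; the user profiles, the key=value log format and the sample sign-ins are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed per-user expectations (hypothetical names and values). In a
# real deployment these would come from HR records and the identity
# provider's sign-in history rather than a literal in code.
USER_PROFILES: Dict[str, Dict[str, set]] = {
    "alice": {"home_countries": {"US"}, "known_devices": {"laptop-a1"}},
    "bob": {"home_countries": {"US", "CA"}, "known_devices": {"laptop-b7"}},
}


@dataclass
class SignIn:
    user: str
    password_ok: bool
    mfa_ok: bool
    country: str      # country of the source IP, from geolocation
    device_id: str    # identifier the client presented, if any


def evaluate_signin(event: SignIn) -> Tuple[str, List[str]]:
    """Return (decision, reasons); decision is 'allow', 'step_up' or 'block'."""
    reasons: List[str] = []
    profile = USER_PROFILES.get(event.user)
    if profile is None:
        return "block", ["no profile for this user"]
    if not event.password_ok:
        return "block", ["password check failed"]
    # Unexpected geography (the US employee / Japan sign-in case): block it.
    if event.country not in profile["home_countries"]:
        reasons.append(
            f"sign-in from {event.country}, expected one of "
            f"{sorted(profile['home_countries'])}"
        )
        return "block", reasons
    # A correct password alone never proves identity; MFA has to succeed.
    if not event.mfa_ok:
        reasons.append("MFA not completed")
        return "step_up", reasons
    # Known geography and MFA passed: allow, but record an unfamiliar device
    # so it shows up in review instead of silently becoming "known".
    if event.device_id not in profile["known_devices"]:
        reasons.append(f"first sign-in from device {event.device_id}")
    return "allow", reasons


# Constructed sign-in log in a simple key=value form (not a real IdP format).
SAMPLE_LOG = """\
2021-06-01T08:02:11Z user=alice pw=ok mfa=pass country=US device=laptop-a1
2021-06-01T08:05:40Z user=alice pw=ok mfa=pass country=JP device=laptop-a1
2021-06-01T09:12:03Z user=bob pw=ok mfa=fail country=CA device=laptop-b7
2021-06-01T09:30:55Z user=mallory pw=ok mfa=pass country=US device=unknown-1
2021-06-01T10:01:17Z user=bob pw=ok mfa=pass country=US device=tablet-b2
"""


def parse_line(line: str) -> SignIn:
    """Parse one constructed log line into a SignIn event."""
    _timestamp, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return SignIn(
        user=kv["user"],
        password_ok=kv["pw"] == "ok",
        mfa_ok=kv["mfa"] == "pass",
        country=kv["country"],
        device_id=kv["device"],
    )


def triage_log(text: str) -> List[Dict[str, object]]:
    """Evaluate every line of a log and return one record per sign-in."""
    records: List[Dict[str, object]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        decision, reasons = evaluate_signin(event)
        records.append({"user": event.user, "decision": decision, "reasons": reasons})
    return records


if __name__ == "__main__":
    for rec in triage_log(SAMPLE_LOG):
        print(f"{rec['user']:8} {rec['decision']:8} {'; '.join(rec['reasons'])}")
```

The order of the checks is the point: geography is evaluated before MFA, so a stolen password plus a stolen second factor still fails if it is used from somewhere the user never is, and an unknown device is logged rather than auto-trusted.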
Least Privilege Access
The second principle of zero trust is least privilege access. Let’s go back to what I said previously about how employees used to get access to all the files and all the systems. With zero trust, we don’t do that anymore. It actually needs to be the opposite. Begin with users being denied everything, no access to anything. And then add in permissions to what they specifically need to perform their job, and nothing more.
Why? This creates isolation and shuts down unnecessary access that could be leveraged by attackers if they compromise a user account. If a person in the sales department only has access to sales files, and they get hit with ransomware – you’ll be glad you used least privilege access, because the ransomware won’t get everything through that one user, it’ll just hit the sales department.
The point of least privilege access isn’t to keep people from doing their jobs. The purpose of this principle is to not give people access to things that they will never need.
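The deny-by-default model from the last three paragraphs, as an added example (not OXEN’s code): every user starts with no access, roles grant explicit (resource, permission) pairs, and a helper shows what ransomware running under a sales account could actually write to, compared with the old “everyone gets everything” model. Share names, roles and users are constructed for illustration.

```python
from typing import Dict, Set, Tuple

# Constructed inventory of shares (hypothetical names).
RESOURCES: Set[str] = {
    "sales/quotes", "sales/contracts", "finance/payroll", "hr/records", "eng/source",
}

# Explicit grants: role -> {(resource, permission)}. Nothing else is granted,
# so every user starts from "denied everything" and only listed pairs open up.
ROLE_GRANTS: Dict[str, Set[Tuple[str, str]]] = {
    "sales_rep": {
        ("sales/quotes", "read"), ("sales/quotes", "write"),
        ("sales/contracts", "read"),
    },
    "finance_clerk": {
        ("finance/payroll", "read"), ("finance/payroll", "write"),
    },
    "engineer": {("eng/source", "read"), ("eng/source", "write")},
}

USER_ROLES: Dict[str, Set[str]] = {
    "sam": {"sales_rep"},
    "fiona": {"finance_clerk"},
    "eve": {"engineer", "sales_rep"},
}


def is_allowed(user: str, resource: str, permission: str) -> bool:
    """Default deny: allowed only if some role held by the user grants the pair."""
    for role in USER_ROLES.get(user, set()):
        if (resource, permission) in ROLE_GRANTS.get(role, set()):
            return True
    return False


def writable_by(user: str) -> Set[str]:
    """Shares the user can modify. This is also the worst case for ransomware
    running under that account: it can only encrypt what the account can write."""
    return {r for r in RESOURCES if is_allowed(user, r, "write")}


def legacy_writable_by(user: str) -> Set[str]:
    """The old 'everyone gets everything' model the article describes, for
    contrast: any known user can write to every share."""
    return set(RESOURCES) if user in USER_ROLES else set()


def blast_radius_report(user: str) -> Dict[str, int]:
    """Compare how many shares ransomware could reach under each model."""
    return {
        "least_privilege": len(writable_by(user)),
        "legacy_full_access": len(legacy_writable_by(user)),
    }


if __name__ == "__main__":
    for u in USER_ROLES:
        print(u, sorted(writable_by(u)), blast_radius_report(u))
```

Note that the sales rep keeps read access to contracts but not write access, so a compromised sales account can exfiltrate contracts but cannot encrypt them; least privilege limits damage, it does not remove the need for the identity checks in the previous section.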
Everything Is Potentially Hostile
And lastly, you need to consider everything in your network as potentially hostile. Because this is reality. Here you need to proactively think about how a new system, a new device, or new software could be attacked and leveraged against you. And how can these elements in your network be segmented and isolated to prevent this?
Some good examples are IP phone systems and IP security cameras. You could put these systems on your corporate network along with your server and everything else. But if a PC gets hit with an attack, you don’t want that attack to spread to your phone and surveillance systems. Segmenting various components on your network can help you protect your devices from your other devices!
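The phone-and-camera segmentation described above, as an added example (not OXEN’s code or any vendor’s firewall syntax): each device class gets its own subnet, cross-zone traffic must match a short allow list and is otherwise dropped, and an audit function runs the policy over flow records so that a PC reaching for a camera shows up as a finding. The address plan, the allow list and the sample flows are constructed assumptions, not a recommended port list.

```python
import ipaddress
from typing import Dict, List, Optional, Set, Tuple

# Constructed address plan: one subnet (VLAN) per class of device. Hypothetical.
ZONES: Dict[str, ipaddress.IPv4Network] = {
    "workstations": ipaddress.ip_network("10.10.0.0/24"),
    "servers": ipaddress.ip_network("10.20.0.0/24"),
    "voip": ipaddress.ip_network("10.30.0.0/24"),
    "cameras": ipaddress.ip_network("10.40.0.0/24"),
    "mgmt": ipaddress.ip_network("10.50.0.0/24"),
}

# Explicit inter-zone allow list: (src_zone, dst_zone, protocol, dst_port).
# Anything between zones that is not listed is dropped. Entries are assumptions
# for this example.
ALLOWED: Set[Tuple[str, str, str, int]] = {
    ("workstations", "servers", "tcp", 445),   # file shares
    ("workstations", "servers", "tcp", 443),   # internal web apps
    ("mgmt", "cameras", "tcp", 443),           # camera admin only from the management zone
    ("mgmt", "voip", "tcp", 443),              # PBX admin likewise
    ("voip", "servers", "udp", 123),           # phones need time sync
}


def zone_of(ip: str) -> Optional[str]:
    """Map an address to its zone, or None if it is outside the plan."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def flow_allowed(src: str, dst: str, proto: str, port: int) -> bool:
    """Decide a single flow. Cross-zone traffic must match the allow list and
    unknown addresses are dropped. Traffic inside one zone is allowed here;
    host isolation within a zone would be the next step to tighten."""
    s, d = zone_of(src), zone_of(dst)
    if s is None or d is None:
        return False
    if s == d:
        return True
    return (s, d, proto, port) in ALLOWED


# Constructed flow records (not real firewall output): src dst proto dport.
SAMPLE_FLOWS = """\
10.10.0.15 10.20.0.5 tcp 445
10.10.0.15 10.40.0.9 tcp 554
10.10.0.15 10.30.0.2 tcp 22
10.50.0.3 10.40.0.9 tcp 443
10.10.0.15 10.10.0.77 tcp 445
10.30.0.2 10.20.0.5 udp 123
"""


def audit_flows(text: str) -> List[Tuple[str, str, str, int, str, str]]:
    """Return the flows the policy would drop, with the zones involved, so a
    workstation reaching for a camera or phone is reported as a finding."""
    findings: List[Tuple[str, str, str, int, str, str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, port_text = line.split()
        port = int(port_text)
        if not flow_allowed(src, dst, proto, port):
            findings.append((src, dst, proto, port, zone_of(src) or "?", zone_of(dst) or "?"))
    return findings


if __name__ == "__main__":
    for f in audit_flows(SAMPLE_FLOWS):
        print(f"DROP {f[0]} ({f[4]}) -> {f[1]} ({f[5]}) {f[2]}/{f[3]}")
```

Because the allow list is directional, the protection runs both ways: the workstation zone cannot reach the cameras, and a compromised camera cannot reach the workstations either. Review the findings list before enforcing such a policy on real traffic; the flows it drops are exactly the ones to confirm as unwanted.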
How do you work towards this mindset?
So how do you “implement” zero trust? First and foremost, zero trust isn’t a product, it’s a process. No one can sell you a cookie-cutter “zero trust networking package”. But experts like OXEN’s Shared CIOs can help you see where you can make changes and improvements as you work towards the zero-trust model.