Identify Technologies Behind Zero Trust
Learning Objectives
After completing this unit, you’ll be able to:
- Identify how to leverage existing technologies to implement the ZT security model.
- Explain the importance of identifying critical assets in implementing the ZT security model.
- Describe how to implement microsegmentation, identity and access management (IAM), the principle of least privilege, device access control, and more in the ZT security model.
Using Existing Technologies to Implement Zero Trust Security
Zero Trust (ZT) may seem new, but in actuality, organizations have been using many of the technologies behind the ZT security model for some time. To get started, consider what current set of controls you can immediately use. Let’s take a look at some common technologies used in ZT.
Prioritize ZT Implementation
ZT architecture requires visibility and control over your organization's users and traffic, including encrypted traffic. To prioritize ZT delivery, start by identifying the critical data and services where increased security would most reduce the attack surface. First, identify your organization’s most critical data, assets, applications, and services. This helps you understand the attack surface (the set of all possible points, or attack vectors, where an unauthorized user could access a system and extract data), and it enables you to prioritize where to begin implementing controls and creating ZT security policies.
Implement Zero Trust Security
Microsegmentation
A crucial tool in your ZT toolbox is microsegmentation. Microsegmentation goes a step beyond traditional network segmentation by adding a layer of protection for traffic from server to server, application to service, user to application, and more. In the castle and moat analogy, the external network boundary is the castle's thick walls and wide moat, and the internal networks are rooms with guards standing at their doors.
Microsegmentation is a security technique that breaks up an enterprise network into a set of segments, each with its own access control policies and gateways.
With microsegmentation, your security architects divide your organization’s data center into distinct workload segments, and then define security controls for each workload. ZT microsegmentation prevents attackers from using unapproved connections to move laterally from a compromised application or system regardless of environment. Any intrusion or damage is contained to the smallest possible surface area, and attackers are prevented from using one compromised asset to access another.
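The containment property described above can be checked directly against a segmentation policy. The following is an added example, not code from the Trailhead module or any segmentation product: a default-deny policy check over a constructed workload inventory and allow-list, with a `blast_radius` review function that reports which workloads a given workload could still reach. The workload names, segments, ports and rules are all constructed for the example.

```python
"""Default-deny microsegmentation policy check (added example, constructed data)."""
from dataclasses import dataclass

# Constructed mapping of workloads to the segment each belongs to.
WORKLOAD_SEGMENT = {
    "web-01": "web", "web-02": "web",
    "api-01": "app",
    "db-01": "db",
    "hr-app-01": "hr",
}

# Constructed allow-list: (source segment, destination segment, protocol, port).
# Any flow not listed is denied, including flows between workloads of the same
# segment, which is what stops lateral movement from a compromised workload.
ALLOWED_FLOWS = {
    ("web", "app", "tcp", 8443),
    ("app", "db", "tcp", 5432),
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    port: int


def evaluate_flow(flow: Flow) -> tuple:
    """Return (allowed, reason). Unknown workloads and unlisted flows are denied."""
    src_seg = WORKLOAD_SEGMENT.get(flow.src)
    dst_seg = WORKLOAD_SEGMENT.get(flow.dst)
    if src_seg is None or dst_seg is None:
        return False, "deny: unknown workload"
    rule = (src_seg, dst_seg, flow.proto, flow.port)
    if rule in ALLOWED_FLOWS:
        return True, f"allow: {src_seg}->{dst_seg} {flow.proto}/{flow.port}"
    return False, f"deny: no rule for {src_seg}->{dst_seg} {flow.proto}/{flow.port}"


def blast_radius(workload: str, ports=(22, 443, 5432, 8443)) -> set:
    """Every (workload, proto, port) the given workload may reach under the policy.

    Used for containment review: if this workload were compromised, the set is
    what an attacker could reach through approved connections, and nothing else.
    """
    reach = set()
    for other in WORKLOAD_SEGMENT:
        if other == workload:
            continue
        for port in ports:
            allowed, _ = evaluate_flow(Flow(workload, other, "tcp", port))
            if allowed:
                reach.add((other, "tcp", port))
    return reach


if __name__ == "__main__":
    for name in WORKLOAD_SEGMENT:
        print(f"{name}: reachable = {sorted(blast_radius(name))}")
```

Running the block lists, per workload, what it can reach: the web tier reaches only the API port of the app tier, the app tier reaches only the database port, and the HR application reaches nothing. A direct web-to-database flow or a web-to-web SSH flow is denied because no rule lists it, not because a rule forbids it.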
Identity and Access Management
You’ve segmented your workloads, and now it’s time to control access to those workloads. ZT shifts access controls from the perimeter to individual devices and users. Because identity is a cornerstone of ZT, every user and device needs to be identified along with the role they play within an organization.
Identity and access management (IAM) solutions offer the core technology that organizations can start with on their ZT journeys. IAM systems verify identities and control privileges. You use IAM to assign privileges based on factors like who a user is, what device they’re using as they attempt to gain access, and what they’re allowed to do.
To implement IAM, you start by creating a secure, common federated identity management system or using an identity provider (IdP). An IdP can help you centralize and simplify your organization’s identity management, and integrate it with microsegmentation technologies. An IdP also enables you to streamline access by enabling Security Assertion Markup Language (SAML), which is a standard that allows users to access multiple web applications using one set of login credentials. To learn more about IAM, check out The Center for Internet Security Critical Security Controls module.
Multi-factor Authentication
Once you’ve identified your users and assets, and implemented an IAM system to manage their access, you next need to verify that access is authenticated in a secure manner. Implementing multi-factor authentication (MFA) methods beyond passwords, such as biometrics or one-time codes, is key to achieving ZT.
Every time a user or device requests access to protected data, it’s a best practice to have MFA in place to confirm their identity. Traditional approaches to network security focused on authenticating and authorizing access upon initial network login. ZT goes beyond the concept of protecting a network boundary, focusing on authenticating and authorizing access continuously through an adaptive, risk-based assessment to identify potential threats.
Every access request needs to be fully authenticated, authorized, and encrypted before access is granted. This repeated authentication prevents unauthorized access to sensitive information and, if a breach does occur, blocks lateral movement to limit the damage.
Granular Resource Access Control
Now that you have a system in place for managing user and device access and authentication, the next step in a ZT security model is implementing nontechnical and technical policies to grant appropriate access. These policies are based on the identity of users, the device attempting to gain access (including Internet of Things [IoT] devices), plus other contextual data such as time and date, geolocation, historical usage patterns, and device posture. Nontechnical policies describe to your personnel in writing how your organization will protect its assets. And they are key to ensuring all users understand their roles and responsibilities in implementing a ZT security model.
Technical policies are typically permissioning and enforcement mechanisms implemented through security controls to define the context of what can and cannot be done within your network. Organizations can apply granular resource access control policies technically enforced by role-based access control (RBAC) or attribute-based access control (ABAC) to secure sensitive systems and data.
Least Privilege
Technical policies can also include limiting access by implementing the principle of least privilege. Least privilege means providing only as much access as necessary to perform a function. For example, if a user’s account is compromised, least privilege minimizes their exposure to sensitive parts of the network and ensures the account doesn’t have broad privileges to access a wide swath of the organization’s data.
When you implement least privilege, you also enable continuous verification, a key component of the ZT security model. Continuous verification requires a user to reverify themselves after a set period following the initial grant of access.
Device Access Control
In addition to controls on user access, ZT also requires strict controls on device access. Device access control means monitoring how many different devices within and outside of your organization are trying to access resources, ensuring every device is authorized, and assessing all devices to make sure they haven’t been compromised. You do so using various asset management technologies.
Automated network discovery tools help you automatically discover, monitor, map, and produce detailed inventories of your network devices (and applications and users). They use a specific set of protocols to collect the IP addresses, device identification, and vendor information of connected devices on your network. You can integrate these tools with your configuration management and vulnerability management tools to verify that all assets on your network are known, authenticated, configured, and patched appropriately. Using this technology, your security team can discover previously unknown (and possibly rogue) assets and apply the same ZT access policies to them on a continuous basis.
Mobile device management (MDM) tools enable your organization’s information technology (IT) administrators to control, secure, and enforce policies on mobile devices. This is useful regardless of whether your organization operates a bring your own device (BYOD), organization-issued, or hybrid mobile device environment. Administrators use MDM to provide your users mobile productivity tools and approved applications while securing access to your organization’s data. You can also use MDM to deploy microsegmentation onto endpoints.
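The integration between discovery, inventory and MDM data described in the two paragraphs above amounts to a reconciliation step. The following is an added example, not code from Trailhead or any discovery or MDM product: it takes constructed discovery-scan output and a constructed inventory enriched with MDM enrollment and patch status, assigns each observed device a status, maps that status to an access tier, and lists inventory entries that were not seen on the network. MAC addresses, owners and the access tiers are all constructed.

```python
"""Reconcile discovered devices against the asset inventory (added example, constructed data)."""

# Constructed discovery-scan output: what automated network discovery observed.
DISCOVERED = [
    {"ip": "10.0.1.10", "mac": "aa:bb:cc:00:00:01", "vendor": "Dell"},
    {"ip": "10.0.1.11", "mac": "aa:bb:cc:00:00:02", "vendor": "Apple"},
    {"ip": "10.0.1.12", "mac": "aa:bb:cc:00:00:03", "vendor": "Unknown"},
    {"ip": "10.0.1.13", "mac": "aa:bb:cc:00:00:04", "vendor": "Lenovo"},
]

# Constructed asset inventory keyed by MAC, enriched from MDM and patch management.
INVENTORY = {
    "aa:bb:cc:00:00:01": {"owner": "alice", "mdm_enrolled": True, "patched": True},
    "aa:bb:cc:00:00:02": {"owner": "bob", "mdm_enrolled": True, "patched": False},
    "aa:bb:cc:00:00:04": {"owner": "carol", "mdm_enrolled": False, "patched": True},
    "aa:bb:cc:00:00:05": {"owner": "dave", "mdm_enrolled": True, "patched": True},
}

# Access tier applied per status (constructed policy): an unknown device gets no
# access until it is identified and enrolled, and a known but non-compliant device
# is limited to remediation services.
ACCESS_TIER = {
    "compliant": "full",
    "unpatched": "restricted",
    "unmanaged": "restricted",
    "unknown": "quarantine",
}


def classify(record) -> str:
    """Status of one observed device from its inventory record (None if not in inventory)."""
    if record is None:
        return "unknown"
    if not record["mdm_enrolled"]:
        return "unmanaged"
    if not record["patched"]:
        return "unpatched"
    return "compliant"


def reconcile(discovered, inventory) -> dict:
    """Join scan results with inventory; return per-device decisions and unseen inventory."""
    devices = {}
    for dev in discovered:
        rec = inventory.get(dev["mac"])
        status = classify(rec)
        devices[dev["mac"]] = {
            "ip": dev["ip"],
            "vendor": dev["vendor"],
            "owner": rec["owner"] if rec else None,
            "status": status,
            "access": ACCESS_TIER[status],
        }
    # Inventory entries not observed on the network: off-network devices or stale records
    # that should be reviewed so the inventory stays trustworthy.
    missing = sorted(set(inventory) - set(devices))
    return {"devices": devices, "missing": missing}


if __name__ == "__main__":
    result = reconcile(DISCOVERED, INVENTORY)
    for mac, info in result["devices"].items():
        print(mac, info["ip"], info["status"], "->", info["access"])
    print("not seen on network:", result["missing"])
```

The join key is the MAC address because that is what discovery and inventory both carry in this example; a real integration would key on whatever identifier the MDM and discovery tools share. The `missing` list matters as much as the quarantine decisions: an inventory that accumulates records for devices nobody sees anymore stops being a source of truth.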
Continuous Monitoring and Validation
You’re managing identities and access and authenticating users and devices repeatedly. But ZT doesn’t stop there. It focuses on monitoring post-authentication, too.
ZT architecture also requires organizations to continuously monitor and validate that users and devices have the right privileges and attributes. To do so, your organization uses rich intelligence and analytics to detect and respond to anomalies in real time. Implementing the granular access control policies described earlier in a risk-based and adaptive manner requires pulling data from many sources within the IT or operational technology (OT) environment, including monitoring data that covers users, devices, and critical processes.
To help manage this monitoring data, you can make use of a security information and event management (SIEM) system, a tool that centralizes and correlates log data from users, devices, and services so that you can monitor for suspicious activity.
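The correlation a SIEM performs over centralized logs can be shown on a small scale. The block below is an added example and is not code from Trailhead or from any SIEM product: it parses constructed key=value log lines for login and access events, then raises alerts for a burst of failed logins followed by a success, for successful activity from a device outside the user's baseline, and for access to a resource outside that baseline. The log format, the user baselines, the three-failure threshold and the five-minute window are all assumptions made for the example.

```python
"""SIEM-style correlation over authentication and access events (added example, constructed data)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed log lines in a simple key=value format; not output of any real product.
LOG_LINES = [
    "2024-03-01T09:00:01Z user=alice device=lap-01 event=login result=success src_country=US",
    "2024-03-01T09:05:10Z user=alice device=lap-01 event=access resource=crm result=success src_country=US",
    "2024-03-01T09:20:00Z user=bob device=unknown-7 event=login result=fail src_country=RO",
    "2024-03-01T09:20:05Z user=bob device=unknown-7 event=login result=fail src_country=RO",
    "2024-03-01T09:20:09Z user=bob device=unknown-7 event=login result=fail src_country=RO",
    "2024-03-01T09:20:15Z user=bob device=unknown-7 event=login result=success src_country=RO",
    "2024-03-01T09:21:00Z user=bob device=unknown-7 event=access resource=hr-records result=success src_country=RO",
]

# Constructed baselines: the devices and resources that are normal for each user.
BASELINE = {
    "alice": {"devices": {"lap-01"}, "resources": {"crm"}},
    "bob": {"devices": {"lap-02"}, "resources": {"crm", "wiki"}},
}

FAIL_THRESHOLD = 3               # failures before a following success is suspicious (assumed)
FAIL_WINDOW = timedelta(minutes=5)

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line: str) -> dict:
    """Turn one log line into an event dict with a timezone-aware timestamp."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    event = dict(pair.split("=", 1) for pair in m.group("kv").split())
    event["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return event


def correlate(lines, baseline) -> list:
    """Return alert strings, in the order the triggering events were seen."""
    alerts = []
    recent_fails = defaultdict(deque)   # user -> timestamps of failed logins inside the window
    flagged_devices = set()             # (user, device) pairs already reported
    for ev in map(parse_line, lines):
        user, ts = ev["user"], ev["ts"]
        if ev["event"] == "login":
            fails = recent_fails[user]
            while fails and ts - fails[0] > FAIL_WINDOW:
                fails.popleft()         # drop failures that fell out of the window
            if ev["result"] == "fail":
                fails.append(ts)
            elif len(fails) >= FAIL_THRESHOLD:
                alerts.append(f"{user}: success after {len(fails)} failures within {FAIL_WINDOW}")
                fails.clear()
        if ev["result"] != "success":
            continue
        # Post-authentication checks: a valid login is not the end of scrutiny.
        profile = baseline.get(user, {"devices": set(), "resources": set()})
        if ev["device"] not in profile["devices"] and (user, ev["device"]) not in flagged_devices:
            flagged_devices.add((user, ev["device"]))
            alerts.append(f"{user}: {ev['event']} from device not in baseline ({ev['device']})")
        if ev["event"] == "access" and ev["resource"] not in profile["resources"]:
            alerts.append(f"{user}: access to resource outside baseline ({ev['resource']})")
    return alerts


if __name__ == "__main__":
    for alert in correlate(LOG_LINES, BASELINE):
        print(alert)
```

On the constructed input, alice's activity raises nothing, while bob's produces three alerts: a success following three failures, a login from a device that is not in his baseline, and access to a resource he does not normally touch. The device alert is reported once per (user, device) pair so that a single unknown device does not flood the queue with one alert per event.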
Sum It Up
In this module, you’ve been introduced to the ZT security model. You’ve learned more about the history of ZT, and its key principles. You’ve also discovered the technologies that form the foundation of the ZT security model.
In the next module, Zero Trust Security in the Cloud, you learn how to implement the ZT security model in the cloud. And you learn about the ongoing work required to maintain ZT. Interested in learning more about cybersecurity roles and hearing from security professionals? Check out the Cybersecurity Learning Hub on Trailhead.
Resources
- Trailhead: Cybersecurity Threats and Threat Actors
- External Site: Fortinet: What Is Network Segmentation?
- Trailhead: Get Started with Cybersecurity Architecture
- Trailhead: The Center for Internet Security Critical Security Controls
- External Site: National Institute of Standards and Technology (NIST): RBAC