Zero trust is a philosophy and practice all about securing data across your entire network. Zero trust means trust no one — authenticate everyone. Adopting this philosophy means your organization assumes that every single user, device and service that attempts to connect to its network is hostile until proven otherwise.
The fundamental principle of zero trust is to secure an organization’s data — anywhere it lives — allowing only legitimate users and entities access to relevant resources and assets.
In this article, let’s go deep into the zero trust principle, including pillars of zero trust architecture, why zero trust is important in the enterprise and how you can shift to zero trust in your organization.
What is zero trust?
Zero trust is not a specific architecture, product or software solution. Instead, it’s a methodology for secure access, and a critical part of enterprise security.
The key to a successful zero trust network is understanding who is making access requests and from which device — then mapping that request to access policies per application or asset. It requires CISOs, CTOs and CIOs to consider and possibly update the security strategy and network architecture.
Let’s compare this mindset to how we did security for decades.
Origin story: Traditional network security
Before Forrester Research defined zero trust security networks (ZTX) in 2010, security practitioners followed a network-based segmentation model, built on traditional network security solutions.
In this model, a hardened network perimeter surrounded your organization’s network, which housed all your resources and data. Then, you’d layer security tools — IDS, IPS, firewalls and more — like moats and walls around your castle.
But if a hacker or threat actor were to breach the perimeter and penetrate the network, they would have unchecked access to the network. Now, they can move laterally into connected systems to compromise assets or people.
Modern work, distributed systems
Eventually, security teams abandoned this network-centric approach, mostly because they had to.
Today’s new ecosystem — cloud apps, remote workforces and mobile devices — cannot conform to traditional security strategies. Instead, this distributed way of working greatly expands the attack surface. Data and workloads can live, operate and offer access from almost anywhere.
Renewed focus comes in 2020
In 2020, attackers exploited SolarWinds software, which gave them access to hundreds of the company’s customers. Later that year, and likely in response, the U.S. National Institute of Standards and Technology (NIST) established a definition of the zero trust approach in Special Publication 800-207, as part of a rejuvenated effort to mitigate malware, ransomware and other types of global cybersecurity threats, defining:
[Zero trust as a] “term for an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources.”
To address these complexities and the urgent increase in attacks, zero trust assumes that all networks are compromised until proven otherwise. To flip this, we can say that any device, user or system — whether internal or external — should never be trusted. Instead, you need to explicitly authenticate and authorize access to all resources.
This doesn’t mean getting rid of perimeter security and traditional security policies, however. Rather, it’s an organizational shift in approach when it comes to protecting core assets.
How zero trust works
Any organization today, any size, any stripe, stores data in a variety of locations and apps, both on-premises and in cloud environments. This allows wide access to a variety of folks: employees, vendors, contractors, partners and other authorized users (…and all their personal devices).
For example, Tina is authorized to use their company’s case management system from their personal laptop. Tina makes a request from that device and is granted access. Eventually, they download software from an unauthorized source. This could be something as simple as a printer driver or a photo.
In a zero-trust environment, the device is continuously monitored, so this unauthorized download is flagged.
This newly added component has altered the configuration — and therefore the trust score — of the device in question. When the employee attempts to connect to the system, their access might be denied, or downgraded, depending on their new trust score and associated policy.
In this way, looking at the trust across multiple factors (the user, their device and the downloaded resource) helps security teams understand dynamic risks in the enterprise. Layering this information together provides more context.
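The scenario above, replayed as a small policy decision point. This is an added example, not code from the article or from Splunk: the posture signals, the weights, the 70/85/40 thresholds and the "read-only" downgrade are all illustrative assumptions. What it shows is the part that matters for zero trust: the decision is recomputed from identity plus current device context at every request, so the same authorized user on the same laptop gets a different answer once the device drifts.

```python
from dataclasses import dataclass, field

# Illustrative policy thresholds (assumptions, not from the article).
FULL_ACCESS_MIN = 70       # score needed for full access to an ordinary app
SENSITIVE_APP_BONUS = 15   # extra score demanded by high-sensitivity apps
LIMITED_ACCESS_MIN = 40    # below this the session is refused outright


@dataclass
class DevicePosture:
    """Signals an endpoint agent would report about the device (constructed)."""
    disk_encrypted: bool = True
    os_patched: bool = True
    edr_running: bool = True
    unauthorized_software: list = field(default_factory=list)


def trust_score(posture):
    """0-100 trust score; every weight here is an illustrative assumption."""
    score = 100
    if not posture.disk_encrypted:
        score -= 30
    if not posture.os_patched:
        score -= 20
    if not posture.edr_running:
        score -= 30
    score -= 25 * len(posture.unauthorized_software)   # each flagged install costs 25
    return max(score, 0)


def decide_access(user_authorized, posture, app_sensitivity="normal"):
    """Per-session decision from identity + device context: 'allow', 'read-only' or 'deny'."""
    if not user_authorized:
        return "deny"                      # identity fails first; device state is irrelevant
    required = FULL_ACCESS_MIN + (SENSITIVE_APP_BONUS if app_sensitivity == "high" else 0)
    score = trust_score(posture)
    if score >= required:
        return "allow"
    if score >= LIMITED_ACCESS_MIN:
        return "read-only"                 # downgraded rather than refused
    return "deny"


def tina_sessions():
    """Replay the article's scenario: same user, same app, re-evaluated at each request."""
    device = DevicePosture()
    decisions = [("clean laptop", decide_access(True, device, "high"))]
    # Continuous monitoring flags a download from an unauthorized source.
    device.unauthorized_software.append("printer-driver-from-unknown-site")
    decisions.append(("after unauthorized download", decide_access(True, device, "high")))
    # Further drift (missed patches plus a second flagged package) falls below the floor.
    device.os_patched = False
    device.unauthorized_software.append("unsigned-photo-viewer")
    decisions.append(("unpatched, two flags", decide_access(True, device, "high")))
    return decisions


if __name__ == "__main__":
    for stage, decision in tina_sessions():
        print(f"{stage:28s} -> {decision}")
```

Note that the score is never cached between requests: `decide_access` calls `trust_score` on the posture as it is now, which is what makes the downgrade in the second session possible without any change to Tina's identity or entitlements.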
Principles of the zero trust model
To be successful, a zero-trust framework entails several core underlying principles, including:
- Assume the network is always hostile. The traditional assumption that your network is relatively secure has disappeared. With zero trust, you assume it is not.
- Accept that external and internal threats are always on the network. Assuming there are always threats changes your cybersecurity approach to proactive.
- Do not trust a network simply because of the location of a corporate network or cloud provider. Traditional security rules, based on IP address, are no longer reliable.
- Authenticate and authorize every device, user and network flow. A zero trust model authenticates users and authorizes their access with least privilege, on a per-session basis.
- Implement dynamic, data-driven policies with multiple data sources. Establish end-to-end data analytics, providing monitoring and threat detection across the entire architecture.
For decades, individually authenticating every object requesting access to a network was basically impossible. Today, multiple technologies revolve around access control — that is, a set of rules to determine who should be granted access to a restricted location and/or critical information. A zero trust architecture can stitch these systems together, reducing the complexity of managing multiple controls independently.
Zero trust network architecture
Zero trust architecture (ZTA), or zero trust network architecture (ZTNA), is a cybersecurity architecture based on the principles of zero trust. The American Council for Technology and Industry Advisory Council (ACT-IAC) lays out the six pillars of a zero trust security model, each of which are built upon a foundation of data. These pillars are:
- Users. Continuously authenticating trusted users and user identity, continuously monitoring and validating user trustworthiness to govern their access and privileges.
- Devices. Measuring the real-time cybersecurity posture and trustworthiness of devices.
- Network. Isolating and controlling the network, including software-defined networks, software-defined wide area networks and internet-based technologies.
- Applications: Securing and properly managing the application layer, as well as cloud services, containers and virtual machines.
- Automation: Automating tasks across products and workflows, such as you can with security automation, orchestration and response (SOAR) solutions.
- Analytics: Observing what’s happening to appropriately orient your defenses. Visibility and analytics tools like security information and event management (SIEM), advanced security analytics, and user and entity behavior analytics (UEBA) are significant here.
Features & maturity
The following maturity model breaks down an organization’s security journey into distinct stages. Each stage covers specific objectives and allows for incremental, iterative improvements before moving on to the next phase of growth. Although this journey is focused on security outcomes, it also aligns with IT monitoring capabilities, because the same data is reused and reworked.
A zero trust implementation includes:
- Advanced detection. Apply sophisticated detection mechanisms, including machine learning, at a granular level.
- Automation and orchestration. Establish a consistent and repeatable security operation capability.
- Enrichment. Augmenting security data with intelligence sources to better understand the context and impact of an event.
- Expansion. Collecting additional data sources like endpoint activity and network metadata to drive advanced attack detection.
- Normalization. Applying a standard security taxonomy and adding asset and identity data.
- Collection: Collecting basic security logs and other machine data from your environment.
Getting started with zero trust
Implementing a zero trust architecture depends on many variables based on your current network setup. A comprehensive guide to getting started is beyond the scope of this document. But here are some key steps you can take to help you prepare.
Stage 1: Prioritize & collect relevant data
First, identify your organization’s most critical assets — specifically what you need to protect and monitor in order of priority. Now you’ll know where to allocate resources, and from what sources to ingest data.
Stage 2: Understand your data
Data is nothing without proper context. To understand your data, use a standard taxonomy across all data sources — otherwise you’re left with a whole lot of noise.
For example: your firewall solutions likely use different log formats and data structures than other security tools like IDS or IPS. To support centralized monitoring, this log data needs to be structured in a way that normalizes field names and values, putting them into a consistent format.
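The normalization step above, as an added example that is not part of the article or of any Splunk product. It takes two constructed log lines, a key=value firewall record and a Snort-style IDS alert, and maps both into one schema (the field names `src`, `dest`, `src_port`, `dest_port`, `transport`, `action` are this example's own choice, loosely modelled on common SIEM taxonomies). The payoff is in `group_by_flow`: once the fields share names and value vocabularies, the firewall drop and the IDS alert for the same connection can be joined on one key.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in two different formats (not real logs).
FW_LINE = "2024-05-01T10:15:00Z fw01 action=drop src=10.0.0.5 spt=51234 dst=203.0.113.9 dpt=443 proto=TCP"
IDS_LINE = ("05/01-10:15:02.123456 [**] [1:1000001:1] CONSTRUCTED test signature [**] "
            "[Priority: 2] {TCP} 10.0.0.5:51234 -> 203.0.113.9:443")

FW_KV = re.compile(r"(\w+)=(\S+)")
# Snort-style "fast" alert layout; the regex is this example's own.
IDS_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+\[(?P<sid>[\d:]+)\]\s+"
    r"(?P<sig>.+?)\s+\[\*\*\]\s+\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<spt>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dpt>\d+)$"
)

# Vendor-specific action words -> one common vocabulary.
ACTION_MAP = {"drop": "blocked", "deny": "blocked", "reject": "blocked",
              "accept": "allowed", "allow": "allowed", "pass": "allowed"}
# Snort priority 1 is the most urgent.
PRIORITY_MAP = {"1": "high", "2": "medium", "3": "low"}


def parse_firewall(line):
    """key=value firewall line -> common schema."""
    ts, host, rest = line.split(" ", 2)
    kv = dict(FW_KV.findall(rest))
    return {
        "_time": ts, "host": host, "product": "firewall",
        "src": kv["src"], "src_port": int(kv["spt"]),
        "dest": kv["dst"], "dest_port": int(kv["dpt"]),
        "transport": kv["proto"].lower(),
        "action": ACTION_MAP.get(kv["action"].lower(), "unknown"),
        "severity": None, "signature": None,
    }


def parse_ids(line, year=2024, host="ids01"):
    """Snort-style alert line -> common schema. The fast format carries no year,
    so the caller supplies it (assumption: alerts come from the current year)."""
    m = IDS_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised IDS line: {line!r}")
    ts = datetime.strptime(m["ts"], "%m/%d-%H:%M:%S.%f").replace(year=year)
    return {
        "_time": ts.strftime("%Y-%m-%dT%H:%M:%SZ"), "host": host, "product": "ids",
        "src": m["src"], "src_port": int(m["spt"]),
        "dest": m["dst"], "dest_port": int(m["dpt"]),
        "transport": m["proto"].lower(),
        "action": "alerted",            # an IDS observes; it does not block
        "severity": PRIORITY_MAP.get(m["prio"], "unknown"),
        "signature": f"{m['sig']} (sid {m['sid']})",
    }


def normalize(line):
    """Route a raw line to the right parser based on its shape."""
    if "[**]" in line:
        return parse_ids(line)
    if "action=" in line:
        return parse_firewall(line)
    raise ValueError(f"no parser for line: {line!r}")


def group_by_flow(events):
    """With shared field names, events from different tools join on one key."""
    flows = defaultdict(list)
    for e in events:
        flows[(e["src"], e["dest"], e["dest_port"])].append(e["product"])
    return dict(flows)


if __name__ == "__main__":
    events = [normalize(line) for line in (FW_LINE, IDS_LINE)]
    for e in events:
        print(e)
    print(group_by_flow(events))
```

Two details are where real-world normalizers usually go wrong and are handled deliberately here: the action vocabulary is mapped (a firewall's `drop` and an IDS that can only `alert` must not end up in the same "action" bucket by accident), and the IDS timestamp, which has no year in this layout, is completed with an explicit, documented assumption rather than silently.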
Stage 3: Expand your data sources
Monitoring security controls on their own will not detect advanced security threats. This is why security monitoring should also regularly look at:
- How target systems function.
- What authorized use looks like.
Establish a holistic view of systems, data and users. Zero trust controls can contain a security incident that comes through unauthorized means, but a user who is allowed in could still be a threat: fraud, insider threats and even social engineering. By considering zero trust policies in the context of how an authorized user should behave, we can better detect malicious access.
Stage 4: Enrich & augment your data
Embrace threat intelligence to identify indicators of compromise (IoCs) across zero trust controls and protected systems. Examples of this include:
- IP addresses, URLs or file hashes associated with phishing activity.
- Information relating to an SSL certificate known to be used for malicious purposes.
Secondly, understanding the posture of protected assets — as well as the systems used to access these resources — helps with risk scoring and security incident prioritization, as well as access authorization. For example:
- User systems with missing or insufficient system patches can have their access to critical systems limited.
- Security incidents connected to known vulnerabilities can be prioritized.
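The enrichment and prioritization described in this stage, as an added example that is not code from the article or from Splunk. It takes a handful of constructed, already-normalized events, matches their IP, file-hash and certificate fields against a constructed threat-intelligence feed, joins the destination against a constructed asset inventory (criticality and unpatched CVEs, with placeholder CVE ids), and turns the result into a risk score and P1/P2/P3 priority. The scoring weights and thresholds are illustrative assumptions; the point is that the same exploit alert lands at P1 against an unpatched critical host and at P3 against a patched one.

```python
# Constructed threat-intelligence feed: none of these are real indicators.
THREAT_INTEL = {
    "ip": {"203.0.113.9": "phishing-c2"},                                  # documentation-range address
    "file_hash": {"d41d8cd98f00b204e9800998ecf8427e": "phishing-lure"},    # MD5 of an empty file
    "ssl_fingerprint": {"00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33": "malicious-cert"},
}

# Constructed asset inventory; CVE ids are placeholders, not real vulnerabilities.
ASSETS = {
    "10.0.0.5":  {"name": "tina-laptop",    "criticality": "low",    "unpatched_cves": ["CVE-PLACEHOLDER-0002"]},
    "10.0.0.20": {"name": "case-mgmt-db",   "criticality": "high",   "unpatched_cves": ["CVE-PLACEHOLDER-0001"]},
    "10.0.0.21": {"name": "case-mgmt-db-2", "criticality": "medium", "unpatched_cves": []},
}

# Normalized events as a SIEM would hold them (constructed).
SAMPLE_EVENTS = [
    {"id": "E1", "severity": "medium", "src": "10.0.0.5", "dest": "203.0.113.9", "signature": "outbound beacon"},
    {"id": "E2", "severity": "low", "src": "10.0.0.5", "dest": "203.0.113.9",
     "file_hash": "d41d8cd98f00b204e9800998ecf8427e", "signature": "file download"},
    {"id": "E3", "severity": "high", "src": "198.51.100.7", "dest": "10.0.0.20",
     "cve": "CVE-PLACEHOLDER-0001", "signature": "exploit attempt"},
    {"id": "E4", "severity": "high", "src": "198.51.100.7", "dest": "10.0.0.21",
     "cve": "CVE-PLACEHOLDER-0001", "signature": "exploit attempt"},
    {"id": "E5", "severity": "low", "src": "10.0.0.7", "dest": "10.0.0.20", "signature": "db login"},
]

# Which event fields are looked up in which indicator set.
IOC_FIELDS = (("src", "ip"), ("dest", "ip"), ("file_hash", "file_hash"), ("ssl_fingerprint", "ssl_fingerprint"))


def enrich(event):
    """Attach threat-intel matches and asset context to a normalized event."""
    e = dict(event)
    e["threat_matches"] = [f"{fld}:{THREAT_INTEL[kind][e[fld]]}"
                           for fld, kind in IOC_FIELDS if e.get(fld) in THREAT_INTEL[kind]]
    target = ASSETS.get(e.get("dest"), {})
    e["dest_name"] = target.get("name", "unknown")
    e["dest_criticality"] = target.get("criticality", "unknown")
    cve = e.get("cve")
    # True: the target is actually exposed; False: patched; None: not applicable.
    e["vuln_exposed"] = (cve in target["unpatched_cves"]) if (cve and target) else None
    return e


def risk_score(e):
    """Illustrative weights: IoC hits dominate, exposure and criticality add context."""
    score = {"high": 30, "medium": 20, "low": 10}.get(e.get("severity"), 10)
    score += 40 * len(e["threat_matches"])
    if e["dest_criticality"] == "high":
        score += 20
    if e["vuln_exposed"] is True:
        score += 30
    elif e["vuln_exposed"] is False:
        score -= 10           # the exploit targets a hole this host has already closed
    return score


def prioritize(events):
    """Enrich, score and rank events so analysts see the riskiest first."""
    enriched = [enrich(ev) for ev in events]
    for e in enriched:
        e["risk_score"] = risk_score(e)
        e["priority"] = "P1" if e["risk_score"] >= 70 else "P2" if e["risk_score"] >= 40 else "P3"
    return sorted(enriched, key=lambda e: e["risk_score"], reverse=True)


if __name__ == "__main__":
    for e in prioritize(SAMPLE_EVENTS):
        print(e["priority"], e["risk_score"], e["id"], e["signature"], e["threat_matches"], e["dest_name"])
```

E2 outranks the "high" severity events because two independent indicators (destination IP and file hash) match, while E4, nominally the same attack as E3, drops to P3 because the asset data says the target is not exposed. That is the context the raw severity field alone cannot give.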
Zero Trust is an essential culture shift
Technology challenges aside (which mostly relate to reducing your tech stack), implementing zero trust solutions does not have to be daunting. Though the mindset shifts, it does not require a “rip and replace” upgrade of any systems. In fact, you can accomplish zero trust incrementally, with small, ongoing changes to policies and access controls.
This posting does not necessarily represent Splunk's position, strategies or opinion.