Zero Trust Security Model – Rethinking IT Asset Security
A network is only as secure as the weakest link in the network. CVP achieves effective protection of an organization’s assets using the Zero Trust Security Model. Read below to learn about the Zero Trust Security Model.
Historically in Enterprise Architecture (EA), security architecture was not considered a separate domain the way Business, Data, Application, and Technology architectures are in some of the industry-leading EA frameworks—even though securing IT assets has always been an important consideration.
With the rate of digital transformation (adopting cloud technologies and hosting sensitive data assets in geographically dispersed locations), adequately securing these data or IT assets is a more urgent need than ever. In recent years, there has been an increase in data breaches and hacking incidents, with no indication that these occurrences will slow down anytime soon. Check out this chart by “Information is Beautiful” to see the world’s biggest data breaches and hacking incidents.
The 2020 Annual Cybercrime Report from Cybersecurity Ventures predicts that cybercrime will cost the world $6 trillion annually by 2021, up from $3 trillion in 2015. Figures like these concern the Chief Information Officers (CIOs) and Chief Information Security Officers (CISOs) of any organization, and they have pushed cybersecurity from a retrofitting, after-the-fact consideration to a strategic, architecture-level engagement. That shift led to what is now known as the “Zero Trust” Security Model.
CVP’s Cybersecurity and Technology Modernization practices help organizations develop a robust Zero Trust Security Model to ensure digital assets are efficiently secured.
What is the Zero Trust Security Model?
In 2010, Forrester, a leading technology research organization, developed the concept of the Zero Trust model; Google later leveraged the concept as part of its “BeyondCorp” initiative.
The core foundations of Zero Trust Security Models are as follows:
(a) There is no trust for anything on or off the network;
(b) Compartmentalize and protect valuable IT assets;
(c) Full implementation of security controls.
The Zero Trust Security Model moves security away from a single, large network perimeter and places it at every endpoint and user within the organization. Prior to the Zero Trust model, the “Castle-and-Moat” mentality of locking down the network perimeter (and assuming everything within the network poses no threat) was the predominant security approach. However, companies have learned that the “Castle-and-Moat” approach doesn’t work: recent breaches have demonstrated that attack vectors exist at the endpoints and provide direct access to the data.
“The strategy around Zero Trust boils down to “don’t trust anyone.” We’re talking about, ‘Let’s cut off all access until the network knows who you are. Don’t allow access to IP addresses, machines, etc., until we know who that user is and whether they’re authorized,’” says Charlie Gero, Chief Technology Officer (CTO) of Enterprise and Advanced Projects Group at Akamai Technologies in Cambridge, Massachusetts.
A simple analogy makes the point: picture a home with five rooms with valuables stored in each of the rooms. There are no locks on any of the doors to the rooms, but the main house door is secured. So, if the main door is compromised, there is unrestricted access to the valuables in the five rooms. This is the issue with most networks today that depend mostly on perimeter network security using firewalls, etc.
Principles behind Zero Trust Security Models:
- Least-Privilege Access: Access to information should be on a need-to-know basis – granting user and application access to what is required to complete the job, thereby reducing exposure and risk across the network.
- Micro-Segmentation: This practice is not new in the industry; it splits security perimeters into small zones to provide fine-grained network access. Having access to assets in one zone does not automatically translate to having access to assets in other secure zones in the network; each zone requires its own authorization.
- Multi-Factor Authentication (MFA): The requirement of more than one piece of evidence to authenticate a user or even a system. The practice of MFA has gained momentum, with both users and organizations expecting a higher level of security for access to their data without it becoming burdensome. A valid password alone is not sufficient, in both user and system-to-system interactions. A good example of MFA is accessing a bank account with something you have (e.g., a bank card) and something you know (e.g., a PIN). Facebook, Google, and other online platforms now offer MFA on their platforms.
- Audit and Controls: To be proactive, Zero Trust systems need to audit and monitor which devices, applications, and services are trying to access the network or its resources, and ensure that they are authorized. Hardened configurations and continuous monitoring of the control implementations ensure that an up-to-date risk picture of systems and networks is always available.
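The four principles above are easiest to see in a single policy decision. The following is an added example (not CVP’s code, and not any product’s API): a toy policy decision point for a hypothetical organization, with constructed sample grants. It denies by default, grants only the actions a user was explicitly given on a specific asset (least privilege), treats each zone as its own segment that needs its own authorization (micro-segmentation), demands MFA for sensitive zones, records every decision for monitoring (audit and controls), and deliberately ignores whether the request came from on or off the network.

```python
"""Toy Zero Trust policy decision point (added example, hypothetical organization)."""
from dataclasses import dataclass, asdict
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class AccessRequest:
    user: str
    zone: str               # micro-segment the asset lives in, e.g. "finance"
    resource: str           # asset within the zone, e.g. "payroll-db"
    action: str             # "read" or "write"
    mfa_verified: bool      # session presented a second factor
    device_compliant: bool  # device passed its hardened-configuration check
    source: str             # "on-net" or "off-net"; recorded, never trusted


# Constructed sample policy. Each user gets explicit
# (zone, resource) -> actions grants, i.e. least privilege.
GRANTS: Dict[str, Dict[Tuple[str, str], Set[str]]] = {
    "alice": {
        ("finance", "payroll-db"): {"read"},
        ("hr", "directory"): {"read", "write"},
    },
    "bob": {
        ("hr", "directory"): {"read"},
    },
}

# Zones that require MFA on every request, whoever makes it.
MFA_REQUIRED_ZONES: Set[str] = {"finance"}


def evaluate(req: AccessRequest, audit_log: List[dict]) -> Tuple[bool, str]:
    """Decide one request. Default deny: only an explicit grant flips it to allow.

    Checks run in order: device posture, MFA for the zone, then the grant for
    this exact (zone, resource, action). Network location (req.source) never
    enters the decision; that is the "no trust on or off the network" rule.
    Every decision, allowed or denied, is appended to audit_log.
    """
    allowed, reason = False, "no matching grant"
    if not req.device_compliant:
        reason = "device failed compliance check"
    elif req.zone in MFA_REQUIRED_ZONES and not req.mfa_verified:
        reason = f"zone '{req.zone}' requires MFA"
    else:
        permitted = GRANTS.get(req.user, {}).get((req.zone, req.resource), set())
        if req.action in permitted:
            allowed, reason = True, "explicit grant"
    entry = asdict(req)
    entry.update(allowed=allowed, reason=reason)
    audit_log.append(entry)
    return allowed, reason


def denials_per_user(audit_log: List[dict]) -> Dict[str, int]:
    """Audit and Controls: count denied requests per user for monitoring."""
    counts: Dict[str, int] = {}
    for entry in audit_log:
        if not entry["allowed"]:
            counts[entry["user"]] = counts.get(entry["user"], 0) + 1
    return counts


if __name__ == "__main__":
    log: List[dict] = []
    # Constructed sample requests exercising each principle.
    samples = [
        AccessRequest("alice", "finance", "payroll-db", "read", True, True, "off-net"),
        AccessRequest("alice", "finance", "payroll-db", "write", True, True, "on-net"),
        AccessRequest("alice", "finance", "payroll-db", "read", False, True, "on-net"),
        AccessRequest("bob", "finance", "payroll-db", "read", True, True, "on-net"),
        AccessRequest("bob", "hr", "directory", "read", True, False, "on-net"),
    ]
    for r in samples:
        print(r.user, r.action, f"{r.zone}/{r.resource}", r.source, evaluate(r, log))
    print("denials per user:", denials_per_user(log))
```

Note what the sample run shows: alice reading payroll-db from off the network is allowed because identity, device and MFA check out, while alice writing the same database from inside the network is denied because the grant covers only read. bob holds a valid grant in the hr zone but gets nothing in finance, which is the micro-segmentation point, and a non-compliant device is refused before any grant is consulted.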
With organizations moving to a hybrid infrastructure of both on-premises and cloud, a new way of thinking is certainly needed, because these days the “castle” no longer exists in isolation. The old model exposes IT assets to users and systems connecting from multiple locations and multiple devices around the world.
For greenfield projects (new projects that do not build on anything existing), a Zero Trust Security Model may not be that difficult to set up, but for brownfield efforts (changes or maintenance to an existing system), this is not a minor task. It may require dismantling part of a legacy infrastructure or of processes that have been in place for a long time. It also requires commitment from the CIO, CISO, and senior executive leadership, right up to the CEO or the Secretary of an Agency.
Additionally, certain products work well in a Zero Trust environment, but some may not. Ideally, Zero Trust should be built upon the existing IT environment or network; it does not require removing and replacing existing technology. A good indication of how long the implementation can take, even for a large but nimble company, is Google, which took six years to fully build and implement its model.
Going back to the earlier analogy of the home with five rooms: even though an intruder was able to compromise the main house door, access to each of the five rooms would not be a smooth ride. With Zero Trust, all the rooms would be locked, with validation and authentication required before anyone could enter the rooms. A network is only as secure as its weakest link. Effective protection of an organization’s assets is achievable using a comprehensive Zero Trust architecture strategy.
CVP’s Cybersecurity and Technology Modernization Practices bring a wealth of knowledge and experience in helping clients navigate change in an ever-evolving cybersecurity world. In the coming days, we will be posting a blog on how CVP applies the Zero Trust Security Model to secure business applications, such as APIs, microservices, and web applications in a distributed environment.