3-Step Roadmap to Zero Trust Security
The term “Zero Trust” was coined by Forrester Research Inc. in 2010, when the concept model was first presented by analyst and thought-leader John Kindervag. In essence, Zero Trust security builds on familiar concepts such as Single Sign-on (SSO), Multifactor Authentication (MFA), Identity and Access Management (IAM), analytics, encryption, scoring and file system permissions.
The traditional security approach automatically trusted users and endpoints inside the organization’s perimeter. This put the organization at risk from malicious insiders and from legitimate credentials taken over by attackers, because unauthorized and compromised accounts gained wide-reaching access once inside.
This model became obsolete with the cloud migration driven by business transformation initiatives and the acceleration of distributed working environments following the global pandemic. In essence, Zero Trust security is a significant departure from the traditional “trust but verify” network security method.
What is Zero Trust Security?
Zero Trust is a cybersecurity strategy designed around the concept that users, applications and data should never be trusted, and their actions should always be verified in an environment.
As a security framework, it assumes that there is no traditional network edge to your organisation’s IT estate and infrastructure. The approach requires all users, whether inside or outside your organisation, to be authenticated, authorised and continuously validated for security configuration and posture before being granted, or retaining, access to your applications and data.
Zero Trust is as much about your security mindset as it is about specific tools and implementation strategies. Instead of thinking about security as a protective perimeter around resources, you need to assume that your resources are always vulnerable to attack. Threats to applications and data will come from external malicious sources, internal or 3rd party applications, and even authorized users.
The concept is straightforward: Zero Trust assumes that anyone or anything attempting to connect to your cloud services is suspect. A human user may be a potential wrongdoer. An automated process attempting to use your data may be a malware program. Trust no one, and assume that every entity is untrustworthy until its identity has been verified!
The framework is well suited to today’s new normal, addressing the modern business challenges of securing remote workers, hybrid cloud environments and ransomware threats.
Zero Trust requires organisations to continuously monitor and validate that users and devices have the right level of privileges and attributes. As an architecture it requires, at a minimum:
Enforcement of policy that takes into account the risk of users and devices, along with compliance and other requirements, before permitting a transaction.
That the organisation knows all of its service and privileged accounts, and can establish controls over what they connect to and from where.
As a result, organizations must ensure that every access request is continuously vetted before access is allowed to any part of the IT estate. But migrating to a Zero Trust architecture isn’t just a case of flicking a switch. Zero Trust is embedded into the Microsoft Enterprise Mobility and Security (EMS) Suite as standard, which can dramatically improve your security stance, yet few organisations achieve a perfect implementation. So here’s our 3-step roadmap to Zero Trust Security, so you can understand where your organisation is now and what you should be doing next.
Single Sign-on (SSO)
SSO is a great starting point for tackling Zero Trust identity management and is traditionally the stepping-off point from a traditional trusted-network model. SSO solutions create an authentication token from a single login and password that users can apply to a range of enterprise cloud applications. That is, a user can open one application and easily move to another without having to re-verify his or her identity. SSO provides strong security while enhancing the end-user experience by streamlining provisioning and access to data and applications.
Many organizations use Microsoft’s Active Directory, an SSO solution that provides access to connected resources without requiring additional authentication of users. Active Directory also provides useful management tools, such as user access logs.
However, SSO does not address every risk. When an employee leaves the enterprise, the IT team will likely need to offboard the person’s credentials one application at a time. And, if an employee’s credentials are compromised, a wrongdoer could potentially gain access to a wide range of applications and databases.
Identity and Access Management (IAM)
At this step you should have centralised and verified application identity management, based on multifactor authentication and role-based security. Centralised IAM provides ease of access to users, while increasing security control with role-based permissions and real-time alerts.
Centralised management of user credentials streamlines the critical task of creating credentials for new workers and disabling the credentials of those who leave. When organisations lack simple, consistent procedures for adding and removing users, they may inadvertently allow departed employees to retain access to sensitive corporate information.
Formalised IAM helps ensure that access policies are applied consistently across the organisation, issuing alerts and alarms through a single pane of glass when policies are violated.
Zero Trust Identity Management
In the final step, organisations break free of using assumptions to govern access. Internal users are no longer assumed to be authorised; every user and access request is treated as a threat until validated as safe.
For example, a request made with valid credentials but coming from a previously unknown location or device should trigger a multi-factor authentication challenge. A complete Zero Trust environment should use machine learning to analyse user behaviour as a component of the authentication process. Deviations from historical behaviour patterns should trigger additional validation and alert security teams.
At the most mature end of the Zero Trust curve, your organisation should be moving to a completely password-free experience, using a combination of validation methods such as one-time access codes, authorised devices and user behaviour data. At the heart of every Zero Trust implementation is a driving need for continuous verification of user identity, contextual evaluation of user access requests, real-time assignment of least-privilege access rights and a complete audit record of user activity.
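To make the IAM and Zero Trust identity steps above concrete, here is a small Python policy engine added for this article; it is not code from the original post, from Microsoft EMS or from any product named here. It assumes a hypothetical central directory (IdentityService) with a role-to-permission table (ROLE_PERMISSIONS), a behaviour-analytics score supplied with each request (anomaly_score, 0.0 to 1.0) and an assumed step-up threshold (ANOMALY_THRESHOLD). It shows onboarding and offboarding in one place, least-privilege checks against roles, an MFA challenge for an unknown device or location, an alert when behaviour deviates from history, and an audit record for every decision, allowed or not.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Hypothetical role-to-permission mapping, constructed for this example.
# Least privilege: a user only ever receives the union of their roles' rights.
ROLE_PERMISSIONS = {
    "finance": {"ledger:read", "ledger:write"},
    "support": {"ticket:read", "ticket:write"},
}

# Assumed threshold above which a behaviour-analytics score counts as a
# deviation from the user's history and triggers step-up auth plus an alert.
ANOMALY_THRESHOLD = 0.7


@dataclass
class User:
    name: str
    roles: set
    enabled: bool = True
    known_devices: set = field(default_factory=set)
    known_countries: set = field(default_factory=set)


@dataclass
class AccessRequest:
    user: str
    permission: str           # e.g. "ledger:write"
    device_id: str
    country: str
    anomaly_score: float      # 0.0 = matches history, 1.0 = nothing like it (assumed input)
    mfa_passed: bool = False  # whether an MFA challenge was already satisfied


class IdentityService:
    """Central directory: one place to onboard, offboard and evaluate every request."""

    def __init__(self):
        self.users = {}
        self.audit_log = []   # every decision is recorded, allowed or not
        self.alerts = []      # deviations the security team should look at

    def onboard(self, name, roles, device_id, country):
        self.users[name] = User(name, set(roles), True, {device_id}, {country})
        self._record(name, "onboard", "allow", "account created")

    def offboard(self, name):
        # One change here closes access to every application trusting this directory.
        self.users[name].enabled = False
        self._record(name, "offboard", "allow", "account disabled")

    def evaluate(self, req):
        """Return 'allow', 'mfa_required' or 'deny' for one access request."""
        user = self.users.get(req.user)
        if user is None or not user.enabled:
            return self._record(req.user, req.permission, "deny", "unknown or disabled account")

        granted = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in user.roles))
        if req.permission not in granted:
            return self._record(req.user, req.permission, "deny", "not granted by any assigned role")

        # Contextual checks: valid credentials alone are never enough.
        reasons = []
        if req.device_id not in user.known_devices:
            reasons.append("unknown device")
        if req.country not in user.known_countries:
            reasons.append("unknown location")
        if req.anomaly_score >= ANOMALY_THRESHOLD:
            reasons.append(f"behaviour deviation {req.anomaly_score:.2f}")
            self.alerts.append((req.user, req.permission, reasons[-1]))

        if reasons and not req.mfa_passed:
            return self._record(req.user, req.permission, "mfa_required", "; ".join(reasons))

        if req.mfa_passed:
            # A satisfied challenge teaches the directory the new context.
            user.known_devices.add(req.device_id)
            user.known_countries.add(req.country)
        return self._record(req.user, req.permission, "allow", "; ".join(reasons) or "matches known context")

    def _record(self, user, action, decision, reason):
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": user, "action": action, "decision": decision, "reason": reason,
        })
        return decision


def demo():
    """Constructed walk-through; returns the decisions and the service for inspection."""
    svc = IdentityService()
    svc.onboard("alice", ["finance"], device_id="laptop-01", country="GB")
    d1 = svc.evaluate(AccessRequest("alice", "ledger:write", "laptop-01", "GB", 0.1))
    d2 = svc.evaluate(AccessRequest("alice", "ledger:write", "phone-77", "FR", 0.2))
    d3 = svc.evaluate(AccessRequest("alice", "ledger:write", "phone-77", "FR", 0.2, mfa_passed=True))
    d4 = svc.evaluate(AccessRequest("alice", "ledger:write", "phone-77", "FR", 0.2))
    d5 = svc.evaluate(AccessRequest("alice", "ticket:write", "laptop-01", "GB", 0.0))
    d6 = svc.evaluate(AccessRequest("alice", "ledger:read", "laptop-01", "GB", 0.95))
    svc.offboard("alice")
    d7 = svc.evaluate(AccessRequest("alice", "ledger:read", "laptop-01", "GB", 0.0))
    return [d1, d2, d3, d4, d5, d6, d7], svc


if __name__ == "__main__":
    decisions, svc = demo()
    for entry in svc.audit_log:
        print(entry["user"], entry["action"], entry["decision"], "-", entry["reason"])
```

Running demo() walks through the article's scenarios in order: a request from a known device and location is allowed, the same credentials from a new phone in a new country are held for MFA and only allowed once the challenge is satisfied, a permission outside the user's role is refused outright, a high behaviour-deviation score forces step-up and raises an alert even from a known device, and after offboarding every request is denied regardless of context. In a real estate the threshold, the device and location registries and the analytics score would come from your identity platform rather than being hard-coded.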
Talk with an expert
Having a certified Microsoft Gold Partner by your side who has “been there, done that” many times before can help ensure you don’t fall into any security pitfalls.
If you need to understand your organisation’s cyber-security exposure, book our free IT Security & Governance workshop. It will help you understand your cyber-security challenges and presents the solutions and options available to keep you secure.
Book your free exploratory cyber security workshop today.