Zero Trust

Zero Trust means Continuous Verification

Retake control of your data with Pomerium's self-hosted reverse proxy.

Zero trust means each action is continuously verified

Let’s start off with an executive-level summary for the time-conscious.

  • Why should I care about zero trust?

  • What is zero trust?

  • What makes a solution zero trust?

If you don’t want corpo-speak, we have a convenient C-level Guide to Zero Trust.

Zero Trust in Three Paragraphs

Why should I care about zero trust?

The traditional network-centric model is failing as the Perimeter Problem continues to play out. Many companies are currently either on the Traditional or Initial tier of the Cybersecurity and Infrastructure Security Agency (CISA)’s Zero Trust Maturity Model, making them vulnerable to basic attack vectors such as the ongoing Snowflake breach affecting over 165 companies at time of writing.

What is zero trust?

You want to identify and stop bad actions before they are allowed to happen. Anything less is insecure.

Zero trust does not mean “don’t trust anything.” In broad strokes:

  • Trust does not flow based on where the requesting user is located

  • Every action is continuously verified against identity, posture, and context

Zero trust is a security model that assumes no one — whether inside or outside the network — can be trusted by default. This approach has become necessary because of compromised credentials, malicious insiders, and negligent contractors.

Here’s how the National Institute of Standards and Technology (NIST) puts it in Special Publication (SP) 800-207:

"Zero Trust (ZT) provides a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as compromised. Zero Trust Architecture (ZTA) is an enterprise’s cybersecurity plan that uses zero trust concepts and encompasses component relationships, workflow planning, and access policies. Therefore, a zero trust enterprise is the network infrastructure (physical and virtual) and operational policies that are in place for an enterprise as a product of a ZTA plan."

Instead of assuming that users or devices are inherently trustworthy once they are inside the network perimeter, zero trust explicitly verifies every request as though it originates from an open network such as the public internet. Trust is incrementally established as individual factors are verified, and access is then granted for a single request. The verification is repeated on the next action because circumstances may have changed, which makes zero trust a continuous cycle of verification before any action is allowed to execute.

Adopting this principle and mindset completely changes the approach an organization would use for their internal access.

What makes something zero trust?

Most solutions claim to be zero trust, but fail to be upon examination of their inner workings. Organizations often ask their own practitioners to determine whether a solution fits the key principles of a zero trust cybersecurity solution, which can be summarized as:

  • Constant, explicit verification — Always authenticate and authorize based on all available data points, including user identity and contextual data such as location, device posture and state, service or workload, data classification, and any other anomalies.

  • Assume Breach — Companies should proceed as though a breach has already happened. This is done by implementing efforts to minimize blast radius and prevent lateral movement, with the fundamental assumption being that an account logging in may be compromised.

Zero trust architecture answers the following questions:

  • Who is trying to access, and how do we know? — How does the target resource confirm the user’s identity using multiple factors? Is it just a user entering the right credentials, or are other factors verified?

  • Should we allow them access? — How does the resource confirm a verified user has the necessary privileges? Are there security policies in place to grant fine-grained access to strictly authorized users?

  • Are there other contextual factors we should consider? — Identity is immutable, but contextual factors often change on a case-by-case basis. For example, if a user is normally authorized but currently on probation, is it still safe to grant them access? If an account normally logs in from the USA but is logging in from another country, is it safe to grant the same degree of access?

  • Has anything changed between then and now? — Every action should be treated as brand new, continuously verifying the above is true. Even the same user in the same session can be compromised if the session was hijacked or the session token stolen.

Reference reading:

(Source: CISA’s Zero Trust Maturity Model)


Additional Use Cases

Continuous verification for proactive security

A verified user does not guarantee that the user's actions are safe. Pomerium continuously verifies each action against identity, posture, and context according to security policies before the action is allowed to happen. This directly limits lateral movement and protects against compromised credentials and malicious insiders.

This is a direct upgrade from session-based solutions, where verification stops once a user has authenticated and the connection is established.
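To make the four questions above and the per-request model in this section concrete, here is an added Python illustration (not Pomerium's code). It evaluates identity, device posture and request context from scratch on every request, and contrasts that with a session gate that verifies once and then trusts the session id. The field names, the policy table, the eight-hour session limit and every sample value are constructed for the example; a real deployment would take them from an identity provider, a device-posture source and the organization's own policy.

```python
"""Per-request ("continuous") verification versus a one-time session gate.

Added illustration, not Pomerium's code. The identity, posture and context
fields, the policy table and all sample values are constructed for the
example.
"""
from dataclasses import dataclass, replace

# One policy line per resource: which groups may reach it (default deny).
POLICY = {
    "https://payroll.internal": {"finance"},
    "https://wiki.internal": {"finance", "engineering"},
}
MAX_SESSION_AGE = 8 * 3600  # seconds; assumed re-authentication interval


@dataclass(frozen=True)
class Identity:
    user: str
    groups: frozenset
    mfa_verified: bool
    issued_at: int        # epoch seconds the session token was minted
    usual_country: str    # where this account normally signs in from


@dataclass(frozen=True)
class Posture:
    device_id: str
    managed: bool
    disk_encrypted: bool
    os_patched: bool


@dataclass(frozen=True)
class Context:
    now: int
    country: str                    # where this request arrives from
    on_probation: bool = False
    credentials_reset_at: int = 0   # last forced credential reset, 0 if none


def authorize(resource, ident, posture, ctx):
    """Evaluate ONE request from scratch; returns (allowed, reason).

    The order follows the questions zero trust asks: who is asking, should
    we allow them, what context applies, and has anything changed.
    """
    # Who is asking, and how do we know? A password alone is not enough.
    if not ident.mfa_verified:
        return False, "second factor not verified"
    # Has anything changed? A token minted before a credential reset, or one
    # older than the allowed session age, is treated as possibly hijacked.
    if ident.issued_at < ctx.credentials_reset_at:
        return False, "session predates credential reset"
    if ctx.now - ident.issued_at > MAX_SESSION_AGE:
        return False, "session older than %ds; re-authenticate" % MAX_SESSION_AGE
    # Should we allow them? Least privilege: only listed groups, default deny.
    allowed = POLICY.get(resource)
    if allowed is None:
        return False, "no policy for resource (default deny)"
    if not (ident.groups & allowed):
        return False, "user not in an authorized group for this resource"
    # Device posture is re-read on every request, not once at login.
    if not (posture.managed and posture.disk_encrypted and posture.os_patched):
        return False, "device posture check failed"
    # Other contextual factors that change case by case.
    if ctx.on_probation:
        return False, "account on probation"
    if ctx.country != ident.usual_country:
        return False, "request from unexpected country"
    return True, "all checks passed"


class SessionGate:
    """The session-based pattern the text contrasts with: verify once, then
    trust the session id for everything that follows."""
    def __init__(self):
        self._sessions = {}

    def check(self, session_id, resource, ident, posture, ctx):
        if session_id not in self._sessions:
            self._sessions[session_id] = authorize(resource, ident, posture, ctx)[0]
        return self._sessions[session_id]


def demo():
    """Replay three requests in one session; returns (per-request, session) answers."""
    t0 = 1_700_000_000
    alice = Identity("alice@example.com", frozenset({"finance"}), True, t0, "US")
    laptop = Posture("laptop-42", managed=True, disk_encrypted=True, os_patched=True)
    ctx = Context(now=t0 + 60, country="US")
    gate = SessionGate()
    res = "https://payroll.internal"
    results = []
    # Request 1: everything checks out, both models allow it.
    results.append((authorize(res, alice, laptop, ctx)[0],
                    gate.check("sess-1", res, alice, laptop, ctx)))
    # Request 2: same session, but the device now fails a posture check.
    laptop2 = replace(laptop, os_patched=False)
    ctx2 = replace(ctx, now=t0 + 600)
    results.append((authorize(res, alice, laptop2, ctx2)[0],
                    gate.check("sess-1", res, alice, laptop2, ctx2)))
    # Request 3: a credential reset was forced after suspected token theft.
    ctx3 = replace(ctx, now=t0 + 1200, credentials_reset_at=t0 + 900)
    results.append((authorize(res, alice, laptop, ctx3)[0],
                    gate.check("sess-1", res, alice, laptop, ctx3)))
    return results


if __name__ == "__main__":
    for i, (per_request, session) in enumerate(demo(), 1):
        print("request %d: per-request=%s session-based=%s" % (i, per_request, session))
```

Running `demo()` shows the difference the section describes: the per-request check allows the first request and denies the next two (failed posture, then a token that predates a credential reset), while the session gate keeps answering "allow" because it only ever looked once. The unknown-resource and foreign-country cases fall through to a deny as well, since the policy table is default deny.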

Context-aware access

Context-aware access takes the context surrounding a request into consideration even when the correct user credentials are presented.

Pomerium integrates with and leverages any source of institutionally relevant data to make access control decisions. Moreover, the reverse proxy is self-hosted, so the sensitive contextual data never leaves the organization's infrastructure, as context-aware access should never be used with a third-party hosted solution.

Replace the tunnel with a reverse proxy

Companies are realizing there is no point in replacing their old VPN client and tunneling solutions with SASE or ZTNA offerings that are just bundling up the same tunneling architecture.

The Perimeter Problem exists because many solutions stopped checking once the correct user credentials were presented to establish a secure session into the network perimeter. As a result, any solution that requires logging into a client that tunnels into your infrastructure is inherently insecure.

Pomerium presents a different architecture as a layer 7 reverse proxy to solve the problems introduced by tunneling solutions.

Tailored to your infrastructure

Unlike VPNs and managed solutions, Pomerium can be deployed and scaled however your organization requires. By contrast, other alternatives require your organization to deploy and scale according to their infrastructure because you are plugging into their network backbone. No third-party organization's architecture should be dictating your organization's growth and scaling needs.

Consolidate, simplify, and modernize your access solution

Developers can add Pomerium's access control and deploy to production with full confidence that the company's security policies are being enforced.

© 2024 Pomerium. All rights reserved