Before early 2020, people had a somewhat different view of cybersecurity than they do today. Sure, there were plenty of sources of threats and lots of risks, such as ransomware, data breaches, and other cyber events. But it was nothing like the challenges security leaders and teams are now facing.
Back then, much of the cybersecurity discussion might have been around strengthening passwords, updating anti-virus software, and maybe deploying the latest firewalls to protect the enterprise perimeter. Today, security requirements have shifted dramatically, with many companies deploying a hybrid or remote work model because of the pandemic—and a broad and ongoing shift to cloud and ecommerce.
The enterprise perimeter has been obliterated. Attempted access to the company network can come from remote workers using unsecured devices, other mobile devices in the field, Internet of Things (IoT) environments, and other uncertain sources. At the same time, the number and sophistication of threats such as ransomware have increased, meaning the risk level has gone up.
In short, no one, and nothing, that is trying to get into your network should be trusted. This is the essence of the Zero Trust security architecture, which is gaining popularity in virtually all sectors.
The term "Zero Trust" has become a buzz phrase in the industry. But the definition offered by the U.S. National Institute of Standards and Technology (NIST) is broadly accepted: "Zero trust is the term for an evolving set of cyber security paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources. Zero trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location."
With the Zero Trust model, authentication and authorization are discrete functions that cybersecurity teams perform before allowing access to networks and systems.
The model has three main tenets: risk awareness, least privileged access, and continuous access verification.
Risk awareness
Risk is a combination of vulnerabilities plus threats, so having good visibility into the identities within the organization and what they have access to is essential for the Zero Trust model. Today, those identities can include desktops, laptops, other mobile devices, servers, and cloud-based workloads, among other components.
Security teams need visibility into the risks that confront users on a day-to-day basis. These risks can be static or dynamic. And they are not confined to users' devices and data; virtually every asset within the organization is at risk.
The increased sophistication of threats, growing reliance on software to support the business, and rise of the remote/hybrid workplace mean risk awareness is more important than ever. Some organizations have virtually their entire workforce working remotely, with perhaps hundreds or thousands of home routers now interacting as part of the corporate network.
Adding to the need for risk awareness and visibility is the growing use of IoT to connect all products and devices. These connected objects also become components of the corporate network, which greatly expands the attack surface.
Least privileged access
Privileged access is rarely needed on a continuous basis. For the most part, it's needed for a limited time and for a specific reason. So, it follows that security teams should allow such access only when it's needed, and with only as much access as is required to complete a particular task. "Just in time and just as needed" is how privileged access is sometimes defined.
This concept is also referred to as least privileged access, and it is another key component of Zero Trust. It's actually an unfortunate phrase, because it sounds as if users are being locked out of something that they might need to do their jobs. A better term might be more secure access.
One of the problems many organizations are having with security is that privileged access has become so pervasive. If they have standing, static privileged access, accounts can be compromised and used by bad actors. In any case, the idea is to be prudent in providing access so that users can access only what they need to do their jobs, no more and no less.
That's exactly what happened with the Colonial Pipeline attack. Accounts with privileged access were left standing, and bad actors exploited them. Companies can eliminate this risk with a least privilege access model built on just in time and just enough access.
Continuous access verification
The third tenet of Zero Trust is continuous access verification. Security teams should not merely check credentials at the network perimeter and then ignore the user after that.
Instead, it's better to monitor user activities on systems on a continuous basis and be attuned to possible anomalous activity, so that step-up authentication can be imposed before granting access. This might even entail the use of user and device behavioral analytics to assist in those verification decisions.
It's not sufficient from a security standpoint to allow users to enter their username and password at the beginning of a workday and then have access to all areas for the rest of the day. That is the perfect opportunity for a man-in-the-middle attack and a compromise of those credentials.
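The two tenets above, just-in-time/just-enough privileged access and continuous verification with step-up authentication, can be combined in a single per-request policy check. The following is an added, hypothetical illustration written for this article (not code from any Zero Trust product); the risk signals, the one-hour re-authentication window, and the sample users and devices are assumptions chosen to show the decision flow.

```python
"""Per-request Zero Trust policy check: a time-boxed JIT grant is required for
every action, and risk signals are re-evaluated on every request, not once at login.
Hypothetical example; the signals and thresholds below are assumptions."""
from dataclasses import dataclass, field
import time

ALLOW, STEP_UP, DENY = "allow", "step_up", "deny"

@dataclass
class Grant:
    """'Just in time, just enough': scoped to a resource and actions, and it expires."""
    user: str
    resource: str
    actions: frozenset
    expires_at: float          # epoch seconds; there is no standing privilege

@dataclass
class Request:
    user: str
    resource: str
    action: str
    device_id: str
    country: str
    mfa_age: float             # seconds since the user's last strong authentication

@dataclass
class Policy:
    grants: list = field(default_factory=list)
    known_devices: dict = field(default_factory=dict)   # user -> set of enrolled device ids
    home_country: dict = field(default_factory=dict)    # user -> usual sign-in country
    max_mfa_age: float = 3600.0                         # assumed: re-verify after one hour

    def grant(self, user, resource, actions, ttl_seconds, now=None):
        """Issue a JIT grant that lapses automatically after ttl_seconds."""
        now = time.time() if now is None else now
        self.grants.append(Grant(user, resource, frozenset(actions), now + ttl_seconds))

    def evaluate(self, req, now=None):
        """Return (decision, reasons). Evaluated for every request, not once per session."""
        now = time.time() if now is None else now
        # 1. Least privilege: the exact action must be covered by an unexpired grant.
        if not any(g.user == req.user and g.resource == req.resource
                   and req.action in g.actions and g.expires_at > now
                   for g in self.grants):
            return DENY, ["no_active_grant"]
        # 2. Continuous verification: any anomaly triggers step-up authentication.
        reasons = []
        if req.device_id not in self.known_devices.get(req.user, set()):
            reasons.append("unknown_device")
        if req.country != self.home_country.get(req.user, req.country):
            reasons.append("unusual_location")
        if req.mfa_age > self.max_mfa_age:
            reasons.append("stale_authentication")
        return (STEP_UP if reasons else ALLOW), reasons
```

Note that an expired grant is denied outright rather than stepped up: step-up authentication re-verifies who the user is, while the grant decides whether they should have the privilege at all.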