Zero trust requires all users and devices to prove their identities and credentials before accessing systems. This helps limit the impact of a broad-scale cyber attack.
Implementing a zero-trust strategy requires thoroughly evaluating current infrastructure and security protocols. It also requires stakeholder buy-in. Starting small and socializing key use cases can help speed up the adoption process.
Table of Contents
Microsegmentation
A zero trust network access is an approach to network security that requires users and devices to prove their identity and trustworthiness before being granted access to sensitive data or systems. Its implementation requires that you have complete visibility into your network environment and granular controls to ensure policies are enforced correctly. Microsegmentation is the foundational technology to achieve this.
Microsegmentation divides your network into logical groups or zones and applies security policies to each group based on its use. This provides a layer of protection in front of your firewalls and reduces the overall size of your attack surface. To achieve a strong micro-segmentation strategy, you should first map your network traffic flows and interdependencies to determine how each protected surface is accessed. This will help you to discover communication patterns and uncover any blind spots. Then, you can apply secure policies that isolate each network segment and limit lateral movement to reduce the blast radius of any breach. This helps to meet compliance mandates and prevent regulatory fines. It can also help to speed up incident response times and improve breach containment.
Multi-Factor Authentication (MFA)
MFA adds another layer of security beyond credentials to verify users’ identities. It uses means of verification that unauthorized users wouldn’t have, such as one-time passwords (OTP) sent to a mobile phone or hardware tokens, or by using inherent qualities such as facial recognition.
These are called “knowledge factors” because users must provide something they know. Hackers have proven that they can crack knowledge factors, such as passwords, PINs, and answers to security questions, to gain unauthorized access. Therefore, using a combination of knowledge and possession factors in MFA is important.
Adaptive MFA, or risk-based authentication, automatically adjusts the required verification factors based on the security context. It considers user location, device used, time of day, history, and behavior. This makes it harder for hackers to gain unauthorized access even if they’ve stolen the initial password or login information. It is also a key component to zero trust.
Network Access Control (NAC)
NAC tools identify users, devices, and applications attempting to access an organization’s network, preventing cybercriminals from bypassing authentication requirements and gaining full network access. These tools enforce network policies based on user or device identity, and they also help create highly granular and secure subsets of an enterprise’s network (known as micro-segmentation) that limit application, file, and service access to only those needed by the user or device.
NAC solutions can inspect devices and enforce security policies before or after granting access to the network. Pre-admission NAC is a defense-in-depth approach that helps prevent threats from connecting to the network in the first place, while post-admission NAC identifies non-compliant devices and blocks or quarantines them.
NAC tools also provide guest networking solutions that enable organizations to grant remote or mobile users limited network access, preventing them from leveraging internal data for malicious purposes. These features are important for addressing BYOD and other workplace mobility concerns. In addition, these tools are often configured to monitor and respond to alerts.
Access Control Lists (ACL)
A well-crafted Access Control List (ACL) can enhance security, boost performance and improve compliance. It also helps maintain the proper flow of network traffic.
ACLs dictate rules for what users and processes can or cannot do in a file system, granting privileges such as read, write, modify, or delete. They are commonly used to grant a single user access to a directory of files and subdirectories.
When a network device tries to access a resource, the ACL examines each data packet to determine whether it meets one or more rules. If it does, the packet is allowed to proceed. Otherwise, the packet is denied.
Using ACLs, IT teams can limit what network traffic enters and exits the business by defining rules to filter traffic. For example, you can create a rule that filters incoming and outgoing data based on source IP address, destination IP address, port number, frame header information (Type of Service, Differentiated Services Code Point, or layer two protocol type), or even user-defined character strings.
Reporting
Implementing zero trust can be costly and time-consuming. It requires understanding and managing risk, baking in layers of security, and integrating with existing infrastructure and software systems. It also takes a guilty-until-proven-innocent approach and ensures that each user is thoroughly vetted before accessing company resources.
When implementing zero trust, it is important to start small and work up to bigger projects. For example, evaluate your infrastructure and software systems with a professional IT or cybersecurity team to understand potential risks. This will help you determine your network model and define your protected surface. Using the results of your audit and threat modeling, you can create security protocols that verify users and their devices, enforce multi-factor authentication, and apply conditional least privilege access to minimize the impact of a cyber-attack. It is also critical to communicate access restrictions or blocks to end users so they know why these extra measures are necessary. This helps to build acceptance and support for the change.
