Blog

Effective Security Using Zero Trust Architecture

Aug 15, 2022

By Jagadish Paranthaman, CISSP, Global Cybersecurity Solutions Architect at Avanade

Zero Trust is a cybersecurity model centered on an end-to-end approach to resource and data protection, built on the principle of never trusting completely and instead verifying continually. Zero Trust assumes that no perimeter exists. It is not a product but a collection of architectural premises and security patterns spanning identity, endpoints, networks and hosting infrastructure, applications, and data.

Zero Trust Architecture is achieved through solutions that sit between a requesting subject (identity) and a fulfilling resource (service or application). These solutions can be a combination of agent-based, cloud-based or enterprise deployments, and the mix varies with the location of the business process or service (Cloud: North to South, or Organisation Perimeter: East to West). No single technology provider delivers a full Zero Trust solution, so assessing and developing a secure approach and identifying the right solutions form the basis for success. Adopting Zero Trust architecture also helps to uncover "Shadow IT" functions within an organization.

Core Components of Zero Trust Architecture

Identity: Authenticate both users and devices before allowing access. One of the key principles of Zero Trust access is least privilege, which should be verified through policy constraints on every access request.

  • Enhance identity authentication using Multi-factor Authentication (MFA).
  • Limit privileged access to "Just-in-time": a specific resource for a specific timeframe.
  • Use a security policy engine (example: conditional access policies) to make contextual access decisions to business processes.
  • Centrally collect and assess access patterns to implement dynamic access restriction policies.

Device:

  • Enterprise devices must be verified using "device metadata" (e.g. patch date).
  • Device and application management technical controls shall be implemented for BYOD (Bring Your Own Device) to increase confidence in their security.
  • The status of device compliance policy enforcement points/agents plays a key role in access decisions (e.g. DLP agents).
  • Authenticate and encrypt device-to-device communication.

Network and Hosting Infrastructure:

  • Implement micro-segmentation to restrict lateral movement.
  • Encrypt all network communication both internal and external.
  • The control (management) plane and the data (business service) plane must be separated at the network level.
  • Verify application access and network access separately.
  • Assume breach and ensure periodic backup of systems and data.
  • Enforce configuration management policies automatically whenever a new system or workload is deployed.

Applications:

  • Implement continuous monitoring of applications at runtime and block suspicious traffic.
  • Security issues found during application development shall be addressed before deploying to production.
  • Segregate roles properly within the application to prevent accidental access to sensitive data.

Data:

  • Encrypt data at rest and in-flight across the cloud or sites.
  • Know your data and implement data protection policies (classify and label).
  • Inspect content and implement data leakage controls (DLP policy) based on sensitivity labels.

Knowing your current state of operations is the first step towards Zero Trust Architecture in a perimeter-based network. Begin with a small business process: identify the assets, identities and resources relevant to that process, then implement policies controlling access to it.

  • Assets: Enterprise-owned and non-enterprise-owned
  • Identities: Enterprise subjects (user accounts and service accounts)
  • Risk Profiling: Identify and rank business processes and data flows
  • Dependent systems: Identify upstream and downstream resources within the workflow
  • Trust Criteria: Determine criteria or threshold for each resource in the business process
  • Fine Tuning: Adjust criteria score or threshold to ensure policies are effective
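As an added illustration (not code from the original post or from any vendor product), the following Python sketches a policy decision point that combines the identity and device signals listed above (MFA, device metadata such as patch date, compliance agent status, just-in-time grants, sensitivity labels) with the per-resource trust threshold and fine-tuning step just described. The signal weights, label names, field names and the 30-day patch threshold are constructed assumptions; every request is evaluated afresh from its own context, with no trust carried over from earlier requests.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass
class AccessRequest:
    subject: str
    mfa_passed: bool
    enterprise_device: bool                # False = BYOD
    last_patched: datetime                 # device metadata (patch date)
    dlp_agent_healthy: bool                # compliance enforcement point reporting in
    jit_grant_expires: Optional[datetime]  # just-in-time privilege window, None = none granted
    data_label: str                        # sensitivity label: public / internal / confidential

# Tunable criteria and per-label thresholds (constructed values; this is the "fine tuning" knob).
POLICY = {"max_patch_age_days": 30, "min_score": {"public": 1, "internal": 3, "confidential": 5}}

def trust_score(req: AccessRequest, now: datetime) -> tuple[int, list[str]]:
    """Add up the contextual signals of this one request; also report which signals were missing."""
    checks = [
        (req.mfa_passed, 2, "no MFA"),
        (req.enterprise_device, 1, "BYOD device"),
        (now - req.last_patched <= timedelta(days=POLICY["max_patch_age_days"]), 1,
         "patch older than %d days" % POLICY["max_patch_age_days"]),
        (req.dlp_agent_healthy, 1, "DLP agent not reporting"),
    ]
    score = sum(weight for ok, weight, _ in checks if ok)
    return score, [reason for ok, _, reason in checks if not ok]

def decide(req: AccessRequest, now: datetime) -> tuple[str, list[str]]:
    """Policy decision point: hard constraints first, then the score against the label's threshold."""
    if req.data_label != "public" and not req.mfa_passed:
        return "deny", ["MFA required for non-public data"]
    if req.data_label == "confidential" and not (req.jit_grant_expires and req.jit_grant_expires > now):
        return "deny", ["no active just-in-time grant"]
    score, gaps = trust_score(req, now)
    return ("allow" if score >= POLICY["min_score"][req.data_label] else "deny"), gaps

# Constructed sample requests, all evaluated at the same fixed instant.
NOW = datetime(2022, 8, 15, 9, 0, tzinfo=timezone.utc)
SAMPLES = {
    "patched_with_jit": AccessRequest("alice", True, True, NOW - timedelta(days=3), True, NOW + timedelta(hours=1), "confidential"),
    "stale_patch":      AccessRequest("alice", True, True, NOW - timedelta(days=45), True, NOW + timedelta(hours=1), "confidential"),
    "jit_expired":      AccessRequest("alice", True, True, NOW - timedelta(days=3), True, NOW - timedelta(minutes=5), "confidential"),
    "byod_internal":    AccessRequest("bob", True, False, NOW - timedelta(days=3), True, None, "internal"),
    "no_mfa_internal":  AccessRequest("bob", False, True, NOW - timedelta(days=3), True, None, "internal"),
}

def evaluate_samples() -> dict[str, tuple[str, list[str]]]:
    return {name: decide(req, NOW) for name, req in SAMPLES.items()}
```

Raising a label's `min_score` or lowering `max_patch_age_days` is the fine-tuning step: the same request that was allowed yesterday is re-scored against the new criteria the next time it arrives.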

Another important step in Zero Trust Architecture is to have the right security monitoring strategy and technology, such as Security Information and Event Management (SIEM), in place to collect and correlate events in support of advanced detection and real-time automated threat response.

The global pandemic pushed organizations to allow remote access to their legacy systems and crown jewels and increased their adoption of cloud-based services for communication and collaboration, making firewall and network protection controls obsolete. This situation made enterprises develop strategies and approaches for adopting Zero Trust and, in most cases, they do not need to start from scratch.