In the cybersecurity world, Zero Trust has been the talk of the town in recent years.
Most organizations now understand that the traditional ‘perimeter defense’ approach to cybersecurity is no longer sufficient and policing activity inside their networks is an important next step.
However, there are very few good definitions of what the ‘trust’ in Zero Trust actually refers to. Many people understandably assume it refers purely to user access and authorization—and while that is certainly an important component of trust, it’s far from the full story.
What Exactly is Trust?
Trust in IT is the assumption that a user, device, application, or service (A.K.A. a “subject”) is:
- Who or what it claims to be
- Allowed access to the resource it is requesting
- Configured and behaving in an expected way
- Free from compromise
- Allowed to take the actions it is currently taking
This is a significant list of assumptions. In a traditional network architecture, a subject is required to authenticate once—and then the above assumptions are held until the session is logged out. This is extremely dangerous, as it allows malicious actors to reside inside corporate networks for weeks or months while they gradually move laterally and expand their privileges.
Some of the dangers of assumed trust include:
- Even if a user is legitimate, their device may be compromised. This is particularly likely if the user is outside the corporate perimeter, is using their personal device (BYOD), or is a partner or customer that is not subject to the same security requirements as an internal user.
- A device may initially be secure but become compromised while connected to the network. If trust is assumed following a single authentication, there’s no easy way to detect this.
- Perimeter defenses are beatable. Malicious actors can easily defeat a single authentication requirement—often using legitimate credentials. In traditional architectures, it’s common for malicious actors to ‘dwell’ within networks for weeks or months before acting on their objectives.
- Today, many users connect from potentially hostile networks, including infected home networks and public WiFi. As a result, even legitimate users can pose a significant risk to the network.
Zero Trust reduces these risks by forcing subjects to prove their trustworthiness every time they attempt to access a resource. Under a Zero Trust Architecture, three types of proof are demanded every time a resource is requested:
- User identity—”Who is this user, service, or application, and should it have access to this resource?”
- Device identity—”Is the device or infrastructure this request originates from known and expected?”
- Device health—”Is this device in the expected state and free from compromise?”
As described earlier, policies for establishing the legitimacy of these three proofs are dynamic and constantly updated. The result is an access and authorization architecture that looks like this:
Note that the policy engine is continuously fed with data from many sources, enabling it to assess user identity, device identity, and device health in real-time with a high degree of confidence.
Once proofs are accepted, the subject is allowed precisely the access needed to perform its function, for the minimum necessary period. If the subject needs access to further resources, the process repeats.
The term Zero Trust implies a total removal of trust from the environment. However, in practice, there is still a degree of trust—it’s just not assumed automatically. A legitimate user who behaves normally and can prove their identity and device state is temporarily trusted to access a resource. If the user is compromised—either by an undetectable threat or a real-world situation—this could still backfire.
However, by substantially reducing the level of trust within an IT environment, organizations can similarly reduce the risk of malicious presence and behaviors.
The Missing Components of Zero Trust
Our new report, ‘The Missing Components of Zero Trust,’ explains what Zero Trust really is, examines some significant gaps in existing guidance, and details the most important concepts and capabilities required for an effective Zero Trust Architecture.
Download the report to learn:
- The Core Principles and 7 Tenets of Zero Trust.
- How the Zero Trust strategy and architecture eliminate implicit trust.
- How to elevate your security posture and avoid making the most common Zero Trust mistakes.
- The answer to the question, "Does Zero Trust actually work?"
July 20, 2022