We’re all familiar with the standard plot of a summer blockbuster spy thriller. You can likely imagine the pivotal scene where the protagonist must infiltrate the highly guarded and technologically advanced headquarters of some nefarious agency. They accomplish this task, of course, but find themselves faced with a myriad of additional security layers — retina scanners, fingerprint devices and impenetrable security doors that only open in response to an impossible-to-obtain access key card — all designed to continuously verify that those in the building should, in fact, be in the building.
Such security layers illustrate an incredibly simplified (though entertaining!) form of a zero trust security model. Never trust. Always verify. Even if someone is already within your perimeter.
Even though the zero trust approach is not a new concept, many organizations have only recently begun implementing its principles. Those looking to successfully implement a zero trust security model must begin with an understanding that doing so requires simultaneously coordinating multiple levels of implementation across various layers of the organization’s security framework.
Think of it as the installation, verification and collaboration of those retina scanners, fingerprint devices, security doors, key card readers, and beyond.
So, where do you start?
The blueprint of zero trust security:
In a zero trust security model, user identity must be validated continuously, not only upon granting initial access to the system. Conditional access policies — based on real-time user analytics — should be implemented to continuously validate user identity based on the resources being accessed.
From a zero trust perspective, device evaluation must be enforced constantly to ensure each device is compliant and in a healthy security posture. This includes controls such as confirming software is up to date and systematically enforcing compliance with required security configurations.
While network segmentation is common throughout most organizations, zero trust principles take it one step further through the use of micro-segmentation. Micro-segmentation reduces the attack surface by applying security policies that limit traffic between workloads according to least privilege/zero trust principles. Additionally, security controls such as advanced threat protection and encryption need to be applied to that traffic.
Security principles do not stop with the user, device or network. They also encompass the application itself. Zero trust principles require that access to applications be determined by real-time analytics. Additionally, threat protection should be integrated into the application lifecycle through the use of secure coding practices including dynamic code scanning.
One may argue that the aforementioned areas all have one goal in mind — protecting the organization’s data. Appropriately, the use of zero trust principles must apply to the data itself, including robust data inventorying through data tagging, tracking and just-in-time access. Further, encryption should be enforced at the most granular level. Additionally, data logs should be collected, aggregated and analyzed wherever possible.
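As an added illustration of the identity, device and data pillars described above (example code, not from the original article), the following policy check is re-run on every request rather than only at login: it verifies authentication freshness, a session risk score from analytics, device posture, and an explicit just-in-time grant for the requested resource. All thresholds, resource names and sample values are constructed for the example.

```python
from dataclasses import dataclass

# Constructed sample structures; real deployments feed these from the
# identity provider, device-management agent and analytics pipeline.

@dataclass
class Session:
    user: str
    mfa_age_s: int        # seconds since last strong authentication
    risk_score: float     # 0.0 (benign) .. 1.0 (high risk), from real-time analytics

@dataclass
class Device:
    compliant_config: bool   # passes the required security configuration baseline
    disk_encrypted: bool
    patch_age_days: int      # days since last OS/security update

# Per-resource requirements; more sensitive data gets tighter thresholds (hypothetical values)
POLICY = {
    "public-wiki": {"max_mfa_age_s": 8 * 3600, "max_risk": 0.8, "max_patch_age_days": 60},
    "hr-records":  {"max_mfa_age_s": 3600,     "max_risk": 0.3, "max_patch_age_days": 14},
}

# Just-in-time grants: user -> set of resources currently approved (constructed)
GRANTS = {"alice": {"hr-records", "public-wiki"}, "bob": {"public-wiki"}}

def evaluate(session, device, resource, grants=GRANTS):
    """Decide one access request. Returns (allowed, reasons); default is deny."""
    rule = POLICY.get(resource)
    if rule is None:
        return False, ["unknown resource: default deny"]
    reasons = []
    # Least privilege: the user needs an explicit, time-bounded grant, not a role alone
    if resource not in grants.get(session.user, set()):
        reasons.append("no just-in-time grant for resource")
    # Identity: continuous validation, not just the initial login
    if session.mfa_age_s > rule["max_mfa_age_s"]:
        reasons.append("strong authentication too old; re-authenticate")
    if session.risk_score > rule["max_risk"]:
        reasons.append("session risk score exceeds tier threshold")
    # Device: posture and configuration compliance checked on every request
    if not (device.compliant_config and device.disk_encrypted):
        reasons.append("device fails configuration baseline")
    if device.patch_age_days > rule["max_patch_age_days"]:
        reasons.append("device patch level too old")
    return (not reasons), reasons
```

Each denied request carries its reasons, which is what a detection pipeline would aggregate to spot devices drifting out of compliance or sessions whose risk score climbs mid-session.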