What Is Zero Trust? A Guide to the Cybersecurity Approach – Government Technology

The term zero trust is rapidly gaining attention as agencies move away from the more traditional castle and moat models of cybersecurity.

Zero trust refers to a cybersecurity strategy or set of principles based on the understanding that just because an account or device is associated with the organization or has seemed trustworthy in the past doesn't mean it should be assumed trustworthy in the future. The mindset assumes an attacker could already be in the network and emphasizes limiting a bad actor's ability to access data and other resources.

Organizations adopting zero-trust principles require users and devices to continually prove they are who they claim to be, whenever they want to access data or services. This stands in contrast to older thinking in which users may have had to authenticate themselves only once to enter the organization's network, such as by logging in, and were then granted access to a wide swathe of internal resources.

Core zero-trust principles also involve restricting users' access privileges to the minimum they need to do their jobs, something known as the principle of least privilege (POLP).

But many of today's organizations rely on workforces that are no longer on-premises and on assets stored in the cloud, meaning there's no longer a castle to wrap the moat around. Remote employees connect to the network from a variety of locations, through personal Internet connections and, sometimes, on personal devices outside of an organization's control. Cloud-based data also sits outside the defense of the organization's perimeter firewalls.

Malicious actors can attempt to pass themselves off as employees using new devices, or may seize control of employees' accounts or devices that are already familiar to the organization and then move within the network.

Organizations need to avoid locking out legitimate employees, but enabling the wrong device or allowing the wrong level of access privileges creates significant cyber risks.

To thread the needle, organizations that adopt the zero-trust approach require devices and users to verify themselves repeatedly, and they monitor continually. Reducing each account's privileges to only what is essential also minimizes the damage that a bad actor or malicious insider would be able to achieve.

The federal government has thrown its support behind the idea, with Biden's executive order asking federal agencies to transition to zero trust.

The National Institute of Standards and Technology (NIST) outlines seven tenets in a 2021 draft white paper and 2020 publication:

1. Network identity governance: Organizations need policies and tools to ensure that only authorized users who have gone through a sufficient level of authentication are granted access to enterprise data and services, and that they are only able to perform authorized actions.

2. Secure end devices: Zero-trust plans need to address end devices such as mobile devices, remote sensors and compute resources.

3. Monitor and defend owned and associated assets: Organizations should attend closely to the defenses of their data and services, including understanding how they are configured and maintained, as well as continually monitor for signs of compromise and respond quickly to events like new patches or indicators of vulnerabilities. They may also need to block connections or restrict access from those devices over which they have less control.

4. Secure all communication: Organizations must safeguard the integrity and privacy of all data in transit even for communications within the network. Otherwise, an attacker hiding on the network could view or tamper with the communications.

5. Users should only be given access to individual enterprise resources on a per-session basis: Organizations should try to tightly control access to data, services and devices. To the extent possible, organizations should require users to clear authentication and authorization checks each time they seek to perform unique operation[s]. Users also should only be given the minimum access privileges required to complete their objectives. Adopting logging, backups and versioning tools can also help recovery if unauthorized activity does occur.

6. Thoroughly and dynamically vet access requests: Limit access to enterprise resources only to members of an allow-list who also both prove their identities and their genuine need to access the particular asset in question. Identities should be verified in robust ways. Organizations may continually monitor accounts and devices for suspicious behaviors and characteristics as well as require MFA to access some systems or data and require reauthentication at various points.

7. Gather information to understand and improve security posture: Organizations should collect and analyze as much data as they can about the status of their assets, network infrastructure and communications to help them identify ways to improve policies.
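The tenets above describe the checks a zero-trust policy decision point makes on every request: a known and compliant device, an allow-listed identity with least-privilege actions, MFA for sensitive systems, short-lived per-session grants that force reauthentication, and logging of every decision. The following is an added illustration in Python, not code from the article or from NIST; the users, devices, resources and time-to-live values are constructed for the example.

```python
"""Toy zero-trust policy decision point (added example, not from the article).

Every request is evaluated on its own: the device must be known, bound to the
user and compliant; the (user, resource) pair must be on an allow-list that
permits the requested action; sensitive resources demand a fresh MFA proof on
every request; other resources get a short per-session grant after which the
caller must reauthenticate. Every decision is logged for later analysis.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Set, Tuple

# --- Constructed sample data (hypothetical users, devices and resources) ---

# Least privilege: each (user, resource) pair lists only the actions that the
# user needs. Anything not listed is denied.
ALLOW_LIST: Dict[Tuple[str, str], Set[str]] = {
    ("alice", "hr-db"): {"read"},
    ("alice", "wiki"): {"read", "write"},
    ("bob", "wiki"): {"read"},
}

# Device inventory with posture attributes checked on every request.
DEVICES: Dict[str, dict] = {
    "laptop-42": {"owner": "alice", "managed": True, "patched": True},
    "laptop-77": {"owner": "bob", "managed": True, "patched": False},
}

# Resources that always require a fresh MFA proof, never a cached session.
SENSITIVE: Set[str] = {"hr-db"}


@dataclass
class Request:
    user: str
    device_id: str
    resource: str
    action: str
    fresh_mfa: bool  # True if an MFA proof accompanied this request
    at: datetime


@dataclass
class Decision:
    allowed: bool
    reason: str


@dataclass
class PolicyEngine:
    session_ttl: timedelta = timedelta(minutes=15)
    # (user, device, resource) -> expiry of the current per-session grant
    grants: Dict[Tuple[str, str, str], datetime] = field(default_factory=dict)
    audit_log: List[dict] = field(default_factory=list)

    def evaluate(self, req: Request) -> Decision:
        decision = self._decide(req)
        # Tenet 7: record every decision so posture can be reviewed later.
        self.audit_log.append({
            "at": req.at.isoformat(), "user": req.user, "device": req.device_id,
            "resource": req.resource, "action": req.action,
            "allowed": decision.allowed, "reason": decision.reason,
        })
        return decision

    def _decide(self, req: Request) -> Decision:
        # Tenet 2: the device must be known, bound to the user and compliant.
        device = DEVICES.get(req.device_id)
        if device is None:
            return Decision(False, "unknown device")
        if device["owner"] != req.user:
            return Decision(False, "device not associated with user")
        if not (device["managed"] and device["patched"]):
            return Decision(False, "device not compliant")
        # Tenets 1 and 6: allow-listed identity and least-privilege actions.
        if req.action not in ALLOW_LIST.get((req.user, req.resource), set()):
            return Decision(False, "action not on allow-list")
        # Sensitive resources: fresh MFA every time, no session reuse.
        if req.resource in SENSITIVE:
            if not req.fresh_mfa:
                return Decision(False, "MFA required for sensitive resource")
            return Decision(True, "allowed with fresh MFA")
        # Tenet 5: per-session grants expire, forcing reauthentication.
        key = (req.user, req.device_id, req.resource)
        expiry = self.grants.get(key)
        if expiry is not None and req.at < expiry:
            return Decision(True, "allowed within session")
        if req.fresh_mfa:
            self.grants[key] = req.at + self.session_ttl
            return Decision(True, "allowed, new session started")
        return Decision(False, "reauthentication required")

    def denial_summary(self) -> Dict[str, int]:
        """Count denials by reason: a starting point for tuning policy."""
        counts: Dict[str, int] = {}
        for entry in self.audit_log:
            if not entry["allowed"]:
                counts[entry["reason"]] = counts.get(entry["reason"], 0) + 1
        return counts


def demo() -> Tuple[PolicyEngine, List[Decision]]:
    """Run a constructed sequence of requests through a fresh engine."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    engine = PolicyEngine()
    seq = [
        Request("alice", "laptop-42", "wiki", "write", True, t0),   # starts a session
        Request("alice", "laptop-42", "wiki", "read", False, t0 + timedelta(minutes=5)),
        Request("alice", "laptop-42", "wiki", "read", False, t0 + timedelta(minutes=20)),
        Request("alice", "laptop-42", "hr-db", "read", False, t0),  # no MFA proof
        Request("alice", "laptop-42", "hr-db", "write", True, t0),  # not permitted
        Request("bob", "laptop-77", "wiki", "read", True, t0),      # unpatched device
        Request("bob", "laptop-42", "wiki", "read", True, t0),      # someone else's device
        Request("mallory", "usb-stick", "wiki", "read", True, t0),  # unknown device
    ]
    return engine, [engine.evaluate(r) for r in seq]


if __name__ == "__main__":
    engine, decisions = demo()
    for entry in engine.audit_log:
        print(entry)
    print(engine.denial_summary())
```

Note that the device and allow-list checks run on every request, including ones inside a live session; the session grant only spares the caller a fresh MFA prompt. If a device falls out of compliance mid-session, the next request is denied, which is the continual verification the tenets call for.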

More here:
What Is Zero Trust? A Guide to the Cybersecurity Approach - Government Technology
