May 27, 2021
4 Steps to Creating a Zero Trust Security Model
Since the dawn of the internet, organizations have struggled to provide users with global access to their system and network resources in a way that is secure, streamlined, and convenient. And the recent increases in cloud migration, remote work, and sophisticated cyberattacks have only served to heighten these challenges.
The concept of “Zero Trust” has recently emerged as an important weapon in the fight to provide secure access to organizational resources in today’s cloud-based environments. In this blog, we’ll describe some of the key principles of Zero Trust and outline four steps to creating a Zero Trust security model in your organization.
What is Zero Trust?
As organizations are increasingly migrating applications to servers that reside outside of their trusted corporate networks, traditional security approaches that focus on defending the network perimeter are becoming obsolete.
With Zero Trust, the focus shifts to authenticating and authorizing users. Identity becomes the new perimeter. No user is implicitly trusted, even if they are accessing resources from within a company’s internal network. All users, devices, or systems requesting access to organizational resources are authenticated and authorized. The best Zero Trust solutions will perform this authentication and authorization in a way that is seamless and robust.
Zero Trust solutions employ a Risk-Based Authentication (RBA) approach, which considers factors such as user behaviors and endpoint system postures to determine whether to approve a user’s request for access to resources or require the user to perform additional authentication steps.
Another important principle of Zero Trust is to limit a user’s access to only those networks and applications required for performing their job functions. This granular access approach can be an effective technique for limiting the blast radius when external attackers obtain access to a legitimate user’s credentials. It also helps to limit the impacts of insider threats.
Four Steps to a Zero Trust Security Model
For many organizations, moving to a Zero Trust environment can seem like an incredibly challenging—if not impossible—goal. The good news is that Tevora has helped many companies make the move to Zero Trust, and as with many complex efforts, we find it’s best to break it down into manageable steps.
We have defined four discrete steps for implementing a Zero Trust security model, which can be implemented in any order. We suggest starting with the steps that provide the most bang-for-the-buck based on your current security posture and risk profile.
Step 1 – Risk-Based Authentication
Many organizations have already attempted to implement an RBA strategy and have been successful to at least some degree. Zero Trust calls for RBA to be implemented at a higher level than most organizations have achieved.
The first key to achieving this higher level of RBA is to use behavioral analytics. This allows an organization to quickly and dynamically evaluate the risk associated with a user session.
Another important component of a Zero Trust RBA approach is the ability to responsively terminate sessions. For instance, if a user session is determined to be beyond current risk thresholds, legacy systems would simply prevent subsequent sessions from being established. With Zero Trust, the system should also stop or pause existing sessions until authentication can be revalidated.
Step 2 – Integrated Authentication
Integrated Authentication ensures that all systems are properly integrated into a centralized authentication and authorization system. While most authentication functions are handled by RBA, RBA systems should be integrated into the overarching centralized authority system. Any systems that cannot be integrated into the centralized authority should be augmented with additional tunnel and gateway interfaces to ensure they are properly secured.
Step 3 – Device Posture Monitoring
Comprehensive and effective evaluation of endpoint security is a critical component of Zero Trust. Organizations must ensure that any endpoint device or system involved in a transaction is trusted and has been authorized for use by the user initiating the transaction. Many criteria should be evaluated and used as inputs to RBA decisioning. Simply knowing that a system is trusted is not enough; systems should also be continually evaluated for indicators of compromise and behavioral anomalies.
Step 4 – Access Control
Zero Trust calls for robust access control that applies automated authorization capabilities across all functions within the environment. Access controls should be based on business requirements and reviewed and updated frequently to stay current with changes in the business environment. For example, access should be immediately deactivated when employees leave a company.
Ideally, access control functions will be highly automated and AI-driven, with human oversight to ensure proper execution.
Without robust access controls, all Zero Trust does is establish a new perimeter, which can present less risk than the legacy trusted-network perimeter approach.
Develop an Action Plan
Many organizations have already begun their journey towards a Zero Trust security model. Others may be starting from scratch. Regardless of where you are in the process, we recommend developing a multi-phased action plan to plot your course to full Zero Trust implementation.
Tevora’s has helped many companies move to a Zero Trust security model, and we would welcome the chance to help you make this important transition. Our approach begins with an assessment of your current environment and progress toward Zero Trust. This involves conducting an inventory of enterprise applications, access methods, and other crucial infrastructure components. We will work with you to document your current state for each of the four steps covered above (RBA, Integrated Authorization, Device Posture Monitoring, and Access Control).
After completing the current environment assessment, we’ll work with you to develop a multi-phased action plan that outlines a path forward in each of the four areas. We’ll prioritize the roadmap to focus on efforts that provide the greatest benefits first.
Let Tevora Be Your Trusted Partner
Our goal is to create a strong and lasting cybersecurity partnership with clients, which extends well beyond simply delivering reports and recommendations. We love to roll up our sleeves and collaborate with client teams to implement significant and lasting changes.
If you have questions about Zero Trust or would like help implementing a Zero Trust security model in your organization, just give us a call at (833) 292-1609 or email us at firstname.lastname@example.org.
About the Author
Ben Dimick is the Director of Security Consulting Services at Tevora.