Zero trust (ZT) is a paradigm shift in network security, a new set of design principles that conceptually changes how modern networks are secured. Traditional network security relies upon implicit trust for resource access (that is, internal users are considered trustworthy) and focus on protecting the defined network perimeter. The zero trust architecture (ZTA) model was proposed based on the belief that the implicit trust model is flawed because it can benefit attackers by enabling uncontested lateral movement within the network post-compromise.
The ZT design principles shift focus away from the network perimeter, taking a resource-centric approach to security. All data and systems are considered resources, with none implicitly trusted, regardless of privilege. All data traffic is considered hostile, and compromise is assumed unless there is explicit authorization.
Maturing a zero trust architecture is a journey that must be led from the top of an enterprise. ZT is neither a single product that can be installed nor a new technology. Zero trust deployment requires commitment, time, strong leadership, and a robust strategy. A ZTA may require a change in an enterprise’s cybersecurity culture to reach maturity, so senior leadership must fully support and provide resources to a ZT strategy to ensure success.
This article discusses some best practices to assist an enterprise in maturing a ZTA program. The focus will be on the Zero Trust Maturity model created by the Cybersecurity and Infrastructure Security Agency (CISA). The article suggests enterprise best practices to mature the seven pillars of ZT tenets using the NIST SP 800-207 tenets and assumptions.
Zero Trust Maturity Summary
A zero trust architecture is best visualized as seven pillars that are matured and integrated across an enterprise. The seven pillars discussed in this article are illustrated below.
Optimal ZT maturity is achieved by evolving and integrating pillars through fourth maturity levels. Success is reliant upon the creation of a robust, long-term strategy fully supported by senior management at all stages.
- Traditional Maturity Level: Traditional network architectures have large perimeters and are macro-segmented with little or no automation. An enterprise with this level of maturity has not started its zero trust journey.
- Initial Maturity Level: This stage is marked by the initiation of automation necessary for assigning attributes and managing lifecycles, aiding in policy decision-making and enforcement. Includes introduction of cross-pillar solutions, laying the groundwork for more complex, interconnected systems in the future. Aggregated visibility for internal systems, offering an encompassing view of the security landscape, setting the stage for further development and fine-tuning.
- Advanced Maturity Level: An advanced maturity level will see more cross-pillar integration, micro-segmentation, basic analytics, and automation successfully implemented. An enterprise will have achieved an elevated level of security but still lack the refinement of a fully mature ZT architecture.
- Optimal Maturity Level: Optimal ZT maturity is the ultimate aim of an enterprise implementing a ZT solution. At this level of maturity, enhanced policy enforcement, centralized management, risk mitigation, and incident response will be in operation. An enterprise at this level of maturity will have fully achieved ZT.
The table below summarizes the pillars and related technologies as they advance from traditional networks through the four maturity levels to the optimal implementation.
Zero Trust Tenets and Assumptions
NIST SP 800-207 discusses seven tenets and six assumptions that regulate ZT resource access and data management. When an enterprise takes action to progress pillars, it must consider the tenets and assumptions. These tenets are idealistic and aspirational targets to be considered on the path to maturity. It is acknowledged that enterprise technologies, policies, and strategies will restrict and impact the extent to which tenets are applied. The tenets and assumptions are displayed below.
- All enterprise network utilities are considered resources
- All communication is secured
- Resources are accessed on a per-session basis
- Resource access is determined by dynamic policies
- Data integrity must be maintained at all times
- Resources are rigorously authenticated and authorized continually
- Enterprise data is collected to improve security
- The enterprise network is not an implicit zone
- Devices on the network may not be owned or configurable by the enterprise
- No device is inherently trusted
- Enterprise resources may reside on on-enterprise infrastructure
- Remote enterprise resources will not fully trust their local network
- Security will be maintained between enterprise and non-enterprise infrastructures
Zero Trust Tenets
- All enterprise network entities are considered resources: All data, users, devices, and systems with access to the enterprise network are considered untrusted resources.
- All communication is secured: Trust should never be implied regardless of resource privilege or location. All resources with access to the enterprise must be rigorously authenticated and authorized equally.
- Resources are accessed on a per-session basis: The enterprise must enforce a policy of least privilege and grant resources with the minimum access needed to complete a task. Automatic access to additional resources is never granted unless explicitly authorized.
- Dynamic policies determine resource access: Adaptive access policies based on context, including a user’s role, location, device, and requested data or service, are used to govern resource access.
- System and data integrity must be maintained at all times: No asset is inherently trusted. The enterprise must monitor the integrity of all assets, including patch status and vulnerabilities.
- Resources are rigorously and continuously authenticated and authorized: Trust must be verified and validated continuously. MFA must be used for most, if not all, resource access from users.
- Enterprise data is collected to improve security: Data should be collected from multiple enterprise sources to give insight and context to improve security posture.
Zero Trust Assumptions
- The enterprise network is not an implicit trust zone: All connections must be authenticated and traffic encrypted. Network compromise is to be always assumed.
- Devices on the network might not be owned or configurable by the enterprise: Non-enterprise devices may be present on the enterprise network. Enterprises may employ bring-your-own-device (BYOD) policies, which may include device management software or the installation of anti-malware software.
- No device is inherently trusted: Enterprises must evaluate all assets continually. Resource credentials alone are insufficient for authentication and authorization.
- Enterprise resources may reside on non-enterprise infrastructure: Enterprise resources may need to access local networks for connectivity and network and cloud services.
- Remote enterprise resources will only partially trust their local network connections: All non-enterprise networks are to be considered hostile. All access requests are continually authenticated and authorized.
- Security will be maintained between enterprise and non-enterprise infrastructures: Resources and workloads will maintain a consistent security policy and posture when transiting to non-enterprise infrastructures.
Maturing the Zero Trust Pillars
Identity is the new perimeter in a ZTA, with the Identity pillar critical to progressing maturity. A traditional network using single-factor authentication (SFA) only verifies that a subject is using authenticatable and authorized credentials. ZT applies context and enhances the authentication and authorization process, confirming that the correct subject has the precise attributes, authorization, and circumstances to access a resource by employing multi-factor authentication (MFA), one-time-passwords (OTP), or passkeys. Least privilege controls, including role-based access control (RBAC) mechanisms, are deployed to restrict a subject’s visibility and accessibility. The deployment of identity providers, including federated management, ensures that user identities will be managed consistently throughout the environment and enables the use of single sign-on (SSO) services to alleviate users from having to keep track of multiple credentials and to allow authentication to be centrally managed.
Identity risks and insider threats are challenging to address in a traditional network. If a user does not report a credential compromise, the enterprise continues to implicitly trust that individual. Identity risks are addressed and insider threats are mitigated using user behavior analytics. User and entity behavior analytics (UEBA) evaluates a user’s typical behavior pattern. This method uses machine learning to analyze and identify deviations from established practices and alert security staff. UEBA monitors all resources in the enterprise for behavior changes, including servers, devices, and applications.
The table below details some Identity pillar security best practices and summarizes their progress through the four levels of ZT maturity.
Traditional network security approaches do not consider the device when authorizing access to data because the primary consideration for data access is identity. As enterprises mature the Device pillar and employ policies such as BYOD, they will encounter challenges with device data access, compliance, and management.
Securing devices and endpoints in a perimeterless environment is foundational to ZT. Devices hosted in a ZTA will be subject to continual validation and activity monitoring, even if other resources trust the device on the network. Endpoint security will mature as it moves from signature-based malware detection to advanced multi-layer endpoint protection that incorporates signed software, real-time threat intelligence, device management, and behavioral analysis.
The table below details some Device pillar security best practices and summarizes their progress through the four levels of ZT maturity.
Cloud-hosted applications, remote workers, and the possibility of rogue devices or malware on devices within the corporate network have dissolved the traditional network perimeter. ZT principles are designed to meet the security requirements of these modern perimeterless networks. Cross-pillar integration between the ZT Network and Identity pillars is vital to ensure secure access to network resources, with encryption deployed by default in the protection of data confidentiality and integrity.
As an enterprise evolves its architecture toward micro-segmentation, it reduces its network attack surface. Furthermore, by limiting the lateral movement of an attack, an enterprise can better assure its regulatory compliance.
Software-defined networking (SDN) is a new networking paradigm that separates a network’s control plane from its data plane. It is a logical, dynamic, and programmable software approach to networking that enables administrators to take complete control and get a holistic view of an enterprise architecture. SDN programmability enables it to achieve true micro-segmentation by setting granular security policies that define perimeters and dictate resource communication. Unauthorized communication would be blocked and an alert triggered for investigation.
However, micro-segmentation is limited to the LAN and still gives attackers free rein within a segment, so the optimal form of secure networking is the zero trust network access (ZTNA) model. Under this model, a zero trust controller authenticates users through multi-factor authentication (MFA). The controller then checks the attributes of the user and the device requesting access, such as a certificate, as well as attributes like the device location. Finally, the controller matches the user with a list of applications based on access control policies and grants access. With ZTNA, compromised devices can be instantly blocked, and policies can be dynamically updated and applied device by device.
The table below details some Network pillar security best practices and summarizes their progress through the four levels of ZT maturity.
Traditional remote access to applications uses an encrypted virtual private network (VPN). ZTNA changes how applications are accessed from inside and outside the office by removing the need for a VPN. Gartner predicts that by 2025, 70% of remote access will be served by ZTNA as opposed to VPNs.
Application and network access is traditionally controlled by firewalls based on the message protocol, port, state, and source and destination addresses. Web application firewalls (WAFs) additionally protect applications from cross-site forgery, cross-site scripting (XSS), injection, and other Layer 7 attacks. A WAF acts as a reverse proxy that protects a server from exposure to clients attempting to access its resources. Policies govern a WAF’s operation and can be modified quickly and easily. A WAF’s response to a denial-of-service attack can be instantaneous by automatically applying a policy of rate-limiting and blocking an IP source that is sending an abusive number of packet requests.
ZTNA application access is determined by user identity, location, device security posture, and other attributes that contribute to the authorization for application access. First, a user connects and is redirected to authenticate using MFA through the organization’s identity provider and single sign-on (SSO) service. The ZT policy engine applies the security policy, and real-time user and device attributes are verified before access to an application is granted.
The table below details some Application pillar security best practices and summarizes their progress through the four levels of ZT maturity.
Integration of the data pillar is essential to achieve optimal ZT maturity. All data at rest, regardless of where it resides, is encrypted under optimal ZT maturity. Labeling, categorization, and inventory of data is critical to its security. Traditional environments conduct data categorization and inventorying manually, which leads to inconsistency that impedes automation. Machine learning ensures that the same categorization and inventorying standard is attained across the enterprise.
The least privilege principle across a ZTA enforces data access by only assigning the privileges necessary to perform specific duties and no more. Least privilege access is supplemented by just-in-time, just-enough principles that provide deeper granular access to resources.
The table below details some Data pillar security best practices and summarizes their progress through the four levels of ZT maturity.
ZT Observability measures enterprise systems’ internal states by analyzing data outputs. Log analysis and resource data are collected and analyzed to produce a baseline of an enterprise network. Deviation from baseline will alert an organization’s security or I.T. staff to investigate.
The table below details some Observability pillar security best practices and summarizes their progress through the four levels of ZT maturity.
The weakest link in security is the human. As a ZTA implementation matures, more automation will be introduced, reducing human error. Automation will benefit data discovery because when high-value data is identified and categorized, it can better conform with enterprise data life cycles.
The table below details some Automation pillar security best practices and summarizes their progress through the four levels of ZT maturity.
Maturing zero trust is a journey and a challenge that requires a robust strategy for success. The seven pillars of ZT can evolve at different rates, but to attain optimal ZT, they must integrate. The seven tenets that regulate the pillars must be consulted before maturity decisions are made to conform. As an enterprise matures the pillars, it will reduce its attack surface, obtain better visibility of its network, and become more automated.