Zero Trust - Building a stronger security posture
As organisations shift towards cloud and remote work, traditional security models are no longer sufficient. Zero Trust is emerging as a promising security model that focuses on verifying every user and device on the network. Is Zero Trust a trend or the new fundamental way to build network security?
In this article we will dive into what Zero Trust is, its key principles and drawbacks, and how it can help protect against a wide range of cyber threats.
What is the Zero Trust security model?
The key principle of Zero Trust is “never trust and always verify”. In this approach, all users and devices are considered as untrusted and must be verified before being granted access to resources. This new model contrasts with the traditional network security models: in these models the network was divided in two mains zones. The inside of the company perimeter was considered safe and trusted, while the outside was not. The perimeter was protected by VPNs, firewalls and additional security devices to keep intruders out.
These traditional models faced some limitations: threats to assets can also come from users or devices that are inside the perimeter. The lack of additional authentication and controls once inside the perimeter facilitated moving laterally in cyberattacks.
To counter these limitations, Zero Trust introduces the concept of perimeter-less security. There is no more distinction between a trusted internal network and the outside untrusted network. Every device or user must prove they can be trusted before accessing the network or an asset. This provides a more granular approach to security by enforcing additional access controls based on the user’s identity, device or location.
Key principles of Zero Trust
Zero Trust relies on different main principles that form the core of the concept:
- Zero Trust must rely on solid Identity and Access Management to ensure only authenticated and authorised users can have access to the right resources. The identity of each device and user now defines a new personal perimeter around every user. They need to be trusted before accessing an asset out of their small trust zone.
- The accesses must be given on the basis of the least privilege principle. This means that all users must have access to only what they need to access and when they need to.
- It is a key point for entities to implement Micro-segmentation, meaning dividing the network in smaller parts by applying access controls to the individual workload level. It helps to protect against lateral movement within the network. The main difference with classic segmentation is that micro-segmentation is more specific to users while classic segmentation relies on the business needs.
- Assume Breach is fundamental mindset for Zero Trust. In this approach, the company must act as if its systems are already under attack. It largely limits the trust placed in actors or devices on the network as they are considered compromised already.
- Following the assume breach mindset, there is a need to continuously monitor the network to ensure the security of the system and track malicious or suspicious events.
- The users need to authenticate themselves not only once, but are asked to prove consistently their identity. This is called continuous authentication. Enabling Multi Factor Authentication provides additional layers of security, as it requires the user to provide two or more pieces of evidence to authenticate.
An approach driven by cloud adoption and new work practices
The need to implement Zero Trust was drastically accelerated by the pandemic of COVID-19. With many organisations switching to remote work, many users started accessing the network with devices from outside of the perimeter. At the same time, the trend of BYOD (Bring Your Own Device) also introduced new security risks to the network and assets, as personal devices often don’t have the same security level as company-owned devices. Remote work and BYOD both highlighted that traditional perimeter-based security models were outdated and the need to reinforce security around devices and user’s identities.
The rise of cloud computing has also changed the security landscape. The more data and applications are stored in the clouds, the larger the attack surface becomes. Using the cloud often leads organisations to lose some vision on the activities of their users. Implementing Zero Trust helps them improve their cloud security posture by establishing better visibility on cloud activities and protecting data from unauthorized access.
Zero Trust protects against ransomwares and data breaches
Zero Trust provides relevant least-privilege and secure access to enterprise resources, limiting the attack surface and reducing the risk of ransomware attacks. In fact, since employees are an easy entry point for attackers when exploiting an organisation, the Zero Trust approach begins with employee access in mind. By implementing least-privilege, IT managers ensure that each users will only have access to specific resources according to their job. This decreases the severity of ransomware attacks. Hackers will only gain access to the resources of the compromised user, rather than having access to the entire enterprise network.
Moreover, data breaches can be reduced by screening each request received and making sure users and devices are authenticated before trust is granted. This trust is then continually re-evaluated based on changes in context, such as the user’s location or the data being accessed. This way, an attacker who manages to gain access to your network or cloud instance will not be able to access your data. Furthermore, since the Zero Trust model ensures security by device, hackers won’t be able to move laterally in the network.
Drawbacks of Zero Trust
The Zero Trust security mindset has gained popularity in recent years due to its ability to provide greater security for networks and applications. However, there are also some drawbacks to consider:
- Complexity: Implementing a Zero Trust architecture can be complex and requires significant resources, such as time, expertise, and budget, to properly design and implement. For example, Zero Trust requires continuous monitoring and verification of user identities, device posture, and network traffic. This can result in higher operational overhead and increased management complexity, which can be challenging for organisations with limited resources or expertise.
- User experience: Zero Trust often involves more authentication and access control mechanisms, which can increase the number of prompts and steps required for users to access resources, potentially leading to frustration and reduced productivity. This problematic could be mitigated by the usage of SSO technologies (SAML…).
- False positives: With more granular access controls, there is a risk of false positives where legitimate users are denied access to resources they need, potentially leading to increased support requests and decreased productivity.
- Cost: Implementing and maintaining a Zero Trust architecture can be expensive, especially for larger organisations that need to manage multiple applications and networks.
- Legacy systems: Some legacy systems may not be compatible with Zero Trust security, requiring additional work to upgrade or replace them.
- Adoption: Implementing a Zero Trust security model requires a significant shift in organisational culture and may be challenging to adopt, particularly in organisations where employees are accustomed to a more open, trust-based approach to security. It requires a new way of thinking and can take time to implement successfully.
What’s next for Zero Trust?
The future of Zero Trust networks is promising. They are expected to become more widespread due to evolving security threats and the need for greater control over network access. This adoption may result in a convergence of technologies, such as IAM, network security, and endpoint security solutions. The use of automation and AI-based solutions can streamline the Zero Trust implementation process, improve threat detection and response, while Zero Trust solutions for cloud environments may become more important. Additionally, there may be a push towards standardisation, including the development of common frameworks and protocols for interoperability and ease of implementation.
Conclusion
Zero Trust is a model that has been gaining attention lately, as it is an effective way to protect against cyber threats in remote work and cloud-driven environments. Zero Trust provides a granular approach to cybersecurity that helps organisations stay protected against an ever changing cyber threat landscape. It is clear that adopting the mindset of Zero Trust is now a must have for organisations that want to safeguard their critical assets.
Authors:
Gabrielle Bourguignon
Josette Aoga
Benjamin Cochez
Clement Brun
Sources:
- https://www.zdnet.fr/actualites/l-architecture-zero-trust-bouclier-de-la-securite-des-entreprises-39948952.htm
- https://www.journaldunet.com/solutions/dsi/1520675-le-chief-zero-trust-officer-un-nouveau-role-pour-une-nouvelle-ere-de-la-cybersecurite/
- https://www.okta.com/fr/resources/whitepaper-the-state-of-zero-trust-security-2022/
- https://www.forbes.com/sites/forbestechcouncil/2023/03/31/the-next-wave-in-zero-trust/?sh=65b5c8b57394
- https://www.einnews.com/pr_news/624817508/cra-study-zero-trust-two-steps-forward-one-step-back
- https://www.itbriefcase.net/zero-trust-vs-perimeter-based-security
- https://www.netsurion.com/articles/the-assume-breach-paradigm
- https://www.cloudflare.com/fr-fr/learning/access-management/principle-of-least-privilege/