Zero Trust: Beyond access controls
As the Zero Trust approach to cybersecurity gains traction in the enterprise world, many people have come to recognize the term without fully understanding its meaning.
One common misconception: Zero Trust is all about access controls and additional authentication, such as multi-factor authentication.
While these two things help organizations get to a level of Zero Trust, there is more to it: a Zero Trust approach is really an organization-wide architecture. Things aren’t always as they seem, and access controls by themselves are meaningless without a comprehensive, centrally managed infrastructure to back them up.
Consider this: if an employee’s laptop is stolen and their account is compromised, an organization that relies on access controls alone has only one protective measure left, controlling access to the device. Whoever is impersonating the employee can now reach the infrastructure and anything the identity tied to that account had access to.
Zero Trust: A centralized approach to cybersecurity
Organizations can avoid problems like this by managing and enforcing policies for all identities, devices, and applications centrally and setting automated rules to require additional authentication as needed. With Zero Trust, every activity related to the enterprise must be authenticated and authorized, whether it’s undertaken by a person, a device, or a line of code that drives an internal process.
If a laptop is registered, the company can still require a software token or a fingerprint scan when someone uses it to access sensitive financial information. If the user wants to change or add data, it may be a good idea to add another authentication factor, or to monitor this activity in real time – especially if making changes is not something the person ordinarily does.
The same is true when someone who routinely uses just subsets of customer information tries to download the entire customer database, or if anyone tries to copy product development specifications.
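The step-up, monitor, and block behaviours described above can be expressed as a small context-aware policy evaluator. The following is an added example, not code from the original article or from any particular Zero Trust product; the resource names, the registered-device list, the per-user baselines and the thresholds are all hypothetical and constructed for illustration.

```python
"""Added example: a tiny context-aware access policy evaluator.

All resources, device ids, user baselines and thresholds below are
hypothetical; they exist only to show how a central policy engine can
return different decisions for the same credentials depending on context.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# Decisions the policy engine can return
ALLOW = "allow"
STEP_UP = "step-up"          # require an additional factor (software token, fingerprint)
MONITOR = "allow+monitor"    # allow, but watch the session in real time
DENY = "deny"                # block and alert the security team

# Hypothetical catalogue of resources that always need a second factor
SENSITIVE_RESOURCES = {"finance_ledger", "product_specs", "customer_db"}


@dataclass
class Request:
    user: str
    device_id: str
    resource: str
    action: str                 # "read", "write" or "export"
    rows_requested: int = 0     # only meaningful for exports
    mfa_satisfied: bool = False # whether this session already presented a second factor


@dataclass
class Context:
    """Central knowledge the engine holds about identities and devices (hypothetical)."""
    registered_devices: set[str]
    usual_actions: dict[str, set[tuple[str, str]]] = field(default_factory=dict)  # user -> {(resource, action)}
    usual_row_volume: dict[str, int] = field(default_factory=dict)               # user -> typical rows per query


def evaluate(req: Request, ctx: Context) -> tuple[str, str]:
    """Return (decision, reason) for one request, evaluated against enterprise context."""
    # 1. An unregistered device is never trusted, whatever credentials it presents.
    if req.device_id not in ctx.registered_devices:
        return DENY, "device not registered"
    # 2. Copying product specifications is treated as never legitimate here.
    if req.resource == "product_specs" and req.action == "export":
        return DENY, "copying product specifications"
    # 3. A bulk pull far beyond the user's habit is blocked and raised to the security team.
    if req.resource == "customer_db" and req.action == "export":
        typical = ctx.usual_row_volume.get(req.user, 0)
        if typical and req.rows_requested > 10 * typical:
            return DENY, f"bulk export of {req.rows_requested} rows vs typical {typical}"
    # 4. Sensitive data needs a second factor even from a registered device.
    if req.resource in SENSITIVE_RESOURCES and not req.mfa_satisfied:
        return STEP_UP, "sensitive resource requires an additional factor"
    # 5. Changes the user does not ordinarily make are allowed but monitored.
    usual = ctx.usual_actions.get(req.user, set())
    if req.action in ("write", "export") and (req.resource, req.action) not in usual:
        return MONITOR, "action outside the user's normal pattern"
    return ALLOW, "within normal pattern"


def demo_context() -> Context:
    """Constructed sample context (hypothetical devices and baselines)."""
    return Context(
        registered_devices={"lt-001", "lt-002"},
        usual_actions={"alice": {("finance_ledger", "read"), ("customer_db", "read")}},
        usual_row_volume={"alice": 50},
    )


if __name__ == "__main__":
    ctx = demo_context()
    samples = [
        Request("alice", "lt-999", "finance_ledger", "read"),
        Request("alice", "lt-001", "finance_ledger", "read"),
        Request("alice", "lt-001", "finance_ledger", "write", mfa_satisfied=True),
        Request("alice", "lt-001", "customer_db", "export", rows_requested=5000, mfa_satisfied=True),
    ]
    for r in samples:
        print(r.user, r.device_id, r.resource, r.action, "->", evaluate(r, ctx))
```

The ordering of the rules is the design point: device registration and the hard prohibitions are checked before any credential-based step, so a valid password and even a satisfied second factor never override a missing device registration or an unusual bulk export.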
Visibility and control
In today’s world, where devices and applications are expanding rapidly and people often change roles, eliminating every potential security gap is a quixotic ideal. The Zero Trust principle acknowledges that vulnerabilities will always exist, and posits that the best way of dealing with them is to provide visibility into activity across the enterprise ecosystem.
If an event seems out-of-place, an automated alarm is triggered. That may mean alerting a manager or shutting off someone’s access while the security team investigates. By understanding context and having the ability to intervene immediately, organizations can close inevitable gaps as they arise, preventing them from evolving into security breaches.
Perhaps you’re thinking additional authorization measures will frustrate your employees, or that event logs a mile long will drive your security team crazy. But when Zero Trust is managed properly, the system recognizes normal employee activity and becomes less intrusive, allowing you to offer workers convenient features like single sign-on and giving them a range of choices for authorization.
Zero Trust’s contextual awareness also helps organize event logs, prioritizing real threats instead of forcing security teams to slog through endless lists of trivialities and false alarms.
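The two ideas in the paragraphs above, an automated alarm when an event is out of place and logs that stay quiet for routine activity, can be demonstrated with a baseline-versus-activity detector over audit-log lines. The following is an added example, not code from the original article or from any vendor; the log format, the identities, the devices and the two windows of log lines are constructed, and the escalation rules (notify a manager versus suspend access) are hypothetical.

```python
"""Added example: learn each identity's routine from a training window of
audit-log lines, then flag only the events that fall outside it.

The log format, the users, devices and both log windows are constructed
for this illustration; the severity and response mapping is hypothetical.
"""
from __future__ import annotations
from collections import defaultdict
import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) device=(?P<device>\S+) "
    r"resource=(?P<resource>\S+) action=(?P<action>\S+) rows=(?P<rows>\d+)$"
)

# Constructed training window: routine activity for two identities
BASELINE_LOG = """\
2024-05-01T09:01:00Z user=alice device=lt-001 resource=customer_db action=read rows=40
2024-05-01T09:30:00Z user=alice device=lt-001 resource=customer_db action=read rows=55
2024-05-01T10:00:00Z user=bob device=lt-002 resource=product_specs action=read rows=3
2024-05-02T09:05:00Z user=alice device=lt-001 resource=finance_ledger action=read rows=20
"""

# Constructed live window: two routine events and two out-of-place ones
LIVE_LOG = """\
2024-05-03T09:02:00Z user=alice device=lt-001 resource=customer_db action=read rows=48
2024-05-03T09:40:00Z user=alice device=lt-001 resource=customer_db action=export rows=120000
2024-05-03T11:15:00Z user=bob device=lt-777 resource=product_specs action=read rows=2
2024-05-03T11:20:00Z user=bob device=lt-002 resource=product_specs action=read rows=4
"""

SEVERITY_RANK = {"medium": 1, "high": 2}


def parse(log: str) -> list[dict]:
    """Turn log text into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["rows"] = int(ev["rows"])
            events.append(ev)
    return events


def build_baseline(events: list[dict]) -> dict:
    """Per identity: devices seen, (resource, action) pairs seen, largest row count seen."""
    base = defaultdict(lambda: {"devices": set(), "pairs": set(), "max_rows": 0})
    for ev in events:
        b = base[ev["user"]]
        b["devices"].add(ev["device"])
        b["pairs"].add((ev["resource"], ev["action"]))
        b["max_rows"] = max(b["max_rows"], ev["rows"])
    return base


def detect(events: list[dict], baseline: dict, volume_factor: int = 10) -> list[dict]:
    """Return one alert per out-of-place event; routine events produce nothing."""
    alerts = []
    for ev in events:
        reasons: list[tuple[str, str]] = []   # (severity, explanation)
        b = baseline.get(ev["user"])
        if b is None:
            reasons.append(("high", "no baseline for this identity"))
        else:
            if ev["device"] not in b["devices"]:
                reasons.append(("medium", f"unseen device {ev['device']}"))
            if (ev["resource"], ev["action"]) not in b["pairs"]:
                reasons.append(("high", f"unusual action {ev['action']} on {ev['resource']}"))
            if ev["rows"] > volume_factor * b["max_rows"]:
                reasons.append(("high", f"{ev['rows']} rows exceeds {volume_factor}x the baseline"))
        if not reasons:
            continue   # normal activity stays out of the alert queue
        severity = max((s for s, _ in reasons), key=SEVERITY_RANK.__getitem__)
        response = "suspend access pending investigation" if severity == "high" else "notify manager"
        alerts.append({"ts": ev["ts"], "user": ev["user"], "severity": severity,
                       "reasons": [text for _, text in reasons], "response": response})
    return alerts


def run_demo() -> list[dict]:
    """Build the baseline from the training window and scan the live window."""
    return detect(parse(LIVE_LOG), build_baseline(parse(BASELINE_LOG)))


if __name__ == "__main__":
    for alert in run_demo():
        print(alert["severity"].upper(), alert["user"], alert["reasons"], "->", alert["response"])
```

Of the four live events, only two reach the queue: alice’s full-database export (unusual action and a volume far above her baseline, so access is suspended) and bob’s use of an unseen device (a medium-severity note to a manager). The two routine reads generate nothing, which is the contextual prioritization the text describes.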
The key aspect of Zero Trust is the breadth of its scope. It covers the entire organization, including:
- People: Everyone who interacts with the organization—including vendors, contractors, and IT service accounts—is given an identity and conditional access rights. Conditional, because as we have seen, legitimate access may be used for nefarious purposes, so context and activity must always be considered. If an action seems out of line, additional authorization or monitoring is activated.
- Devices: All endpoints are included, with changes and updates made as they occur to avoid accumulating security gaps.
- Applications: Today’s enterprises operate in a multi-cloud environment, using a host of internal and external apps, many of which interconnect or connect to other outside apps. Zero Trust provides visibility into the dependencies within and among all applications and databases and uses automation to spot irregularities no human could ever keep up with. Enterprise security rules are enforced at all times, even if the apps themselves lack adequate protection. In this way, Zero Trust removes the burden of compliance from employees, devices, and applications and places it on the central automated system.
- Data: With Zero Trust, almost all enterprise data is encrypted. If it ever ends up in the wrong hands, the unauthorized party will not be able to decipher it, even if the user’s access credentials are compromised.
Though we have barely scratched the surface of Zero Trust here, it should be clear that it is a robust, comprehensive, and responsive security architecture extending well beyond access controls. It can be viewed as the evolution of the least privilege model. While Zero Trust is strong enough to keep bad actors out, it is also flexible enough to accommodate user preferences and incorporate new people, devices, applications, and data as they flow into and out of the enterprise.