Introduction - What is Zero Trust?
As organizations increasingly rely on distributed users, data, and cloud-based systems as part of their digital transformation journeys, securing this expanded attack surface has become critical. Zero Trust is a security model, also known as Zero Trust Architecture (ZTA), that describes an approach to designing and implementing IT systems centered around reliably knowing who is trying to access or use data and whether they have explicit permission to do so. A well-implemented Zero Trust architecture protects your business by making your network, systems, and user interactions inherently more secure. In fact, implementing a Zero Trust approach is vital to safeguarding your business. It provides a fresh perspective on securing digital interactions by removing implicit trust in systems and users.
The Zero Trust (ZT) model assumes that an organization's digital assets are always at risk and need user and system identity verification to remain secure. The ZT model applies the concept of “least privilege” to everyone, granting people (and even other systems) only the privileges needed to perform their tasks and job functions. Zero Trust requires all users to be authenticated, authorized and continuously validated, regardless of location, before accessing data and applications.
In the traditional security approach, a company's digital assets are treated as a castle, with a focus on perimeter protection. The ZT approach has one basic assumption: nothing, including users, systems, networks, or applications, should be trusted implicitly. Instead of "Trust but Verify," ZT insists on "Verify Every Time." This approach more closely aligns with today's business environment, which requires securing remote workers and hybrid cloud environments and guarding against numerous cybersecurity threats.
NIST Framework For Zero Trust
The National Institute of Standards and Technology (NIST) issued a Special Publication (NIST SP 800-207) in August 2020 explaining the concepts and associated architecture and providing a roadmap for migrating to and deploying Zero Trust. In May 2021, the Biden administration issued an executive order mandating that US federal agencies use the NIST guidelines as they move toward ZT adoption. As a result, the publication has received input from many civil organizations and government agencies, making it the current de facto standard for Zero Trust business deployment.
Core Principles of Zero Trust
The principles below are a distillation of the “basic tenets” or core principles from the NIST SP 800-207 publication. These principles are goals that organizations should work toward on their journey to make digital transformations more secure:
All data sources and computing services are resources: whether the organization and its resources are large or small, and despite how those resources are classified internally, everything touching a network is a resource.
All communication should be secured: access or communication requests, regardless of where or by whom they are initiated, should be treated as if they originated from the open internet, and trust should never be automatically granted. All communication should be authenticated and conducted in the most secure way possible, protecting both integrity and confidentiality.
Access to individual resources is granted on a per-session basis: trust in the requester is evaluated before access is granted, and only with the least privilege required to run the workload or support the communication.
Access to resources is determined by dynamic policy: access is evaluated in real time, based on who is making the request, which resource(s) are involved, and behavioral attributes and characteristics (e.g., subject and device analytics, measured deviations from normal behavioral patterns, etc.).
The integrity and security posture of all resources/devices should be monitored: no asset is inherently trusted, and continuous diagnostics and mitigation (CDM) should monitor systems and devices.
All resource authentication and authorization are dynamic and strictly enforced: including maintaining an IAM (Identity and Access Management) system, enforcing Multifactor Authentication (MFA), and reviewing anomalous behavior.
Continual data collection: the enterprise continually collects information about the current state of assets, infrastructure, and communication to improve security posture.
We could further distill these NIST core principles into three basic ideas:
Verify access requests explicitly by authenticating and authorizing based on all available data points.
Use least privilege and limit user access with real-time and just-enough adaptive policies based on risk analysis.
Assume networks and systems have been breached and minimize the potential effects accordingly.
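To make the tenets above concrete, here is an added example (not code from the article, from NIST, or from any product) of a minimal policy decision function: it verifies identity and device posture explicitly, grants only the requested action for a bounded session, denies by default, and never consults network location. The roles, risk thresholds, and policy table are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Subject:
    authenticated: bool   # credential verified by the IAM system
    mfa_verified: bool    # second factor completed for this session
    roles: frozenset      # entitlements held in IAM

@dataclass
class Device:
    managed: bool
    compliant: bool       # latest continuous-diagnostics (CDM) check passed
    risk_score: float     # 0.0-1.0 from device / behavioral analytics

@dataclass
class Decision:
    allow: bool
    reasons: list = field(default_factory=list)
    ttl_seconds: int = 0                       # per-session grant lifetime
    granted_actions: frozenset = frozenset()

# Constructed sample policy: role -> permitted actions, tolerated risk, grant TTL.
POLICY = {
    "hr-db": {"grants": {"hr": {"read", "write"}}, "max_risk": 0.3, "ttl": 600},
    "wiki": {"grants": {"hr": {"read", "write"}, "staff": {"read"}},
             "max_risk": 0.7, "ttl": 3600},
}

def evaluate(subject, device, resource, action, network="internet"):
    """Policy decision point: verify explicitly, least privilege, default deny."""
    # `network` is accepted but never consulted: location grants no trust.
    d = Decision(allow=False)
    policy = POLICY.get(resource)
    if policy is None:
        d.reasons.append("unknown resource: default deny")
        return d
    if not (subject.authenticated and subject.mfa_verified):
        d.reasons.append("identity not explicitly verified (authn + MFA)")
    if not (device.managed and device.compliant):
        d.reasons.append("device posture not compliant")
    if device.risk_score > policy["max_risk"]:
        d.reasons.append("risk score above resource threshold")
    allowed = set().union(*(policy["grants"].get(r, set()) for r in subject.roles))
    if action not in allowed:
        d.reasons.append(f"no role permits '{action}' on {resource}")
    if d.reasons:                 # every check must pass; one failure denies
        return d
    d.allow = True
    d.ttl_seconds = policy["ttl"]
    d.granted_actions = frozenset({action})   # just-enough: only the requested action
    return d
```

Each denial carries every failed check, which is the data a SOC wants in the access log; a real deployment would re-run this evaluation when the session TTL expires or a risk signal changes.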
These NIST core principles provide the basis for charting a course to start your organization’s unique journey. ZT is a security strategy, not a specific product or service. Of course, you should consider your goals holistically and how these ideas apply to the specific needs of your business.
How To Get Started
Moving towards a Zero Trust Architecture means thinking about your enterprise in terms of the core principles and choosing a path that aligns with your goals and priorities. Since getting started and creating momentum can be challenging with this level of organizational change, consider Microsoft’s Rapid Modernization Plan (RaMP) approach - an alternative to a very prescriptive and detailed plan. Following RaMP guidance, you can map out and organize a project with tasks and owners using a checklist of key objectives to track progress.
For example, RaMP provides a checklist for explicitly validating trust for identities, endpoints, applications, and network access requests. At each step in the process, you can see which part of the ZT architecture you are improving and get a sense of how you can continue to map your journey.
Zero Trust is not a destination. There are no silver bullets or magic formulas, and implementing ZT will require organizational change. However, given today’s business environment, which requires securing remote workers and hybrid cloud environments and guarding against numerous cybersecurity threats, ZT is a necessary step.
Summary
Zero Trust is a concept that has one basic assumption: nothing, including users, systems, networks, or applications, should be trusted implicitly. Instead of “Trust but Verify,” ZT insists on “Verify Every Time.”
Zero Trust principles can serve as a comprehensive framework to secure the digital assets of modern organizations. This approach effectively tackles many of the challenges posed by remote workforces, hybrid cloud environments, and cybersecurity threats. NIST's Special Publication 800-207 provides a clear overview of ZT and its associated architecture. ZT is an evolving set of cybersecurity paradigms that shift focus away from static, network-based perimeters and towards users, assets, and resources.
Implementing Zero Trust is an enterprise journey and, like any other, starts with a first step. Take some time to review the NIST SP 800-207 document, and start your journey towards a more secure organizational posture today.