What is Zero-Trust Architecture and why is it Relevant Today?
Breaking Down Zero Trust Architecture:
Zero Trust architecture is an option to be considered by organizations who want a more reliable way of preventing leaks of confidential data and lowering the risk of modern cyber-attacks against their network. Zero Trust was initially developed by the analytics firm, Forrester Research and it is marketed as an alternative to traditional security architectures.
The majority of businesses use traditional security architecture, which functions using the now incorrect theory that anything which is contained within their own network can be considered trustworthy. In the modern day, security threats can arise internally and with even more intelligence than ever before.
New security methods need to be reviewed in order to stop threats from emerging within organizations. As previously mentioned, standard security methods only prevent threats from attacking from outside the organization. Anything that has already penetrated the network is left unchecked, undetected and allowed to run rampant, this allows them to have access to incredibly sensitive information.
This has led to Zero Trust architecture increasing in prominence. Zero Trust architecture itself works on the basis of “never trusting and always verifying”. The design of a system like this is built to prevent threats from moving laterally through a network. This is achieved by utilizing micro-segmenting and the reinforcement of perimeter cyber-security, this will be based on the user ID, location and other data permissions. Lateral movement with regard to cyber-security threats is the term used to describe the way in which attackers will make their way through a network to reach the assets and the data they wish to take.
More traditional cyber-security architectures allow businesses to create a “sub-perimeter” in their network security which will be created using an established set of rules based around who is using the system, the applications they are using and the file directories that they are trying to get to. These sub-perimeters are created to help notify businesses that an attack has taken place and to prevent the attacker from being unchallenged whilst moving laterally through the network.
It is worth noting that when a cyber-security attack takes place, the point at which the attackers have entered the victim’s network is not usually where their target files or information are located. This is the reason why preventing lateral movement and access across the network is so important, it can stop an attacker from being able to reach their target. Alternatively, if someone’s credentials have been stolen and used to access sensitive data, those credentials will have to be logged by the network if the attacker uses them to reach their target. This can help to identify whether or not a user ID needs to be temporarily suspended. It is becoming more and more common for attacks and leaks to come from within an organization.
The level of approved access and lateral movement that you would permit to a user would be based on who the user is and the level of access that they have to certain privileged files. For example, in a large organization, the finance team and their devices would have access to files relating to the business’ financial situation whilst the marketing team and their devices would not be allowed access to these files. This is why, when an attack is suspected, it is pivotal that you recognize which user is responsible, what part of the organization’s network they are attempting to access and whether they have the required permissions to access those files.
If these systems are implemented into your cyber-security procedures, you will be able to track the movement of the attacker and will have an opportunity to prevent the attack from continuing.
Zero Trust architecture allows businesses to rapidly identify both external and internal security threats, meaning that there is a larger chance of them being quickly corrected.
How is Zero Trust Architecture Being Implemented Across Organisations:
Kayak is the industry leader in travel search engines with over 40 different national websites, they are also responsible for the processing of over 1.5 billion different travel-based searches every single year. To help make sure that their staff maintain efficiency and stay productive, Kayak allows its staff to work away from the office, using their own personal devices.
Naturally, this has lead to an increased risk of cyber-attacks and a headache for Kayak’s security team. They needed to build limited visibility into their employee’s devices and also needed to be mindful of juggling user experience with security when their systems are being used remotely.
Kayak was not satisfied with standard Bring-Your-Own-Device (BYOD) management tech and couldn’t find a security platform that could differentiate between Kayak’s own devices and the devices of their employees.
Kayak also wanted to be able to check the state of these devices by being able to detect operating systems that are out of date. They attempted a variety of fixes for these issues which included mobile device management (MDM), network access controls and client certificate solutions.
The previously mentioned systems were too cumbersome and complicated to manage and didn’t provide good enough security when transitioning to cloud-based computing.
As a result of this, Kayak eventually decided to use Duo Beyond, a Zero Trust security method provided by Duo Securities. This system allowed their security to differentiate between Kayak-owned devices and devices that are owned by their employees. They are also able to get updates about the state of each device using their systems and, they are able to provide a secure method to allow their employees to work remotely.
As well as this, Kayak was also able to implement a policy that meant high-level third-party admin accounts could only be accessed through a Kayak device, limiting the security risks involved. As long as the employee’s personal devices were up to date with the latest version of their browser, they would be able to access their regular accounts.
Furthermore, so that Kayak did not need to rely on a VPN, they provided their employees with the ability to use Duo’s Network Gateway. Which is a more convenient and secure way to remotely access their applications.
Kayak went on to select a number of their most commonly used critical applications and made it so they would be accessible by using the Duo Trusted Access architecture. This allows Kayak to check the health-diagnostics of a user’s device and their own ID before allowing them access to their applications.
Siemens is the largest industrial manufacturer in Europe, and they too have decided that the best option for their security architecture is to use a Zero Trust model. The Siemens Digitalization Network, which oversees innovation in Siemens digital applications. They defined three key goals for their digital applications.
- Offering the best security for their internet facing applications.
- Making sure that they can drive down the costs of their digital applications.
- Creating a high-performance experience for their user's digital identity.
Due to this, Siemens decided to use Zscaler’s cloud security architecture for their own cloud-based network. Due to the scale of Siemens as a business, one of the key things that they needed to consider when selecting a security solution is whether or not that solution is scalable for their business’ needs. Zero Trust architecture can be scaled to any business size, whether that be a startup or a global conglomerate.
The way that Zero Trust architecture fits in with their three core principles is that the Zero Trust architecture model is very cost-effective for their functionality when compared to traditional network security models. Furthermore, having a Software Defined Perimeter system is one of the most effective ways to keep your cloud applications secure, due to the fact that they will keep your application invisible from the internet, reducing the risk of external attacks. Coupled with the internal security provided by an SDP, you can easily see how using a Zero Trust model is one of the best ways to protect your cloud-based applications.
There are a number of large organizations that are realizing the potential and the benefit of using a Zero Trust architecture for their security systems. For example, one of the biggest companies in the world, Google have been exploring Zero Trust security for years.
With 85,050 employees working within Google, there are a large number of devices that are being used, which have real potential for becoming compromised. This risk was further increased by their growing reliance on their cloud technology. Because of this, traditional perimeter-based network security is no longer a viable option for keeping Google’s network infrastructure secure.
This is why six years ago, Google began implementing Zero Trust security architecture into their business, using BeyondCorp, which implements a Software Defined Perimeter system. This was one of the first instances of business replacing traditional security methods with this new architecture.
One of the key points of BeyondCorp’s model is internal traffic within a company’s systems is not more trustworthy than traffic occurring externally. This security method removes the need for more commonplace VPNs and security credentials when trying to establish the ID of the user and whether their device can be trusted.
Google themselves use a system based around tiered access, which means the zero-trust system will analyze the user’s own permissions as well as their group permissions, what information the user will need as defined by their role within the organization and they will also identify key information about the device being used.
Using their tiered system, there are four tiers of access within Google. You have “untrusted”, “basic access”, “privileged access” and “highly-privileged access”. If a device is untrusted, it will not be allowed access to Google applications. Basic access will allow the user access to a very limited amount of confidential data, privileged access increases the amount of accessible information on a more confidential level. Highly-privileged access provides access to every part of their corporate services.