What is a Zero-Trust Architecture?
There is a growing need for Zero-trust security as assets such as mobile phones connect uncontrollably to the network and business applications connect to the internet.
Zero-Trust is a term that moves defense away from static network-based environments and focuses instead on users, assets, and resources. In a zero-trust network, the threat model no longer considers that actors, systems, or services work within a security area, ensuring that anyone who tries to connect to their systems has access and can be trusted. Using Zero-trust, assets (laptops, cellular devices, etc.) and user accounts receive implicit trust due to their physical network location and ownership.
The zero-trust architecture focuses on the requirements and operations of an organization's business. It implements a network-centric data security strategy that provides distinctive access to those who need it. It uses a positive model of security enforcement with specific rulesets to access particular resources. It is practical and facilitates the principle of least privilege as users are given access to services and applications they need.
In an attack scenario, it limits lateral movement within networks and minimizes attack area and surface. Protection is environment agnostic, so applications and services can be supported while communicating with the network environment without requiring architectural modifications. A broken trust model assumes that the identity of a user cannot be compromised unless a user operates in a manner of trust.
According to Microsoft Zero Trust Architecture components:
Identities: It is essential to verify and secure the identification of each user with reliable & robust authentication methods across an organization.
Endpoints: Securing all of an organization's endpoints is crucial. It provides visibility into devices accessing the internal/external network, thus ensuring compliance and health status before granting access.
Applications: Shadow IT can be used to ensure that IT systems, devices, assets, devices, software, applications, and services can be used without explicit approval from the IT team or help desk. This ensures that appropriate permissions are set, gate access based on real-time analytics is performed & monitored, and user actions are visible and controlled.
Data: Data is one of, if not the, most crucial asset security teams need to focus on. Data should be kept safe when it leaves the devices, apps, infrastructure & networks of an organization. Intelligence can be used for the classification and labeling of data. Organizations should implement encryption and restrict access based on organizational policies to safeguard data.
Infrastructure: Infrastructure in the form of on-prem servers, VM(cloud-based), containers, micro-services, etc., represent a critical attack vector for adversaries. Security teams can use telemetry to detect attacks and anomalies, block and flag risky behavior, and employ least privilege access principles/models. Large volumes of telemetry can be enriched and used to generate high-quality risk assessments for further investigation and triaging.
Network: Devices and users mustn't be trusted because they're on an internal network. Zero trust should be accompanied by verification. Networking controls can provide enhanced visibility Encryption of all internal communications, limiting access by policy optimization & enforcement, and employment of micro-segmentation and real-time threat detection.