Zero Trust: security from total distrust
The Zero Trust security approach is based on the principle that no device, user, workload, or system shall be trusted by default. What are its principles? What benefits does it offer compared with other models?
Workload migration to the Cloud, the generalization of hybrid and remote work, and BYOD policies have exposed the flaws in the traditional cyber-security systems of many companies. "The company becomes more mobile, and the perimeter doesn't make that much sense anymore," says Pedro García-Villacañas, head of Presales Iberia at Kaspersky.
In this new scenario, the Zero Trust security model is gaining momentum. "Its key principle proposes that we must assume that our organization is going to be attacked, and one of those attacks is going to successfully make it through all the security measures," declares José de la Cruz, technical director of Trend Micro Iberia.
This implies adopting an attitude of total untrustworthiness. "A Zero Trust approach to cybersecurity means that no device, user, workload, or system should be trusted by default, regardless of the location from which it operates, either inside or outside the security perimeter," says Eusebio Nieva, technical director of Check Point Software for Spain and Portugal.
That means every access request from a device must be verified to confirm that it poses no threat and is trustworthy. "Any device wanting to access any corporate data, wherever it is, has to prove that it is valid, authorized, and complies with the security standards defined by the company," remarks José Luis Laguna, director of Systems Engineering at Fortinet Spain and Portugal.
Pedro Martinez, Aruba's South Europe Business Development Director, explains that the Zero Trust approach "is based on an architecture that is made up of four basic pillars: user verification, device verification, access limitation through the configuration of credentials, and the analytical capacity to learn and adapt." Therefore, he adds, "users do not have unlimited privileges and can only access the necessary information for the performance of their tasks."
This is one of its key points. "It proposes establishing a policy of user privileges where users must have the minimum and essential privileges to carry out their activity. This principle applies from the services to which the user can connect - corporate applications, file servers, Internet browsing, etc. - to the privileges available within applications, services, etc.," explains De la Cruz.
Guillermo Fernández, sales engineering manager for Iberia at WatchGuard, specifies that "these limits can be established by ensuring that the person accessing our network is who they say they are, to avoid identity theft, with multi-factor authentication (MFA) playing an important role; and correctly managing privileges, i.e., ensuring that the user can only access what they really need."
This involves the evolution of the old perimeter security model towards a system of 'microperimeters,' constantly checking the user, devices, and networks. "Each device is protected by a microperimeter with controls around and between them," says Alberto R. Rodas, Iberia Region sales engineer at Sophos.
Similarly, García-Villacañas talks about micro-segmentation. "It involves breaking down corporate infrastructure and other resources into small nodes, which can be as specific as a single device or application. The result is multiple microscopic perimeters, each with its own security policies and access permissions, which facilitates flexibility in managing access and allows companies to block the spread of a threat within the network," he specifies.
On the other hand, Nieva emphasizes that "any Zero Trust security model must necessarily monitor, record, relate, and continuously analyze every activity on its network, to ensure that at no time is a vulnerability or system failure neglected." In addition, he notes that "when a company wants to implement a Zero Trust architecture, it must necessarily and automatically integrate it with the broader IT environment of the organization."
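The pillars described above (verified identity, verified device, least-privilege access per microperimeter, and continuous recording and analysis of every decision) can be expressed as a per-request policy check. The following is an added illustration, not code from the article or from any of the vendors quoted; the roles, resource names, device identifiers and the "three denials" review threshold are constructed for the example.

```python
from dataclasses import dataclass
from collections import Counter

# Constructed example (not from the article or any vendor): one access
# decision built on the four pillars the text lists.
@dataclass
class User:
    name: str
    role: str
    mfa_verified: bool     # identity proven with multi-factor authentication

@dataclass
class Device:
    device_id: str
    inventoried: bool      # registered in the corporate device inventory
    compliant: bool        # meets the company's security baseline

# Least privilege: each role may reach only its own microperimeters
# (role and resource names are constructed for the example).
ROLE_PERMISSIONS = {
    "finance": {"erp", "file-server"},
    "engineering": {"git", "ci"},
}

# Every decision is recorded so it can be correlated and analysed later.
AUDIT_LOG = []

def authorize(user, device, resource):
    """Decide one request. Location is never a factor: the same checks run
    for a request from the office LAN and from a home network."""
    reasons = []
    if not user.mfa_verified:
        reasons.append("identity not verified with MFA")
    if not device.inventoried:
        reasons.append("device not in inventory")
    if not device.compliant:
        reasons.append("device fails security baseline")
    if resource not in ROLE_PERMISSIONS.get(user.role, set()):
        reasons.append(f"role '{user.role}' not allowed on '{resource}'")
    decision = "allow" if not reasons else "deny"
    AUDIT_LOG.append({"user": user.name, "device": device.device_id,
                      "resource": resource, "decision": decision,
                      "reasons": list(reasons)})
    return decision, reasons

def users_with_repeated_denials(log, threshold=3):
    """Analytics over the log: users denied at least `threshold` times,
    a signal worth reviewing (e.g. a stolen account probing other segments)."""
    denials = Counter(e["user"] for e in log if e["decision"] == "deny")
    return sorted(u for u, n in denials.items() if n >= threshold)
```

A finance user on a managed, compliant laptop is allowed into the ERP system but denied the engineering git server (lateral movement blocked by the role policy), and the same user on an unregistered personal phone is denied even the ERP system; both denials land in the audit log.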
Going beyond 'traditional' models
Check Point's technical director justifies the need to evolve to a Zero Trust model by saying, "You have to keep in mind that, in an ever-evolving IT environment and cyber threat landscape, legacy protection infrastructures have become ineffective as they are based on the outdated assumption that anything inside the perimeter can be trusted. But the security perimeter is no longer limited to the walls of an office building. Valuable corporate data is continuously transferred between SaaS applications, IaaS, data centers, remotely-accessed users, IoT devices, etc. This means that there are more attack surfaces and more entry points than ever before."
Martinez explains that "traditional practices consisting of statically segmenting the network and applying policies depending on the segment where the user connects are no longer effective". "Zero Trust is based on dynamically applying roles to users in a way that allows security policies to move with the user and not depend on the specific switch or WiFi access point to which they connect. The most important benefit for companies is that security policies will no longer depend on how the network is configured, which gives enormous flexibility and agility when modifying or adapting them, enabling user mobility and greater alignment of IT with the business," he adds.
Nieva also indicates that "this type of security protects systems in a much more meticulous way since it completely limits the accessibility of the different users to what they need to carry out their work, preventing them from reaching other parts of the company's network". He states that "the segmentation and scalability of this system improves and protects the corporate network much more than the previous ones."
Following a similar line, Rodas emphasizes that Zero Trust "allows more granular control over who can access certain applications and data, minimizing lateral movement and eliminating implicit trust", unlike VPNs where "it's all or nothing". Additionally, he insists on its greater security, since this approach takes into account the state of the device and access policies, something that does not happen with VPNs, "which can put application data at risk for a compromised or unsupported device."
The Check Point manager also notes that "Zero Trust security uses different tools that increase the cybersecurity level, thanks to multi-factor authentication, identity and access management (IAM) tools, encryption, file system scoring and permissions, and security orchestration."
On the other hand, the Kaspersky representative points out that Zero Trust allows companies to adapt more easily to change. "For example, by removing access privileges from departing employees or adjusting the privileges of those whose responsibilities have changed," he notes.
Besides, the Sophos representative points out that, with the Zero Trust model, "it is much easier to implement and makes it easier to include new users" than with traditional VPN networks. He also stresses that Zero Trust offers "frictionless connection management."
According to the Trend Micro manager, Zero Trust "reduces incident response times, which is critical in the context of a ransomware attack; improves the visibility of the organization's internal processes, both legitimate and illegitimate; and helps regulatory compliance, preventing information leaks and controlling information flows."
For all types of companies?
Despite the advantages offered by a Zero Trust model, only a few companies are adopting this approach. However, the number of organizations starting to move in this direction is increasing.
"Most medium and large companies are aiming to implement a Zero Trust strategy in the short or medium term. Furthermore, in recent years, this model has gained relevance with the spread of teleworking and the use of BYOD, where the network access layer is diluted. In this context, the control not only of what is connected to the network but also of what makes use of corporate resources becomes more important. However, we could say that where there is greater interest or urgency in this access model are the organizations where the digital transformation is in an advanced process. Or in those where access to sensitive information or data can be carried out from a large part of the users, which, in turn, can cause a risk of information leakage or non-compliance with regulations, such as in healthcare or public administration environments," says the Fortinet manager.
The WatchGuard representative also states that some sectors such as industry, finance, and technology stand out in the adoption of this approach, as well as in "companies in which teleworking has become relevant."
In addition, although Zero Trust can be implemented by any organization, Nieva believes it is especially useful in larger companies. "The more employees you have, the more devices and the more access points to the network through which a cybercriminal can attack. If a large company has Zero Trust technology, it will have many more barriers protecting it," he declares.
Barriers to implementation
However, adopting this model is not always easy. The Aruba manager acknowledges that "if network visibility, access control, and process automation are not properly implemented, they can be a brake on its implementation."
García-Villacañas explains that "implementing a Zero Trust security model takes time, as it is necessary to register in the inventory all the equipment that employees use for work, both personal and corporate; as well as establishing corporate policies on the devices needed for work and blocking access to corporate resources from other devices."
Similarly, Laguna points out that "the main challenge is knowing what is connected to the network and the interaction of the latter with the connected devices or users," which requires "a maturing process in the fleet device management and the use they make of the network and the purpose of these devices." In this way, he recommends having flexible tools that make it possible to integrate the multiple actors interacting with these devices, access networks, device security, mobile device management, vulnerability analysis, and network security elements. "This integration capability allows for a complete view of the devices, to provide the correct treatment for their purpose and a response proportionate to how critical and relevant they are in the operation," he explains.
Fernández also discusses the potential complications that may arise in companies using older technologies, "where it is not possible to have multiple access roles." "Newer technologies are usually more prepared for what is called Role-based Access Control (RBAC), which restricts access to the network based on a person's role within an organization and has become one of the main methods of advanced access control. There are cases where companies have legacy systems that are not designed to create or enforce these permission options, and that is often a difficulty for Zero Trust policies," he specifies.
An additional complication that may arise when implementing a Zero Trust strategy is resistance from employees. "Users do not easily accept limitations on their use of the corporate tools. This can be a problem when implementing a very restrictive policy, as established by the Zero Trust model," notes De la Cruz.
Similarly, WatchGuard's Iberia sales engineering manager points out that "limiting access to certain information can generate friction." Thus, it is a question of "finding a balance between security and productivity." In addition, he stresses the importance of "having the support of the company's management, to have their backing in case these conflicts arise."