+44 (0)203 88 020 88

Menu

Search

Cyber Security News & Articles

 

Cyber Security
News & Articles

Trusted Cyber Security Experts
25+ Years Industry Experience
Ethical, Professional & Pragmatic

What is Zero Trust Security?

Understanding the principles of Zero Trust Security will help Security and Network Managers evolve their network design to better defend against new and emerging cyber security threats and increased remote working.

To understand and appreciate the benefits of the Zero Trust approach, we need to consider the limitations of more traditional network designs that Zero Trust Architectures were created to mitigate.

What is wrong with traditional network designs?

A traditional corporate network is often designed like a walled garden.  A strong perimeter is designed to keep unauthorised people out, but once you are inside the perimeter you can pretty much go where you like.  In other words, a firewall between the corporate network and the internet provides the secure perimeter but once a device is connected to the network inside the firewall (or a user connects through the firewall to establish a session with a device) they have few limits on their movement or actions.

Since not all systems are equally valuable or vulnerable, network design then developed to break up the walled garden into different areas – or segments – with different levels of protection provided to each segment.

For example: a DMZ segment contains servers running web applications that could be accessed from the internet, but the other segments of the network are not accessible from the web.

Especially valuable systems, such as database servers, may be placed in their own segment with only limited access granted to authorised users or applications.  The main corporate network is its own large segment and allows desktop PC and application servers to connect to internal email and file servers, print servers and each other.  In most cases, systems can communicate freely with all other devices on the same network segment as themselves due to the working assumption that all the systems on a particular network segment were equally trustworthy.

In a very real sense, the geography of a device on the network is taken as a statement of its trustworthiness. As a result, ransomware that could infect one device, can easily laterally move to all other devices in the same network segment.  An attacker that gains access to one device, inherits the implicit trust granted to that device based on its network location.

Zero Trust network architectures break this model and no longer impute trust to a device simply based on where it is connected on the network.  As the NIST paper of Zero Trust architectures puts it:

Zero trust focuses on protecting resources (assets, services, workflows, network accounts, etc.), not network segments, as the network location is no longer seen as the prime component to the security posture of the resource.
NIST SP 800-207

The growth of remote working, especially in the last year, and Bring Your Own Device strategies has led to an evolution of network design which often splits access control into two functions:

Access Layer: the access layer sits on the network perimeter and is focused on authenticating the device that is attempting to access the network (think VPN endpoints)

Presentation Layer: the presentation layer sits behind the access layer and is focused on authenticating users to internal systems, often using a layer of abstraction (think Terminal Services, Citrix or reverse proxies) to further protect internal services and systems.

Zero Trust Architecture

A zero-trust architecture (ZTA) removes the inherent trust based on where in the network a request is coming from and instead evaluates every single request on its own merits.  This makes ZTA particularly helpful for environments which are heavily cloud based with limited on-premise systems, however some of the principles of ZTA can be used to enhance the security of more traditional network designs.

ZTA works by assessing the context of each request – authenticating the device as well as the user, and considers the device health, the value of the data being access and authorisation of the user.

The core elements of a Zero Trust approach are:

A single strong source of user identity.  A single enterprise user directory is needed that provides the definitive list of users, their roles and the granular access they have been granted

Strong user authentication that combines multi-factor authentication with Single Sign On based on the enterprise user directory.  Users are added, suspended, removed or configured in a single place for all systems and services.

Device authentication which not only confirms the device is authorised (through certificates issued by MDM systems for example) but also that the current device health confirms it is configured according to the security baseline, is free from malware and shows no other indicator of compromise.  This form of device health attestation is appearing in more MDM solutions.

A ZTA access decision can include context to further protect assets based on their value. For example:

An access request to valuable Intellectual Property documents from the Managing Director’s user account, with a valid password, could be declined because it does not come from the user’s usual laptop or because the device originating the request is located in a foreign country.

Certain resources, such as an employee manual, could be available to any logged in user but a request to access a financial report could require additional multi-factor authentication.

How to adopt Zero Trust principles in your network

Zero Trust network architectures are still a relatively new approach and best practices and technology are still developing, so it is advisable to regularly revisit your approach to check alignment with evolving best practices.

A ZTA approach will often result in a simpler network design and could result in making systems more accessible from the web so the implications of vulnerabilities or configuration errors could be very significant.  Each and every system must be secure in its own right – not relying on the layers of protection previously provided by the walled garden approach of network design.  Every system must be hardened against attack, require multi-factor authentication of the user, and authenticate the device originating the request as well.

Where a full zero trust network approach cannot be adopted, implement the traditional remote access architecture and as many zero trust networking recommendations as possible.
NCSC – Zero Trust Architectures

ZTA is easier to design in from the beginning, especially for new cloud centric deployments but the principles can also inform the development of more traditional and on-premise network designs as they evolve to accommodate increased remote working.

Resources on Zero Trust Security

NCSC guidance on Zero Trust Network Architectures

NIST SP800-207 Zero Trust Architecture

NCCoE Zero Trust Architecture project

 

 

Subscribe to our monthly newsletter today

If you’d like to stay up-to-date with the latest cyber security news and articles from our technical team, you can sign up to our monthly newsletter. 

We hate spam as much as you do, so we promise not to bombard you with emails. We’ll send you a single, curated email each month that contains all of our cyber security news and articles for that month.

Why Choose SecureTeam?

Customer Testimonials

“We were very impressed with the service, I will say, the vulnerability found was one our previous organisation had not picked up, which does make you wonder if anything else was missed.”

Aim Ltd Chief Technology Officer (CTO)

"Within a very tight timescale, SecureTeam managed to deliver a highly professional service efficiently. The team helped the process with regular updates and escalation where necessary. Would highly recommend"

IoT Solutions Group Limited Chief Technology Officer (CTO) & Founder

“First class service as ever. We learn something new each year! Thank you to all your team.”

Royal Haskoning DHV Service Delivery Manager

“We’ve worked with SecureTeam for a few years to conduct our testing. The team make it easy to deal with them; they are attentive and explain detailed reports in a jargon-free way that allows the less technical people to understand. I wouldn’t work with anyone else for our cyber security.”

Capital Asset Management Head of Operations

“SecureTeam provided Derbyshire's Education Data Hub with an approachable and professional service to ensure our schools were able to successfully certify for Cyber Essentials. The team provided a smooth end-to-end service and were always on hand to offer advice when necessary.”

Derbyshire County Council Team Manager Education Data Hub

“A very efficient, professional, and friendly delivery of our testing and the results. You delivered exactly what we asked for in the timeframe we needed it, while maintaining quality and integrity. A great job, done well.”

AMX Solutions IT Project Officer

“We were very pleased with the work and report provided. It was easy to translate the provided details into some actionable tasks on our end so that was great. We always appreciate the ongoing support.”

Innovez Ltd Support Officer

Get in touch today

If you’d like to see how SecureTeam can take your cybersecurity posture to the next level, we’d love to hear from you, learn about your requirements and then send you a free quotation for our services.

Our customers love our fast-turnaround, “no-nonsense” quotations – not to mention that we hate high-pressure sales tactics as much as you do.

We know that every organisation is unique, so our detailed scoping process ensures that we provide you with an accurate quotation for our services, which we trust you’ll find highly competitive.

Get in touch with us today and a member of our team will be in touch to provide you with a quotation. 

0

No products in the basket.

No products in the basket.