Cloud and Data Security
CybersecurityZero Trust Security: Everything You Need to Know
Zero trust is a security model that assumes risks are present both inside and outside of a network. Learn about technologies involved, core principles, and more.
By
Spanning Cloud Apps
17 minute read
The pandemic has changed the business world as we know it, with digital transformation taking place at a feverish pace, data footprints increasingly moving off-premises and hybrid work culture becoming the way forward. However, in the midst of this new normal, is traditional IT network security sufficient for an organization to protect its data from cybercriminals? The answer is no. Here’s why.
The IT sector has traditionally relied on the castle-and-moat network security model to protect its most valuable resources, data and intellectual properties. Consider an organization’s network as the “castle” and its network perimeter as the “moat.” The perimeter-based castle-and-moat model has a “trust but verify” approach that dedicates resources to protect the moat (network access) and extends trust to all users and devices within the castle. Once someone enters the castle ground by crossing the moat, they have no restrictions inside. Imagine what happens when an attacker gains access to such a network. The attacker will be able to move laterally throughout the network and have free reign over everything inside.
This model is particularly risky in the new normal, where remote and hybrid workforces have become the standard. Since employees’ home networks do not have conventional on-premise infrastructure for protection, they are more susceptible to cyberattacks, putting entire business networks at risk. The increasing adoption of hybrid cloud infrastructure exacerbates the vulnerability of this model since organizational data is spread across multiple cloud vendors today rather than remaining behind an on-premise network perimeter.
What is zero trust?
Unlike the castle-and-moat model, the zero trust model assumes that security risks are present both inside and outside the network. TechTarget defines the zero trust security model as “a cybersecurity approach that denies access to an enterprise’s digital resources by default and grants authenticated users and devices tailored, siloed access to only the applications, data, services and systems they need to do their jobs.” Zero trust has a “never trust, always verify” approach that trusts no one by default from inside or outside the network and defines how and when users can access systems and data.
What is the purpose of zero trust?
Traditionally, organizations focused on protecting network access with technologies such as on-premise firewalls and virtual private networks (VPN). Remote users gain access to business networks and resources by logging into a VPN, creating a secure virtual tunnel into the networks. However, problems arise when VPN login credentials fall into the wrong hands or a security risk originates within the organization. As enterprises now need to support secure remote access at scale, the risks associated with VPN use only surge.
The expansion of the data footprint is also a factor that necessitates zero trust. The castle-and-moat model was designed for a time when an organization’s resources resided locally on-premise. But today, most enterprises’ resources lie scattered across multiple cloud platforms and data centers, diffusing the traditional perimeter. The legacy approach to cybersecurity has become less effective in these hybrid cloud environments.
Why do we need zero trust?
In the wake of the digital revolution and remote-work policies in response to the pandemic, the number of employees and systems outside the conventional IT perimeter has grown exponentially. Cybercriminals are exploiting this opportunity by blending in with the growing volume of data traffic and launching sophisticated attacks.
Cybercriminals may steal user credentials, exploit a security vulnerability or carry out a social engineering attack to gain access to a business network. In the event of such a cybersecurity incident, the castle-and-moat model becomes obsolete. Once an attacker crosses the moat and enters the network, they can access any data and systems within. According to IBM, the global average total cost of a data breach reached an all-time high of $4.35 million and the average cost of a data breach in the U.S. is $9.44 million in 2022.
The zero trust security model is designed from the ground up to prevent and mitigate the damage of such data breaches by necessitating even authorized users, devices and systems to prove they are authorized before gaining any access. Through microsegmentation, it empowers IT teams to arrange resources in discrete zones, containing potential attacks and preventing them from spreading laterally throughout the network. Sensitive data and information are secured through the use of granular, role-based access policies.
The history of zero trust
The castle-and-moat approach is not a strategy that organizations deliberately choose; rather the term emerged to differentiate the traditional IT network security model from the zero trust framework.
Statista reports that 15 million data breaches took place in the third quarter of 2022, up 167% from the previous quarter. This uptick in breaches occurred despite organizations investing more time, money and effort on their cybersecurity posture. The recognition that the traditional approach to IT security is no longer effective at stopping today’s threats leads to more and more organizations adopting the zero trust network security model. According to Gartner, 60% of organizations will embrace zero trust as a starting point for security by 2025.
Although the concept of the zero trust model has been around for more than a decade, it has continuously evolved and grown over time.
Where did the term zero trust come from?
The term “zero trust” was first coined by Stephen Paul Marsh in 1994 for his doctoral thesis on computational security at the University of Stirling. Marsh believed trust could be mathematically modeled and constructed in the IT system administration realm. However, it was John Kindervag, a Forrester Research analyst, who popularized this term in 2010 when he put forward the idea that an organization should not extend trust to anything that is inside or outside its perimeters.
It was also around this time Google started leveraging the zero trust architecture. Google’s initiative in 2009, called BeyondCorp, implemented a deparameterized framework based on zero trust. Thereafter, organizations slowly started adopting the security model. The proliferation of cloud and mobile technologies accelerated adoption in the past few years, bringing the zero trust framework into the mainstream.
What is zero trust network access?
Earlier, users and systems outside the traditional network perimeters used VPNs to access enterprise networks. However, as discussed, if attackers could steal a user’s credentials, it becomes easy for them to access the network. That vulnerability is what zero trust network access (ZTNA) aims to address.
Zero trust network grants access based on various criteria, including the identity of the personnel and devices, time and date, historical usage patterns and geolocation. Once authenticated, the ZTNA offers an extra layer of protection that shields applications and services from users who do not have permission to access them. This prevents attackers from laterally moving through the network even if they gain access.
What was the zero trust executive order?
On May 12, 2022, President Biden signed Executive Order 14028, “Improving the Nation’s Cybersecurity,” which pushes agencies to implement zero trust security principles to protect the critical infrastructure and Federal Government networks. To aid this effort, the Cybersecurity and Infrastructure Security Agency (CISA) developed a Zero Trust Maturity Model, which is essentially a roadmap that agencies can refer to as they transition toward a zero trust architecture. Moreover, the CISA has also published “Applying Zero Trust Principles to Enterprise Mobility” — a publication to support federal agencies and other organizations on their journey toward zero trust.
How does the zero trust model work?
Zero trust philosophy assumes that there are attackers within and outside the network. Thus, organizations must continuously monitor and validate whether users and devices have the right attributes and privileges. A zero trust network only provides users the least privileged access, which means it gives users only as much access as they need. This, in turn, helps minimize the exposure of sensitive information to users.
In addition to user access controls, zero trust implements strict device controls as well. It necessitates monitoring all devices accessing a particular business network to ensure their authorization and security. This helps further minimize the attack surface of that network.
Another core principle behind zero trust networks is microsegmentation — a fundamental cybersecurity principle. Microsegmentation empowers organizations to manage their resources in discrete zones and apply role-based granular access to each. An employee with access to a particular zone will not be able to access any other zones without separate authorization. Meanwhile, the Segregation of Duties (SoD) principle ensures that no individual or device has full access to all critical IT resources. For instance, no developer should have access from test to production in a software publishing pipeline or be able to self-elevate their privileges without proper oversight.
Multifactor authentication (MFA) is another central principle of zero trust, which requires more than one authentication method to verify user identity. These, along with other principles like just-in-time access and auditing and tracking, ensure that potential threats do not spread laterally through an enterprise network, thereby minimizing their potential damage.
How is zero trust different from traditional security?
Zero trust is a framework of many principles and technologies that significantly augments an organization’s security posture. It relies on various existing technologies, governance processes and best practices to secure an enterprise network. Let’s see how zero trust stacks up against or relates to other cybersecurity standards.
Zero trust vs. VPN
While VPNs have traditionally been a cornerstone of network security plans, the increasing scalability demands of the remote workforce, new security architecture demands from SaaS platforms and sophisticated cybersecurity threats in the cloud are forcing organizations to think beyond VPNs. On that front, a modern, cloud-native solution like ZTNA offers organizations the granular security they demand without sacrificing productivity.
There’s no doubt that the zero trust model offers a considerably better outcome than the conventional perimeter-based model. However, organizations can leverage the advantages of the zero trust model without overhauling their existing traditional network security because zero trust and VPN can work in tandem. For instance, zero-trust microsegmentation and a VPN can reduce a company’s attack surface and prevent attackers from carrying out damaging lateral movements should a breach occur, although not as much as a whole zero-trust initiative would.
Zero trust vs. SDP
Software-defined perimeter is a network architecture that utilizes zero trust concepts to secure remote access. TechTarget defines software-defined perimeter, or SDP, as “a security technique that controls access to resources based on identity and forms a virtual boundary around networked resources.”
SDP acts as an overlay network that conceals its resources from attackers and unauthorized users like an invisibility cloak. In fact, the terms zero trust and SDP are often used interchangeably and some even refer to ZTNA as SDP 2.0.
Zero trust vs. least privilege
Least privileged access only provides users and devices the access rights required to do their job. It is like a key that can only open certain rooms and is given to users based on their roles and responsibilities.
Zero trust and least privileged access are similar in the way that they both restrict user and device access depending on resources. However, unlike least privileged access, zero trust also applies to user and device authentication and authorization. While zero trust policies are often based on privileged access, they continuously reverify authentication and authorization.
Zero trust vs. defense in depth
Defense in depth, as its name suggests, is a cybersecurity approach that uses multiple layers of protection to contain cyberthreats. It is centered on the core belief that a single defense mechanism is insufficient to defend against all threats, and employs various measures to guard against a vulnerability exploit or a security control failure. In this strategy, when one layer of security fails, other layers protect the network.
While a zero trust environment leverages a defense in depth security strategy, these are not equivalent. No matter how many layers of controls the defense in depth security strategy adds, zero trust necessitates verification for all users and devices, inside and outside any network perimeters. However, including defense in depth principles in a zero trust framework can make your organizational security strategy even more potent.
Zero trust vs. SASE
Secure access service edge (SASE) is a security framework designed specifically for the cloud. TechTarget describes SASE as “a cloud architecture model that bundles network and security-as-a-service functions together and delivers them as a single cloud service.” It brings cloud-native security technologies along with wide area network (WAN) capabilities to securely connect users, systems and endpoints to applications and services. In SASE, security controls are delivered at the connection source rather than at the point of a data center.
SASE is built on zero trust principles, and ZTNA is a significant component of SASE architecture. While you cannot implement SASE without zero trust principles, you can implement a zero trust strategy without incorporating SASE.
What does zero trust prevent?
Zero trust is the framework that organizations sorely need to secure their infrastructure and data in this data-driven digital era. Organizations were forced to quickly adapt remote or hybrid work policies to maintain their business operations in response to the pandemic. According to studies, a hybrid workforce is indeed the way forward for organizations. However, this new work culture opens the door for numerous inherent network security risks. The new security architecture demands from SaaS platforms also lend to this factor, rendering traditional network security architecture obsolete.
The zero trust network security model, on the other hand, addresses the challenges of modern businesses, including securing remote workforce and hybrid cloud environments, and mitigating the damage of sophisticated cyberthreats. Its increased security and compliance agility, along with its threat detection and remediation efficiency, makes zero trust the go-to network security model for enterprises today.
What are the 3 foundational zero trust principles?
While we have already discussed some principles behind zero trust, there are three core principles on which the zero trust strategy relies. Here are the three foundational concepts of zero trust.
Continually verify
One of the major zero trust principles is “Never Trust, Always Verify.” The zero trust network requires organizations to always authenticate and authorize based on all available data points such as user identity, service or workload, location, data classification and anomalies. It assumes, by default, that everything that is and happenswithin a network is malicious unless authorized. It trusts no users, devices or credentials, and necessitates stringent identity and access management (IAM), requiring each user or device to undergo strict verification and authentication before accessing a network resource.
Limit access
Zero trust network doesn’t provide excessive implicit trust like traditional network security solutions. Instead, zero trust relies on microsegmentation, granular access policies and risk-based adaptive policies to secure both data and productivity.
Some of the policies through which zero trust limits access and minimizes the network attack surface are:
Just-in-time access
With just-in-time access, the privilege granted to access resources is limited to predetermined periods of time.
Just-enough-access or the principle of least privilege (POLP)
This offers granular access controls and sets role-based access policies to grant users only the necessary network access required to do their jobs.
Segmented application access
Through application-specific tunnels, the zero trust model also lets you ensure that employees can access only those applications they are permitted to access.
Minimize impact
Zero trust strategy always assumes a breach or attack is underway. Consequently, organizations must constantly introspect how the blast radius or attack surface can be minimized, and should continually verify the security controls in place to limit the resulting damage.
Organizations can integrate intelligence and behavior analytics to support this cause. For instance, the cloud provides rich telemetry that enables better access control decisions. It can help infer abnormal user or entity behavior to identify and mitigate threats. Similarly, a security information and event management (SIEM) system help in aggregating and correlating data to better detect suspicious activities and patterns.
What are the 7 core zero trust pillars?
While it’s evident that zero trust is the way forward for organizations, transitioning from a perimeter-based model to a zero trust framework requires logistical considerations and meticulous planning. According to the Department of Defense (DoD), there are 7 key areas to focus on with the zero trust security model.
User security
The workforce security pillar centers around authenticating and authorizing access controls for the workforce. It advocates the usage of principles like multifactor authentication and privileged access to secure and limit the access of person and non-person entities to enterprise data. The workforce security pillar also necessitates organizations to continuously authenticate, authorize and monitor user activity patterns while governing access and privileges.
Device security
Similar to the workforce security pillar, the primary goal of the device security pillar is to identify and authenticate when devices try to connect to network resources. In that regard, it mandates continuous real-time authentication, inspection, assessment and patching of devices as an enterprise’s critical functions. The DoD asserts that the ability to identify, authenticate, inventory, authorize, isolate, secure, remediate and control all devices is essential in a zero trust approach.
Network/environment security
The network security zero trust pillar aims at segmenting (both logically and physically), isolating and controlling the network/environment (on-premises and off-premises) with granular access and policy restrictions. It is critical to prevent the lateral movement of attackers within a network.
Applications and workload security
The applications and workload security pillar refers to applications, digital processes and IT resources used by an organization for operational purposes. Zero trust workloads span the complete application stack. Securing and adequately managing the application layer, computing containers and virtual machines is central to zero trust adoption.
Data security
This zero trust pillar revolves around categorizing data in terms of mission criticality and developing a comprehensive data management strategy. The data security pillar determines the storage and encryption of data.
Visibility and analytics
End-to-end visibility and advanced analytics help detect anomalous patterns and make dynamic changes to security policies and access decisions. The visibility and analytics pillar may advocate using artificial intelligence to automate some processes, including anomaly detection, configuration control and data visibility.
Automation and orchestration
The final pillar of the zero trust strategy — automation and orchestration — centers around automating and orchestrating manual and disparate systems and processes. It aims at automating manual security processes to take policy-based actions across the network with speed and at scale. Meanwhile, it also integrates SIEM and other automated security tools to assist in managing disparate security systems.
What are the advantages of zero trust?
The zero trust security model offers a plethora of advantages for enterprises. First and foremost, zero trust significantly improves data protection and reduces organizational risk. Its granular access policies prevent rogue employees or cybercriminals from gaining access to large portions of your enterprise network. Limiting what a user or a device can access and how long they can access it dramatically reduces the impact of a data breach.
Another major advantage of the zero trust model is its enhanced visibility across an enterprise network. It can provide end-to-end visibility into who or what accesses your network, including the time and location of every access request.
Zero trust simplifies IT management and streamlines security policy creation, not to mention its support in achieving continuous compliance by logging every access request. Zero trust also provides complete flexibility while migrating apps, data and services from private data centers to a cloud environment or vice versa.
What are the disadvantages of zero trust?
Zero trust has many additional cybersecurity strengths, but it makes a security strategy more convoluted. The fact that each user, device and application has to be authorized and monitored adds an extra layer of complexity, particularly for organizations with a large number of users. The zero trust model also demands considerable time and effort to set up. Since an enterprise network needs to function during the transition from the traditional network security model to zero trust, reorganizing policies may become complicated.
Another disadvantage of zero trust is its implementation cost. Since it requires additional security measures like multifactor authentication, the overall implementation cost of the system can be high. However, while it can seem like the zero trust model is expensive, it pales in comparison to the direct and indirect costs of a data breach.
How Spanning helps support a zero trust model
While zero trust is the go-to security strategy for an organization in this evolving cybersecurity threat landscape, it is essential to understand that it doesn’t warrant an impenetrable network. Thus, organizations must gear up for a situation in which their zero trust architecture fails.
That’s what makes backup and recovery a significant part of an enterprise’s zero trust model. Having a reliable backup and recovery solution will help organizations swiftly recover from a cybersecurity incident when it happens and continue their operations with minimal or no downtime.
Spanning Backup for Google Workspace, Microsoft 365 and Salesforce offer organizations a purpose-built, cloud-native backup and recovery solution that makes backup seamless and ensures your business data stays available, compliant and secure all the time. The set-and-forget system will save your business countless hours of manual work and money.
Especially in today’s cyberthreat landscape, cybercriminals are increasingly targeting data backups with sophisticated attacks to corrupt, encrypt or delete them, which can cripple the recovery capacity of the target company. However, Spanning Backup encrypts your data entirely, preventing cybercriminals from accessing it. Its bring-your-own-key (BYOK) feature gives you increased control over encryption keys, enabling you to control cloud service providers’ level of access to your data. It also empowers you to suspend or shut off access at any time, thereby mitigating risks related to data security.
Learn more about the industry’s most comprehensive and reliable data loss protection solution for SaaS applications like Google Workspace, Microsoft 365 and Salesforce.
Learn more about Spanning Backup