It was 2010 when John Kindervag, then an analyst with Forrester Research, first wrote about the idea of a zero-trust security framework in which the idea of a network edge or perimeter was no longer the front lines of the cyber battlefield for an organization.
Instead of an organization implicitly trusting anything inside its perimeter as being “friendly fire,” nothing inside or outside the perimeter should be trusted. Both users and devices should be authenticated, authorized, and determined based on who, what, when, and even where a user or device is from, and what it's trying to access should be scrutinized using identity and access management (IAM), orchestration, analytics, encryption, scoring, and file system permissions.
The concept of zero-trust security effectively erases the castle approach to security architecture in that the “castle has left the moat” with data now being everywhere; it’s no longer behind the defenses of a network perimeter but instead extends to mobile devices, cloud drives, and cloud servers, and the threat to those assets are everywhere, everyone, and everything.
This approach to cybersecurity implements an inside-out mentality of protecting the organization's most critical assets, in which security is designed as “microperimeters” around the assets being protected, and the “bad guy” is not trying to be kept out of the perimeter but is already inside.
Zero-trust security is achieved through a litany of security solutions with identity access management and microsegmentation at the very heart.
The implementation of zero trust in a pre-existing enterprise is a challenge but is not impossible. Unfortunately, it isn't as simple as throwing money at the problem and implementing a stack of security solutions that gives you “zero trust.” It does, of course, involve a healthy amount of budgeting, but it also involves a re-architecture of the network and understanding of “who needs access to and from what” and “what needs access from and to where.”
Step 1: Create an asset catalog that includes devices and applications, making sure to document data transmission paths (ports and protocols) that the applications talk over.
Step 2: Locate your data. What is it you are trying to protect? Where is it? Is it on a shared folder on a file server or on a NetApp server? Who needs access to it? Where are they going to access it from?
You can't protect something when you don't know where that something is or what that something is.
Step 3: Implement microsegmentation. Segment the network into virtual local area networks (VLANs), not just moving devices based on their role to their own unique subnetwork but also implementing VLAN access control lists (VACLs) between those subnetworks or default routing them directly to a firewall responsible for internal core traffic filtering.
Step 4: Implement IAM solutions. No one should be trusted inside or outside the network. Eliminate forms of single-factor authentication inside and outside the Active Directory (AD) environment, such as passwords, by moving to multifactor authentication using solutions such as Duo Security or Okta, or take it further with Yubico, StrongKey, or Trusona.
Step 5: Protect the data where it's at. Implement role-based authentication to where the data is being stored using solutions such as Varonis to ensure that individual users are granted access to specific data based on their need to know, and implement endpoint detection and response solutions to detect and autonomously respond to those detected threats.