Cybersecurity, Policies and Training

Trust No One: Staying Secure with a Zero-Trust Security Model

It seems that Fox Mulder from the hit television show “The X-Files” had it right when he said, “Trust no one.” It’s a philosophy that is central to the zero-trust security model, an information technology approach that forces computer systems to always verify devices before connecting to them rather than automatically trusting them.

Security professionals should be aware of the zero-trust security model and educate their customers and colleagues to ensure their computer systems are not vulnerable to cyberattacks.

Zero-trust security has gained popularity. Previously, someone with the right credentials would automatically be given access to the entire network, like a virtual private network (VPN). Such access was granted quite a bit during COVID-19, when a lot of workers were working remotely. Sometimes, these workers were utilizing a company’s bring-your-own-device (BYOD) policy or utilizing public Wi-Fi, further putting network resources at risk.

Zero-Trust Network Access

Even though some employees have returned to the office on a full-time basis, remote working is  here to stay. As a result, some security professionals have replaced their company’s VPN with zero-trust network access (ZTNA).

While ZTNA is the most important way security professionals can implement zero-trust security, zero trust can include several technologies and principles.

Not only is the identity and health integrity of devices checked when the zero-trust security model is executed, but user authentication is also required before a device can connect to network resources that contain applications and data.

According to the National Cybersecurity Center of Excellence (NCCOE), ZTNA is especially important, as network resources have expanded for many companies to include the following:

  • Cloud computing—computing resources hosted at a remote data center
  • Mobile device use—includes smartphones and tablets
  • Internet of Things (IoT)—includes lighting, thermostats, appliances, and wearable technology

The main principles of zero-trust security that security professionals should follow include the following:

  1. Continuous monitoring and validation—identities, privileges, and security are verified. Users and devices need to continually log in to networks.
  2. Least privilege—only necessary privileges are assigned, and user permissions are carefully examined.
  3. Device access control—this has three parts:
    • 1) Limits how many devices can log into the network simultaneously
    • 2) Double-checks that all devices are authorized
    • 3) Ensures the devices have not been previously compromised
  4. Micro-segmentation—security perimeters are broken into parts to assign separate access. This prevents any one person from having access to the entire network.
  5. Preventing lateral movement—stops attackers from moving between different parts of the network, as each part is segmented. Portions of the network under attack can be quarantined from the rest of the network to limit the amount of damage an attacker can do.
  6. Multifactor authentication (MFA)—this requires users to have more than one piece of evidence to be authenticated. For example, two-factor authentication could require a user to provide a password and a code texted to the user’s cellphone.

To set up a zero-trust security architecture, read the National Institute of Standards and Technology’s (NIST) extensive report.

Now more than ever, security professionals should be diligent about securing their company’s resources using the zero-trust security model.