The 5 Core Principles of the Zero-Trust Cybersecurity Model

When even the US Government concludes that to ensure baseline security practices are in place and to realize the security benefits of cloud-based infrastructure while mitigating associated risks, they must migrate to a zero-trust model, every organization should be actively moving in that direction.

The foundational tenet of the zero trust model is that no actor, system, network, or service operating outside or within the security perimeter is trusted. Instead, the organization must verify anything and everything attempting to establish access. The US Government’s strategy boils down to these fundamental points that need to be satisfied to create a real zero-trust model:

• Employee access privileges are actively managed by the enterprise, which gives them access to everything they need to do their job while at the same time reliably protecting them from advanced phishing and spear phishing scams. 
• The enterprise actively monitors the devices that employees use to do their jobs. Devices are consistently tracked and monitored, and the security posture of those devices is taken into account when granting access to internal resources.
• Agency systems are isolated (siloed) from each other, and the network traffic flowing between and within them is reliably encrypted.
• Enterprise applications are tested internally and externally and can be made available to staff securely over the internet.
• The enterprise and data security teams collaborate to develop data categories and security policies to make it easier to automatically detect and ultimately block unauthorized and policy-violating access to sensitive information.

The backbone of a zero trust model and the key to its ultimate success is maintaining an unwavering emphasis on stronger enterprise identity and privileged access controls, including enterprise-wide multi-factor authentication (MFA). Implementing secure, enterprise-managed identity systems is the most effective way to prevent cybercriminals from executing account takeover (ATO) attacks and gaining a foothold in an enterprise’s back end to steal data or launch other attacks. The top priority for enterprise-wide privileged access controls is to defend against sophisticated phishing. To achieve this priority, the enterprise must require all departments to consolidate their identity systems to apply the necessary monitoring and security policy enforcement consistently. Tightening access controls will require departments to leverage data from different sources to make intelligent decisions, such as analyzing device and user information to assess the security of all data access activity in their systems. 

Enterprises cannot assume that any network is implicitly considered trusted nor rely on network perimeter protections to guard against unauthorized access to data. Enterprises must compel users to log into applications rather than networks. In addition to implementing robust internal testing programs as they go down the path of zero trust model implementation, enterprises should welcome external partners and independent perspectives to evaluate the real-world security and risk posture of their data and applications. For example, an enterprise may bring in a penetration tester, or pentester to routinely conduct an authorized vulnerability assessment and audit tests on systems. The purpose is to expose weaknesses in an organization’s cybersecurity model that could be exploited by bad actors in the future.  A white hat or ethical hacker is an almost identical role to a pentester but in a broader context. An ethical hacker reports the identified vulnerabilities to the organization (as opposed to exploiting them), often provides remediation advice, and with the organization’s consent, may re-test networks and systems to be sure any found vulnerabilities have been fully resolved.

Achieve specific zero-trust security goals

For the US Federal government, the Cybersecurity and Infrastructure Security Agency (CISA) leads the national effort to understand, manage, and reduce risk to cyber and physical infrastructures. CISA’s zero trust model describes five complementary areas of effort (pillars) (Identity, Devices, Networks, Applications and Workloads, and Data) that must be achieved to create a zero trust model.

1. Identity: Employees must use enterprise-managed identities to access the applications they use in their work. Phishing-resistant MFA protects those employees from sophisticated online attacks.
   To ensure properly controlled privileged data access, enterprises must employ risk-based access by taking a holistic view of users and gaining a deep understanding of their responsibilities and authorities, as well as having the ability to verify user identities when they attempt to access data. They must also implement strong enterprise-wide authentication practices and consolidate the means of authenticating to as few department-managed identity authentication systems as practicable. This improves insights into “normal” user activities, enables better detection of anomalous behavior, facilitates more effective security policies that limit unnecessary access, and enables quick detection and action against anomalous behavior. 
2. Devices: Enterprises must maintain a complete inventory of every device it operates and authorizes for business use so it can prevent, detect, and respond to security incidents on those devices.
3. Networks: Agencies must encrypt all DNS requests and HTTP traffic within their environment, and begin executing a plan to break down their perimeters into isolated environments. 
4. Applications and Workloads: Departments within enterprises must treat all applications as internet-connected, routinely subject their applications to rigorous empirical testing, and welcome external vulnerability reports.
5. Data: Create a clear, shared path to deploy protections that make use of thorough data categorization and security responses, focusing on tagging and managing access to sensitive structured, unstructured, and semi-structured documents.

Enterprises should leverage whatever cloud security services are available to monitor access to their sensitive data, and implement solutions that enable enterprise-wide data visibility, logging, and information sharing.  

The road to a zero-trust model is long and rarely aligned with the traditional cybersecurity strategies to which we have grown accustomed. As global organizations, government agencies and multi-national businesses continue to operate within regulated, complex and technologically diverse environments, this will require transition plans that build on a foundation to automate security access rules, regulate access based not only on who or what is accessing data, but also on the sensitivity of the data being requested. The good news is, the more goals you can achieve that lead to a real zero trust model, the better you will be at mitigating security risks to your enterprise. Don’t be shy about asking for help. Imperva has solutions that can help overcome the most significant challenges that come with implementing a zero trust model. If you’d like to learn more please contact us.