Demystifying the concept of zero trust security

Cyber security is a risk management function and organisations need to make decisions on trade-offs or risk acceptance when they implement controls

The Cybersecurity hazard is at an all-time high due to several changes in the business environment. The proliferation of personal devices and the adoption of the hybrid work model and digital technologies are creating multiple vulnerable nodes that are exposed to security breaches.

Organisations and their CISOs are challenged by the evolving threat landscape. The need for strategic thinking and rehashing the fundamental security architecture construct is much higher than ever. In this context, the Zero Trust Security Architecture is one approach that’s increasingly getting a lot of traction. At a higher level, Zero Trust assumes that your business is continuously compromised, and the architecture aims to mitigate that.

Security from a different perspective

Fundamentally, cyber security is a risk management function where we need to make decisions on trade-offs or risk acceptance when we implement controls. It is difficult to imagine a world where we would only have absolute control. Another important factor to note is that trust is contextual. The security world has built various models and solutions for adaptive controls or transparent controls. These models are based on answering questions about who, where, why, when and what of a transaction before any verification, approval or denial is made.

Security architecture has always relied on trust models. There are many technical controls that we trust before we grant or deny access to resources. For all this to work properly, security teams must ensure the highest degree of integrity to handshakes or trust.

The Zero Trust model challenges the risk management principles, adaptive nature of controls, defence in depth and trust relations across entities in security management. Essentially, it assumes that an organisation is constantly under attack and therefore controls and responses are built based on that assumption. It does not assume any trust across the controls and therefore subjects the transaction to the maximum level of scrutiny that’s possible. The traditional model of perimeter-based security is replaced with continuous security practices built across people, devices, networks, data, and the cloud within as well as outside the organisation.

This does not mean that one can make each control self-sufficient. The concept of defence in depth, and building trust across entities will remain, however, this approach helps in designing and building strong multi-dimensional and comprehensive controls.

The zero Trust model challenges the risk management principles, adaptive nature of controls, defence in depth and trust relations across entities.

We must not view Zero Trust as a replacement for the existing security architecture but as a complementary approach. Zero Trust focuses on deciphering the context by understanding user behaviour and expectations based on IP addresses, locations, access devices, time of day and more. For this to work, organisations must implement security controls within and outside the external perimeter. It can be achieved by a combination of strategies including strong identification, authentication, authorisation, isolation, segregation, encryption, obfuscation, and automation tools.

The key construct of Zero Trust

Zero Trust security needs to be enforced across all the five fundamental pillars of the enterprise fabric. These include identity, device, network, application workload and data. The Zero Trust framework must be applied to each of the five pillars and minor improvements over time can lead to a fully optimised security architecture.

Identity: Being the latest and the most important perimeter for the enterprise, an identity-centric zero-trust strategy is becoming mainstream. Organisations must lay down the policies to define what is a trusted user identity and what are the accesses associated with that identity. There are solutions such as Identity and Access Management as well as Identity Governance Application Controls which establish trust between users or devices and enterprise resources.

Security controls should include aspects such as single sign-on, multi-factor authentication, biometrics, password-less authentication and more. Security needs to recognise that apart from employees, users could also be contractors and vendors. Therefore, the security protocols need to be extended beyond just traditional business perimeters.

Devices: It is no longer just company-issued laptops that are used as workplaces become dynamic. Zero trust applies security controls to every device and keeps real-time watch to ensure compliance with security mandates.

Networks: Cloud-first strategies and remote working have made Zero Trust in network security critical. Here again, micro-segmentation and trust level definition help. Secure Access Service Edge (SASE) solutions play an important role here. SASE is a cloud-first network architecture framework which brings together native cloud security technologies and wide area network capabilities to securely connect not just users but also systems, application endpoints and services.

Data: It must be identified, classified, and encrypted for zero trust security to be successful. Preventing data loss or leakage, providing secure storage, and building the capability to recover information in real time are essential steps. Data must be made available irrespective of where it is stored or what state it is in.

Application workload: These include computer programs and services that execute on-premise and cloud environments. Zero Trust security must be applied to the workload and applications within the core of the business. Security controls such as Host AV/EDR, vulnerability management, cloud access security broker, app security, and DevSecOps among others can be employed in the software development life cycle process.

Organisations are already embarked on the journey to enforce zero trust security by implementing identity security for employees, business partners and contractors, customers, and even non-human devices. With the Zero Trust framework, defence-in-depth is applied technically across all the pillars of the enterprise. When adopting zero trust, perhaps there is a need to define a standard taxonomy in the context of information security and cyber security since trust is not absolute but contextual.

By Vishal Salvi

Vishal is a Chief Information Security Officer & Head of Cyber Security Practice at Infosys

feedbackvnd@cybermedia.co.in