What is Zero Trust?
by Spencer Nguyen • January 12, 2021
Traditional security systems rely on a castle and moat style approach wherein the objective is to protect the perimeter and assumes that anyone inside the network is safe and trustworthy. However, the modern enterprise computing environment has become incompatible with this approach, bringing about the emergence of the ‘zero-trust’ concept. Disruptive technologies and accompanying behaviors such as BYOD’s (bring your device), IoT, and cloud adoption have made attack surfaces and perimeters porous and diffuse making IT infrastructure increasingly difficult for security teams to safeguard.
Did you know you can generate a full-featured, documented, and secure REST API in minutes using DreamFactory? Sign up for our free 14 day hosted trial to learn how! Our guided tour will show you how to create an API using an example MySQL database provided to you as part of the trial!
Under a zero-trust approach framework, all resources are considered external and continuously verified before being granted only the required access based on granular access control lists and rules. This approach implements a “software-defined perimeter,” which facilitates privileged access to human and non-human identities within IAM (Identity and Access Management) based controls.
Zero Trust Principles
It is fundamental that an organisation authenticates and verifies user access for all resources. Every time a user accesses an application, file, or cloud device, that user should be required to authenticate. In this way, it is assumed that every access attempt is a threat to the system and must be categorized and handled as a threat until authenticated as a friendly. Multifactor authentication (MFA) is an excellent way to establish a user’s identity. It relies on at least two pieces of evidence to assess the user’s credibility. These can include security questions, geolocation, Time of Request monitoring, biometrics, SMS messaging, tokens, email/text confirmation, or logic-based exercises. Generally, increasing the number of authentication factors will inherently strengthen the network security.
Attacks are further mitigated through least-privilege access, meaning that the organization grants the lowest access possible to each user or device. Identities are given the least amount of entitlements to perform their ongoing responsibilities which also prevents entities from granting or configuring new permissions. This in turn reduces the likelihood of attackers escalating privileges to more flexible roles.
Micro-segmentation allows for the logical division of a data center into distinct security segments down to the individual workload level. Software-defined micro-segmentation provides an ability to define granular segmentation at the host level. The ability to control workloads in a multi-cloud environment with granular policy controls restricts the spread of lateral threats when breaches occur. Traditionally, network firewalls would be deployed with access lists carrying out segmentation with static IPs and subnets. However, allowing the implementation of strong security controls with infrastructure as code makes the entire process more transparent, responsive, and robust.
Finally, a suite of logging, monitoring and analytics functions enhances an organization's enterprise security. Logging mechanisms enable an organization to continuously examine internal and external logs while monitoring allows teams to detect anomalies and bad actors within the system. In combination with logging and monitoring, security analytics assists in detecting compromised logins, ransomware attacks, or malicious actors uploading files to cloud systems.
Why Zero Trust?
Streamlined security. Implementing a security mechanism is often associated with increased cost and difficulty. This approach allows a business to achieve multiple security controls over a network while reducing capital expenditure and operating expenses. Security management is streamlined as the number of management consoles needed is reduced. Furthermore, organizations do not need to install a complex stack of equipment to secure each data center – a single cloud service can secure all of their applications, data, users, and devices.
Compliance. As zero trust systems are segmented by design, it reduces the need for time-consuming manual audits. Auditors can achieve clearer insight into what data flows the organization has and can see how workloads are protected. These systems are inherently transparent and reduce the number of ways bad actors can exploit network communications. Ultimately, this results in fewer negative audit findings and more straightforward remediation. Furthermore, segmentation allows organizations to create perimeters around certain types of data (e.g., PCI or credit card data, data backups, medical, legal, etc.) using refined controls that keep regulated data isolated siloed away from non-regulated data sources.
Reducing the risk of a breach. As the zero trust model focuses on system workload considerations, workloads with unverified workloads are prevented from communicating with anything else on the system until authenticated and verified. If a service behaves unusually or attempts a malicious activity, it will automatically be untrusted and essentially left in isolation. The service will therefore will be unable to communicate until it’s access control policies have been reset and verified. As the zero trust model requires constant authentication and re-authentication, an Edward Snowden style scenario is less likely to occur, enabling organisations to better mitigate risk.
Infrastructure awareness. In order to implement an effective zero-trust architecture, operations and security teams must have an effective relationship with the underlying systems. Zero trust forces an organization to implement security best practices whilst enabling a more effective IT operation cycle. Traditionally, friction has existed between rapid deployment and ensuring security protocols are observed. This method allows security to envelop applications in protection and assign them a unique fingerprint. As long as that fingerprint remains the same or matches an already-verified application, it can communicate freely. The application therefore develops and grows without imposing unnecessary constraints whilst also ensuring adequate security protocols.
Did you know you can generate a full-featured, documented, and secure REST API in minutes using DreamFactory? Sign up for our free 14 day hosted trial to learn how! Our guided tour will show you how to create an API using an example MySQL database provided to you as part of the trial!
Zero Trust with DreamFactory
There is no panacea or one tool for implementing a zero-trust architecture. However, a journey of a thousand miles starts with a single step. Overcoming inertia is always the most challenging part, and implementing one piece of the puzzle will give you instant momentum to start building your zero trust architecture.
DreamFactory helps bring improved security with a minimum of time and effort on the part of your business. We offer instant API creation backed by comprehensive security features such as Role Based Access Control (RBAC) and authentication integration. From simple API generation to logging and scripting, DreamFactory is the ultimate REST API management platform. Integrate DreamFactory into your business by starting your free trial today!
Related reading:
Securing the Mobile Enterprise
As a seasoned content moderator with a keen eye for detail and a passion for upholding the highest standards of quality and integrity in all of their work, Spencer Nguyen brings a professional yet empathetic approach to every task.