
Zero trust: mistrust by default as the key to security

Concern for the security of corporate communications grew sharply with the arrival of the pandemic. At its peak, hundreds of thousands of workers around the world began telecommuting from home, and corporate security managers began living their worst nightmare: employees accessing company networks, without control, from thousands of offsite locations. Connections and access had to be protected, and many companies started, in just a few days, to use VPNs for that purpose.

But access to company networks through virtual private networks had limitations that, in many cases, were significant, especially in terms of scalability and, although it may seem paradoxical, also in security. For this reason, in a very short time a different security approach, based on zero trust in accesses and devices, began to gain momentum in companies. It is Zero Trust Network Access (ZTNA), popularly known as "zero trust".

What is the zero trust model

Zero trust is a security model that, by default, denies access to applications and data. Threat prevention, together with access to the systems the model protects, is achieved only by granting access to networks and workloads through explicit policies. These policies are backed by ongoing, risk-based, contextual verification of both users and the devices they use to access networks and data.

This model is therefore based on three fundamental principles: distrust by default of all entities and people, enforcement of least-privilege access, and full security monitoring. Access is denied by default and granted solely on the basis of policy, and those grants are made one by one, per data set, workload, user and device.
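The three principles above can be seen in a small policy decision point. The following is an added example written for this article, not code from any ZTNA product; the resource names, roles and risk thresholds are assumptions chosen for illustration. Every request is evaluated against an explicit per-resource policy (default deny), the policy checks user role, MFA and device posture together with a contextual risk score (least privilege, continuous verification), and every decision is recorded (monitoring).

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Subject:
    """What is known about the requester at the moment of the request."""
    user: str
    roles: frozenset            # entitlements granted to the identity
    mfa_verified: bool          # strong authentication completed for this session
    device_compliant: bool      # e.g. disk encrypted, EDR running, patched (assumed signals)
    risk_score: int             # 0 (low) .. 100 (high), derived from context

@dataclass(frozen=True)
class Policy:
    """Explicit grant for one resource; anything without a policy is denied."""
    resource: str
    allowed_roles: frozenset
    require_mfa: bool = True
    require_compliant_device: bool = True
    max_risk: int = 30

# Hypothetical policy set: the payroll database is a critical asset with strict rules,
# the internal wiki tolerates more risk and does not require a managed device.
POLICIES = {
    "payroll-db": Policy("payroll-db", frozenset({"finance"})),
    "wiki": Policy("wiki", frozenset({"finance", "engineering"}),
                   require_compliant_device=False, max_risk=60),
}

AUDIT_LOG = []  # every decision, allowed or not, is recorded for monitoring

def decide(subject: Subject, resource: str, policies=POLICIES):
    """Return (allowed, reason). Re-run on every request, not once per session,
    so a change in device posture or risk revokes access immediately."""
    policy = policies.get(resource)
    if policy is None:
        verdict = (False, "no policy for resource")      # default deny
    elif not (subject.roles & policy.allowed_roles):
        verdict = (False, "role not entitled")           # least privilege
    elif policy.require_mfa and not subject.mfa_verified:
        verdict = (False, "mfa required")
    elif policy.require_compliant_device and not subject.device_compliant:
        verdict = (False, "device not compliant")
    elif subject.risk_score > policy.max_risk:
        verdict = (False, "risk score above policy threshold")
    else:
        verdict = (True, "policy matched")
    AUDIT_LOG.append((subject.user, resource, *verdict))
    return verdict
```

Note that the same user can be allowed on one resource and denied on another in the same moment: the decision is per resource and per request, which is what makes the blast radius of a compromised session small.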

The most important point of the zero trust model, therefore, is the reduction of implicit trust. It is an information security model that carries its principles into both the network and the security architecture. When implemented, network users' access is expressly limited to the applications and tools they must be able to reach.

According to Gartner estimates, by 2025 at least 70% of new remote access deployments will primarily use the zero trust access model. This is very notable growth in just five years, since at the end of 2021 adoption of the zero trust model did not reach 10% of these deployments.

Many technology options support the zero trust model, including software-defined wide area networks (SD-WANs), secure web gateways (SWGs) and cloud access security brokers (CASBs). Of course, the identity of the person making the connection is crucial to the access model: it is as if the system asked you, when you try to connect, who you are, what you have access to and what you are accessing. And, of course, it monitors the entire process and what you do every time you are connected to the network.

First steps to implement it

Putting a zero trust security strategy in place is not a quick process, according to ITbrew. It takes a long time, and security teams that want to get it up and running have to take several steps to get there. They also have to be prepared to progress little by little, and to monitor connections and access constantly once it is launched.

It is also a process that will have to keep evolving and, as the Cybersecurity and Infrastructure Security Agency (CISA) indicates, an incremental one that can take years to complete. Many companies are still taking the first steps towards getting it started.

That is not to say that companies are unwilling to implement the zero trust approach. Quite the opposite. According to a Forrester survey last February, 88% of the CIOs and CTOs surveyed said their management was committed to implementing a zero trust security strategy.

According to the CISA zero trust maturity model, implementation of this strategy has to be divided into several stages, from initial, somewhat more traditional steps to more advanced practices that lead to optimal security objectives.

Among the first steps to take towards zero trust are the following: authenticate identity through multi-factor authentication (MFA), tie each user to that user's activity, and isolate critical workloads from the rest of the network.

Before you start deploying tools such as firewalls, identity federation, and managed detection and response, you need to take the first step: find and identify the company's critical data and assets.

As for critical data, it is not enough to identify it; you also need to know which applications process it, how it flows and who has access to it. With all this information under control, you can start looking for the technology needed to implement the principles of the zero trust security model.

To begin with, you can identify one or two assets that are among the most critical for the organization. Once these high-priority assets are defined, a zero trust system can be put in place to protect them and its operation observed. If the zero trust controls protecting access to them prove adequate and work, the model can be extended progressively to other assets.

Of course, as mentioned above, this is a process of implementation and surveillance that never ends and is constantly evolving. Since attack surfaces and threats keep changing, it is necessary to stay attentive to those developments and make the changes to the system that are appropriate to protect data, applications, processes and the network against them.
