“Zero trust” is a security strategy to meet today’s increasingly complex cybersecurity challenges. The zero trust approach allows companies to securely grant access to employees and users outside of their organizations, by granting user permissions based on authorization and authentication. Zero trust works on the premise of least privilege access, giving access to on-prem and cloud resources to specific users on a granular level, and protecting the corporate network from unauthorized users and devices. Zero trust goes beyond ensuring initial authorized network access. Instead, it continuously re-evaluates and re-authenticates access, providing cutting-edge security to an enterprise. But a weak link can undermine the best intentions. In a recent Gartner survey, 84% of the risk executives who responded said that third-party risk incidents in the prior twelve months had disrupted operations. So for effective third-party risk management (TPRM), an organization that implements a zero trust architecture must ensure that its third parties also have a properly functioning zero trust architecture.
A Little Bit of History: The U.S. Government and Zero Trust
Recognizing the increasing inadequacy of perimeter-based network security, the U.S. government is mandating that its agencies adopt zero trust.
- The National Institute of Standards and Technology (NIST) issued SP 800-207, “Zero Trust Architecture,” in August 2020, which presented a comprehensive set of zero trust principles and discussed what implementing a zero trust architecture (ZTA) requires. SP 800-207 made clear why security controls needed to shift focus.
- Executive Order (EO) 14028, “Improving the Nation’s Cybersecurity,” was issued May 12, 2021. In view of the increasing number and impact of cyberattacks, the EO required agencies to enhance cybersecurity and software supply chain integrity. In Section (3)(b)(ii), it specifically required that U.S. government agencies develop a plan to implement a ZTA that would incorporate steps outlined by NIST.
It’s obvious why the U.S. government would want a better way to safeguard sensitive data. But private enterprise is equally determined. In a recent PWC survey, 36% of CISOs said they had started to implement components of zero trust, and another 25% aimed to start in the next two years.
Definitions: Zero Trust, Zero Trust Architecture
There are numerous definitions for zero trust. NIST SP 800-207 observes that “[z]ero trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location (i.e., local area networks versus the internet) or based on asset ownership (enterprise or personally owned).”
NIST’s National Cybersecurity Center of Excellence (NCCoE) defines zero trust as “a cybersecurity strategy that focuses on moving perimeter-based defenses from wide, static perimeters to narrow dynamic and risk-based access control for enterprise resources regardless of where they are located.”
Zero trust architecture is defined as “a security model, a set of system design principles and a coordinated cybersecurity and system management strategy based on an acknowledgment that threats exist both inside and outside traditional network boundaries. The zero trust security model eliminates implicit trust in any one element, component, node or service and instead requires continuous verification of the operational picture via real-time information from multiple sources to determine access and other system responses.”
In practice, a zero trust architecture evaluates each request for initial access based on a host of criteria, including user profile, the sensitivity of the resource and the device’s credentials. Once access is granted, the zero trust network continues to evaluate whether each further access request should be granted. The zero trust model ensures that every potential transaction is screened, in every measurable way that the enterprise has predetermined, to make sure it will not pose a threat to the enterprise.
Why Use a Zero Trust Solution?
The conventional security approach focuses on perimeter defenses: a strong password is good enough to allow access. Once inside the network perimeter, users are considered “trusted” and often given broad access to resources. But perimeter-based access won’t stop malicious actors that come from inside the perimeter.
It’s like those action movies that let someone into a secret location but continually monitor them, even after they are in, to make sure they still deserve access. Zero trust access eliminates location-based trust. Zero trust continually tests authorization for each transaction, not just the initial request for access, in order to protect resources.
SP 800-207 emphasizes that the goal of zero trust is to “prevent unauthorized access to data and services coupled with making the access control enforcement as granular as possible.”
Zero Trust and Enterprise Mobility
Enhancing the security of mobile devices is essential, given today’s flexible working environment. Mobile devices can put an enterprise at risk if they are compromised or stolen. The zero trust model’s principles of assuming no implicit trust and monitoring every request for access, for every transaction, taking into account an enterprise’s zero trust policy, are key to securing mobile devices that are part of a zero trust environment.
The Potential Benefits of Zero Trust Network Access
The potential business benefits of a zero trust strategy are to:
- Support teleworkers with access to resources regardless of user location
- Protect resources regardless of their location (on-premises or in the cloud)
- Limit insider threat
- Limit breaches
- Protect sensitive corporate data by using strong encryption
- Improve visibility into who is on the network, what resources are accessed and protected, and how to improve incident detection, response and recovery
- Perform continuous, ongoing, dynamic, risk-based assessment of resources.
Implementing a ZTA — Roadmaps
U.S. government agencies have published guides on how to create a zero trust network. On April 11, 2023, the Cybersecurity and Infrastructure Security Agency (CISA) published the Zero Trust Maturity Model version 2 (the “CISA Maturity Model”). While CISA intends its maturity model to be used by U.S. government agencies, it notes that “all organizations should review this guidance and take steps to advance their progress toward a zero trust model.”
The CISA Maturity Model rests on gradually implementing a zero trust strategy across five areas: identity; devices; network; data; and applications and workloads. It reflects the seven tenets of zero trust outlined in NIST SP 800-207:
- All data sources and computing services are considered resources.
- All communication is secured regardless of network location.
- Access to individual enterprise resources is granted on a per-session basis.
- Access to resources is determined by dynamic policy.
- The enterprise monitors and measures the integrity and security posture of all owned and associated assets.
- All resource authentication and authorization are dynamic and strictly enforced before access is allowed.
- The enterprise collects as much information as possible about the current state of assets, network infrastructure and communications, and uses it to improve its security posture.
Another indispensable guide comes from the NCCoE, which released NIST Cybersecurity Practice Guide SP 1800-35, “Implementing a Zero Trust Architecture,” in five volumes. The guide shows how NCCoE and its collaborators are using commercially available technology to build “interoperable, open standards-based zero trust example implementations that align to the concepts and principles in NIST Special Publication (SP) 800-207.” The NCCoE aims to remove the sense of complexity around designing for zero trust with “how to” guides.
Of particular interest, SP 1800-35 includes ten examples of implementations of a ZTA.
How a Zero Trust System Verifies a Request for Access
A cornerstone of any zero trust strategy is verifying that a request for access should be granted. NIST SP 1800-35A, “Implementing a Zero Trust Architecture,” lists the information a ZTA would verify for each access request, depending on an organization’s defined access policy.
The information includes the requestor’s identity and role, geolocation, the requesting device’s health and credentials, the sensitivity of the resource, access pattern anomalies, and whether the request is warranted and in accordance with the organization’s business process logic.
If the defined policy is met and the system verifies access, a secure session is created to protect all information transferred to and from the resource. Then a real-time assessment is performed to establish and maintain access.
Is Zero Trust Security Hard to Implement?
CISA’s Zero Trust Maturity Model notes: “The path to zero trust is an incremental process that may take years to implement.” Some of the challenges to fully adopting a zero trust model are:
- Legacy systems often rely on “implicit trust,” in which access and authorization are infrequently assessed. This conflicts with the core principle of ZTA. Such systems require investment to adapt them to zero trust principles.
- Continually evolving technology means that how best to adopt zero trust will be a fluid matter that requires ongoing discussions and flexible solutions.
- Adopting ZTA requires cooperation from all stakeholders — from senior leadership on down. The lack of a common understanding of ZTA among stakeholders can delay implementation.
- Modernization will require enterprises to transition “stove-piped and siloed IT services and staff” to coordinated and collaborative components of a zero trust security strategy.
- There is a misperception that ZTA is suited only for large organizations and requires significant investment. ZTA is a set of guiding principles suitable for organizations of any size.
- The requirement to design and integrate a ZTA for a specific organization’s requirements, risk tolerance, and existing technology, instead of implementing a one-size-fits-all solution, can be daunting.
The good news is that SP 1800-35, with its ten examples of ZTAs, can guide any organization on starting to assess their resources, strengths and weaknesses, and planning how to evolve to a full zero trust implementation to best protect their business.
The Main Elements of the Zero Trust Security Model
There are three core components of a ZTA: the policy engine, the policy administrator, and the policy enforcement point.
Policy Engine (PE): The PE handles the ultimate decision to grant, deny, or revoke access to a resource for a given subject. For each resource request it receives, the PE calculates the trust scores/confidence levels and ultimate access decisions based on enterprise policy and information from supporting components.
Policy Administrator (PA): The PA executes the PE’s policy decision by sending commands to the PEP to establish and terminate the communications path between the subject and the resource.
Policy Enforcement Point (PEP): The PEP guards the trust zone that hosts one or more enterprise resources. It handles enabling, monitoring, and eventually terminating connections between subjects and enterprise resources.
Together, the PE and PA make up the policy decision point (PDP), where the decision whether to permit a subject to access a resource is made.
In addition, there are five categories of ZTA supporting components: Identity, Credential, and Access Management (ICAM), Endpoint Security, Data Security, Security Analytics, and Resource Protection.
ICAM
These components of the zero trust model include the strategy, technology, and governance for creating, storing, and managing user accounts and identity records and their access to enterprise resources. Aspects of ICAM include:
- Identity management – Ensuring that the correct subjects have the appropriate access to the correct resources at the appropriate time. This includes least privilege management. SP 1800-35B calls this “just-enough and just-in-time access rights.”
- Access and credential management – Using authentication (e.g., SSO and MFA) to verify user identity, and using authorization to manage access to resources. This includes continuous access evaluation.
- Federated identity – Aggregating and correlating all attributes relating to an identity or object that is being authorized by a ZTA, to avoid redundant user administration.
- Identity governance – Using policy-based, centralized automated processes to manage user identity and access control functions.
- Multi-factor authentication – Granting user access only if two or more pieces of evidence are successfully presented.
Endpoint Security
- Endpoint detection and response (EDR) / endpoint protection platform (EPP) – These aim to protect endpoints and their data from threats and attacks, and to protect the enterprise from threats originating from both managed and unmanaged devices.
- Unified endpoint management (UEM)/mobile device management (MDM) – Tools to manage and administer mobile, desktop, and laptop devices to ensure that they are secure. With the current routine use of personal devices, this step is essential.
Data Security
Policies for securing access to enterprise resources, as well as the means to protect data at rest and in transit. Aspects of data security include:
- Data discovery
- Data classification and labeling
- Data encryption
- Data integrity
- Data availability
- Data access protection
- Auditing and compliance
Security Analytics
This component of the zero trust model continuously gathers security and behavior information about enterprise assets and monitors those assets to be ready to respond to threats or attacks. Security analytics includes:
- Security information and event management (SIEM)
- Security orchestration, automation, and response (SOAR)
- Vulnerability scanning and assessment
- Network discovery
- Security controls validation
- Identity monitoring
- Security monitoring
- Application protection and response
- Cloud access permissions manager
- Security analytics and access monitoring
- Network monitoring
- Traffic inspection
- Endpoint monitoring
- Threat intelligence
- User behavior analytics
- Firmware assurance
Resource Protection
This category includes components deployed on-premises or in the cloud to serve as proxies for a resource or otherwise protect it. Examples:
- Application connector
- Cloud workload protection
- Cloud security posture management
Finally, three processes support a zero trust implementation: resource management, session establishment steps, and session management steps.
Resource Management: Ensures that a resource is authenticated and that its endpoint conforms to enterprise policy.
Session Establishment Steps: These establish the initial session between a subject and a resource to which it has requested access.
Session Management Steps: These enable the policy decision point to continually evaluate a session once it has been established.
The ongoing evaluation of each access request during a session is an essential aspect of ZTA.
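As an added example (not code from NIST or Panorays), the following Python sketch ties together the access-request verification described under “How a Zero Trust System Verifies a Request for Access,” the PE/PA/PEP split, and the session establishment and session management steps above. The request attributes, score weights and per-sensitivity confidence thresholds are constructed assumptions.

```python
# Added illustration (not NIST's or Panorays' code): a toy policy decision point
# (PE + PA) driving a PEP. Attribute names, score weights and thresholds are assumed.
from dataclasses import dataclass, replace

@dataclass
class AccessRequest:
    subject: str
    role: str
    geolocation: str
    device_compliant: bool      # device health as reported by endpoint security
    mfa_verified: bool
    resource: str
    sensitivity: str            # "low", "medium" or "high"
    anomaly_score: float = 0.0  # 0.0 normal .. 1.0 highly anomalous (from analytics)

# Constructed policy: role -> reachable resources; allowed countries; required confidence per tier.
ROLE_ACCESS = {"finance": {"ledger", "wiki"}, "engineer": {"repo", "wiki"}}
ALLOWED_GEO = {"US", "CA"}
THRESHOLD = {"low": 0.3, "medium": 0.6, "high": 0.9}

class PolicyEngine:
    """PE: folds identity, device, location and anomaly signals into one score."""
    def decide(self, req: AccessRequest) -> tuple[bool, float, str]:
        if req.resource not in ROLE_ACCESS.get(req.role, set()):
            return False, 0.0, "role not authorized for resource"
        score = 1.0 - 0.4 * req.anomaly_score
        score -= 0.5 * (not req.device_compliant) + 0.3 * (not req.mfa_verified)
        score -= 0.2 * (req.geolocation not in ALLOWED_GEO)
        need = THRESHOLD[req.sensitivity]
        if score < need:
            return False, score, f"confidence {score:.2f} below required {need}"
        return True, score, "ok"

class PolicyEnforcementPoint:
    """PEP: guards the trust zone; paths open and close only on PA command."""
    def __init__(self) -> None:
        self.sessions: dict[str, AccessRequest] = {}

class PolicyAdministrator:
    """PA: turns PE decisions into establish/terminate commands for the PEP."""
    def __init__(self, pe: PolicyEngine, pep: PolicyEnforcementPoint) -> None:
        self.pe, self.pep, self._count = pe, pep, 0

    def establish(self, req: AccessRequest):
        allowed, _, reason = self.pe.decide(req)   # fresh decision for every request
        if not allowed:
            return None, reason
        self._count += 1
        self.pep.sessions[f"sess-{self._count}"] = req   # per-session grant
        return f"sess-{self._count}", reason

    def reevaluate(self, sid: str, **fresh_signals) -> bool:
        """Session management: re-run the PE on updated signals, revoke on deny."""
        updated = replace(self.pep.sessions[sid], **fresh_signals)
        allowed, _, _ = self.pe.decide(updated)
        if allowed:
            self.pep.sessions[sid] = updated
        else:
            del self.pep.sessions[sid]           # PA commands the PEP to cut the path
        return allowed
```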
Three Approaches to Zero Trust Network Access
NIST SP 800-207 presents three approaches to enacting ZTA for workflows. A full zero trust implementation will include elements of all three. The three approaches are enhanced identity governance, logical microsegmentation and network-based segmentation:
- ZTA Using Enhanced Identity Governance (EIG). Under the EIG approach, the primary requirement for resource access is based on the access privileges granted to the given subject. Other factors may include the device used, asset status, and environmental factors.
- ZTA Using Microsegmentation. An enterprise may choose to implement a ZTA based on placing individual or groups of resources on a unique network segment protected by a gateway security component. PEP components must be able to react and reconfigure as needed to respond to threats or changes in the workflow.
- ZTA Using Network Infrastructure and Software Defined Perimeters. The last approach uses the network infrastructure to implement a ZTA. This is sometimes referred to as a software defined perimeter (SDP) approach. In this approach, the PA acts as the network controller that continually authenticates users based on the decisions made by the PE.
How to Implement Zero Trust
An organization that wants to deploy and implement zero trust should take these steps:
- Discover and inventory the existing environment. Identifying all the enterprise assets is the essential first step, because the ZTA is aimed at protecting them. Monitor transaction flows and communication patterns.
- Formulate an access policy. Determine who should be allowed access to which resource, based on all relevant factors, including the user’s work location, employment arrangements, device types, device ownership and the criticality of the resource being protected.
- Identify existing security capabilities and technology. Most organizations planning to implement a ZTA won’t be starting from scratch. They’ll already have an existing infrastructure and technology that provide security. Incorporating existing tools when implementing zero trust will save money, but the key is to assure that security will not be sacrificed.
- Apply a risk-based approach to eliminate gaps in zero trust policy and processes. Use the value of data as a basis to begin planning the enterprise’s access protection topology. Isolate critical resources in their own trust zones protected by a PEP but permit multiple lower-value resources to share a trust zone.
- Begin implementing ZTA components, and start phasing in zero trust components with an eye toward the ultimate goal. Once an organization has taken the initial steps, it is ready to begin implementing ZTA components — people, processes, and technology.
- Verify the implementation to support zero trust outcomes. Continue to monitor network traffic for suspicious activity, and use security tools to audit the access enforcement decisions of the ZTA; is the system working as it should? Perform periodic testing across a variety of use-case scenarios.
- Continuously improve and evolve. Once implemented, the ZTA must still adapt to changing conditions, including changes in the threat landscape, mission, technology, and regulations.
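The verification step above calls for auditing the access enforcement decisions of the ZTA. As an added example (not code from NIST or Panorays), the following Python script replays a constructed PDP/PEP decision log against the intended policy and flags allow decisions that contradict it, as well as sessions that were not re-evaluated within the required interval; the log format, field names, policy rules and interval are all assumptions.

```python
# Added illustration (not NIST's or Panorays' code) of the "verify the
# implementation" step: replay PEP/PDP decision-log lines against the intended
# policy and flag enforcement gaps. Log format, field names and rules are assumed.
import json
from datetime import datetime, timedelta

# Constructed policy the ZTA is supposed to enforce (assumption).
POLICY = {
    "role_access": {"finance": {"ledger", "wiki"}, "engineer": {"repo", "wiki"}},
    "mfa_required_for": {"high"},              # sensitivity levels needing MFA
    "max_reeval_gap": timedelta(minutes=15),   # continuous-evaluation interval
}

# Constructed sample log: one JSON event per line, as a PDP/PEP might emit.
LOG_LINES = """\
{"ts":"2024-05-01T09:00:00","event":"establish","sid":"s1","role":"finance","resource":"ledger","sensitivity":"high","mfa":true,"device_compliant":true,"decision":"allow"}
{"ts":"2024-05-01T09:02:00","event":"establish","sid":"s2","role":"engineer","resource":"ledger","sensitivity":"high","mfa":true,"device_compliant":true,"decision":"allow"}
{"ts":"2024-05-01T09:05:00","event":"establish","sid":"s3","role":"finance","resource":"ledger","sensitivity":"high","mfa":false,"device_compliant":true,"decision":"allow"}
{"ts":"2024-05-01T09:06:00","event":"establish","sid":"s4","role":"engineer","resource":"repo","sensitivity":"medium","mfa":true,"device_compliant":false,"decision":"deny"}
{"ts":"2024-05-01T09:10:00","event":"reevaluate","sid":"s1","decision":"allow"}
{"ts":"2024-05-01T09:40:00","event":"terminate","sid":"s1"}
"""

def parse_log(text: str) -> list[dict]:
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def audit(events: list[dict], policy: dict = POLICY) -> list[tuple[str, str]]:
    """Return (session id, finding) pairs for allow decisions that contradict
    policy and for sessions the PDP did not re-evaluate within the interval."""
    findings, last_eval = [], {}          # last_eval: sid -> time of last PE decision
    events = sorted(events, key=lambda e: e["ts"])
    for ev in events:
        ts, sid = datetime.fromisoformat(ev["ts"]), ev["sid"]
        if ev["event"] == "establish":
            if ev["decision"] == "allow":
                if ev["resource"] not in policy["role_access"].get(ev["role"], set()):
                    findings.append((sid, "allowed but role not authorized for resource"))
                if ev["sensitivity"] in policy["mfa_required_for"] and not ev["mfa"]:
                    findings.append((sid, "allowed to sensitive resource without MFA"))
                if not ev["device_compliant"]:
                    findings.append((sid, "allowed from non-compliant device"))
                last_eval[sid] = ts
        elif sid in last_eval:             # reevaluate or terminate of an open session
            gap = ts - last_eval[sid]
            if gap > policy["max_reeval_gap"]:
                findings.append((sid, f"no re-evaluation for {gap} while session open"))
            if ev["event"] == "terminate":
                del last_eval[sid]
            else:
                last_eval[sid] = ts
    # Sessions still open at the end of the log must also have been re-checked recently.
    end = datetime.fromisoformat(events[-1]["ts"]) if events else None
    for sid, seen in last_eval.items():
        if end - seen > policy["max_reeval_gap"]:
            findings.append((sid, f"still open, not re-evaluated for {end - seen}"))
    return findings
```

Running `audit(parse_log(LOG_LINES))` flags s2 (role not authorized), s3 (no MFA for a high-sensitivity resource) and s1 (30 minutes without re-evaluation), while the correctly denied s4 produces no finding.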
Slow and Steady: Adopting ZTA to Replace a Perimeter-Based Network
SP 800-207 acknowledges that ZTA might coexist for an indefinite period with a non-ZTA architecture, and that migration to ZTA processes may be undertaken one business process at a time.
Getting Third Parties on Board With Zero Trust
Implementing zero trust in your own organization is crucial, but understanding your third parties’ zero trust architecture is just as important. There are a number of ways to collaborate with third parties in order to work together on a zero trust approach:
- Send the third party a questionnaire. The first step is having the third party verify that they have a ZTA policy and they use a ZTA for every transaction, every time.
- Require proof of control design. The third party should be willing to submit artifacts of its policy and any other documentation sufficient to evidence that it has a zero trust policy.
- Require proof of control execution. Just as implementing a ZTA requires monitoring to assure that the ZTA is properly securing resources, a third party who claims to use a ZTA must provide evidence that their ZTA is actually working successfully.
How Panorays Helps Assure Third-Party Adherence to Zero Trust
When an enterprise has done the hard work of implementing a ZTA, it needs to be as certain as possible that its third parties have implemented a ZTA that is well-designed and appropriately monitored. Panorays’ automated questionnaires allow security teams to verify third-party policies and remediate any gaps when it comes to their zero trust approach and beyond.
Panorays also enables teams to make wiser security decisions by evaluating the cyber posture of their third parties and highlighting any vulnerabilities on the Network, IT and Technologies layer.