What is zero trust network security?
Zero trust security is summed up as a principle of “never trust, always verify.”
In other words, a zero trust architecture means that whenever a new device appears on a network—or an existing device’s configuration changes—the device has no access to the network or the hosted resources until you have verified that the device should be granted access.
Zero trust security applies not just to devices that originate from outside a local network, but also those that appear inside it. Just because a business has a subnet that is firewalled off from the Internet—or a network running on a private IP address range—doesn’t mean that an employee could not bring an untrusted device online on that network, for example, or that an intruder who previously breached the network perimeter can’t deploy a malicious host on an internal network.
Zero trust principles and technologies
Zero trust security is founded upon several principles and practices, which help enforce the policy of not granting network access to devices until they are deemed trustworthy.
Inside and outside threats
Zero trust applies to devices regardless of whether they originate on a public or private network. You can’t rely on firewalls or private IP addresses as a way of guaranteeing that a device can be trusted. Instead, you must identify each device that exists on your network and ensure it can be trusted before you grant it access to network resources.
Determining that a device is trusted doesn’t mean granting it unfettered network access. Instead, adhere to a policy of least-privilege access, which means granting the device only the minimal access privileges it needs to operate. Don’t allow the device to run with open ports for services that aren’t actually necessary for the device to perform its function, and don’t allow network traffic among devices unless there is a reason for them to communicate with each other.
When you do grant access to network resources, enforcing multi-factor authentication (MFA) helps to mitigate the risk of abuse or privilege escalation by making it harder for intruders to steal or spoof access credentials. MFA is a security enhancement that requires a user to present two or more pieces of evidence when logging in to an account. Each piece of evidence falls into one of three categories: something you know (like a password or PIN), something you have (like a smart card), or something you are (like your fingerprint). The credentials must come from two or more different categories to enhance security—so entering two or more different passwords would not be considered multi-factor.
Microsegmentation refers to the practice of granting access privileges to each device on a highly granular basis. Rather than applying blanket access-control policies to all devices of the same type, or across an entire subnet, you must adopt policies that are tailored to the individual needs of each device on the network.
By adhering to these principles, your business can put zero trust network security into practice.
How to implement zero trust security
The previous section discussed high-level concepts that are a core part of zero trust security. Now, let’s take a look at specific practices that help in implementing a policy of zero trust.
Get visibility into the device attack surface
You can’t effectively determine access policies or assess whether devices can be trusted unless you have complete visibility into the devices that exist on your network.
Complete visibility means not only knowing where devices exist by listing IP addresses, but also establishing what each device consists of, such as:
FDA/device manufacturer alerts
It also means being able to quickly identify devices that:
have outdated operating systems
have FDA recalls
are banned by governing bodies
Gaining this level of visibility requires constant scanning of your network in order to be aware of new devices as they come online, and also to know about changes to the state of existing devices. If a previously trusted device changes its IP address or opens a new port, for example, zero trust security requires you to assume the device can’t be trusted until the security of its new configuration is verified.
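The continuous-scanning requirement above is easiest to see as an inventory diff. The following added example (not code from the original page or from Ordr) compares two scan snapshots and reports every device whose trust must be re-established: new devices, changed IP addresses, changed operating-system versions and newly opened ports. The device identifiers, addresses and port lists are constructed sample data, and the snapshots are assumed to come from whatever scanner you already run, keyed by a stable identifier such as a MAC address.

```python
"""Continuous-visibility check: diff two inventory snapshots and flag every
device whose trust must be re-verified under zero trust.

Added example, not Ordr's code. Assumes each device is keyed by a stable
identifier (a MAC address here) and that a scanner produced the snapshots;
the snapshots below are constructed sample data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class DeviceState:
    ip: str
    os_version: str
    open_ports: frozenset  # TCP ports observed listening


# Constructed sample: inventory as of the previous scan
PREVIOUS = {
    "aa:bb:cc:00:00:01": DeviceState("10.0.1.10", "linux-5.15", frozenset({443})),
    "aa:bb:cc:00:00:02": DeviceState("10.0.1.11", "rtos-2.3", frozenset({80})),
    "aa:bb:cc:00:00:03": DeviceState("10.0.1.12", "win-10", frozenset({3389})),
}

# Constructed sample: the current scan
CURRENT = {
    "aa:bb:cc:00:00:01": DeviceState("10.0.1.10", "linux-5.15", frozenset({443})),   # unchanged
    "aa:bb:cc:00:00:02": DeviceState("10.0.1.11", "rtos-2.3", frozenset({80, 23})),  # telnet opened
    "aa:bb:cc:00:00:03": DeviceState("10.0.1.50", "win-10", frozenset({3389})),      # IP changed
    "aa:bb:cc:00:00:04": DeviceState("10.0.1.60", "unknown", frozenset({22})),       # new device
}


def changes_requiring_verification(previous, current):
    """Return {device_id: [reasons]} for every device that is not currently trusted.

    A device that is new, or whose configuration changed since the last scan,
    loses its trusted status until the new configuration has been verified.
    Devices that disappeared are reported too so the inventory stays accurate."""
    findings = {}
    for dev_id, now in current.items():
        before = previous.get(dev_id)
        reasons = []
        if before is None:
            reasons.append("new device")
        else:
            if now.ip != before.ip:
                reasons.append(f"ip changed {before.ip} -> {now.ip}")
            if now.os_version != before.os_version:
                reasons.append(f"os changed {before.os_version} -> {now.os_version}")
            opened = sorted(now.open_ports - before.open_ports)
            if opened:
                reasons.append(f"new open ports {opened}")
        if reasons:
            findings[dev_id] = reasons
    for dev_id in previous.keys() - current.keys():
        findings[dev_id] = ["no longer observed"]
    return findings


def still_trusted(previous, current, trusted_before):
    """Devices that were trusted before and show no change keep their status."""
    changed = changes_requiring_verification(previous, current)
    return {d for d in trusted_before if d in current and d not in changed}


if __name__ == "__main__":
    for dev, why in sorted(changes_requiring_verification(PREVIOUS, CURRENT).items()):
        print(dev, "->", "; ".join(why))
```

Run on a schedule, every scan becomes a new CURRENT and the flagged set is the work queue for verification; a device only re-enters the trusted set once its new state has been reviewed and the snapshot it was reviewed against becomes the next PREVIOUS.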
Identify at-risk devices
As you identify and assess the devices on the network, assign a risk score for each one. This evaluation reflects information about device details—such as which services it is running and when its software was last updated—as well as behavioral data about how the device seeks to interact with other devices.
By determining the risk level of each device, you gain a stronger sense of how much access to grant it, and whether to allow the device to access resources on a temporary or permanent basis.
Devices determined to be high-risk should be segmented entirely from the network. Those that are medium-risk may be granted access to basic services, like connectivity, but not access to protocols that could be easily abused, like telnet or SSH.
Remember, too, that risk assessment is not a one-time affair. You must continually reassess risk and recategorize the risk status of each device whenever its configuration changes.
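The scoring, tiering and reassessment steps described in this section, as an added example that is not code from the original page or from Ordr: a weighted score is computed from device details (unsupported OS, a recall notice, a ban by a governing body, patch age, easily abused ports) and a behavioural signal (connection attempts to peers the device has no stated need for), mapped to a tier, and the tier decides what the network permits. The weights, thresholds, port list and the three sample devices are constructed assumptions to be tuned against a real inventory.

```python
"""Device risk scoring, tiered access and reassessment after a change.

Added example, not Ordr's code. Weights, thresholds and sample devices are
constructed assumptions."""
from dataclasses import dataclass, replace
from datetime import date

# Protocols the text singles out as easily abused (constructed port list)
EASILY_ABUSED_PORTS = {23: "telnet", 22: "ssh"}

HIGH_RISK_THRESHOLD = 60
MEDIUM_RISK_THRESHOLD = 30


@dataclass
class DeviceFacts:
    device_id: str
    os_end_of_life: bool            # outdated / unsupported operating system
    regulatory_recall: bool         # e.g. an FDA recall notice applies
    banned_by_authority: bool       # model barred by a governing body
    last_patched: date
    open_ports: frozenset
    unexpected_peer_attempts: int   # behavioural: connections to peers it has no need for


def risk_score(d, today):
    """Weighted score, capped at 100, from device details and behaviour."""
    score = 0
    if d.banned_by_authority:
        score += 50
    if d.regulatory_recall:
        score += 30
    if d.os_end_of_life:
        score += 25
    days_since_patch = (today - d.last_patched).days
    if days_since_patch > 365:
        score += 20
    elif days_since_patch > 90:
        score += 10
    score += 10 * len(EASILY_ABUSED_PORTS.keys() & d.open_ports)
    score += min(20, 5 * d.unexpected_peer_attempts)
    return min(score, 100)


def risk_tier(score):
    if score >= HIGH_RISK_THRESHOLD:
        return "high"
    if score >= MEDIUM_RISK_THRESHOLD:
        return "medium"
    return "low"


def access_decision(d, today):
    """Map the device's tier to what the network lets it do."""
    tier = risk_tier(risk_score(d, today))
    if tier == "high":
        # Segment entirely: no network access at all
        return {"tier": tier, "network_access": False, "allowed_ports": frozenset()}
    if tier == "medium":
        # Basic connectivity only: the easily abused protocols are stripped
        allowed = frozenset(p for p in d.open_ports if p not in EASILY_ABUSED_PORTS)
        return {"tier": tier, "network_access": True, "allowed_ports": allowed}
    return {"tier": tier, "network_access": True, "allowed_ports": frozenset(d.open_ports)}


def after_remediation(d, today):
    """Re-scored facts once the device is patched and its abusable ports closed.
    Reassessment is driven by the configuration change, not by a fixed schedule."""
    return replace(d, last_patched=today,
                   open_ports=d.open_ports - set(EASILY_ABUSED_PORTS))


# Constructed sample devices
TODAY = date(2024, 6, 1)
INFUSION_PUMP = DeviceFacts("pump-12", True, False, False, date(2023, 1, 1), frozenset({80, 23}), 0)
WORKSTATION = DeviceFacts("ws-301", False, False, False, date(2024, 5, 15), frozenset({3389}), 0)
UNKNOWN_HOST = DeviceFacts("unk-9", True, False, True, date(2020, 1, 1), frozenset({22, 23}), 6)

if __name__ == "__main__":
    for dev in (INFUSION_PUMP, WORKSTATION, UNKNOWN_HOST):
        print(dev.device_id, risk_score(dev, TODAY), access_decision(dev, TODAY))
    print("pump after remediation:", risk_tier(risk_score(after_remediation(INFUSION_PUMP, TODAY), TODAY)))
```

With these constructed weights the unpatched pump with telnet open lands in the medium tier and keeps only port 80, the banned host is isolated outright, and patching the pump and closing telnet drops it to the low tier on the next evaluation, which is the recategorization the text calls for.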
Understand device communication needs
In order to determine what level of access to grant to devices on the network, you must know each device’s purpose, and the resources it needs in order to perform its function.
With this visibility, you will know which protocols and ports to allow for each device. You can also configure, at a granular level, which other endpoints each device is allowed to access.
Note, too, that just because a given port is open on a device, or it is running a particular kind of service, doesn’t mean it actually needs that port or service to be available. Don’t trust the device itself to tell you what it needs; instead, perform systematic assessments using centralized monitoring tools that provide insight into what each device requires.
Dynamically segment devices
It is not enough to apply access policies across an entire subnet or category of devices. Instead, perform microsegmentation by enforcing access policies tailored to each device, which govern the resources each device can and cannot access.
Access policies should be dynamic and updated constantly as device requirements change. For example, a device that needs to access network-attached storage in order to upload data should be granted access while the upload takes place, then have that access revoked when it is no longer necessary.
New threats can emerge constantly, and you must monitor devices and network configuration on a constant, ongoing basis. Policies that suffice to mitigate security risks in one moment may be outdated the next.
Your ultimate goal should be to ensure that devices do only what you want them to do, only when you allow them to do it.
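The per-device, time-bound policy this section describes, as an added example that is not code from the original page or from Ordr: every flow is denied unless a rule written for the source device permits it, a grant can carry an expiry so that the network-attached-storage upload in the example above is allowed only while it runs, and expired grants are dropped on every policy refresh. Device names, peers, ports and times are constructed; a real enforcement point would push these decisions to switches, firewalls or a NAC rather than evaluate them in Python.

```python
"""Per-device microsegmentation with default deny and time-bound grants.

Added example, not Ordr's code. Device names, peers, ports and times are
constructed sample data."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class Rule:
    dst: str
    port: int
    expires: Optional[datetime] = None   # None = standing rule; otherwise revoked after this time


class SegmentationPolicy:
    """Default deny: a flow is allowed only by a rule written for the source device."""

    def __init__(self):
        self._rules = {}   # src device -> set[Rule]

    def allow(self, src, dst, port, until=None):
        """Standing (until=None) or time-limited permission for src -> dst:port."""
        self._rules.setdefault(src, set()).add(Rule(dst, port, until))

    def grant_temporary(self, src, dst, port, now, duration):
        """Access that exists only for the window in which it is needed."""
        self.allow(src, dst, port, until=now + duration)

    def revoke(self, src, dst, port):
        self._rules[src] = {r for r in self._rules.get(src, set()) if (r.dst, r.port) != (dst, port)}

    def expire(self, now):
        """Drop grants whose window has closed; called on every policy refresh."""
        for src in list(self._rules):
            self._rules[src] = {r for r in self._rules[src] if r.expires is None or r.expires > now}

    def rules_for(self, src):
        return set(self._rules.get(src, set()))

    def is_allowed(self, src, dst, port, now):
        """Decision for one flow. Rules are directional: dst -> src needs its own rule."""
        self.expire(now)
        return any(r.dst == dst and r.port == port for r in self._rules.get(src, ()))


def build_sample_policy(now):
    """Constructed scenario: a camera streams to a recorder permanently; an
    analyzer gets a 30-minute window to upload to the NAS."""
    policy = SegmentationPolicy()
    policy.allow("camera-01", "nvr", 554)
    policy.grant_temporary("analyzer-07", "nas", 445, now, timedelta(minutes=30))
    return policy


if __name__ == "__main__":
    t0 = datetime(2024, 6, 1, 10, 0)
    p = build_sample_policy(t0)
    for minutes in (15, 45):
        t = t0 + timedelta(minutes=minutes)
        print(f"+{minutes}m analyzer-07 -> nas:445:", p.is_allowed("analyzer-07", "nas", 445, t))
```

Because the evaluation is per source device and per destination, two devices of the same type get nothing in common unless a rule says so, which is the difference between microsegmentation and a subnet-wide access list.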
What are the benefits of zero trust network security?
By implementing a zero trust security policy, you gain several critical benefits:
Reduce business risk
By helping to prevent attacks that could disrupt workflows or take critical systems offline, zero trust security minimizes the overall risk to business continuity.
It also helps to defend against ransomware attacks, data theft, and other threats that can have steep financial and reputational consequences for the business.
Lower breach potential
Zero trust security ensures that devices are isolated and segmented by default. Even if attackers are able to deploy a malicious device on the network, or take control of one that is already deployed, damage is minimized if the device lacks access to network resources.
With zero trust network security, you gain a consistent security process that applies to all devices across all components of your network. Zero trust security simplifies management by eliminating the need to enforce different policies in different contexts, or manage multiple monitoring and access-control systems.
Your end-users also benefit from consistent, streamlined security policies like multi-factor authentication, which provides an extra layer of protection even for users who fail to set secure passwords.
Getting started with zero trust
Implementing a zero trust architecture requires systematic, centralized visibility into the location and status of all devices on your network. Device information must be available in real time and updated continuously as the network changes.
While the implementation details will vary depending on specifics such as which types of devices you are managing and which software stacks are running in your network, Ordr Systems Control Engine (SCE) provides the centralized visibility you need for tracking both managed and unmanaged devices in your current environment. SCE automatically discovers and assesses each device on the network, then enforces an appropriate security policy. Ordr also automatically learns the unique communication patterns of each device in order to provide another layer of visibility into the security context of the network.