Enacting Zero-Trust: a Practical Guide
As the traditional perimeter-based cybersecurity model disintegrates, “trust is a vulnerability” is rapidly becoming the cornerstone of security policy in 2021.
The zero-trust security framework treats any pre-established (or assumed) level of trust as a potential source of vulnerability. From this stance comes the imperative to make verification a continuous process that draws on multiple sources for confirmation: verification of the user, the device, the location (geographic and network segment), and of the assigned privileges.
Luckily, continuous verification covers not only the contingency of remote workers (users accessing resources from home, on the move, and on-premise) but also that of hybrid working (users partly at home, partly in the office).
A useful resource for cybersecurity professionals is the blueprint published by NIST for implementing a zero-trust environment. It provides practical guidelines on building a zero-trust environment, going into depth about many of the concepts, and details the steps that companies of any size need to take to enact zero trust, to stay as safe as they possibly can.
At the heart of the NIST proposals are three points of focus, which it describes as identity-centric, network-centric, and combining methods and tools in a cloud-based management system. While there is plenty of detail to work through, here is our summary of some of the key aspects:
For cybersecurity specialists, identity applies to services and devices, as well as people. Access privileges determine the levels of access granted to any identity, and policies usually encapsulate privileges in handy sets: administrator, user, and guest are the simplest versions — actual working examples are exponentially more granular & complex.
The policy decision point arbitrates, drawing together technological underpinnings like public-private key pairs, SIEM and CDM systems, and external threat intelligence data, as well as internally managed ID Management platforms and SSO applications.
The cloud element
A cloud-based zero-trust architecture is typically active at the service edge — thus the buzzword du jour, SASE. The advantage of cloud-based access management is that it becomes irrelevant for the end-user (human or system — like a database querying another repository) where it happens to be, and what device or method is used to attempt to access the protected system.
Typical SASE components are also informed or supported by SD-WAN platforms, NG firewalls, WAFs, VPNs, and so on.
Cloud-based zero-trust arbitrators can safely oversee access to, and data movements between, all the different services, whether they sit elsewhere in the cloud, are held locally on-premise, or run in private data centers. It’s much more efficient than forcing all data flows via a single point of security arbitration, which, typically, would have been the head office or main data center, and often via a fragile and slow VPN tunnel.
In a zero-trust environment, local and wider area networks are segmented according to levels of trust. At a small scale, VLANs defined on smart switches achieve some measure of safety, but when configured in isolation, they lack the continuous oversight and attenuation that are required for best practice.
At a larger scale, NGFWs (next-gen firewalls) and SD-WAN subdivide the wide-area network, while security oversight for both LAN and WAN is provided from the SASE zero-trust platform.
Once in a predefined zone, the “user” (note, this term can also apply to a service or device) can roam without further verification for an uninterrupted session. Within that time frame, any security red flags may change the situation, prompting re-authorization, but these should be the exception, not the norm. A proactive zero-trust platform’s monitoring capabilities should be able to distinguish good from suspect behavior in real-time.
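The decision flow described above (a policy decision point that verifies user, device, location and privileges, then a zone-scoped session that is interrupted only by red flags) can be sketched as follows. This is an added example, not code from NIST or from any product named on this page; the zone names, network segments, country codes and function names are all constructed for illustration.

```python
from dataclasses import dataclass

# Constructed policy: privilege sets mapped to the trust zones they may enter.
ZONE_POLICY = {
    "guest": {"public"},
    "user": {"public", "internal"},
    "administrator": {"public", "internal", "management"},
}
ALLOWED_SEGMENTS = {"corp-lan", "sase-edge"}  # assumed network segments
ALLOWED_COUNTRIES = {"SG", "PH"}              # assumed geographic locations

@dataclass
class Request:
    identity: str           # a person, service or device
    authenticated: bool     # e.g. outcome reported by the SSO / ID platform
    device_compliant: bool  # e.g. posture reported by a CDM system
    country: str
    segment: str
    role: str
    zone: str               # trust zone being requested

@dataclass
class Session:
    identity: str
    zone: str
    reauth_required: bool = False

def decide(req):
    """Policy decision point: every signal must verify, nothing is assumed."""
    checks = {
        "user": req.authenticated,
        "device": req.device_compliant,
        "location": req.country in ALLOWED_COUNTRIES and req.segment in ALLOWED_SEGMENTS,
        "privilege": req.zone in ZONE_POLICY.get(req.role, set()),
    }
    failed = [name for name, ok in checks.items() if not ok]
    if failed:
        return None, failed      # deny, and report which checks failed
    return Session(req.identity, req.zone), []

def access(session, zone, red_flags=()):
    """Enforcement inside a session: roam freely within the granted zone."""
    if red_flags:                # any monitoring alert ends the free roam
        session.reauth_required = True
    if session.reauth_required:
        return "reauthorize"     # stays in force until a fresh decide()
    return "allow" if zone == session.zone else "reverify"
```

A request that crosses a zone border returns "reverify", which sends it back through decide() rather than reusing the trust already granted.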
Conclusion and further reading
True zero-trust architectures are independent of on-premise infrastructure and are fully cloud-agnostic. All authentication and access decisions are policy-based and are enforced at every access point or border (between trust zones, for example).
Keeping security constraints to a minimum for the everyday business of the enterprise is also vitally important, and striking that balance is something that will only come through trial and error.
However, today’s platforms, such as the Thales SafeNet Trusted Access platform, do much of the heavy lifting for administrators and policymakers. You can read more about creating practical and business-focused zero-trust security architectures in this asset, available for download now.