What is zero trust?
- IAM Glossary
- What is zero trust?
Zero trust is a modern security framework that eliminates implicit trust, requires all human users and devices to be continuously and explicitly validated and strictly limits access to network systems and data. Instead of focusing on where users are logging in from, zero trust concentrates on who they are.
What are the core principles of zero trust?
Zero trust is based around three core principles:
Assume breach. Despite the best security defenses, breaches will eventually happen. Any user on your network (human or device) could be compromised right now. Take measures to minimise the "blast radius," such as segmenting networks, ensuring end-to-end encryption and using smart analytics to identify potential threats.
Verify explicitly. All humans and machines must prove that they are who they say they are before they can access your organisation's network and all of the systems, apps and data contained therein.
Ensure least privilege. Once logged onto the network, users should have the minimum amount of network access they need to perform their jobs, and no more. A zero-trust deployment always includes role-based access controls (RBAC) with least-privilege access.
How does zero-trust security work?
Zero trust works by eliminating implicit trust. Historically, network security models implicitly trusted all users and devices inside the network perimeter. This worked well when network components and users were almost exclusively located on-premises. However, thanks to the widespread adoption of cloud computing and – more recently – remote work, the “network perimeter” no longer exists. The overwhelming majority of organisations now use hybrid data environments composed of both on-premise “private” clouds and at least one public cloud, and users connect to organisational resources from anywhere and everywhere.
Even once users are authenticated and allowed onto the network, they’re not given free reign – because any user could be compromised. Identity and device verification are performed as the user moves through the network, and each user can access only the resources they need to perform their jobs.
In a zero-trust security model, least-privilege access and RBAC are supplemented by network segmentation, including the “microsegmentation” of especially sensitive data assets. The idea is that while the network as a whole has no perimeter, it should be separated into smaller segments for specific workloads and data, with each segment having its own ingress and egress controls. A common use case for zero-trust microsegmentation is separating regulated data, such as employee tax data and protected health information, from non-regulated data.
By limiting network access levels, segmenting and microsegmenting networks and strictly controlling the number of privileged users, zero trust limits the ability of threat actors to compromise sensitive systems and data.
What are the benefits of zero trust?
Zero trust has a world of benefits, which is why so many organisations are embracing it.
- IT and security administrators get visibility into all users, systems and devices across the data environment. They can see who’s connecting to the network, from where and what they’re accessing.
- Because zero trust enables people, apps and services to communicate securely, even across different networks, users get more freedom and flexibility. They can connect securely from their homes or other remote locations, even if they’re using their own devices.
- By explicitly verifying users and devices, zero trust greatly reduces the risk of password-related cyber attacks. Role-based access controls and privileged access management minimise the risk of privilege escalation if a breach does occur.
- Zero trust authentication mechanisms, role-based access controls and network segmentation/microsegmentation support compliance initiatives and result in fewer findings during compliance audits.
How is zero-trust security implemented?
One of the biggest challenges to implementing a zero-trust security strategy is that there are no universal implementation standards. Many organisations turn to the seven-step process laid out in NIST Special Publication 800-207:
1. Identify users
This encompasses both human users and non-human identities, such as service accounts. NIST notes that privileged users, including IT administrators and developers, need special scrutiny, as these users may have unfettered access to digital resources. In a zero-trust framework, even privileged accounts should be least-privilege, and account activity must be monitored and logged.
2. Identify and manage all assets connecting to the network
Identifying and managing all assets that connect to the organisational network is key to a successful zero-trust deployment. This includes:
- Laptops, mobile devices, IoT devices and other hardware components.
- Digital artifacts, such as applications and digital certificates.
- Devices that are not owned by the organisation, but that can connect to its network infrastructure or access network resources.
NIST admits that a comprehensive asset inventory may not be possible, so organisations should also ensure they can "quickly identify, categorise, and assess newly discovered assets that are on enterprise-owned infrastructure."
In addition to cataloging assets, this step includes configuration management and monitoring, as the ability to observe the current state of an asset is part of the zero-trust authentication process.
3. Identify key processes, assess their risks and identify zero-trust “candidates”
Identify, rank and evaluate the risks of your organisation’s business processes and dataflows, including their importance to your organisation’s mission. This will help inform which processes are good initial candidates for a zero-trust deployment. NIST recommends starting with processes that depend on cloud-based resources and/or are used by remote workers, as these will generate the most immediate security improvements.
4. Formulate zero-trust policies for “candidates”
This is a continuation of Step 3. After identifying an asset or workflow to migrate to zero trust, identify all upstream and downstream resources that the asset or workflow uses or affects. This helps finalise initial zero-trust migration "candidates" and ensures that least privilege and other policies applied to them achieve maximum security without hindering workflow.
5. Identify and select toolsets/solutions
There are many zero-trust-compatible solutions on the market, but not all of them are suitable for your specific data environment and business needs. NIST recommends taking the following into consideration when choosing zero-trust tools:
Does the solution require that components be installed on the client asset? This could limit business processes.
Does the solution work in cases where business process resources exist on premises? Some solutions assume that requested resources reside in the cloud (so-called north-south traffic) and not within an enterprise perimeter (east-west traffic). This poses a problem in hybrid cloud environments, where legacy line-of-business apps that perform critical functions may be run on-premises because migrating them to the cloud isn’t feasible.
Does the solution provide a means to log interactions for analysis? Zero-trust access decisions depend heavily on the collection and use of data related to process flow.
Does the solution provide broad support for different applications, services and protocols? Some solutions may support a broad range of protocols (SSH, web, etc.) and transports (IPv4 and IPv6), but others may only work only with web or email.
Does the solution require changes to existing workflows? Some solutions may require additional steps to perform a given workflow, which could require the organisation to make changes to the workflow.
6. Commence initial deployment and monitoring
NIST recommends that enterprises consider initially implementing zero trust in “monitoring mode” so that IT and security teams can ensure that policies and processes are effective and feasible. Additionally, once baseline user and network activity are established, security teams will be better able to identify anomalous behavior down the road.
7. Expand your zero-trust architecture
After the initial rollout of zero trust, it's time to migrate the next set of candidates. This step is continuous; whenever changes occur to the organisation’s data environment or workflows, the zero trust architecture must be reevaluated and adjusted accordingly.
How is zero-trust security implemented?
Zero trust and zero knowledge are quite different but complementary concepts. If the motto for zero trust is “Trust no one,” the motto for zero knowledge is, "We have no knowledge of your data, because we have no way to access it."
Zero trust ensures that only authenticated users can access network resources and data by continuously monitoring and validating that users and devices have the correct attributes and privileges.
Zero knowledge utilises a unique encryption and data segregation framework that prevents IT service providers from having any knowledge as to what is stored on their servers. Keeper is a zero-knowledge security provider, and all of our products are built using a zero-knowledge architecture. This means that:
- Customer data is encrypted and decrypted at the device level (not on the server).
- The application never stores plain text (human readable) data.
- Keeper's servers never receive or store data in plain text.
- The keys to decrypt and encrypt data are derived from the user's master password.
- Multi-layer encryption provides access control at the user, group and admin level.
- Sharing of data uses public key cryptography for secure key distribution.
- Data is encrypted on the user’s device before it is transmitted and stored in Keeper’s digital vault. When data is synchronised to another device, the data remains encrypted until it is decrypted on the other device.
Zero knowledge supports zero trust by limiting the “blast radius” of a remote data breach. In the highly unlikely event that Keeper were ever breached, threat actors would be completely unable to access the contents of our customers' vaults – because even we can’t do that!