Zero trust continues to gain traction as the strategic security approach best suited for today’s hybrid IT environments and mobile workforces. Introduced by Forrester analyst John Kindervag in 2010, the zero trust model promises to stem the tide of high-profile data breaches caused by threat actors bypassing perimeter-focused security protections.
With Joe Biden signing an Executive Order requiring federal agencies to implement a zero trust architecture by 2024, it’s clear this security approach is the new standard to strive for. Keep reading to find out what the key principles of zero trust security are, implementation tips, and why zero trust security begins with file-level encryption.
1. Never Trust, Always Verify
The four-word motto, “never trust, always verify” captures the essence of what zero trust security aims to achieve. Many modern cyber attacks exploit the default trust given to traffic, users, and devices once they’re inside a network.
In a default trust network environment, obtaining a set of login credentials for a valid user provides malicious actors with the capability to log in, move through the network unchecked, and eventually exfiltrate sensitive data or install ransomware on critical systems. Zero trust mitigates these possibilities by regarding all network traffic as untrusted whether it’s in the public cloud or an on-premise WAN.
2. Data Security at the Core
Ultimately, most threat actors today understand the value of data to businesses. Data breaches continue to rise each year, and ransomware attacks have evolved to use double extortion tactics. Existing controls and strategies are not properly protecting business assets.
Rethinking data security lies at the core of the zero trust model. Data moves between users, devices, and applications across a complex on-premise and cloud infrastructure. By knowing where all your data is and authenticating every time a user tries to access that data, you shift to data-centric security and experience fewer breaches.
3. Robust Authentication
Authentication ensures that users and devices are who they claim to be. Always verifying is one of the basic principles of zero trust. Whenever and wherever a user tries to access files, applications, or cloud storage services, authenticate those requests.
Using IP addresses, usernames, and passwords to authenticate no longer suffices in today’s IT environments. Furthermore, always verifying with passwords ends up frustrating users. It’s important to use more robust, user-friendly methods of authentication. Multi-factor authentication and other security solutions that resemble it are the best candidates for robust authentication in a zero trust network.
4. Least Privilege Enforcement
The principle of least privilege plays an important role in a zero trust strategy by restricting user and device access permissions to only what’s strictly necessary. Zero trust strives to enforce least privilege access by accounting for who makes an access request, the context of the request, and the risk level of the request (e.g., accessing sensitive files containing Personally Identifiable Information).
By enforcing least privilege access, you can shrink the attack surface, limit lateral movement, and reduce the chances of malicious actors getting to your company’s most sensitive data assets. You also no longer run the risk of excessive access to critical services or data.
5. Monitoring and Logging
Another critical tenet of the zero trust model is to log and monitor everything happening on the network. Inspecting everything helps to detect and remediate threats far earlier in the typical attack cycle, which can mean the difference between a data breach or a mere account compromise.
Monitoring and logging provide a level of visibility that facilitates adaptive policy decisions based on a user’s trust score. Instead of a binary policy deciding what a user can or can’t do based on their role, logging and monitoring bring more cybersecurity intelligence into the equation. Zero trust’s increased cybersecurity intelligence isn’t limited to user actions, though—it also includes what devices and applications are doing on the network.
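The two principles above (least privilege and monitoring-driven, adaptive policy) are easiest to see in a small policy decision point. The following Python is an added example written for this page, not Atakama's or any vendor's code; the role matrix, the scoring weights, the thresholds and the JSON log lines are all constructed for illustration. It first applies a static least-privilege check (can this role perform this action on data of this sensitivity at all?), then a device-posture check, and only then computes a trust score from the user's recent log events to choose between allow, step-up authentication and deny.

```python
"""Constructed example: a zero trust policy decision point that combines
least-privilege role rules with a trust score derived from recent log events.
Not vendor code; all names, weights and thresholds are illustrative."""
from __future__ import annotations
from dataclasses import dataclass
import json

# Constructed sample of an access log (JSON lines), as a SIEM might store it.
SAMPLE_LOG = """
{"ts": "2024-05-01T08:00:01Z", "user": "alice", "event": "login_ok", "device": "lap-01", "geo": "US"}
{"ts": "2024-05-01T08:02:10Z", "user": "alice", "event": "file_read", "device": "lap-01", "geo": "US"}
{"ts": "2024-05-01T08:03:00Z", "user": "bob", "event": "login_fail", "device": "unknown", "geo": "US"}
{"ts": "2024-05-01T08:03:05Z", "user": "bob", "event": "login_fail", "device": "unknown", "geo": "US"}
{"ts": "2024-05-01T08:03:09Z", "user": "bob", "event": "login_fail", "device": "unknown", "geo": "US"}
{"ts": "2024-05-01T08:04:00Z", "user": "bob", "event": "login_ok", "device": "lap-07", "geo": "BR"}
"""

# Least-privilege matrix (hypothetical): actions each role may perform per data class.
ROLE_RULES = {
    "analyst": {"public": {"read"}, "internal": {"read"}, "restricted": set()},
    "hr":      {"public": {"read"}, "internal": {"read", "write"}, "restricted": {"read"}},
    "admin":   {"public": {"read", "write"}, "internal": {"read", "write"}, "restricted": {"read", "write"}},
}

@dataclass
class Request:
    user: str
    role: str
    action: str
    sensitivity: str        # "public" | "internal" | "restricted"
    device_compliant: bool  # endpoint posture check passed
    mfa: bool               # request already carries a fresh MFA assertion
    geo: str                # country of the request origin

def parse_log(text: str) -> list[dict]:
    """Parse JSON-lines log text into event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def trust_score(user: str, request_geo: str, events: list[dict]) -> int:
    """Start at 100 and subtract for risk signals seen in the user's recent events."""
    score = 100
    mine = [e for e in events if e["user"] == user]
    failures = sum(1 for e in mine if e["event"] == "login_fail")
    score -= 15 * min(failures, 4)               # repeated failed logins
    if any(e["device"] == "unknown" for e in mine):
        score -= 20                              # unenrolled device seen
    geos = {e["geo"] for e in mine} | {request_geo}
    if len(geos) > 1:
        score -= 25                              # location change within the window
    return max(score, 0)

def decide(req: Request, events: list[dict]) -> str:
    """Return 'allow', 'step_up' (require fresh MFA) or 'deny'."""
    # 1. Least privilege: the role must permit the action on this data class at all.
    allowed = ROLE_RULES.get(req.role, {}).get(req.sensitivity, set())
    if req.action not in allowed:
        return "deny"
    # 2. Device posture is a hard requirement for anything beyond public data.
    if req.sensitivity != "public" and not req.device_compliant:
        return "deny"
    # 3. Adaptive part: the log-derived trust score decides between allow, step-up and deny.
    score = trust_score(req.user, req.geo, events)
    if score < 40:
        return "deny"
    if req.sensitivity == "restricted" and not req.mfa:
        return "step_up"
    if score < 75 and not req.mfa:
        return "step_up"
    return "allow"

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(decide(Request("alice", "hr", "read", "internal", True, False, "US"), evs))   # allow
    print(decide(Request("bob", "admin", "write", "internal", True, True, "BR"), evs))  # deny
```

Note the ordering: the static role rule and the device check are evaluated before the score, so a high trust score can never widen what a role is permitted to do; the score only decides how much friction (none, step-up MFA, or refusal) an otherwise permitted request gets. In the sample log, bob's three failed logins from an unenrolled device followed by a login from a different country drive his score to 10, so even an admin request with MFA is refused until the events are investigated.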
While many security leaders and professionals regard zero trust as a critical strategy for improving cybersecurity postures in today’s threat landscape, its implementation is not straightforward. Business-specific constraints, including budget and infrastructural complexity, factor into how long it takes to migrate to a zero trust model.
To use one well-known example, it took Google six years to move from legacy VPN and privileged access management to its BeyondCorp zero trust model.
Here are some tips and details on implementing a zero trust strategy.
Identify Sensitive Data
Sensitive data is a critical target in the cyber attack surface of every business. Part of the reason zero trust implementation feels like such a complex undertaking is that organizations try to implement policies and secure everything at once.
It’s far more efficient and effective to start by identifying your most valuable data assets. This could include trade secrets, intellectual property, PHI, PII, and other sensitive data.
Create Policies and Limit Access
With sensitive data and other valuable digital assets identified, you can start to create zero trust policies and limit access in line with the five key zero trust principles. To get this right, it’s important to decouple access verification from identity and access management (IAM). The reason you don’t want to rely solely on IAM as a single source of truth for verifying access is that a stolen identity could compromise zero trust efforts.
Start with File-Level Encryption
File-level encryption is a natural starting point for zero trust implementation. With sensitive data identified and located, and policies created, you then need to limit access to only those who strictly need it. File-level encryption provides a practical way to protect sensitive data assets and make sure they’re accessible to authorized users only.
Detect Threats
Knowing what’s going on in your network environment and on endpoints is vital for flagging anomalies in how data is being accessed and what users are doing. Several different types of security tools can help to gather intelligence or detect threats, and there’s a good chance you’re already using some of them (e.g., Splunk, NDR).
Atakama is a file-level encryption solution that makes it easy for your business to get started on its zero trust journey. You can encrypt files effortlessly whether they’re in the cloud or on-prem, and ensure file access is limited to authorized users only.
Atakama splits encryption keys into shards across multiple devices and lets authorized users decrypt files by tapping an “approve” button on their smartphone. The following three features demonstrate Atakama’s benefit as a zero trust solution to protect your most sensitive data:
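To make the file-level encryption and key-sharding idea from the two sections above concrete (and to show why a stolen identity alone is not enough once access verification is decoupled from IAM), here is an added Python example. It is not Atakama's implementation and makes no claim about how Atakama works internally: it uses Shamir's secret sharing over the prime field GF(2^521 - 1) to split a random per-file key into shards, and a stdlib-only encrypt-then-MAC construction (HMAC-SHA256 keystream plus HMAC tag) as a stand-in for a real authenticated cipher such as AES-GCM. The shard counts, the sample file contents and the "laptop, phone, backup" device roles are constructed for illustration.

```python
"""Constructed example of file-level encryption whose file key is split into
shards held by separate devices, so no single shard can decrypt the file.
Illustrative only; not Atakama's implementation."""
from __future__ import annotations
import hashlib, hmac, os, secrets

# Shamir's secret sharing over GF(p) with p = 2^521 - 1 (a Mersenne prime),
# large enough to hold a 256-bit file key as one field element.
P = 2**521 - 1

def split_key(key: bytes, n: int, k: int) -> list[tuple[int, int]]:
    """Split a key into n shards; any k reconstruct it, k-1 reveal nothing."""
    secret = int.from_bytes(key, "big")
    assert secret < P and 1 <= k <= n
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]
    def f(x: int) -> int:  # evaluate the random degree-(k-1) polynomial at x
        acc = 0
        for c in reversed(coeffs):
            acc = (acc * x + c) % P
        return acc
    return [(x, f(x)) for x in range(1, n + 1)]

def combine_key(shards: list[tuple[int, int]], key_len: int = 32) -> bytes:
    """Lagrange interpolation at x=0 recovers the secret from k distinct shards."""
    secret = 0
    for i, (xi, yi) in enumerate(shards):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shards):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, -1, P)) % P
    if secret.bit_length() > 8 * key_len:
        raise ValueError("reconstructed value is not a key: too few shards?")
    return secret.to_bytes(key_len, "big")

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; a stdlib stand-in for a real stream/AEAD cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def _subkeys(key: bytes) -> tuple[bytes, bytes]:
    """Derive separate encryption and MAC keys from the file key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def encrypt_file(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: blob = nonce || ciphertext || tag."""
    k_enc, k_mac = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(k_enc, nonce, len(plaintext))))
    tag = hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt_file(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong key or a tampered blob is rejected."""
    k_enc, k_mac = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong key or tampered file")
    return bytes(a ^ b for a, b in zip(ct, _keystream(k_enc, nonce, len(ct))))

def demo() -> bool:
    """Encrypt a file, discard the key, then show 2-of-3 shards decrypt and 1 does not."""
    content = b"quarterly payroll export (constructed sample, contains PII)"
    file_key = secrets.token_bytes(32)
    shards = split_key(file_key, n=3, k=2)  # e.g. laptop, phone, offline backup
    blob = encrypt_file(file_key, content)
    del file_key                             # the full key is never stored anywhere
    if decrypt_file(combine_key(shards[:2]), blob) != content:   # laptop + phone approval
        return False
    try:
        decrypt_file(combine_key(shards[:1]), blob)              # laptop alone
        return False
    except ValueError:
        return True                          # single device cannot decrypt

if __name__ == "__main__":
    print("2-of-3 decrypts, 1-of-3 fails:", demo())
```

The point the code makes for a zero trust design is that possession of a valid login is not the decision point: the file stays opaque until a second, independently held shard is presented, so the compromise of one identity or one endpoint does not by itself expose the data. In practice the HMAC-based keystream here would be replaced by AES-GCM or ChaCha20-Poly1305 from a vetted library; the sharing and threshold logic is what the example is meant to show.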
Contact Atakama to get started with zero trust file-level encryption for your business.