To describe Zero Trust in more detail, I like to break it down into a few core concepts:
1. Assume the network is hostile. Traditionally, you might be under the impression that firewalls or intrusion detection devices separated the “trusted” internal network from the “untrusted” Internet. These devices can restrict control for simple things like IP addresses, ports, or even services. The trust is then attributed to anything embedded in the network. Adversaries are really good at bypassing those simple controls and gaining this attributed trust. Once inside, lateral movement can be completely unimpeded.
2. Your environment contains active threats. Major breaches still take place despite environments having extensive defensive measures in place. This emphasizes the need for continued monitoring and analysis of network artifacts. You also cannot assume parts of your network are low risk, thus requiring little protection, or that vendor solutions spouting machine learning and artificial intelligence will solve all your problems.
3. Every user, device, and network flow is authenticated and authorized. This extends beyond simple authentication and can be implemented using the Kipling method. This means asking the Who, What, When, Where, Why, and How for everything and ensuring you have the tools or data to see and restrict this information.
4. Network policies are dynamic and calculated from multiple telemetry sources. A completely implemented Zero Trust policy cannot be implemented in a single day. This requires continued analysis of a changing network, implementation of new controls, and a continuous inventory plan to identify the necessary applications, assets, and services within a network. As environments evolve, your implementation needs to evolve with it.
Zero Trust is not easy and the hardest part may be driving the cultural change that forces different departments to share and coordinate information. However, the cost of not implementing good security practices can always be calculated by looking at the growing number of data breaches and ransomware that plague every organization.
