What is a Zero Trust Environment?
5 Min. Read | August 12, 2022
Cybersecurity is as guilty as any other industry when it comes to buzzwords, and one of the most bandied about security terms right now is “Zero Trust.” So, what is Zero Trust and why has it assumed prominence in cybersecurity conversations? Is there any substance beyond the hype? Let’s start by examining “what is Zero Trust”.
What is Zero Trust?
Zero Trust is a cybersecurity concept derived from the "never trust, always verify" approach to network access. Security researcher James Kindervag coined the phrase in 2010 to herald a more serious approach to a growing threat. Creating a Zero Trust environment presumes all users and devices, whether from inside or outside the network, are untrustworthy until verified.
Zero Trust is a more robust advancement of the obsolete “trust but verify” authentication posture and is different from the “defense in depth” cybersecurity paradigm, which seeks to protect data through multiple layers of obstacles. This is because many hackers have moved away from exploiting system flaws, such as open ports or forgotten backdoors, and instead try to get in the front door through fraudulent authentication. Unfortunately, this immediately offers significant data access and the opportunity to escalate the attack within the system.
Why is Zero Trust Necessary?
While sophisticated attacks on system defenses dominate public perception, the reality of modern security breaches is more mundane. In essence, attackers ask lots of people to give them their login credentials, and when someone does, they access their account and use it to steal data or upload malware. Of course, the “asking” is not exactly straightforward. Phishing, the predominant authentication attack, could, for example, use web pages spoofed to look like authentic login pages, so victims think they’re entering their details in a legitimate sign-in attempt.
With the vastly expanded networks of endpoints in most organizations' networks, a “secure perimeter” approach is no longer feasible. Therefore, following major attacks on critical US infrastructure, the White House issued an executive order in May 2021 mandating all federal agencies to adopt zero trust architecture. Shortly after that, the Office of Management and Budget (OMB) issued the Federal Zero Trust Strategy document to guide departments and contractors working with them.
Risk mitigation is another reason to deploy zero trust architecture. With many jurisdictions introducing strict data usage and protection legislation, such as GDPR and the NYDFS Cybersecurity Regulation, successful attacks can result in fines, public reprimand, clean-up costs and loss of consumer trust.
What is Zero Trust — Features
Zero Trust is a methodology and overall cybersecurity approach rather than a single change or silver bullet to protect your data. The question of “what is Zero Trust” can be answered by looking at its core characteristics and features.
Continuous Authentication
With attacks targeting session cookies, and the potential for one successful fraudulent login to achieve a “break once, run everywhere” escalation, constantly challenging users for authentication is a necessity.
In general, multi-factor authentication (MFA) is an improvement on solely using username and password pairs. However, any MFA that uses shared secrets (including PINs, SMS, security questions, OTPs) can still be phished or intercepted by attackers. This undermines the benefits of continuous authentication and authentication’s role as the Zero Trust gatekeeper. This is why the OMB’s guidance encouraged federal agencies “to pursue greater use of passwordless multi-factor authentication” that cannot, by nature, be phished.
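To make the contrast concrete, here is an added example (not HYPR’s code) that sets a shared-secret OTP check beside the origin-bound verification a FIDO relying party performs: the OTP verifies wherever the user typed it, whereas a FIDO assertion carries the origin the browser saw and fails verification for any other site. The RP ID, the key handling and the use of HMAC in place of a public-key signature are simplifications for illustration.

```python
import hashlib
import hmac
import json
import os

# Constructed values: one relying party (RP) and the key an authenticator
# registered for it. HMAC stands in for a real authenticator's public-key
# signature; the origin-binding logic shown is the part that matters.
RP_ID = "login.example.com"
CRED_KEY = os.urandom(32)

def otp_generate(secret: bytes, counter: int) -> str:
    """Simplified counter-based OTP (6 hex digits) from a shared secret."""
    return hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha256).hexdigest()[:6]

def otp_verify(secret: bytes, counter: int, code: str) -> bool:
    """The server recomputes the code and compares. Nothing in the code says
    which site collected it, so a code typed into a look-alike page is
    indistinguishable from one typed into the real one."""
    return hmac.compare_digest(otp_generate(secret, counter), code)

def authenticator_sign(origin: str, challenge: str) -> dict:
    """What a FIDO assertion carries: the browser (not the user) writes the
    page's origin into clientData, and the authenticator signs the RP ID hash
    together with a hash of that clientData."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": origin}, sort_keys=True).encode()
    rp_id_hash = hashlib.sha256(origin.split("://", 1)[1].encode()).digest()
    signed = rp_id_hash + hashlib.sha256(client_data).digest()
    return {"clientData": client_data, "rpIdHash": rp_id_hash,
            "sig": hmac.new(CRED_KEY, signed, hashlib.sha256).digest()}

def rp_verify(assertion: dict, expected_challenge: str) -> bool:
    """Relying-party checks in the order WebAuthn prescribes: type, challenge,
    origin, RP ID hash, then the signature over the same bytes."""
    cd = json.loads(assertion["clientData"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != expected_challenge:
        return False
    if cd.get("origin") != f"https://{RP_ID}":
        return False  # assertion was produced for a different site
    if assertion["rpIdHash"] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    signed = assertion["rpIdHash"] + hashlib.sha256(assertion["clientData"]).digest()
    expected = hmac.new(CRED_KEY, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["sig"])
```

With the same challenge, rp_verify accepts an assertion made on https://login.example.com and rejects one made on any other origin, while otp_verify accepts a correct code no matter where it was typed.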
Least Privilege Access
Although not unique to Zero Trust, this concept should be treated as a minimum standard rather than a best practice. Least privilege access means that any user is only ever granted the absolute minimum access necessary to perform their role. In the past, overlapping access often left user accounts retaining privileges for departments and data that were far removed from the holder’s role and/or never used, but which attackers could leverage once they took over the account.
Microsegmentation
Like least privilege access, microsegmenting your network involves putting hard barriers between data and areas of the organization. This means any attacker would have to breach multiple access points rather than gaining broad access through one successful attack. Modern data cataloging and virtualization allow administrators to overcome the siloing problems that microsegmentation might have previously caused.
How is Zero Trust Implemented?
Guidance on zero trust implementations can be found in the National Institute of Standards and Technology’s (NIST) publication 800-207. This includes basic tenets such as the need to:
- Consider all computing services and data sources as resources
- Secure all network communications no matter the location of origin
- Maintain full and ongoing records of all data assets and locations
- Enforce authentication dynamically and strictly
A Zero Trust architecture, therefore, requires taking a user-centric approach with multiple mechanisms for enforcing Zero Trust protocols at every step of a user’s path in a network. It also requires robust identity and access management systems that can be trusted as the gatekeeper and ultimate source of truth for challenging users to prove identity. The only way this can reliably be achieved is with phishing-resistant MFA.
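An added example (not HYPR’s or NIST’s code) of how the tenets above combine in a minimal policy decision point: every request is evaluated on authentication strength, session freshness, device state, role entitlement and network segment, and the requester’s location on the corporate network counts for nothing. The resource names, roles, segments and the 15-minute re-challenge window are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Tuple

# Constructed policy data for a minimal policy decision point in the
# NIST SP 800-207 sense: every request is evaluated, and nothing is
# trusted because of where it comes from.
MAX_SESSION_AGE_S = 900                      # re-challenge after 15 minutes
PHISHING_RESISTANT = {"fido2", "piv"}        # methods with no shared secret
# Least privilege: each role maps to the few resources it needs, nothing more.
ROLE_RESOURCES = {"billing": {"invoices"}, "hr": {"payroll", "staff-records"}}
# Microsegmentation: a resource is reachable only from its own segment.
RESOURCE_SEGMENT = {"invoices": "finance", "payroll": "people",
                    "staff-records": "people"}

@dataclass
class Request:
    user: str
    role: str
    resource: str
    segment: str                  # network segment the request arrives from
    auth_method: str              # how the current session was established
    session_age_s: int
    device_compliant: bool
    inside_corp_net: bool = False # deliberately ignored by the policy

def decide(req: Request) -> Tuple[bool, str]:
    """Return (allow, reason). Checks run in order; the first failure wins.
    req.inside_corp_net is never consulted: location of origin grants nothing."""
    if req.auth_method not in PHISHING_RESISTANT:
        return False, "authentication not phishing-resistant"
    if req.session_age_s > MAX_SESSION_AGE_S:
        return False, "session too old: re-authenticate"
    if not req.device_compliant:
        return False, "device not compliant"
    if req.resource not in ROLE_RESOURCES.get(req.role, set()):
        return False, "role not entitled to resource"
    if RESOURCE_SEGMENT.get(req.resource) != req.segment:
        return False, "resource not reachable from this segment"
    return True, "allowed"
```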
Your Partners in Zero Trust MFA
An effective Zero Trust environment requires an authentication system that can be relied upon to form a strong, solid foundation. With passwords and other shared credentials the weakest links in any authentication system, Zero Trust MFA must fully eliminate these from the authentication process. The government has recognized this, with the Cybersecurity and Infrastructure Security Agency calling Fast Identity Online (FIDO) protocols the "gold standard" of MFA.
To learn what to look for in a passwordless MFA system to support Zero Trust initiatives, download our Passwordless Security Evaluation Guide.
To find out how HYPR’s True Passwordless™ MFA applies FIDO standards to deliver a secure authentication platform for your Zero Trust architecture, talk to one of our identity and access security experts.