IT security is changing. Time for a different approach
This new, fast, digital world requires an efficient and reliable approach to IT security. In the classic cybersecurity model, a line is drawn between ‘the unsafe outside world’ and the ‘familiar’ own network. Firewalls must keep out undesirable traffic and, once inside the network, all traffic is considered to be trustworthy.
The use of mobile devices, web applications and network access by customers, suppliers or patients requires a completely different IT security concept. In 2009, Forrester's John Kindervag introduced his Zero Trust security strategy in the United States; shortly thereafter, ON2IT was the first to promote the same philosophy in Europe and remains the prime European adopter of the Zero Trust strategy.
Never trust, always verify
The Zero Trust approach uses the guiding principle of ‘never trust, always verify’: nothing is assumed in advance about the degree of reliability, whether that concerns users, hosts or data sets. In addition, access to data is limited and granted only on a need-to-know basis.
Based on insight into the data and traffic flows, the network and its protection are set up ‘from the inside out’, and all traffic within the network is inspected and logged.
Combined with the extensive segmentation of the network, applications, users, data sets and ‘crown jewels’, the Zero Trust strategy offers the best possible and most efficient IT security that you could want.
Zero Trust principles
Zero Trust Security is based on four principles, whose main goal is to reduce the impact of cyberattacks. John Kindervag himself described them as follows:
- Define business outcomes
- Design from the inside out
- Determine who or what needs access
- Inspect and log all traffic
The impact of Zero Trust Security
With Zero Trust Security, you effectively reduce the attack surface of the entire network. Divide the network into different segments and apply protection measures consistent with the sensitivity of the data within each segment.
Segments should also be separated from each other as strictly as possible, so that a security incident affects only that segment and not the entire network.
Zero Trust architecture
In structuring a solid Zero Trust architecture, our security specialists use a fixed action plan:
1. Identify the data to be protected and analyze the risks
Make sure you identify where your company data is located, who is using this data, how sensitive the data is, and how employees, partners and customers use the data. If you don’t know where your data is located, it will be impossible for you to protect it properly. Identification of the data also simplifies data classification. In short: What are the ‘crown jewels’ and how should we handle them?
Taking into account the protection requirements arising from the various national and international guidelines, we segment the data sets, each with its associated protection:
- Customer data (with privacy directives such as NEN75xx and the GDPR)
- Employee data (with the corresponding privacy directives)
- Financial data (for example, for PCI)
- Data related to intellectual property (use of industry-specific guidelines)
- Process data (use of industry-specific guidelines, such as for SCADA)
2. Map the traffic flows
It is essential to know how the company information moves over the network and among the users. Application and network architects can present differing insights in this stage. Security teams can then measure the existing security protocols using the traffic flows and make adjustments where needed.
Included in this phase is the inventory of applications and their connections to data sets. Which type of data is used where, in commercial applications as well as in internally developed software? And which applications belong together because they serve one process?
The connection among functional applications and the sensitivity of a specific data set together form the foundation for segmentation of the network according to Zero Trust.
3. Determine users’ rights and the AIC rating per data set / application
Availability (A) of the data, Integrity (I) of the protection measures and Confidentiality (C) of the data together determine the AIC rating, based on a high-medium-low risk classification. The AIC rating can be directly linked to the compliance requirements of the various directives. Security measures will have to consider compliance with various regulations, including those for external data centers or public cloud environments.
In many cases, a gap analysis in this regard will provide new insights about the use of applications and the users. As soon as the structure of rights and roles is clear for each application, the authorization matrix will also be established.
4. Design the network using Zero Trust segmentation
This is the actual design of the Zero Trust segments. This stage gives the total picture of all applications and all data, wherever they may be found.
This design must be based on the combination of data traffic flows in the network and the degree of access to possibly toxic data. In an optimized traffic flow, it can be determined where micro-perimeters must be placed and whether segmentation is to occur using physical or virtual solutions.
5. Establish smart procedures and policies for each Zero Trust segment
Which organizational and technical measures are required to implement optimal protection of each segment? Once the optimal traffic flows have been determined, it is important to employ access and inspection procedures. Here, too, the basic principle of Zero Trust applies: Access is limited to admission on a need-to-know basis.
To that end, designers must know precisely which users must have access to which data. Security teams must know the exact identity of both the user and the application. Source and destination address, port and protocol are no longer the basis for the decision.
6. Verify all traffic continuously
Part of the Zero Trust Strategy is to inspect and log all traffic. Where, in the past, external traffic in particular was logged and analyzed, by now it has become clear that internal traffic must also meet these standards.
This is also possible with the Zero Trust network because all data traffic is visible, whether it goes from or to internal or external network segments.
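As an added example (not ON2IT's or Kindervag's code) of how the six steps above come together at enforcement time: a default-deny policy check in which each data set carries an A/I/C rating and a segment, access is decided on user identity and application identity rather than on address or port, and every decision is logged. All data set, segment and identity names are constructed sample values, and the rule that the overall AIC rating is the worst of the three values is an assumption.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

RISK = {"low": 1, "medium": 2, "high": 3}  # high-medium-low classification from step 3


@dataclass(frozen=True)
class DataSet:
    name: str
    segment: str          # Zero Trust segment the data set lives in (step 4)
    availability: str     # A
    integrity: str        # I
    confidentiality: str  # C

    def aic_rating(self) -> str:
        # Assumption: the overall rating is the worst of the three values.
        return max((self.availability, self.integrity, self.confidentiality), key=RISK.__getitem__)


@dataclass
class PolicyEngine:
    datasets: dict[str, DataSet]
    # Authorization matrix (step 3): (user identity, application identity) -> data sets.
    # Keyed on identities only; source address, port and protocol play no role (step 5).
    matrix: dict[tuple[str, str], frozenset[str]]
    log: list[dict] = field(default_factory=list)

    def decide(self, user: str, app: str, dataset: str) -> bool:
        ds = self.datasets.get(dataset)
        # Default deny: an unknown data set or an identity pair not in the matrix is refused.
        allowed = ds is not None and dataset in self.matrix.get((user, app), frozenset())
        # Step 6: every request is logged, internal or external, allowed or denied.
        self.log.append({"ts": datetime.now(timezone.utc).isoformat(), "user": user, "app": app,
                         "dataset": dataset, "segment": ds.segment if ds else None,
                         "rating": ds.aic_rating() if ds else None, "allowed": allowed})
        return allowed


def sample_engine() -> PolicyEngine:
    # Constructed data sets mirroring the categories listed in step 1.
    sets = [
        DataSet("patient-records", "seg-customer", "medium", "high", "high"),
        DataSet("payroll", "seg-hr", "low", "medium", "medium"),
        DataSet("plc-telemetry", "seg-ot", "high", "high", "low"),
    ]
    matrix = {
        ("alice@example.test", "ehr-portal"): frozenset({"patient-records"}),
        ("bob@example.test", "hr-app"): frozenset({"payroll"}),
    }
    return PolicyEngine({d.name: d for d in sets}, matrix)
```

Calling `decide()` with a valid user but the wrong application identity is refused, which is the point of keying the matrix on both identities rather than on network location.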
Where we use Zero Trust as a strategy, we use the Kipling method as a tactic:
Zero Trust webinar
Zero Trust Strategy & Operations
Interested in the strategic and operational side of Zero Trust? This webinar is an absolute must-see.
Two Zero Trust powerhouses combined into one webinar: ON2IT Global CISO prof. Yuri Bobbert and Senior Security Architect Jeroen Scheerder discuss Zero Trust from both a strategic and an operational point of view.