- Zero Trust Concepts
- Zero Trust Concepts
- Benefits of Zero Trust
- Zero Trust Components
- Five Pillars
- NETSCOUT's Role
Andrew Green
Product Marketing
What is Zero Trust Security Architecture?
Over the years, businesses have experienced significant increases in cyber threats and data breaches. The traditional perimeter-based network security architecture, designed to keep threats outside an organization's network, is no longer sufficient on its own. The modern workplace is characterized by mobile devices, cloud computing, and remote work, rendering perimeter defenses obsolete.
It's time for a new approach to security. Zero Trust Security Architecture is a cybersecurity model that is comprised of a collection of concepts and ideas designed to prevent data breaches and limit lateral movement in what has become a perimeter-less network.
Zero Trust Security Architecture is a set of security principles that are designed to provide comprehensive protection of digital assets, services, and communications in an environment that has increasingly become perimeter-less. This is accomplished by moving the defensive focus from static, network-based perimeters to one that focuses on users, resources, and assets. The zero trust model is the application of these principles based on the premise that no entity, whether inside or outside the network, should be trusted by default. This model assumes that an attacker is already present in the environment, whether it be via a device, user, or network location, and that an enterprise-owned environment is no different or more trustworthy than any non-enterprise-owned environment.
Zero trust architecture is based on the idea of least privilege access, which means that access is granted to users and devices on a per-request basis, ensuring that users and devices have only the necessary access to perform their functions and often for only a finite period of time. This minimizes the attack surface and limits the damage that can be caused in the event of a data breach.
Zero trust adoption is an ongoing maturation process. Initially, it will utilize traditional tools and techniques, but improvements in different areas, such as MFA or micro-segmentation, will improve the overall zero trust architecture maturity of the organization. Zero trust maturity can roughly be thought of as having 3 stages: Traditional, Advanced, and Optimal, with organizations simultaneously being in all three stages in particular ways but always working towards optimal zero trust security where possible.
Some components of the traditional level of zero trust maturity include dependence on traditional perimeters such as edge firewalls, password or multifactor authentication (MFA) with limited risk assessment, limited visibility into compliance, simple device inventory, macro-segmentation, local authorization access parameters, and unencrypted data.
In the advanced level of maturity, organizations utilize MFA with some identity federation with on-prem and cloud systems, device compliance enforcement, micro-perimeter configuration, basic network analytics, centralized authentication to control access, and encrypted data at rest stored in cloud or remote environments.
Finally, we have the optimal level of zero trust maturity, which includes continuous user validation, real-time machine learning analysis of access, constant device security monitoring, real-time risk analytics powered data access, machine learning-based threat protection, encryption of all traffic, continuous application access authorization, and encryption of all data.
Zero Trust Security Architecture Concepts
The zero trust model is based on several key concepts that make it different from traditional security models. These include:
- No trust by default - Zero trust assumes that no entity, whether inside or outside the network, should be trusted by default. Generally, access is granted on a per-request basis after some form of authentication and authorization.
- Least privilege access - Any user device that has been granted access should only be able to view specific data, applications, and resources necessary to complete a specific task.
- Assume breach - Zero trust assumes that an attacker is already present in the environment and that an enterprise-owned environment is no different or more trustworthy than any non-enterprise-owned environment.
- Network segmentation - Network segmentation is used to isolate sensitive data and resources from the rest of the network, limiting lateral movement.
- Layer 7 visibility and prevention - The zero trust security architecture uses Layer 7 visibility and prevention to identify and prevent threats at the application layer.
Benefits of Zero Trust Security Architecture
A mature Zero Trust Security Architecture has several benefits, including:
- Comprehensive protection - Zero trust architecture provides thorough protection of digital assets, services, and communications in an environment that is perimeter-less.
- Reduced attack surface - The zero trust security model minimizes the attack surface by limiting access to users and devices on a per-request basis.
- Limit lateral movement - The zero trust model limits lateral movement by using network segmentation to isolate sensitive data and resources from the rest of the network.
- Simplified management - A zero trust architecture model simplifies management by using granular, "least access" policies that are easier to manage and enforce.
- Lower costs - The average cost of a data breach is higher for organizations that have not deployed or recently started to deploy zero trust. Costs stay lower for organizations in the mature stage of zero trust.
Mature Zero Trust Architecture Can Greatly Reduce Costs
4 Components of Zero Trust Security Architecture
Zero Trust Security Architecture encompasses four components: Identity and Access Management (IAM), Operations, Endpoints and Hosts, and Infrastructure.
- Identity and Access Management (IAM): This component focuses on user and device authentication, authorization, and access control. IAM helps in verifying the user's identity and ensures that they have the necessary permissions to access the requested resources. It includes features such as multi-factor authentication, access controls, identity management, and user and device profiling.
- Operations: This component deals with monitoring, logging, and analyzing user activity, network traffic, and system events in real-time. It helps in detecting anomalies and suspicious behavior, identifying potential threats, and enforcing security policies. Operations also include incident response and disaster recovery planning.
- Endpoints and Hosts: This component focuses on securing endpoints and hosts, including servers, laptops, desktops, and mobile devices. It involves securing the operating system, applications, data, and network connections on the device, using techniques such as encryption, firewalls, antivirus software, and intrusion prevention systems.
- Infrastructure: This component includes securing the network infrastructure, including routers, switches, and firewalls. It involves protecting the network from external threats, such as malware, phishing, and DDoS attacks, as well as internal threats, such as unauthorized access or data exfiltration. Infrastructure security also includes network segmentation and micro-segmentation, which help in isolating and securing critical resources and applications.
Five Pillars of Trust in the Zero Trust Security Model
There are five pillars that make up the zero trust security model. These include Device Trust, Data Trust, Network and Environment, Application Trust, and User Trust:
- Device Trust - In zero trust security, device trust involves ensuring that only authorized devices can access a network or application. A device may be bring-your-own-device (BYOD) or agency-owned, with all devices inventoried and secured. This approach helps to mitigate the risk of attacks from untrusted devices, such as those infected with malware or those that have been compromised in some other way. By implementing Device Trust as part of a zero trust security strategy, organizations can control which user devices access specific information and areas of the network, decreasing the risk of breaches and other cyberattacks. Agencies should constantly monitor and validate the security posture of devices to maintain compliance, maintain access to data to consider real-time risk analytics, and integrate vulnerability and asset management across all environments, including remote, on-prem, and cloud.
- Data Trust - Data Trust is a critical component of the zero trust security architecture, which aims to protect sensitive data and assets from unauthorized access, whether it is on devices, in networks, or in applications. In this model, data is never trusted by default, and access is only granted on a need-to-know basis. This approach helps to prevent data breaches and ensures that only authenticated users have access to valuable resources. Implementing Data Trust as a component of a zero trust security architecture allows organizations to better safeguard their data, maintain compliance with regulations, and minimize the risk of cyberattacks. Agencies should have data inventoried, categorized, and labeled to protect data at rest and in transit with a mechanism for detection data and exfiltration in place. Robust tagging and tracking of data is a must for the zero trust maturity model while maintaining dynamic access to data to support just-in-time and just-enough principles. Agencies should also have all data at rest in an encrypted state.
- Network & Environment - The network and environment pillar of zero-trust architecture involves the segmentation and control of the network to map out any illegitimate traffic that crosses a boundary. Threat detection across the entire enterprise is achieved through feeds of known indicators of compromise (IOCs), which can be integrated with enforcement tools such as Arbor Edge Defense and Palo Alto Next-Gen Firewalls (Panorama) to allow for rapid and accurate isolation and mitigation. Contact tracing can also reveal the breadth of compromise, providing a complete picture of any potential threats. Other measures involved in the network/environment pillar include micro-segmentation, transport encryption, ingress/egress micro-perimeter implementation, and session protection. These measures ensure that only authorized users are allowed access to the network and that all communications are secure and protected.
- Application Trust - The Application Trust pillar involves identifying and detecting unsanctioned or non-compliant applications. Contact tracing can reveal inappropriate access or data leakage, while application identification can report inconsistent or down-versions. Threat intelligence feeds can inform of attacks as well as potentially vulnerable applications. Like the network pillar, the application trust pillar also involves revealing applications accessed by non-sanctioned sources. Single sign-on and isolation measures are also in place to prevent unauthorized access to applications and data. In the application trust pillar, agencies should manage and secure the application layer for all computer programs, agency systems, and services that execute on-prem and in the cloud in order to provide secure application delivery.
- User Trust - The User Trust pillar involves the detection of failed login attempts on services such as databases, web servers, and directory services. The user trust pillar ensures and enforces that the correct users have access to the correct information only when they need it, and that users need to have their identity re-validated periodically, not just at initial connection. Multi-factor authentication, user authentication, and conditional access are also used to ensure
How NETSCOUT Enables Five Key Pillars for Zero Trust Maturity
- NETSCOUT provides solutions to enable the five steps for zero trust maturity as follows:
- Identify the protect surface, including sensitive data and applications:
- NETSCOUT recognizes that firewalls, endpoint protection systems, OS and application patching, and honey pots can only provide partial protection against constantly attaching and detaching devices and services. Therefore, NETSCOUT Omnis Cyber Intelligence (OCI) with CyberStream can be used to identify and continuously monitor all critical services that need to be protected, including vulnerabilities that exist inside the network.
- NETSCOUT OCI provides Protection Groups to categorize services, devices, or networks with similar risk categories, allowing for easy identification of critical services.
- NETSCOUT OCI provides fast attack surface observability to identify and monitor all critical services while minimizing opportunities for attackers.
- Map the transaction flows of all sensitive data to learn how data moves between people, applications, and external connections to business partners and customers: a. NETSCOUT Omnis Security / CyberStream, ASI, and OCI can be used to map all transaction flows across an organization's entire digital infrastructure, including public cloud, showing the full path taken by attackers.
- Define a zero-trust architecture for each microperimeter based on how the data and transactions flow throughout the enterprise (and external partners):
- Omnis Network Security can verify that microperimeters are behaving as expected and detect when a perimeter has been crossed.
- Create a zero-trust policy once the network design is done. A granular layer 7 enforcement policy is ideal for this step:
- Omnis Security can verify that microperimeters are behaving as expected and detect when a perimeter has been crossed.
- NETSCOUT Omnis Security / ISNG / CyberStream, ASI, and OCI provide metadata and layer 7 visibility (full packets) into all applications, detecting all traffic and assisting in the identification of valid traffic that will become the basis for the zero trust security policies.
- Automate, Monitor, and Maintain to determine where any anomalous traffic is flowing by monitoring surrounding activity:
- Omnis Security continuously monitors, captures, and stores packets and metadata across an organization's zero trust network architecture.
- Omnis Security provides visibility throughout the dwell time of an incident with full context to restore normal operation with the shortest downtime.
- Omnis Security provides orchestration integrations to assist existing tools with enforcement.
- Identify the protect surface, including sensitive data and applications: