Zero Trust Security

Kapil Raina - May 6, 2021

What is Zero Trust?

Zero Trust is a security framework requiring all users, whether in or outside the organization’s network, to be authenticated, authorized, and continuously validated for security configuration and posture before being granted or keeping access to applications and data. Zero Trust assumes that there is no traditional network edge; networks can be local, in the cloud, or a combination or hybrid with resources anywhere as well as workers in any location.

Zero Trust is a framework for securing infrastructure and data for today’s modern digital transformation. It uniquely addresses the modern challenges of today’s business, including securing remote workers, hybrid cloud environments, and ransomware threats. While many vendors have tried to create their own definitions of Zero Trust, there are a number of standards from recognized organizations that can help you align Zero Trust with your organization.

Zero Trust and NIST 800-207

At CrowdStrike, we align to the NIST 800-207 standard for Zero Trust. This is the most vendor-neutral, comprehensive standard, not just for government entities, but for any organization. It also encompasses other elements from organizations like Forrester’s ZTX and Gartner’s CARTA.

As a response to the increasing number of high-profile security breaches, in May 2021 the Biden administration issued an executive order mandating U.S. Federal Agencies adhere to NIST 800-207 as a required step for Zero Trust implementation. As a result, the standard has gone through heavy validation and inputs from a range of commercial customers, vendors, and government agency stakeholders, which is why many private organizations view it as the de facto standard for private enterprises as well.

Zero Trust seeks to address the following key principles based on the NIST guidelines:

  1. Continuous verification. Always verify access, all the time, for all resources.
  2. Limit the “blast radius.” Minimize impact if an external or insider breach does occur.
  3. Automate context collection and response. Incorporate behavioral data and get context from the entire IT stack (identity, endpoint, workload, etc.) for the most accurate response.

How Zero Trust Works

Execution of this framework combines advanced technologies such as risk-based multi-factor authentication, identity protection, next-generation endpoint security, and robust cloud workload technology to verify a user’s or system’s identity, consider access at that moment in time, and maintain system security. Zero Trust also requires consideration of encryption of data, securing email, and verifying the hygiene of assets and endpoints before they connect to applications.

Zero Trust is a significant departure from traditional network security which followed the “trust but verify” method. The traditional approach automatically trusted users and endpoints within the organization’s perimeter, putting the organization at risk from malicious internal actors and legitimate credentials taken over by malicious actors, allowing unauthorized and compromised accounts wide-reaching access once inside. This model became obsolete with the cloud migration of business transformation initiatives and the acceleration of a distributed work environment due to the pandemic that started in 2020.

Zero Trust architecture therefore requires organizations to continuously monitor and validate that a user and their device have the right privileges and attributes. It also requires enforcement of policy that incorporates the risk of the user and device, along with compliance or other requirements to consider prior to permitting the transaction. It requires that the organization know all of its service and privileged accounts, and can establish controls over what and where they connect. One-time validation simply won’t suffice, because threats and user attributes are all subject to change.

As a result, organizations must ensure that all access requests are continuously vetted prior to allowing access to any enterprise or cloud assets. That’s why enforcement of Zero Trust policies relies on real-time visibility into 100s of user and application identity attributes such as:

  • User identity and type of credential (human, programmatic)
  • Number and privileges of each credential on each device
  • Normal connections for the credential and device (behavior patterns)
  • Endpoint hardware type and function
  • Geo location
  • Firmware versions
  • Authentication protocol and risk
  • Operating system versions and patch levels
  • Applications installed on endpoint
  • Security or incident detections including suspicious activity and attack recognition

Organizations should thoroughly assess their IT infrastructure and potential attack paths to contain attacks and minimize the impact if a breach should occur. This can include segmentation by device types, identity, or group functions. For example, suspicious protocols such as RDP or RPC to the domain controller should always be challenged or restricted to specific credentials.

More than 80% of all attacks involve credential use or misuse in the network. With constant new attacks against credentials and identity stores, additional protections for credentials and data extend to email security and secure web gateway (CASB) providers that ensure greater password security, integrity of accounts, and organizational rules and enforcement, avoiding high-risk shadow IT services.

Expert Tip

The term “Zero Trust” was coined by Forrester Research analyst and thought-leader John Kindervag, and follows the motto, “never trust, always verify.” His ground-breaking point of view was based on the assumption that risk is an inherent factor both inside and outside the network.

Zero Trust Use Cases

Zero Trust, while described as a standard for many years, has increasingly been formalized as a response to securing digital transformation and a range of complex, devastating threats seen in the past year. 

While any organization can benefit from Zero Trust, your organization can benefit from Zero Trust immediately if:

You are required to protect an infrastructure deployment model that includes:

You need to address key threat use cases including:

Your organization has these considerations:

  • SOC/analyst expertise challenges
  • User experience impact considerations (especially when using MFA)
  • Industry or compliance requirements (e.g. financial sector or US Government Zero Trust Mandate)

Every organization has unique challenges due to its business, digital transformation maturity, and current security strategy. Zero Trust, if implemented properly, can adjust to meet specific needs and still ensure an ROI on your security strategy.

The Next Sunburst Attack Example

The 2021 software supply chain attack Sunburst demonstrates why organizations can’t drop their guard even with standard service accounts and previously trusted tools. All networks have automated updates within their technology stack, from web applications to network monitoring and security. Automating patches is imperative to good network hygiene. However, even for mandatory and automated updates, Zero Trust means preventing potential malicious actions.

The technical analysis of the Sunburst attack illustrates how any tool, especially one commonly used in a network, can be taken over from the vendor/update mechanism – and how Zero Trust architecture principles should be applied to mitigate these threats.

Zero Trust and the principle of least privilege mandate strict policies and permissions for all accounts, including programmatic credentials like service accounts. Service accounts in general should have known behaviors and limited connection privileges. In the case of Sunburst, an overly permissioned service account enabled lateral movement for attackers. Service accounts should never directly attempt to access a domain controller or authentication system like ADFS, and any behavior anomalies should be quickly identified and escalated as they happen.
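The service-account check described above can be sketched as follows. This is an added example, not CrowdStrike code: the log format, account names, host names and baseline are constructed for illustration.

```python
import csv
import io

# Constructed sample connection log (not a real product's format):
# time, account, source host, destination host, destination role
SAMPLE_LOG = """\
2021-05-06T01:00:02Z,svc-monitor,mon01,web01,web_server
2021-05-06T01:00:09Z,svc-monitor,mon01,db01,database
2021-05-06T01:03:41Z,svc-monitor,mon01,dc01,domain_controller
2021-05-06T01:04:10Z,svc-monitor,mon01,fs02,file_server
2021-05-06T01:05:00Z,jsmith,wks17,dc01,domain_controller
2021-05-06T01:06:30Z,svc-backup,bkp01,adfs01,adfs
"""

# Assumed inventory: each service account and the destinations it is known to use.
BASELINE = {
    "svc-monitor": {"web01", "db01"},
    "svc-backup": {"fs02"},
}
# Roles a service account should never connect to directly.
IDENTITY_TIER = {"domain_controller", "adfs"}

def review(log_text, baseline=BASELINE):
    """Return (severity, account, destination, time) for each violation."""
    findings = []
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 5:
            continue                      # skip blank or malformed lines
        ts, account, _src, dst, role = row
        if account not in baseline:
            continue                      # not a service account
        if role in IDENTITY_TIER:
            findings.append(("critical", account, dst, ts))
        elif dst not in baseline[account]:
            findings.append(("anomaly", account, dst, ts))
    return findings

def accounts_to_escalate(findings):
    """Service accounts with at least one critical finding, sorted by name."""
    return sorted({acct for sev, acct, _dst, _ts in findings if sev == "critical"})

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding)
```

Connections by accounts outside the baseline (here the human user jsmith) are left to user-facing access policy rather than this check.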

Expert Tip

With so many different interpretations of zero trust, it can be intimidating when trying to identify the solution that fits your organization. To lend a hand, we’ve put together 7 key questions to better assess solutions and services: 7 Questions to Ask Zero Trust Vendors

What are the Core Principles of the Zero Trust Model?

The Zero Trust model (based on NIST 800-207) includes the following core principles:

  • Continuous verification. Always verify access, all the time, for all resources.
  • Limit the “blast radius.” Minimize impact if an external or insider breach does occur.
  • Automate context collection and response. Incorporate behavioral data and get context from the entire IT stack (identity, endpoint, workload, etc.) for the most accurate response.

1. Continuous Verification

Continuous verification means no trusted zones, credentials, or devices at any time. Hence the common expression “Never Trust, Always Verify.” Because verification must be applied continuously and to such a broad set of assets, several key elements must be in place for it to work effectively:

  • Risk-based conditional access. This ensures workflow is only interrupted when risk levels change, allowing continual verification without sacrificing user experience.
  • Easy-to-apply policy that works dynamically. Since workloads and users can move often, the policy must not only account for risk, but also include compliance and IT requirements. Zero Trust does not relieve organizations of compliance and organization-specific requirements.
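The per-request evaluation described under How Zero Trust Works and the risk-based conditional access item above can be sketched as one decision function. This is an added example, not CrowdStrike's policy engine: the attribute names, weights, thresholds and credential names are assumptions.

```python
from dataclasses import dataclass

# Weights, thresholds and names are assumptions chosen for illustration.
CHALLENGE_AT, DENY_AT = 30, 70
SENSITIVE_PROTOCOLS = {"rdp", "rpc"}
DC_CREDENTIALS = {"da-alice"}  # constructed allow-list for DC administration

@dataclass(frozen=True)
class AccessRequest:
    credential: str
    credential_type: str    # "human" or "programmatic"
    protocol: str
    target_role: str        # e.g. "file_server", "domain_controller"
    os_patched: bool = True
    geo_is_usual: bool = True
    active_detections: int = 0
    mfa_passed: bool = False

def risk_score(req: AccessRequest) -> int:
    """Combine current device, location and detection signals into one score."""
    score = 0 if req.os_patched else 30
    score += 0 if req.geo_is_usual else 30
    score += 40 * min(req.active_detections, 2)
    return score

def decide(req: AccessRequest) -> str:
    """Evaluate one request; called on every access, not once per session."""
    to_dc = (req.target_role == "domain_controller"
             and req.protocol in SENSITIVE_PROTOCOLS)
    if to_dc and req.credential not in DC_CREDENTIALS:
        return "deny"       # RDP/RPC to a DC is restricted to named credentials
    score = risk_score(req)
    if score >= DENY_AT:
        return "deny"
    if to_dc or score >= CHALLENGE_AT:
        if req.credential_type == "programmatic":
            return "deny"   # a service account cannot answer a step-up prompt
        return "allow" if req.mfa_passed else "challenge"
    return "allow"
```

A low-risk user is never prompted; the same user is challenged only once a signal such as an unusual location raises the score, and is denied outright when detections accumulate.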

2. Limit the Blast Radius

If a breach does occur, minimizing the impact of the breach is critical. Zero Trust limits the scope of credentials or access paths for an attacker, giving time for systems and people to respond and mitigate the attack.

Limiting the radius means:

  • Using identity based segmentation. Traditional network based segmentation can be challenging to maintain operationally as workloads, users, and credentials change often.
  • Least privilege principle. Whenever credentials are used, including for non-human accounts (such as service accounts), it is critical that these credentials are scoped to the minimum capability required to perform the task. As tasks change, so should the scope. Many attacks leverage over-privileged service accounts, as they are typically not monitored and are often overly permissioned.

3. Automate Context Collection And Response

To make the most effective and accurate decisions, more data helps if it can be processed and acted on in real-time. NIST provides guidance on using information from the following sources:

  • User credentials – human and non-human (service accounts, non-privileged accounts, privileged accounts – including SSO credentials)
  • Workloads – including VMs, containers, and ones deployed in hybrid deployments
  • Endpoint – any device being used to access data
  • Network
  • Data
  • Other sources (typically via APIs):
    • SIEM
    • SSO
    • Identity providers (like AD)

Stages of Implementing Zero Trust

Although each organization’s needs are unique, CrowdStrike offers the following stages to implement a mature Zero Trust model:

  • Stage 1: Visualize – understand all of the resources, their access points, and the risks involved
  • Stage 2: Mitigate – detect and stop threats or mitigate impact of the breach in case a threat cannot be immediately stopped
  • Stage 3: Optimize – extend protection to every aspect of the IT infrastructure and all resources regardless of location without creating a poor user experience

For a detailed breakdown of each stage, including goals and best practices, read our article on How to Implement Zero Trust in 3 Stages.

Expert Tip

When you invest in a Zero Trust solution, can that solution reduce security complexity, save money, and reduce time to identify and remediate breaches? The answer is a resounding ‘YES’! Watch this webcast to explore real-life use cases for Zero Trust that affect your profit margin and overhead to support the whole program: How to Maximize ROI with Frictionless Zero Trust

Why CrowdStrike for Zero Trust

CrowdStrike’s Zero Trust solution has the industry’s only frictionless approach to Zero Trust with:

  • Industry’s only CLOUD-NATIVE ZERO TRUST SOLUTION to stop breaches in real-time for any endpoint, workload, or identity. CrowdStrike Falcon Zero Trust solution adheres to the NIST 800-207 standards and maximizes Zero Trust coverage across your hybrid enterprise. Stop breaches in real-time and protect against supply chain attacks, ransomware and wormable exploits.
  • Industry’s highest fidelity attack correlation and fastest policy enforcement ensuring a FRICTIONLESS ZERO TRUST journey for organizations of any size. Deploy Zero Trust faster and in phases, with just two components – the sensor and the administrative dashboard. Reduce the load on security operations center (SOC) analysts with high-fidelity correlations and enhance user experience with adaptive conditional access.
  • Industry’s only cloud-native solution that empowers security teams to achieve Zero Trust protection without the overhead of managing TBs of data, threat feeds, hardware/software, and ongoing personnel costs, resulting in REDUCED SECURITY COMPLEXITY AND COSTS. Using high-fidelity, cloud-delivered attack correlations, behavioral risk analytics and simple policy enforcement, improve the mean time to detect and respond to threats; cut down manual data analysis and management; and decrease the need to invest in additional hardware, software, storage and personnel.

Get to Know the Author

Kapil Raina, a cybersecurity marketing executive of 20+ years, has built and led product, marketing, sales, and strategy teams at startups and large brands such as VeriSign, VMware, and Zscaler. Mr. Raina currently serves as CrowdStrike’s VP of Zero Trust & Identity Protection marketing. He was previously the VP of Marketing at Preempt Security, which was acquired by CrowdStrike. He is a recognized speaker and author of books on AI, PKI, Mobile Commerce, Biometrics, and other security topics. Mr. Raina holds a B.S. from the University of Michigan (Ann Arbor) in Computer Engineering.