What is Zero Trust?
Zero Trust is a security framework requiring all users, whether in or outside the organization’s network, to be authenticated, authorized, and continuously validated for security configuration and posture before being granted or keeping access to applications and data. Zero Trust assumes that there is no traditional network edge; networks can be local, in the cloud, or a combination or hybrid with resources anywhere as well as workers in any location.
Zero Trust is a framework for securing infrastructure and data for today’s modern digital transformation. It uniquely addresses the modern challenges of today’s business, including securing remote workers, hybrid cloud environments, and ransomware threats. While many vendors have tried to create their own definitions of Zero Trust, there are a number of standards from recognized organizations that can help you align Zero Trust with your organization.
Zero Trust and NIST 800-207
At CrowdStrike, we align to the NIST 800-207 standard for Zero Trust. It is the most vendor-neutral and comprehensive standard available, applicable not just to government entities but to any organization. It also incorporates elements from other frameworks such as Forrester’s ZTX and Gartner’s CARTA. Finally, the NIST standard ensures compatibility and protection against modern attacks for the cloud-first, work-from-anywhere model most enterprises need to achieve.
In response to the increasing number of high-profile security breaches, in May 2021 the Biden administration issued an executive order mandating that U.S. Federal Agencies adhere to NIST 800-207 as a required step for Zero Trust implementation. As a result, the standard has gone through heavy validation and input from a range of commercial customers, vendors, and government agency stakeholders – which is why many private organizations view it as the de facto standard for private enterprises as well.
Zero Trust seeks to address the following key principles based on the NIST guidelines:
- Continuous verification. Always verify access, all the time, for all resources.
- Limit the “blast radius.” Minimize impact if an external or insider breach does occur.
- Automate context collection and response. Incorporate behavioral data and get context from the entire IT stack (identity, endpoint, workload, etc.) for the most accurate response.
How Zero Trust Works
Execution of this framework combines advanced technologies such as risk-based multi-factor authentication, identity protection, next-generation endpoint security, and robust cloud workload technology to verify a user’s or system’s identity, evaluate the access request at that moment in time, and maintain system security. Zero Trust also requires consideration of data encryption, email security, and verification of the hygiene of assets and endpoints before they connect to applications.
Zero Trust is a significant departure from traditional network security which followed the “trust but verify” method. The traditional approach automatically trusted users and endpoints within the organization’s perimeter, putting the organization at risk from malicious internal actors and legitimate credentials taken over by malicious actors, allowing unauthorized and compromised accounts wide-reaching access once inside. This model became obsolete with the cloud migration of business transformation initiatives and the acceleration of a distributed work environment due to the pandemic that started in 2020.
Zero Trust architecture therefore requires organizations to continuously monitor and validate that a user and their device have the right privileges and attributes. It also requires enforcement of policy that incorporates the risk of the user and device, along with compliance or other requirements, before permitting the transaction. It requires that the organization know all of its service and privileged accounts and can establish controls over what and where they connect. One-time validation simply won’t suffice, because threats and user attributes are all subject to change.
As a result, organizations must ensure that all access requests are continuously vetted prior to allowing access to any enterprise or cloud asset. That’s why enforcement of Zero Trust policies relies on real-time visibility into hundreds of user and application identity attributes such as:
- User identity and type of credential (human, programmatic)
- Credential privileges on each device
- Normal connections for the credential and device (behavior patterns)
- Endpoint hardware type and function
- Geo location
- Firmware versions
- Authentication protocol and risk
- Operating system versions and patch levels
- Applications installed on endpoint
- Security or incident detections including suspicious activity and attack recognition
The use of analytics must be tied to trillions of events, broad enterprise telemetry, and threat intelligence to ensure better algorithmic AI/ML model training for hyper accurate policy response. Organizations should thoroughly assess their IT infrastructure and potential attack paths to contain attacks and minimize the impact if a breach should occur. This can include segmentation by device types, identity, or group functions. For example, suspicious protocols such as RDP or RPC to the domain controller should always be challenged or restricted to specific credentials.
More than 80% of all attacks involve credential use or misuse in the network. With constant new attacks against credentials and identity stores, additional protections for credentials and data extend to email security and secure web gateway (CASB) providers. This helps ensure greater password security, integrity of accounts, adherence to organizational rules, and avoidance of high-risk shadow IT services.
Zero Trust Use Cases
Zero Trust, while described as a standard for many years, has increasingly been formalized as a response to securing digital transformation and a range of complex, devastating threats seen in the past year.
While any organization can benefit from Zero Trust, your organization can benefit from Zero Trust immediately if:
You are required to protect an infrastructure deployment model that includes:
- Multi-cloud, hybrid, multi-identity
- Unmanaged devices
- Legacy systems
- SaaS apps
You need to address key threat use cases including:
- Ransomware – a two-part problem involving code execution and identity compromise
- Supply chain attacks – typically involves unmanaged devices and privileged users working remotely
- Insider threats – behavioral analytics are especially challenging to apply to remote users
Your organization has these considerations:
- SOC/analyst expertise challenges
- User experience impact considerations (especially when using MFA)
- Industry or compliance requirements (e.g., financial sector or US government Zero Trust Mandate)
- Concern in retaining cyber insurance (due to the rapidly changing insurance market as a result of ransomware)
Every organization has unique challenges due to its business, digital transformation maturity, and current security strategy. Zero Trust, if implemented properly, can adjust to meet specific needs and still ensure an ROI on your security strategy.
The Next Sunburst Attack Example
The 2021 software supply chain attack Sunburst demonstrates why organizations can’t drop their guard even with standard service accounts and previously trusted tools. All networks have automated updates within their technology stack, from web applications to network monitoring and security. Automating patches is imperative to good network hygiene. However, even for mandatory and automated updates, Zero Trust means preventing potential malicious actions.
The technical analysis of the Sunburst attack illustrates how any tool, especially one commonly used in a network, can be taken over from the vendor/update mechanism – and how Zero Trust architecture principles should be applied to mitigate these threats.
Zero Trust and the principle of least privilege mandate strict policies and permissions for all accounts, including programmatic credentials like service accounts. Service accounts in general should have known behaviors and limited connection privileges. In the case of Sunburst, an overly permissioned service account enabled lateral movement for attackers. Service accounts should never directly attempt to access a domain controller or an authentication system like ADFS, and any behavior anomalies should be quickly identified and escalated as they happen.
What are the Core Principles of the Zero Trust Model?
The Zero Trust model (based on NIST 800-207) includes the following core principles:
- Continuous verification. Always verify access, all the time, for all resources.
- Limit the “blast radius.” Minimize impact if an external or insider breach occurs.
- Automate context collection and response. Incorporate behavioral data and get context from the entire IT stack (identity, endpoint, workload, etc.) for the most accurate response.
1. Continuous Verification
Continuous verification means no trusted zones, credentials, or devices at any time. Hence the common expression “Never Trust, Always Verify.” Verification that must be applied to such a broad set of assets continuously means that several key elements must be in place for this to work effectively:
- Risk-based conditional access. This ensures the workflow is only interrupted when risk levels change, allowing continual verification without sacrificing user experience.
- Rapid and scalable dynamic policy model deployment. Since workloads, data, and users can move often, the policy must not only account for risk, but also include compliance and IT requirements for policy. Zero Trust does not alleviate organizations from compliance and organizational specific requirements.
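As an added example (not CrowdStrike's code), the following evaluator scores an access request from the kinds of attributes the page lists (credential type, device posture, patch level, geo, behavior, open detections) and applies risk-based conditional access: the session is re-scored continuously, but the user is only interrupted when the risk tier changes. The weights and thresholds are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Tuple

@dataclass(frozen=True)
class AccessContext:
    credential_type: str        # "human" or "programmatic" (service account)
    device_managed: bool        # endpoint enrolled and reporting posture
    patched: bool               # OS version / patch level is current
    geo_expected: bool          # location matches the credential's normal pattern
    behaviour_anomalous: bool   # connection deviates from the credential+device baseline
    active_detection: bool      # open security detection on the endpoint or account
    resource_critical: bool     # e.g. domain controller, ADFS, identity store

def risk_score(ctx: AccessContext) -> int:
    """Sum constructed weights; a higher score means less trust at this moment."""
    score = 0
    score += 0 if ctx.device_managed else 3
    score += 0 if ctx.patched else 2
    score += 0 if ctx.geo_expected else 2
    score += 3 if ctx.behaviour_anomalous else 0
    score += 5 if ctx.active_detection else 0
    # Programmatic credentials touching identity infrastructure are always high risk.
    if ctx.credential_type == "programmatic" and ctx.resource_critical:
        score += 5
    return score

def risk_tier(score: int) -> str:
    """Constructed tiers: 0-2 low, 3-6 medium, 7+ high."""
    if score <= 2:
        return "low"
    return "medium" if score <= 6 else "high"

def decide(ctx: AccessContext) -> str:
    """Map the current risk tier to an enforcement action."""
    tier = risk_tier(risk_score(ctx))
    if tier == "low":
        return "allow"
    if tier == "medium":
        # A service account cannot answer an MFA prompt, so step-up is not an option.
        return "step_up_mfa" if ctx.credential_type == "human" else "deny"
    return "deny"

def reevaluate(session_tier: str, ctx: AccessContext) -> Tuple[str, bool]:
    """Continuous verification: re-score an existing session and report whether
    the user's workflow must be interrupted. Only a change of tier interrupts."""
    new_tier = risk_tier(risk_score(ctx))
    return new_tier, new_tier != session_tier
```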
2. Limit the Blast Radius
If a breach does occur, minimizing the impact of the breach is critical. Zero Trust limits the scope of credentials or access paths for an attacker, giving time for systems and people to respond and mitigate the attack.
Limiting the radius means:
- Using identity-based segmentation. Traditional network-based segmentation can be challenging to maintain operationally as workloads, users, data, and credentials change often.
- Least privilege principle. Whenever credentials are used, including for non-human accounts (such as service accounts), it is critical that these credentials are given access to the minimum capability required to perform the task. As tasks change, so should the scope. Many attacks leverage over-privileged service accounts, as they are typically not monitored and are often overly permissioned.
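The Sunburst passage above says service accounts should have known behaviors and never reach a domain controller or ADFS, and the earlier section says RDP or RPC toward the domain controller should always be challenged. The following added example (not CrowdStrike's code) runs that logic over constructed connection records: it learns each service account's baseline of (destination, port) pairs from a learning window, denies any service-account connection to identity infrastructure, challenges RDP/RPC from anyone toward it, and flags service-account connections outside the learned baseline for review. Host names, account names and the `svc-` prefix convention are assumptions.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample records: (timestamp, account, source host, destination host, destination port).
# "svc-monitor" is a monitoring service account with one narrow, repeatable job.
EVENTS = [
    ("2021-03-01T02:00", "svc-monitor", "mon01", "web01", 443),
    ("2021-03-01T02:05", "svc-monitor", "mon01", "web02", 443),
    ("2021-03-02T02:00", "svc-monitor", "mon01", "web01", 443),
    ("2021-03-02T02:05", "svc-monitor", "mon01", "web02", 443),
    ("2021-03-03T02:00", "svc-monitor", "mon01", "web01", 443),
    ("2021-03-03T02:10", "svc-monitor", "mon01", "db01", 5432),   # destination never seen before
    ("2021-03-03T02:12", "svc-monitor", "mon01", "dc01", 135),    # RPC to a domain controller
    ("2021-03-03T09:00", "alice", "wks17", "dc01", 3389),         # human RDP to the DC
    ("2021-03-03T09:05", "alice", "wks17", "web01", 443),
]
IDENTITY_INFRA = {"dc01", "adfs01"}           # assumed host names for the DC and ADFS
CHALLENGED_PORTS = {135: "RPC", 3389: "RDP"}  # protocols to challenge toward the DC

Event = Tuple[str, str, str, str, int]
Alert = Tuple[str, str, str, str, int, str]   # ts, action, account, dst, port, reason

def is_service_account(account: str) -> bool:
    return account.startswith("svc-")   # assumed naming convention

def learn_baseline(events: List[Event], learn_until: str) -> Dict[str, Set[Tuple[str, int]]]:
    """Known behavior per service account: (destination, port) pairs seen before learn_until.
    ISO-8601 timestamps compare correctly as strings."""
    baseline: Dict[str, Set[Tuple[str, int]]] = defaultdict(set)
    for ts, account, _src, dst, port in events:
        if ts < learn_until and is_service_account(account):
            baseline[account].add((dst, port))
    return baseline

def evaluate(events: List[Event], learn_until: str) -> List[Alert]:
    """Apply the policy to every record after the learning window, most severe rule first."""
    baseline = learn_baseline(events, learn_until)
    alerts: List[Alert] = []
    for ts, account, _src, dst, port in events:
        if ts < learn_until:
            continue  # inside the learning window
        if is_service_account(account) and dst in IDENTITY_INFRA:
            alerts.append((ts, "deny", account, dst, port, "service account reaching identity infrastructure"))
        elif dst in IDENTITY_INFRA and port in CHALLENGED_PORTS:
            alerts.append((ts, "challenge", account, dst, port, CHALLENGED_PORTS[port] + " to identity infrastructure"))
        elif is_service_account(account) and (dst, port) not in baseline.get(account, set()):
            alerts.append((ts, "review", account, dst, port, "outside learned baseline"))
    return alerts
```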
3. Automate Context Collection And Response
To make the most effective and accurate decisions, more data helps so long as it can be processed and acted on in real-time. NIST provides guidance on using information from the following sources:
- User credentials – human and non-human (service accounts, non-privileged accounts, privileged accounts – including SSO credentials)
- Workloads – including VMs, containers, and ones deployed in hybrid deployments
- Endpoint – any device being used to access data
- Other sources (typically via APIs):
  - Identity providers (like AD)
  - Threat intelligence
Stages of Implementing Zero Trust
Although each organization’s needs are unique, CrowdStrike offers the following stages to implement a mature Zero Trust model:
- Stage 1: Visualize – understand all of the resources, their access points, and visualize risks involved
- Stage 2: Mitigate – detect and stop threats or mitigate impact of the breach in case a threat cannot be immediately stopped
- Stage 3: Optimize – extend protection to every aspect of the IT infrastructure and all resources regardless of location while optimizing the user experience for end-users, IT, and security teams
For a detailed breakdown of each stage, including goals and best practices, read our article on How to Implement Zero Trust in 3 Stages.
Why CrowdStrike for Zero Trust
CrowdStrike’s Zero Trust solution has the industry’s only frictionless approach to Zero Trust through:
- Security for the most critical areas of enterprise risk to stop breaches in real-time for any endpoint and cloud workload, identity, and data. CrowdStrike’s Zero Trust solution adheres to the NIST 800-207 standards and maximizes Zero Trust coverage across your hybrid enterprise to secure and enable people, processes, and technologies that drive modern enterprise security with built-in protection for high-risk areas such as identity and data.
- Hyper-accurate detections and automated protection ensuring a frictionless Zero Trust journey for organizations of any size. Deploy Zero Trust faster and in phases, with just two components – the single lightweight-agent sensor and the administrative dashboard. Reduce the load on security operations center (SOC) analysts with automated protection and remediation and enhance user experience with adaptive conditional access.
- The world’s most advanced cloud-native platform that empowers security teams to achieve superior Zero Trust protection and performance without the overhead of managing TBs of data, threat feeds, hardware/software, and ongoing personnel costs, resulting in reduced security complexity and costs. All these benefits are achieved through the CrowdStrike Security Cloud, which correlates trillions of security events per day with indicators of attack, the industry’s leading threat intelligence, and enterprise telemetry from across customer endpoints, workloads, identities, DevOps, IT assets and configurations.