What is Zero Trust?
Zero Trust is a security concept that requires all users, even those inside the organization’s enterprise network, to be authenticated, authorized, and continuously validated for security configuration and posture before being granted or keeping access to applications and data. This approach leverages technologies such as multifactor authentication, identity and access management (IAM), and next-generation endpoint security to verify the user’s identity and maintain system security.
Zero Trust is a significant departure from traditional network security, which followed the “trust but verify” method. The traditional approach automatically trusted users and endpoints within the organization’s perimeters, putting the organization at risk from malicious internal actors and allowing unauthorized users wide-reaching access once inside.
However, Zero Trust can only be successful if organizations are able to continuously monitor and validate that a user and his or her device have the right privileges and attributes. One-time validation simply won’t suffice, because threats and user attributes are all subject to change.
As a result, organizations must ensure that all access requests are continuously vetted prior to allowing a connection to any of the organization’s enterprise or cloud assets. That’s why enforcement of Zero Trust policies relies heavily on real-time visibility into user and device attributes such as:
- user identity
- endpoint hardware type
- firmware versions
- operating system versions
- patch levels
- applications installed
- user logins
- security or incident detections
In addition, the organization should thoroughly assess its network structure and access privileges to contain potential attacks and minimize the impact if a breach should occur.
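The following is an added example, not code from the article or from CrowdStrike, showing what "continuous validation" means in practice: a toy policy decision point that checks identity, device posture and role on every request rather than only at login. The OS baseline, patch-level number, role-to-resource map and the user names are constructed assumptions for the example, and the detection count stands in for the "security or incident detections" attribute listed above.

```python
"""Added example (not CrowdStrike's code): a toy policy decision point that
checks identity and device posture on every request, so access granted at
login is withdrawn as soon as the posture changes."""
from dataclasses import dataclass, field
from typing import List


@dataclass
class DevicePosture:
    os_version: str
    patch_level: int          # hypothetical monotonically increasing patch identifier
    active_detections: int    # open security/incident detections on the endpoint


@dataclass
class AccessRequest:
    user: str
    role: str
    mfa_verified: bool
    device: DevicePosture
    resource: str


@dataclass
class Decision:
    allowed: bool
    reasons: List[str] = field(default_factory=list)


# Hypothetical policy baseline (constructed for this example).
SUPPORTED_OS = {"win11-23H2", "macos-14.4"}
MIN_PATCH_LEVEL = 202403
ROLE_RESOURCES = {            # least privilege: each role sees only what it needs
    "hr-analyst": {"hr-db"},
    "engineer": {"git", "ci"},
}


def evaluate(req: AccessRequest) -> Decision:
    """Evaluate one request against identity, posture and role policy.
    Every failed check is recorded so the denial can be explained and logged."""
    reasons = []
    if not req.mfa_verified:
        reasons.append("mfa_not_verified")
    if req.device.os_version not in SUPPORTED_OS:
        reasons.append("unsupported_os")
    if req.device.patch_level < MIN_PATCH_LEVEL:
        reasons.append("patch_level_below_minimum")
    if req.device.active_detections > 0:
        reasons.append("active_detection_on_endpoint")
    if req.resource not in ROLE_RESOURCES.get(req.role, set()):
        reasons.append("resource_not_permitted_for_role")
    return Decision(allowed=not reasons, reasons=reasons)


def run_session(device: DevicePosture) -> List[Decision]:
    """Three requests from the same authenticated user; posture changes between them."""
    base = dict(user="alice", role="hr-analyst", mfa_verified=True, device=device)
    decisions = [evaluate(AccessRequest(resource="hr-db", **base))]
    # Least privilege: the same user asking for a resource outside her role.
    decisions.append(evaluate(AccessRequest(resource="git", **base)))
    # A detection fires on the endpoint mid-session; the next request is
    # re-evaluated against the new posture instead of trusting the login.
    device.active_detections = 1
    decisions.append(evaluate(AccessRequest(resource="hr-db", **base)))
    return decisions


if __name__ == "__main__":
    for d in run_session(DevicePosture("win11-23H2", 202405, 0)):
        print("ALLOW" if d.allowed else "DENY", d.reasons)
```

The point of `run_session` is the third request: nothing about the user's credentials changed, yet access is denied because the device's posture did. A one-time check at login would have missed it.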
Why is Zero Trust important?
Zero Trust is one of the most effective ways for organizations to control access to their networks, applications, and data. It combines a wide range of preventative techniques including identity verification, microsegmentation, endpoint security and least privilege controls to deter would-be attackers and limit their access in the event of a breach.
This added layer of security is critical as companies increase the number of endpoints within their network and expand their infrastructure to include cloud-based applications and servers. Both of these trends make it more difficult to establish, monitor and maintain secure perimeters. Furthermore, a borderless security strategy is especially important for those organizations that have a global workforce and offer employees the ability to work remotely.
Finally, by segmenting the network and restricting user access, Zero Trust security helps the organization contain breaches and minimize potential damage. This is an important security measure as some of the most sophisticated attacks are orchestrated by internal users.
The Edward Snowden Example
The case of Edward Snowden demonstrates why organizations can’t drop their guard with approved internal users. As a subcontractor for the NSA, Snowden had the appropriate credentials to access the network.
However, without a Zero Trust framework in place, once he was granted access to the network, there were no further authentication procedures required for Snowden to download top-secret material.
Had Zero Trust and the principle of least privilege been in place, Snowden’s activities would have been more easily discovered, if not outright prevented.
Core Principles of the Zero Trust Model
The Zero Trust model is based on the following principles:
1. Re-examine all default access controls.
In a Zero Trust model, there is no such thing as a trusted source. The model assumes would-be attackers are present both inside and outside the network. As such, every request to access the system must be authenticated, authorized and encrypted.
2. Leverage a variety of preventative techniques.
A Zero Trust model relies on a variety of preventative techniques to stop breaches and minimize their damage.
Multifactor authentication (MFA) is one of the most common ways to confirm the user’s identity and increase the security of the network. MFA relies on two or more pieces of evidence, including security questions, email/text confirmation or logic-based exercises to assess the user’s credibility. The number of authentication factors an organization uses is directly proportional to network security — meaning that incorporating more authentication points will help strengthen the organization’s overall security.
Zero Trust also prevents attacks through least-privilege access, which means that the organization grants the lowest level of access possible to each user or device. In the event of a breach, this helps limit lateral movement across the network and minimizes the attack surface.
Finally, the Zero Trust model uses microsegmentation — a security technique that involves dividing perimeters into small zones to maintain separate access to every part of the network — to contain attacks. If a breach occurs, the hacker is unable to explore outside the microsegment.
3. Enable real-time monitoring to identify malicious activity quickly.
While a Zero Trust model is largely preventative in nature, the organization should also incorporate real-time monitoring capabilities to improve their “breakout time” — the critical window between when an intruder compromises the first machine and when they can move laterally to other systems on the network. Real-time monitoring is essential to the organization’s ability to detect, investigate and remediate intrusions.
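The following is an added example, not code from the article or from CrowdStrike, tying together the microsegmentation principle (explicit allow rules between small zones, everything else denied) and the real-time monitoring principle (measuring the breakout window). It checks a handful of constructed connection-log lines against a zone policy, flags flows that cross a microsegment boundary without a rule, and reports how long after the first detection on a host its first blocked lateral flow appeared. The host names, zones, ports, log format and timestamps are all constructed for the example.

```python
"""Added example (not CrowdStrike's code): default-deny microsegmentation
policy checked against constructed connection-log lines, flagging lateral
movement and measuring the breakout window after the first detection."""
from datetime import datetime

# Hypothetical zone map (constructed for this example).
ZONE_OF = {
    "ws-alice": "workstations",
    "ws-bob": "workstations",
    "hr-app-01": "hr-app",
    "hr-db-01": "hr-db",
    "jump-01": "admin",
}

# Explicit allow rules: (source zone, destination zone, port).
# Anything not listed here is denied, including traffic within one zone.
ALLOW = {
    ("workstations", "hr-app", 443),
    ("hr-app", "hr-db", 5432),
    ("admin", "hr-db", 22),
}


def is_flow_allowed(src_host: str, dst_host: str, port: int) -> bool:
    """Microsegmentation check: a flow needs an explicit zone-to-zone rule."""
    src_zone = ZONE_OF.get(src_host)
    dst_zone = ZONE_OF.get(dst_host)
    if src_zone is None or dst_zone is None:
        return False          # unknown host: no implicit trust
    if src_zone == dst_zone:
        return False          # peer-to-peer traffic inside a zone is lateral movement too
    return (src_zone, dst_zone, port) in ALLOW


# Constructed log: ISO timestamp, event kind, then key=value fields.
LOG = """\
2024-05-01T09:00:00Z flow src=ws-alice dst=hr-app-01 port=443
2024-05-01T09:02:10Z alert host=ws-alice detection=credential-dumping
2024-05-01T09:05:30Z flow src=ws-alice dst=ws-bob port=445
2024-05-01T09:06:00Z flow src=ws-alice dst=hr-db-01 port=5432
2024-05-01T09:07:00Z flow src=hr-app-01 dst=hr-db-01 port=5432
"""


def parse_line(line: str):
    ts_str, kind, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    ts = datetime.fromisoformat(ts_str.replace("Z", "+00:00"))
    return ts, kind, fields


def analyze(log_text: str):
    """Return (policy violations, breakout seconds per host).

    The breakout window for a host is the time from its first detection to its
    first flow that the segmentation policy denies."""
    first_alert = {}
    violations = []
    breakout_seconds = {}
    for line in log_text.splitlines():
        ts, kind, f = parse_line(line)
        if kind == "alert":
            first_alert.setdefault(f["host"], ts)
        elif kind == "flow":
            port = int(f["port"])
            if not is_flow_allowed(f["src"], f["dst"], port):
                violations.append((ts, f["src"], f["dst"], port))
                src = f["src"]
                if src in first_alert and src not in breakout_seconds:
                    breakout_seconds[src] = (ts - first_alert[src]).total_seconds()
    return violations, breakout_seconds


if __name__ == "__main__":
    found, breakout = analyze(LOG)
    for ts, src, dst, port in found:
        print(f"{ts.isoformat()} DENIED {src} -> {dst}:{port}")
    print("breakout seconds:", breakout)
```

In the constructed log, the workstation-to-workstation SMB flow and the direct workstation-to-database flow are both blocked by the zone policy, while the application-to-database flow is allowed; the first blocked flow from `ws-alice` lands 200 seconds after its detection, which is the window a monitoring team would want to shrink.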
4. Align to the broader security strategy.
A Zero Trust architecture is just one aspect of a comprehensive security strategy. In addition, while technology plays an important part in protecting the organization, digital capabilities alone will not prevent breaches. Companies must adopt a holistic security solution that incorporates a variety of endpoint monitoring, detection and response capabilities to ensure the safety of their networks.
Tips to Achieving Zero Trust
Although each organization’s needs are unique, CrowdStrike offers the following recommendations to develop and deploy a Zero Trust model:
1. Assess the organization.
Define the protect surface and identify sensitive data, assets, applications and services (DAAS) within this framework. Assess the organization’s current security toolset and identify any gaps within the infrastructure. Ensure that the most critical assets are given the highest level of protection within the security architecture.
2. Create a directory of all assets and map the transaction flows.
Determine where sensitive information lives and which users need access to it. Consider how various DAAS components interact and ensure compatibility in security access controls between these resources.
3. Establish a variety of preventative measures.
Leverage a variety of preventative measures to deter hackers and thwart their access in the event of a breach, including:
- Multifactor authentication: MFA, 2FA, or third-factor authentication are essential to achieving Zero Trust. These controls provide another layer of verification for every user inside and outside the enterprise.
- Least privilege principles: Once the organization has determined where the sensitive data lives, grant users the least amount of access necessary for their roles.
- Microsegmentation: Micro-perimeters act as border control within the system, preventing any unauthorized lateral movement. The organization can segment based on user group, location or logically grouped applications.
4. Monitor the network continuously.
Figure out where the anomalous activity is occurring and monitor all the surrounding activity. Inspect, analyze and log all traffic and data without interruption.
Challenges of Zero Trust
To truly understand Zero Trust at a granular level, we must understand the challenges enterprises face with implementing a Zero Trust framework. Here are a couple of examples:
1. Legacy apps, legacy network resources, administrative tools, and protocols are part of the network and enterprise operations. For example, mainframes, HR systems, PowerShell, PsExec, and more are commonly excluded from the Zero Trust architecture. However, they are essential tools for operations, just like protocols such as NTLM that needed to go away years ago but are here to stay.
Traditionally, none of these can be protected with identity verification, posing a cost-prohibitive obstacle (it’s often too expensive to re-architect these systems). Many times these legacy systems are excluded from the approach, which makes them the weakest link. In other cases, security teams create an inconsistent user experience or, when possible (e.g. PsExec), prohibit tools from being used, which reduces staff productivity.
2. Regulations have not yet adopted the Zero Trust model, which means that organizations subject to compliance requirements will have trouble passing an audit. If PCI DSS requires the use of firewalls and segmentation of sensitive data, how do you pass audits if there are no firewalls? Will such a move put the whole environment under the regulation? What are the implications if regulations are about segmentation and Zero Trust is not? Regulations will need to change before we can completely use this model in a robust way.
3. Visibility and control within the network is often one of the major factors challenging enterprises’ implementation of Zero Trust networks. Most organizations don’t have a comprehensive view into – or the ability to set protocols around – all individual users within their network and are thus vulnerable to threats posed by unpatched devices, legacy systems, and over-privileged users.
While there are more examples, these topline points highlight the fact that we are a long way from organizations becoming 100 percent Zero Trust compliant: for now, this would require major surgery on an organization’s IT infrastructure. In the near term, a hybrid approach to Zero Trust will likely be the status quo.
How CrowdStrike Can Help
The CrowdStrike® Falcon platform provides real-time, continuous visibility and security across the organization’s assets regardless of whether they are on or off the enterprise network. CrowdStrike helps customers establish a comprehensive security strategy, including Zero Trust principles, to create a cybersecurity solution that is:
- Customizable: CrowdStrike Falcon® is easy to install, maintain and operate, and can be tailored to address each organization’s unique needs and protect individual assets.
- Actionable: CrowdStrike Zero Trust Assessment, available in Falcon Insight, determines endpoint health across the organization. With this real-time security posture assessment, customers can easily identify and update Falcon sensor policies and OS settings that are out of date or increase risk. Customers can share assessment scores with CrowdStrike Zero Trust ecosystem partners for real-time conditional access enforcement.
- Comprehensive: The Falcon platform provides continuous visibility and security across a variety of touchpoints, including endpoint hardware type, firmware versions, operating system versions, patch levels, vulnerabilities, applications installed, user logins, and security or incident detections.
- Continuous: The Falcon platform enables ongoing, automatic monitoring, detection and response capabilities.
- Flexible: The Falcon platform is built for the future. It is designed to protect against new threats, adapt to the landscape and scale to meet the organization’s changing needs.
- Open API First Platform: The Falcon platform provides a full-spectrum set of RESTful/JSON APIs that enable end customers and the CrowdStrike partner ecosystem to integrate third-party tools that help to seamlessly implement your Zero Trust architecture. Some examples of third-party integrations include Okta, Zscaler, Netskope, Forescout, Splunk/Phantom and many more.