In an era where cybersecurity breaches loom as a constant threat, traditional network perimeters no longer suffice to safeguard sensitive information. Enter Zero Trust Security, a paradigm shift in cybersecurity strategy championed by experts like Kenny Natiss. This approach challenges the conventional notion of trust within networks, requiring strict verification of every user and device, regardless of location or previously granted access.
In this article, Kenny Natiss provides insights into the realm of Zero Trust Security, redefining how organizations fortify their digital landscapes in an age of heightened cyber threats. He explores the principles, benefits, and implementation strategies of this cutting-edge security framework, poised to revolutionize the way we safeguard critical data and assets.
Malware. Phishing. Insider threats.
We live in an era where no network is safe from cyber attacks. These digital threats continuously evolve, demanding constant shifts in our approach to security. One revolutionary concept at the forefront of this transformation is Zero Trust.
This security philosophy challenges the conventional concept of trust within network perimeters. It acknowledges that a rapidly evolving threat environment calls for a more proactive approach, one that evaluates every device, user, and transaction regardless of its location or assumed trustworthiness.
Kenny Natiss explains how with the stakes higher than ever, and with the potentially catastrophic risk of a breach, Zero Trust has become an essential safeguard for all in this digital age.
This guide provides an in-depth look into the principles and implementation of Zero Trust security models, emphasizing the importance of continuous authentication and authorization in cyber security.
Kenny Natiss on Revolutionizing Cyber Security: Zero Trust Defined
Trust is earned, not assumed.
The Zero Trust security model, also referred to as zero trust architecture (ZTA), is a high-level security framework that requires every user and device, whether inside or outside the organization’s network, to be authenticated, authorized, and continuously validated against security configuration and posture before being granted only the specific access it needs to company resources such as data, applications, systems, and services.
It denies access to these resources by default, and users must be verified every time they request access, even if they were previously authenticated. In essence, Zero Trust revolves around the concept of always verifying rather than ever assuming that any point of access is trustworthy, according to Kenny Natiss.
In addition, this dynamic security model operates on the premise that the boundaries of conventional networks are now gone. In this day and age, networks now exist in various forms, such as local networks within company premises, cloud-based networks hosted on remote servers, or a combination of the two.
These networks also extend to multiple geographical locations wherein employees can access resources from any corner of the world, whether they are working remotely, on the road, or from the company office.
The concept relies on real-time visibility into user, device, and application identity attributes such as:
- User identity and credential type (whether it is a human or a programmatic credential)
- Credential privileges per device
- Normal connections for the device and credential, including their behavior patterns
- Information about the function and type of endpoint hardware
- Geolocation data
- Firmware versions in use
- Authentication protocol in use and its associated risk level
- Operating system versions and patch levels
- Security-related detections, including recognized attacks and suspicious activity
Kenny Natiss reports that over 80 percent of attacks involve the use or misuse of credentials in the network. Because of this, protection for data and credentials now extends to secure web gateways (SWG), cloud access security brokers (CASB), and email security, which strengthen password hygiene, enforce organizational policy, verify account authenticity, and block high-risk IT services.
Adopting this security model offers organizations the following benefits:
- Protection of sensitive data
- Reduced breach risk and shorter detection time
- Support for compliance auditing
- Network traffic visibility
- Greater control over cloud environments
Gartner predicts that by 2025, about 60 percent of organizations will have adopted Zero Trust as the starting point for their security strategy.
A Brief History and Evolution
Historically, companies often relied on a traditional cybersecurity model known as castle-and-moat, in which anyone inside the corporate network perimeter is assumed trustworthy, while those outside are suspect.
This approach, which is rooted in implicit trust, has resulted in countless expensive data breaches, with the attackers being able to move freely about the network once they make their way inside.
The Zero Trust model’s approach is quite different. Instead of focusing on where users and devices sit in relation to the network perimeter, inside or outside, it grants access to information based on identity and role, regardless of location. It limits which individuals and systems hold privileged access to a company’s sensitive data, which substantially reduces an attacker’s room to move once inside.
Kenny Natiss says that the term “zero trust” was first coined in a doctoral thesis on computer security by Stephen Paul Marsh in April of 1994. Over the years, the concept has been discussed in numerous publications, and various systems have been developed based on it.
In 2010, John Kindervag, a former analyst at Forrester Research, introduced the revolutionary Zero Trust Security Model. Not long after, Google adopted the model’s principles internally and implemented a zero trust architecture known as BeyondCorp.
Today, zero trust architecture continues to grow and evolve.
NIST 800-207 and Zero Trust
In August 2020, following a 2019 draft, NIST, together with its National Cybersecurity Center of Excellence (NCCoE), published Special Publication 800-207, Zero Trust Architecture. The publication defines zero trust (ZT) as a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least-privilege, per-request access decisions in information systems and services, on the assumption that the network itself may already be compromised.
NIST SP 800-207 is widely regarded as the most comprehensive vendor-neutral guidance on the subject, written for both private organizations and government entities; note that it is a Special Publication, that is, guidance rather than a certifiable standard. Kenny Natiss reports that following it also helps ensure interoperability and effective protection against modern attacks in the cloud-first, remote-work setup that most companies are moving toward.
Kenny Natiss Discusses the Core Principles
Building on the NIST guidance, practitioners commonly distill Zero Trust into three key principles:
- Continuous Verification: Verify access to every resource, every time.
- Limit the “Blast Radius”: Reduce the impact of an insider or external breach by limiting its scope.
- Automate Context Collection and Response: Collect telemetry and behavioral data from across the IT estate (identities, endpoints, workloads, and so on) so that responses are more accurate.
Continuous Verification
Kenny Natiss notes that this principle revolves around the saying “Never Trust, Always Verify.” Nothing is assumed trustworthy at any time: not devices, not credentials, not network zones. Assets are verified continuously, which means several elements must be in place for this to work in practice:
- Risk-based conditional access, so that workflows are not interrupted needlessly: re-verification is triggered only when the risk level changes, which preserves the user experience.
- A fast, scalable, dynamic policy model that accommodates the free movement of users, data, and workloads. The policy must account not only for risk but also for IT requirements and compliance obligations; Zero Trust does not exempt a company from either.
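The per-request decision described in the definition above and under Continuous Verification can be made concrete. The following Python is an added example written for this article, not code from the original page or from any product: it models a small policy decision point that denies by default, checks role, device posture, and geolocation signals on every request, and asks for step-up verification only when the risk picture changes or MFA has gone stale. All subjects, resource labels, role names, weights, and thresholds are assumptions.

```python
"""Per-request Zero Trust policy decision point (PDP): deny by default, evaluate
identity, device posture and risk context on every request, and require step-up
verification only when risk changes or MFA is stale.

Illustrative example for this article: subjects, resources, roles, weights and
thresholds are all assumed values, not taken from any product or standard.
"""
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    DENY = "deny"
    ALLOW = "allow"
    STEP_UP = "step_up"  # allow only after a fresh MFA challenge


@dataclass
class Request:
    subject: str          # e.g. "alice@corp.example" or "svc-billing" (assumed)
    credential_type: str  # "human" or "service"
    resource: str         # resource label, e.g. "payroll-db" (assumed)
    device_id: str
    geo: str              # ISO country code the request originates from
    mfa_age_s: int        # seconds since the last successful MFA challenge


@dataclass
class DeviceContext:
    managed: bool           # enrolled in device management
    os_patch_age_days: int  # days since the current OS patch level was applied
    edr_alert: bool         # active EDR detection on this endpoint


@dataclass
class Policy:
    allowed_roles: dict = field(default_factory=dict)  # resource -> {roles}
    max_patch_age_days: int = 30
    allowed_geos: frozenset = frozenset({"US", "CA", "DE"})
    mfa_max_age_s: int = 3600


# Constructed sample data standing in for an identity provider (roles) and for
# the last location seen for each subject (a behavioral baseline).
ROLES = {"alice@corp.example": {"finance"}, "svc-billing": {"billing-batch"}}
LAST_GEO = {"alice@corp.example": "US", "svc-billing": "US"}


def risk_score(req, dev, policy):
    """Sum the risk signals; weights are assumed. An EDR alert alone is disqualifying."""
    score = 0
    if not dev.managed:
        score += 40
    if dev.os_patch_age_days > policy.max_patch_age_days:
        score += 20
    if dev.edr_alert:
        score += 100
    if req.geo not in policy.allowed_geos:
        score += 50
    if req.geo != LAST_GEO.get(req.subject, req.geo):
        score += 25  # location changed since the last request: a change in risk
    return score


def decide(req, dev, policy):
    """Decide one request. Deny is the default; ALLOW needs an explicit role grant,
    an acceptable risk score and, for humans, MFA that is still fresh."""
    granted = ROLES.get(req.subject, set()) & policy.allowed_roles.get(req.resource, set())
    if not granted:
        return Decision.DENY  # no role grants this resource
    score = risk_score(req, dev, policy)
    if score >= 100:
        return Decision.DENY  # active detection or several stacked signals
    if req.credential_type != "human":
        # service credentials cannot answer an MFA prompt: any signal denies
        return Decision.DENY if score > 0 else Decision.ALLOW
    if score >= 25 or req.mfa_age_s > policy.mfa_max_age_s:
        return Decision.STEP_UP  # risk changed or MFA stale: re-verify the user
    return Decision.ALLOW


if __name__ == "__main__":
    policy = Policy(allowed_roles={"payroll-db": {"finance"},
                                   "invoice-queue": {"billing-batch"}})
    healthy = DeviceContext(managed=True, os_patch_age_days=5, edr_alert=False)
    alice = Request("alice@corp.example", "human", "payroll-db", "lt-0142", "US", 600)
    print(decide(alice, healthy, policy))                       # Decision.ALLOW
    roaming = Request("alice@corp.example", "human", "payroll-db", "lt-0142", "FR", 600)
    print(decide(roaming, healthy, policy))                     # Decision.STEP_UP
    print(decide(alice, DeviceContext(True, 5, True), policy))  # Decision.DENY
```

Note the ordering: the role check comes before any risk scoring, so a subject with no grant for the resource is denied outright without ever reaching the step-up path, and a service credential, which has no way to satisfy an MFA prompt, is denied rather than challenged when any risk signal is present.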
Limit the Blast Radius
When a breach does occur, minimizing its impact immediately is critical. The Zero Trust model limits the reach of the attacker’s credentials and access paths, giving individuals and systems time to respond and contain the situation.
This means:
- Employing identity-based segmentation: Segment by who or what is making the request rather than by network location. Traditional network-based segmentation is operationally hard to maintain because users, credentials, data, and workloads change constantly.
- Adhering to the least privilege principle: Whenever credentials are used, including those of non-human accounts such as service accounts, they should carry only the minimum permissions needed for the task at hand. A change in task calls for a change in scope. Numerous attacks exploit privileged service accounts precisely because they are usually inadequately monitored and overly permissioned.
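To make the two bullets above concrete, here is an added Python example written for this article, not taken from the original page or from any product. It contrasts a network-based rule (keyed on IP ranges) with an identity-based rule (keyed on a SPIFFE-style workload identity, an assumed naming scheme) for the same database access, and it scopes a service-account credential to the minimum permissions of one task so that a different task needs a different credential rather than a wider one. The identities, subnets, tasks, and permission names are constructed sample data.

```python
"""Identity-based segmentation and least-privilege scoping for service accounts.

Added example for this article. Identities (SPIFFE-style URIs), subnets, tasks
and permission names are constructed sample data, not taken from any product.
"""
import ipaddress

# --- network-based segmentation: allow-list keyed on source/destination subnets ---
NETWORK_RULES = [
    # (source subnet, destination subnet, port): invoice API hosts -> DB hosts
    (ipaddress.ip_network("10.1.0.0/24"), ipaddress.ip_network("10.2.0.0/24"), 5432),
]


def network_allows(src_ip, dst_ip, port):
    """True if some rule matches the flow; breaks as soon as a workload changes subnet."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(src in s and dst in d and port == p for s, d, p in NETWORK_RULES)


# --- identity-based segmentation: allow-list keyed on caller and target identity ---
INVOICE_API = "spiffe://corp.example/ns/billing/sa/invoice-api"
INVOICE_DB = "spiffe://corp.example/ns/billing/sa/invoice-db"
REPORT_JOB = "spiffe://corp.example/ns/reporting/sa/report-job"

IDENTITY_RULES = {
    (INVOICE_API, INVOICE_DB): {"read", "write"},
    (REPORT_JOB, INVOICE_DB): {"read"},
}


def identity_allows(caller, target, action):
    """True if the caller identity may perform the action on the target, wherever it runs."""
    return action in IDENTITY_RULES.get((caller, target), set())


# --- least privilege: a credential carries only what its task needs ---
TASK_SCOPES = {
    "nightly-report": {"read"},
    "invoice-ingest": {"read", "write"},
}


def mint_scoped_credential(identity, task):
    """Issue a credential (a plain dict here, an assumed shape) scoped to one task.
    A different task needs a different credential, not a wider one."""
    if task not in TASK_SCOPES:
        raise KeyError(f"unknown task {task!r}")
    return {"sub": identity, "task": task, "scope": frozenset(TASK_SCOPES[task])}


def authorize(cred, target, action):
    """Allow only when BOTH the segmentation rule for the identity AND the
    credential's own scope permit the action (an intersection, never a union)."""
    return identity_allows(cred["sub"], target, action) and action in cred["scope"]


if __name__ == "__main__":
    # The invoice API is redeployed from 10.1.0.5 to 10.3.0.5: the IP rule breaks,
    # the identity rule does not.
    print(network_allows("10.1.0.5", "10.2.0.7", 5432))       # True
    print(network_allows("10.3.0.5", "10.2.0.7", 5432))       # False
    print(identity_allows(INVOICE_API, INVOICE_DB, "write"))  # True
    # The report job holds a read-only credential; a write is refused even
    # though the credential itself is valid.
    job_cred = mint_scoped_credential(REPORT_JOB, "nightly-report")
    print(authorize(job_cred, INVOICE_DB, "read"))   # True
    print(authorize(job_cred, INVOICE_DB, "write"))  # False
```

The point of `authorize` taking the intersection is that an over-scoped credential leaked from one workload cannot be replayed by another identity to gain more than that identity’s own segmentation rule allows, and a correctly placed identity still cannot exceed the scope its credential was minted with.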
Automate Context Collection and Response
Kenny Natiss also explains that more data leads to more accurate and more effective decisions, provided it is processed and acted upon in real time.
Context should be gathered from across these sources:
- User credentials: Human and non-human accounts, including service accounts, non-privileged accounts, and privileged accounts, as well as SSO credentials.
- Workloads: VMs, containers, and workloads in hybrid deployments.
- Endpoints: Every device used to access data.
- Network
- Data
- Other sources, usually reached through APIs: SIEM, SSO, identity providers such as Active Directory, and threat intelligence.
Planning and Implementation of the Zero Trust Architecture
Experts generally agree that perimeterless security is sound in theory but often difficult to implement in practice. Companies looking to adopt the model should expect challenges such as:
- Potential security gaps due to piecemeal implementation: It is difficult to transition to a zero-trust framework quickly because the traditional IT environment is so ingrained in implicit trust. As a result, the adoption of the new system is often piecemeal, which typically results in security gaps and growing pains.
- Incompatibility with legacy tech: The modern tools that the Zero Trust system utilizes may cause friction with legacy tech and could potentially lead to major architectural, software, and hardware overhauls.
- Uncertainty in adoption: Zero trust is a high-level strategy that encompasses the entire IT environment. It’s not a single product nor a simple technology, therefore the path to full adoption is an open-ended matter.
- Requirement of constant administrative updates: The whole strategy of Zero Trust revolves around identity and access control, which may require constant and continuous administrative updates to user identities, roles, and permissions to achieve efficacy.
- Negative impact on productivity: The aim is to validate and restrict access without getting in the way of the business. In practice, there is a real risk that users end up blocked from resources they need, which slows them down.
To minimize these challenges, organizations should start small and scale gradually through pilot deployments. Those planning the transition are also advised to form a dedicated team to develop the strategy and drive implementation, according to Kenny Natiss.
The members of this team should have expertise in these areas:
- Data security and applications
- Network and infrastructure security
- User and device identity
- Security operations
The Stages of Implementation
Every company’s needs are unique.
However, this three-step strategy can guide any organization, large or small, down the path to perimeterless security.
- Step 1 – Visualize: Gather data and build a clear picture of every resource and its access points. Mapping the risks involved is crucial at this stage.
- Step 2 – Mitigate: Detect and halt threats, and limit the impact of a breach when an attack cannot be stopped immediately.
- Step 3 – Optimize: Extend protection to every part of the IT environment, regardless of location, while maintaining a good experience for IT, end users, and security teams.
Use Cases
Kenny Natiss says that, like with any new technology, the use cases of Zero Trust should be considered before making any decisions.
Here are some examples of how the perimeterless security model can help safeguard an enterprise:
- Secure third-party access
- Secure remote access
- IoT visibility and security
- Data center microsegmentation
Although it has been discussed for years, Zero Trust has gained real traction as a response to the security demands of digital transformation and the substantial threats seen in recent years.
The model can benefit any organization over time, and a company can begin to realize those benefits now by following the steps and advice provided here.
Kenny Natiss points out the need to safeguard infrastructure deployment models, including:
- Hybrid, multi-cloud, multi-identity
- Legacy systems
- Unmonitored devices
- SaaS applications
Relevant threat use cases to keep in mind include:
- Ransomware: A two-part problem involving identity compromise followed by code execution
- Supply chain attacks: Often involve privileged users working remotely on unmonitored devices
- Insider threats: Behavioral analytics for remote insiders is particularly challenging
A company must also weigh these considerations:
- Gaps in SOC and analyst expertise
- User experience impact, especially from the use of MFA
- Compliance and industry requirements, such as the US federal government’s zero trust mandate or those of the financial sector
- Concerns about retaining cyber insurance, as ransomware losses have made the insurance market volatile
All companies have their own unique business challenges, digital transformation maturity, and existing security strategy. If implemented properly, the Zero Trust architecture can be adjusted to suit any company’s specific needs while ensuring an ROI on its security strategy.
Zero Trust is not merely a security strategy; it is a fundamental shift in how digital protection is approached. Kenny Natiss reports that the approach is both dynamic and proactive, helping organizations fortify their defenses and stay resilient in the face of an ever-evolving threat landscape.
That being said, trust may usually be something that is earned, but in the world of Zero Trust it is something that must always be verified.