“Zero trust” has graduated from buzzword to repeatable architecture pattern, with standards bodies such as NIST putting out guidance and vendors improving the tooling. Add to that the move to provide security during the shifts in work brought on by the COVID-19 pandemic, and zero trust adoption is accelerating in many organizations. This piece provides an update on zero trust use cases, tooling and effectiveness.
Zero trust is an evolving set of principles and architectures that favors dynamic trust boundaries over traditional static and long-lived indicators of trust. Zero trust can be summarized by these characteristics from Google BeyondCorp.
These characteristics have been further developed in NIST SP 800-207: Zero Trust Architecture. Fundamentally, trust is established when a service or resource
The principle of least trust is in play here, with zero or little trust being provided before access and when the access request fails to meet the policy requirements. Otherwise, appropriate trust is provided to allow identities to complete their work.
To achieve this, zero trust architectures must have a policy decision point (PDP) and policy enforcement point (PEP) between every identity (user and device) and the resource (application). The access is then determined by the observable state at the PDP/PEP, which includes the context and conditions of the request, behavioral attributes and other signals of trust.
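The PDP/PEP split described above, as an added illustration that is not part of the original article: a small policy decision point that evaluates an access request against a per-resource policy using observed trust signals (known/compliant device, MFA status, a risk score), defaulting to deny whenever a signal is absent, and a policy enforcement point that only invokes the resource on an "allow". The resource names, policy fields and signal keys are constructed for this example.

```python
from dataclasses import dataclass, field

@dataclass
class AccessRequest:
    user: str
    resource: str
    signals: dict = field(default_factory=dict)  # trust signals observed at the PDP/PEP

# Hypothetical per-resource policy (constructed for this example): what the
# observable state must show before trust is extended to the identity.
POLICY = {
    "payroll-app": {"mfa": True, "device_compliant": True, "max_risk": 30},
    "wiki": {"mfa": False, "device_compliant": False, "max_risk": 70},
}

def decide(req: AccessRequest) -> str:
    """Policy decision point: returns 'allow', 'step_up' or 'deny'.

    Least trust by default: an unknown resource or a missing signal is
    treated as untrusted rather than assumed safe.
    """
    policy = POLICY.get(req.resource)
    if policy is None:
        return "deny"
    s = req.signals
    if s.get("device_known") is not True:          # unknown device
        return "deny"
    if policy["device_compliant"] and s.get("device_compliant") is not True:
        return "deny"                              # at-risk / noncompliant device
    risk = s.get("risk_score")                     # behavioral/context risk, 0-100
    if risk is None or risk > policy["max_risk"]:
        return "deny"
    if policy["mfa"] and s.get("mfa_verified") is not True:
        return "step_up"                           # challenge before extending trust
    return "allow"

def enforce(req: AccessRequest, fetch):
    """Policy enforcement point: calls the resource only on an 'allow'."""
    decision = decide(req)
    if decision == "allow":
        return decision, fetch(req.user)
    return decision, None

if __name__ == "__main__":
    # Constructed sample request: known compliant device, MFA done, low risk.
    req = AccessRequest("alice", "payroll-app", {"device_known": True,
          "device_compliant": True, "mfa_verified": True, "risk_score": 10})
    print(enforce(req, lambda u: f"payroll record for {u}"))
```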
Some combination of the following zero trust architecture patterns is currently being established in large organizations to implement the principle of least trust through dynamic policy:
DOWNLOAD: Zero Trust: A Step-by-Step Guide
Initially, the primary use case for zero trust revolved around securing remote work and enabling hybrid work. This evolved into securing cloud access for SaaS applications for the workforce and enhancing privileged access for IT professionals. Meanwhile, use cases for applications and equipment continue to be on the roadmaps of many organizations.
More recently, common use cases based on identity for zero trust are detailed in Figure 1 below.
Figure 1: Common Use Cases for Zero Trust
Source: IANS, 2022
Organizations effective in zero trust deployments are taking an iterative approach that’s use-case driven. Broadly, this means:
It’s best to begin with verifying entities (people, devices, resources) and implementing risk-based authentication. After that, you can focus on deepening the policy enforcement to increase trust signals and risk factors, and then plan for how to handle in-session trust and data protection.
Organizations that applied zero trust to securing remote work and enabling hybrid work have achieved early successes. These include:
Those early gains have also proven effective in improving user satisfaction and reducing operational overhead (admin time, licensing, bandwidth, etc.).
Zero trust tooling falls into two categories: the policy engine (PEP, PDP) and signals of trust. The policy engine extends or revokes trust when the identity is accessing the resources. This is informed by detective controls. The policy engine piece is usually performed within one of the following areas:
For signals of trust, the deciding factor is whether it integrates with the policy engine. If it is not integrated, then it may be a strong security control, but it should not be considered part of the zero trust implementation. Signals of trust categories to consider include:
Attackers take advantage of long-lived indicators of trust and static trust boundaries. A driver for zero trust initiatives is to improve security and breach prevention, while enabling the business to achieve objectives. Depending on the use case and the extent to which the policy is deployed, zero trust helps mitigate several common threat scenarios. See Figure 2.
Figure 2: Zero Trust Threat Mitigations
Account takeover through phishing, password spraying or password guessing
Business email compromise through phishing, password spraying or password guessing
Unknown devices accessing resources or applications
At-risk devices (unpatched, infected, noncompliant) accessing resources or apps
Man-in-the-middle and on-network attacks
Ransomware spread through compromised user session or infected device
Insider threat via negligent, malicious or compromised session
Network lateral movement
Early zero trust initiatives have also faced some common pitfalls. These include:
READ: Enterprise Security Architecture Best Practices
Establishing a zero trust architecture across an enterprise is a complex undertaking that is iterative and incremental. To improve your chances of success:
Overall, it’s important to tie back efforts to first principles—the zero trust tenets and the organization’s reference architecture—to plot a course that’s right for you.
September 21, 2023
By IANS Faculty