How to Get Started with Zero Trust

Zero Trust is a vision. It’s a concept ‒ it is not a product. It basically means, “Trust no-one, trust nothing, without full identification and authorisation.”

It’s a response to the evolution of computing and IT infrastructures over the last decade. This can be characterised as a move to cloud computing and a growth in remote computing. The common factors in both are there is no defined network perimeter that can be defended, and that companies now have assets beyond the corporate network and outside of the traditional network perimeter defences.

Security professionals have limited visibility into both cloud assets and employees’ home computers. Since these assets and devices can no longer be automatically trusted, the Zero Trust concept says do not trust them ‒ any of them at any time ‒ until and unless they can absolutely prove their trustworthiness. Zero Trust is not ‘trust but verify’; it is ‘verify before you trust’.

The components of the Zero Trust Framework

The basic component of a Zero Trust framework is controlled access between visitor and asset. This applies to both access from an untrusted network (for example, via the internet), and access from within the trusted network (such as inside the data centre). So, for example, there is no implied trust when a home worker attempts to access the company network. That trust must be established every time before access is granted. Similarly, within the data centre: if someone in IT wishes to access a file in HR, the right to do so must be established before access is granted.

Zero Trust into the data centre is designed to prevent malicious actors gaining access. Zero Trust within the data centre prevents lateral movement by hackers already present. The precise components used to achieve this will vary between different companies and their infrastructures. However, the concept can be visualised within the data centre by a combination of microsegmentation (firewalls around assets) with identity management supported by multi-factor verification, so that only trusted users and devices can cross from one microsegment into another. Think of it as having virtual firewalls around every asset.

How long has it been around?

The concept is not new. It evolved from the early work of the Jericho Forum which was formed in 2004 to define and solve problems emerging from the cloud-based de-perimeterising of traditional perimeter-based security. John Kindervag, an analyst with Forrester, coined the term ‘Zero Trust’ in 2010. In 2014, Google published its BeyondCorp model, designed to allow its globally distributed engineers to securely access its numerous data centres via the internet.

By 2019, the UK’s National Cyber Security Centre (NCSC) was recommending Zero Trust be used for new deployments, especially where the cloud was part of the planning. In 2021, President Biden’s Executive Order on Improving the Nation’s Cybersecurity said, “Incremental improvements will not give us the security we need; instead, the Federal Government needs to make bold changes…” Those bold changes include a requirement for federal agencies to adopt Zero Trust ‒ which will be on the advice of experts within the NSA, DOD and DHS.

Zero Trust has evolved from its nascence as a potential method of providing security in a cloud-centric environment to a recommendation from the British government and a requirement from the US government. But it remains a concept; and the route to applying that concept is long and complex.

How to achieve Zero Trust in your organisation

The NCSC has published eight principles “to help you to implement your own Zero Trust network architecture in an enterprise environment.”[1] These principles are:

  1. Know your architecture including users, devices, services and data
  2. Know your user, service and device identities
  3. Assess user behaviour, service and device health
  4. Use policies to authorise requests
  5. Authenticate and authorise everywhere
  6. Focus your monitoring on users, devices and services
  7. Don't trust any network, including your own
  8. Choose services which have been designed for Zero Trust

While these are useful principles behind the concept, they do not tell you how to implement the concept.

Biden’s Executive Order[2] of May 12, 2021, is also of little immediate assistance ‒ but it does better illustrate the complexities involved. It says first that federal agencies should prioritise the adoption of cloud services, and then:

"Develop a plan to implement Zero Trust Architecture, which shall incorporate, as appropriate, the migration steps that the National Institute of Standards and Technology (NIST) within the Department of Commerce has outlined in standards and guidance, describe any such steps that have already been completed, identify activities that will have the most immediate security impact, and include a schedule to implement them…"

This is key to understanding how the US government is proposing to introduce Zero Trust ‒ the Executive Order is a plan for a plan. What this tells us is that Zero Trust is an aspiration that cannot be rushed but must be planned and implemented meticulously.

What you need to know before introducing Zero Trust to your business

Some of the elements you will need in place to introduce Zero Trust include a complete, accurate and detailed inventory of all your assets, and a complete inventory of all the users, processes and devices that are entitled to access those assets. This should include your own staff and any third parties such as suppliers, contractors and customers. This is not a one-off, but must be continuously maintained, so some form of identity management system that will also control ‘privilege creep’ is necessary.

Access should be further supported by an acceptable form of multi-factor authentication to limit any danger from credential stuffing or guessing attacks. You need to be able to authenticate both the user and the device being used. Do not assume the latter is simple. A new version of Houdini malware able to steal device information was recently discovered[3]. The stolen details are then used in a virtual machine that effectively mimics the real device, and is sold on dark web forums.

You need to have confidence in the security of the endpoints being used to access your internal assets. If a remote worker’s home computer is compromised, and if you don’t have visibility into that device, then you cannot be confident in anything coming from that device.
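The NCSC principles above (identities, device health, policy-based authorisation, no trusted network) and the inventory, MFA and endpoint requirements just described can be reduced to a single deny-by-default access decision. The following is an added illustration, not code from the NCSC or from any product: the device and entitlement inventories are constructed sample data, and the `authorize` function and its check order are assumptions chosen to show that the source network is never consulted.

```python
from dataclasses import dataclass

# Constructed sample inventories standing in for the asset, identity and device
# inventories the text says must be maintained continuously (assumed data).
DEVICES = {
    "lt-0142": {"owner": "alice", "managed": True, "disk_encrypted": True, "patched": True},
    "lt-0377": {"owner": "carol", "managed": True, "disk_encrypted": True, "patched": True},
    "home-pc": {"owner": "bob", "managed": False, "disk_encrypted": False, "patched": False},
}
# Who may reach which asset. Entitlement is per user and asset, never per network.
ENTITLEMENTS = {
    "alice": {"hr-files"},   # HR staff
    "carol": {"it-tools"},   # IT staff: no standing right to HR data
    "bob": {"wiki"},
}


@dataclass
class Request:
    user: str
    device: str
    asset: str
    mfa_verified: bool
    source_network: str  # "internal" or "internet"; deliberately ignored below


def authorize(req: Request) -> tuple[bool, str]:
    """Deny by default. Every check must pass on every request, and the
    answer is the same whether the request came from the internet or
    from inside the data centre (principle 7: trust no network)."""
    dev = DEVICES.get(req.device)
    if dev is None:
        return False, "unknown device"            # not in the device inventory
    if dev["owner"] != req.user:
        return False, "device not registered to user"
    if not req.mfa_verified:
        return False, "mfa required"              # credential alone is not enough
    if not (dev["managed"] and dev["disk_encrypted"] and dev["patched"]):
        return False, "device health check failed"  # principle 3: device health
    if req.asset not in ENTITLEMENTS.get(req.user, set()):
        return False, "no entitlement for asset"  # blocks lateral movement
    return True, "allowed"


if __name__ == "__main__":
    # Same user, device and asset: the decision does not depend on location.
    for net in ("internet", "internal"):
        print(net, authorize(Request("alice", "lt-0142", "hr-files", True, net)))
    # IT user inside the data centre reaching for an HR file is still refused.
    print(authorize(Request("carol", "lt-0377", "hr-files", True, "internal")))
```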

These are just the very basics of a Zero Trust implementation. But fundamentally there are just two things to understand: firstly, that both the UK and US governments are recommending Zero Trust as the way to go, and secondly, it is not an easy or simple route.

The best solution may be to use an expert third party to design, develop and run your Zero Trust implementation.

  • [1] https://www.ncsc.gov.uk/collection/zero-trust-architecture/introduction-to-zero-trust
  • [2] https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/
  • [3] https://www.securityweek.com/houdini-malware-returns-and-amazons-sidewalk-enter-corporate-networks