This is why the U.S. Department of Defense published information<\/a> regarding plans to shift its network to a \u201czero trust architecture\u201d by 2027. In its Zero Trust Strategy and Roadmap document, the federal defense agency shared its goals about what it aims to achieve and what its vision is for the future: implementing stronger defenses against cyber attacks via a dynamic and adaptive approach (zero trust).<\/p>\n\n\n\n This move toward zero trust security has been picking up traction with businesses and other organizations globally over the past several years. It contrasts the traditional notion that cyber security efforts should focus on external threats and hardening your perimeter defenses to protect against threats outside your network. Imagine the cyber security incidents (and resulting data breaches) that could have been avoided if the targeted organizations had implemented zero trust:<\/p>\n\n\n\n But what is zero trust and why is it something that can benefit organizations and businesses across all sectors (not just the DoD)?<\/p>\n\n\n\n Let\u2019s hash it out.<\/span><\/p>\n\n\n<\/span><\/span>\n\n\n Zero trust<\/strong> is an organization\u2019s answer to the childhood warning \u201cstranger danger!\u201d It\u2019s both a framework and strategy that operates with the understanding that no one \u2014 not you, your devices, your apps, or even your CEO \u2014 can (or should) be trusted automatically. And it\u2019s nothing personal \u2014 it\u2019s not because your IT admin doesn\u2019t like you. This real-time security strategy approaches cyber security from the perspective that everyone<\/em> inside and outside your network is a potential threat<\/strong>.<\/p>\n\n\n\n Zero trust touches everything relating to your IT ecosystem and everything that goes on in the background. It promotes the idea that there are no traditional network boundaries; your assets and resources can be anywhere \u2014 on prem, in the cloud, or a mix of both. This makes it a versatile approach to hardening your cyber defenses. Therefore, everyone with access to your organization\u2019s network or IT resources must have their identities continuously vetted throughout their connections.<\/p>\n\n\n\n Regardless of where your assets are that you want to secure, there are three guiding principles at the heart of zero trust security:<\/p>\n\n\n\n What we mean by this is that users need to authenticate in a verifiable name. Simply taking them at their word just won\u2019t cut it. This entails using setting default-deny policies, setting least access privileges, and using public key infrastructure (PKI) based tools (such as client authentication certificates<\/a>).<\/p>\n\n\n\n Whenever someone logs in or tries to access something in a zero trust environment, they\u2019ll need to continually authenticate (prove their identity) throughout the session. Why? Because session IDs can be hijacked and someone unintended can take over a connection. By implementing comprehensive identity and access management, you\u2019re reducing the potential harm an account compromise could cause.<\/p>\n\n\n<\/span><\/span>\n\n\n With zero trust, you assume the worst (someone bad is already in your network) but hope for the best. You\u2019ll want to assume that every network connection and access request is from an attacker. This involves monitoring all users, devices, connections, requests, and configuration changes continuously to ensure that no one is accessing something they shouldn\u2019t.<\/p>\n\n\n\n Verify that users are accessing things securely. Have security mechanisms in place to ensure they\u2019re doing that. This includes enforcing policies dynamically via the policy engine and policy administrator (PE determines whether access is approved or denied and the PA executes that decision). And, as always, monitor and log all access requests and traffic.<\/p>\n\n\n\n There are different approaches to zero trust put out by different organizations and different standards as well. Probably the most commonly known zero trust framework is the National Institute of Standards and Technology\u2019s (NIST) special publication: NIST SP 800-207 \u2014 Zero Trust Architecture<\/a>. This document laid the groundwork for other frameworks from agencies such as the U.S. Department of Defense<\/a> and the National Security Agency<\/a> (NSA).<\/p>\n\n\n\n These other frameworks have a lot to offer information of information and applications. (The DoD guidelines, in particular, offer more breadth and depth than the NSA\u2019s.) And we\u2019ll touch on key concepts from these resources throughout the article.<\/p>\n\n\n\n We live in a time when you can no longer take things at face value. You can\u2019t simply assume that someone is who they claim to be simply because they type in a username and password; all it takes is a small third-party data breach for someone\u2019s password to become known to the dark web. And if that person uses that same password to secure multiple accounts, then attackers can use it to brute force their way into their accounts.<\/p>\n\n\n\n This is why it\u2019s crucial that we look much deeper and look at other verifiable and contextual information. This approach helps us determine whether someone requesting access to sensitive resources is authentic and has the authorization to access those assets.<\/p>\n\n\n\n Discussing this topic of zero trust always makes me think of scenes from the Mission: Impossible<\/em> movie franchise. In several movies, Tom Cruise\u2019s character, Ethan Hunt, wears masks and contact lenses to impersonate key characters. Sure, on the surface, he looks like each of the people he\u2019s pretending to be. He can even use a voice modulator of some kind to sound like each person he\u2019s impersonating. But just because he looks and sounds like that person doesn\u2019t mean Ethan Hunt (Cruise) really is them.<\/p>\n\n\n\n Now, let\u2019s leave Hollywood behind for a second and imagine if someone who looks and sounds like your boss or CEO walks into your building. You\u2019d likely assume that it\u2019s him or her. That would be pretty hard to fake, right? Heck, if I saw someone walk in who looked and spoke like our CEO, Bill Grueninger, I\u2019d likely assume it\u2019s really him, too. But if I walked up and started tugging on his face to see if it\u2019s a latex mask or is the real deal, I\u2019d likely find myself landing a really uncomfortable meeting with HR.<\/p>\n\n\n\n In a digital environment where users authenticate remotely, though, you need to have a way to verify their identities are legitimate. It makes you wonder what major cyber security incidents and data breaches may well have been avoided if the targeted organizations adopted zero trust policies and processes\u2026<\/p>\n\n\n\n A zero-trust environment differs from a traditional security approach in that zero trust means you have continuously prove your trustworthiness, whereas a traditional environment means that once you\u2019re inside the network, you\u2019re automatically assumed to be safe.<\/p>\n\n\n\n Unfortunately, the traditional model no longer works in a world of credential phishing and session hijacking. You need more robust security and authentication measures in place.<\/p>\n\n\n\n If you search online, you\u2019ll notice that different organizations approach zero trust in different ways. For the sake of this article, we\u2019ll talk about the seven pillars of zero trust in terms of how the U.S. Department of Defense framework defines them. The seven zero trust pillars we outline below are overarching categories of focus for implementing zero trust. Each pillar involves monitoring and logging but also entails other specific protections.<\/p>\n\n\n\n Zero trust as a cyber security approach has gained strong support over the last several years. This is partly because of the use of identity-based authentication and user authorization that\u2019s required. In a nutshell, here\u2019s a quick overview of how access controls and management play together to boost your organization\u2019s cyber security:<\/p>\n\n\n\n Of course, neither of these things is foolproof and requires another security layer in the form of authentication. User and device authentication are all about ensuring that only entities (i.e., those whose digital identities have been verified and their authorizations confirmed) can access your secure digital assets.<\/p>\n\n\n\n A key element of the zero trust approach is a concept known as continuous authentication<\/em>. The idea behind continuous authentication is that all network users, including your employees, must not only prove their identities when they first log in but also continuously prove their identities throughout their sessions.<\/p>\n\n\n\n Why is this necessary? Because session IDs can be set to last for extended periods \u2014 anywhere from a few hours to even a few weeks. This means that if a cybercriminal steals an authenticated user\u2019s access tokens (session IDs and cookies), they can pretend to be them and access whatever protected resources their account has the authorization to access.<\/p>\n\n\n\n While some platforms have mechanisms to prevent authentication from happening, this may not always be the case. And it\u2019s true that you can set timeout limits to take effect after certain periods, but if you don\u2019t bother setting up these security limits, then it\u2019s inevitable that at least one bad guy might slip through the cracks.<\/p>\n\n\n\n For zero trust security to work, you need to have a way to prove that you\u2019re really you and aren\u2019t an imposter who\u2019s trying to fraudulently access sensitive data, systems, and other resources. The way to achieve this level of reliable and verifiable digital identity is through the use of public key infrastructure (PKI) and digital certificates. (We\u2019ve talked a lot about these concepts before, but we\u2019ll talk more about them again a little later in the article.)<\/p>\n\n\n\n Digital certificates are small data files that pack massive punches. They contain verified identifying information about you and\/or your organization that a trusted authority (certificate authority) attests is authentic.<\/p>\n\n\n\n You can think of digital certificates<\/a> in much the same way as an official passport: that little government-issued booklet contains verified information about you that proves your identity to people you\u2019ve never met. This way, you can show your passport to airport security and other authorities (i.e., people who don\u2019t know you) to prove you\u2019re really you. (Sorry, there were a lot<\/em> of \u201cyous\u201d in that paragraph.)<\/p>\n\n\n\n What do digital certificates and continuous authentication have to do with one another? Everything, really. <\/p>\n\n\n\n In a zero-trust environment, each employee, device, or other network user must have a way to mutually authenticate in a way that\u2019s verifiable. How? By using a security mechanism that the security of the internet itself is built upon: public key infrastructure (PKI).<\/p>\n\n\n\n Public key infrastructure is the combination of rules, processes and technologies that enable two parties to communicate securely. Without PKI, if you were trying to connect to your bank\u2019s website, it would be risky: you wouldn\u2019t have a way to securely send your data because you wouldn\u2019t know for sure who was on the other end of the connection. Even if the connection is encrypted, if you\u2019re connecting to a cybercriminal, they\u2019d have the decryption key to unscramble your data and read it.<\/p>\n\n\n\n Remember the DoD Zero Trust initiative that we mentioned earlier? Its DoD Zero Trust Architecture document shares one of the most beautiful lines we could hope to read in a government resource as an explanation: \u201cThe use of mutual authentication of users with PKI-based client authentication or mutual authentication certificates to web applications has long been the effective standard.\u201d<\/em><\/p>\n\n\n\n Darned right, it is. And that\u2019s because PKI isn\u2019t the new kid on the block; it\u2019s been around the block many times since its inception in the mid-1980s. PKI has served as the trusted foundation of internet security since that time because it\u2019s what enables secure remote communications and data transmissions that, otherwise, would be impossible.<\/p>\n\n\n\n When it comes to remote user authentication and access, looking beneath the surface is a necessity. You can\u2019t simply see that someone logs in using a basic username-password combination and assume it\u2019s the legitimate account owner; you need an additional layer of verification that continually proves it\u2019s the authentic user. Adopting a zero-trust approach can help in several ways:<\/p>\n\n\n\n Implementing zero trust is a way to prevent cybercriminals from taking advantage of vulnerable access tokens (session cookies, IDs, or weak credentials) to gain access to sensitive resources while pretending to be legitimate network users. Yup, that\u2019s right \u2014 if even one of your employees who has privileged access uses a weak password for their account, it could be game over for your business. All it takes is one bad enough \u201coops\u201d to cause you to face immense penalties, lawsuits, or even have to close your doors forever. <\/p>\n\n\n\n Incorporating zero trust into your cybersecurity strategy is also a great way to help protect your organization\u2019s reputation, brand, and bottom line. Okta\u2019s 2021 State of Digital Trust report<\/a> shows that 75% of American consumers say they likely won\u2019t do business with brands they don\u2019t trust (i.e., after a data breach or misuse of data). Almost half, a whopping 47%, say they\u2019d take things a step further and would permanently stop using a company\u2019s services for the same reasons.<\/p>\n\n\n\n Imagine what would happen if an unauthorized user gained access to your most sensitive data. This could be your intellectual property (IP), customers\u2019 financial data, or even employees\u2019 records. Regardless of which type of data they get their slimy paws on, exposing sensitive data would spell disaster for your organization.<\/p>\n\n\n\n In addition to the no-brainer reason of you don\u2019t want your information accessed by unauthorized individuals<\/em>, there are also other concerns that adopting zero trust could help you avoid<\/p>\n\n\n\n We\u2019ve seen this type of scenario happen time and again in various data breaches. Here\u2019s a quick example of what could happen without a continuous authentication mechanism in place:<\/p>\n\n\n\n Because your organization didn\u2019t require continuous authentication (i.e., didn\u2019t implement zero trust) or have restricted policies in place that are enforced, your IT security admin or cyber security team doesn\u2019t realize that anything is amiss until it\u2019s too late. Now, you\u2019re not only dealing with a data breach, you\u2019re also scrambling to deal with the ransomware situation as well.<\/p>\n\n\n\n But wouldn\u2019t a firewall be able to tip off your cyber defenders that something\u2019s wrong? Sure, event logs will show a significant increase in traffic. But since the traffic appears to be legitimate (because the attacker is using the employee\u2019s legitimate credentials, may be using a proxy IP address to disguise their true location, and you\u2019re not analyzing device identity attributes or behaviors), they may not initially realize that it\u2019s actually an external attacker and not your legitimate employee accessing your systems until the damage has already been done.<\/p>\n\n\n\n Oh boy. We hope you have business continuity, disaster response and disaster recovery<\/a> plans in place, and that those plans are not only current but that your employees know what their roles and responsibilities are! Cyber resilience<\/a> is crucial; but without the right security mechanisms, strategies and plans in place, you may not like the outcome.<\/p>\n\n\n\n Attackers are becoming increasingly sophisticated and potential attack surfaces are expanding. As such, our defense of these systems must become more robust and dynamic. To go beyond discussing zero trust from a largely conceptual standpoint, let\u2019s dive deeper and explore the damage caused to a real-world organization by bad actors within its trusted internal network<\/a>.<\/p>\n\n\n\n In January 2021, the Pennsylvania law firm Elliott Greenleaf was the victim of an insider attack<\/a> and sustained catastrophic financial losses, according to WestLaw.com. According to multiple reports, four attorneys and a paralegal secretly downloaded a slew of invaluable sensitive data, including confidential files, trade secrets, and client lists. Their actions as insider threats resulted in irreparable damages to their former employer, which has since filed a lawsuit against the four attorneys and the paralegal<\/a>.<\/p>\n\n\n\n The National Institute of Standards and Technology (NIST)<\/a> defines insider threats as:<\/p>\n\n\n\n \u201cThe threat that an insider will use her\/his authorized access, wittingly or unwittingly, to do harm to the security of organizational operations and assets, individuals, other organizations, and the Nation. This threat can include damage through espionage, terrorism, unauthorized disclosure of national security information, or through the loss or degradation of organizational resources or capabilities.\u201d<\/em><\/p>\n<\/blockquote>\n\n\n\n As it turns out, these legal professionals, who were trusted to operate internal systems (seemingly with little to no oversight), were wolves in sheep\u2019s clothing. They were joining a rival law firm in Delaware (Armstrong Teasdale)<\/a> and, it appears, wanted to take Elliott Greenleaf\u2019s info with them.<\/p>\n\n\n\n Unfortunately, this isn\u2019t an uncommon scenario; Code42\u2019s research<\/a> shows that there\u2019s a one in three chance an organization will lose intellectual property when one of its employees quits. <\/em><\/p>\n\n\n\n Let\u2019s quickly break down what occurred that enabled these insiders to wreak havoc based on information shared by Digital Guardian and WestLaw:<\/p>\n\n\n\n Unfortunately, the Elliott Greenleaf law firmed learned a valuable lesson the hard way: This catastrophe likely could have been prevented (or identifier earlier) if Elliott Greenleaf had adopted a zero trust approach. With zero trust:<\/p>\n\n\n\n It\u2019s our hope that you that you keep this story in mind and recognize that the threat from within your organization can be as, if not more, dangerous than outside attackers. Although the damage caused by this insider breach is irreversible, future attacks of this nature can be prevented through by adopting a zero trust posture.<\/p>\n\n\n\n Now, we\u2019re not going to get into the nitty-gritty of how to actually implement zero trust. There\u2019s far too much information that would need to be covered that it would, basically, entail creating a whole other article. However, NIST (SP 800-207) and the DoD (DoD Zero Trust Reference Architecture) provide some guidance for federal agencies on how to build zero trust architectures (from the ground up or migrate their systems to zero trust over time). Some of this information may be useful to your organization as well.<\/p>\n\n\n\n Zero trust isn\u2019t totally new, and it certainly isn\u2019t going anywhere anytime soon. It\u2019s gaining traction over time. Okta reports that 55% of surveyed organizations globally indicate that they have a zero trust initiative in place. A whopping 85% of global 2000 (G2000) companies said they\u2019d allocated \u201cmoderate\u201d or \u201csignificant\u201d year-over-year increases in budgets to fund these initiatives.<\/p>\n\n\n\nWhat Is Zero Trust Security? The Strategy of Trusting Nothing & Verifying Everything<\/a><\/h2>\n\n\n\n
1. Never Trust, Always Verify<\/h3>\n\n\n\n
2. Assume a Hostile Environment or That a Breach Has Occurred<\/h3>\n\n\n\n
3. Verify Explicitly<\/h3>\n\n\n\n
![\"An](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2023\/01\/overview-zero-trust.png\")
There\u2019s No One-Size-Fits-All Approach to Zero Trust<\/h3>\n\n\n\n
Why Zero Trust Matters: Looking Beyond the Surface to Secure Your Digital Assets<\/h2>\n\n\n\n
Zero Trust vs Traditional Trust-Based Environments<\/a><\/h2>\n\n\n\n
![\"A](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2023\/01\/zero-trust-vs-trust-based-network-shadow.png\")
The Seven Pillars of Zero Trust<\/a><\/h2>\n\n\n\n
![\"A](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2023\/01\/zero-trust-pillars.png\")
\n
Access Controls & Access Management Are Critical to Your Organization\u2019s Cyber Defenses<\/a><\/h2>\n\n\n\n
\n
Continuous Authentication Is Integral to Zero Trust<\/a><\/h3>\n\n\n\n
Continuous Authentication Requires Verifiable Digital Identity<\/a><\/h3>\n\n\n\n
\n
Public Key Infrastructure and Zero Trust = The Perfect Combination<\/a><\/h3>\n\n\n\n
Why Zero Trust Is Necessary to Improve Cyber Defenses<\/a><\/h2>\n\n\n\n
Prevents Compromised Credentials and Access Tokens From Being Exploited<\/a><\/h3>\n\n\n\n
Protects Your Brand and Nurtures Customers\u2019 Trust<\/a><\/h3>\n\n\n\n
Helps Mitigate Other Issues<\/a><\/h3>\n\n\n\n
\n
What It Looks Like When You Don\u2019t Adopt Zero Trust and Things Go Wrong<\/a><\/h2>\n\n\n\n
\n
![\"This](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2023\/01\/what-can-happen-without-zero-trust.png\")
Insider Threats in Action: A Real-World Look at the Elliott Greenleaf Breach (2021)<\/h2>\n\n\n\n
What Happened<\/h3>\n\n\n\n
\n
How It Happened<\/h3>\n\n\n\n
\n
The Big Takeaway From the Elliott Greenleaf Law Firm Situation<\/h3>\n\n\n\n
\n
How to Adopt a Zero Trust Strategy<\/a><\/h2>\n\n\n\n
Adopting a Zero Trust Strategy Is One of the Best Ways to Secure Your Organization<\/h2>\n\n\n\n