Zero Trust – Verify Then Trust?


Today’s workforce is more distributed than ever before. With remote work increasing every day, the need to secure your network infrastructure beyond the four walls of your corporate headquarters continues to evolve, and this has sparked a shift in the security paradigm. The security perimeter no longer has boundaries: growing risks such as remote employees, sketchy public Wi-Fi, and bring-your-own-device initiatives have security professionals working overtime to keep up! A wider attack surface and threat landscape has made the job of protecting your business more difficult, but implementing a Zero Trust security model is one way to mitigate these risks. Most of us have heard the phrase “trust but verify”; when it comes to the Zero Trust security model, however, the mantra is “never trust, always verify”. A Zero Trust model is exactly that: no device or user is trusted implicitly, no matter where it is located.

Zero Trust Architecture (ZTA) should include: standardizing on one authentication method via single sign-on (SSO), using multifactor authentication (MFA) to prove identity, implementing adaptive security solutions, microsegmentation with access control lists, and continually monitoring endpoints for anomalies or indicators of compromise. Legacy VPNs are no longer the standard. With end users directly accessing cloud applications (SaaS), visibility into those environments and the ability to apply policy to them are critical to your organization’s security posture. Once implemented, ZTA policies dynamically adapt to isolate compromised devices, improving overall security and the response to cyber security threats.

When implementing Zero Trust Architecture, consider these tenets as outlined by NIST in publication SP 800-207:

  1. All data sources and computing services are considered resources.
  2. All communication is secured regardless of network location.
  3. Access to individual enterprise resources is granted on a per-session basis.
  4. Access to resources is determined by dynamic policy – including the observable state of client identity, application/service, and the requesting asset – and may include other behavioral and environmental attributes.
  5. The enterprise monitors and measures the integrity and security posture of all owned and associated assets.
  6. All resource authentication and authorization are dynamic and strictly enforced before access is allowed.
  7. The enterprise collects as much information as possible about the current state of assets, network infrastructure and communications and uses it to improve its security posture.
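To make the tenets concrete, here is a small policy decision point written for this article as an added example (it is not code from NIST SP 800-207 or from any product). It assumes a hypothetical resource catalogue (`hr-payroll`, `wiki`), a constructed set of users and devices, and a simple device-posture model (managed, patched, compromised); real deployments would source these attributes from an identity provider and an endpoint management system. The engine denies by default, ignores network location when deciding (a request from the corporate LAN gets no more trust than one from public Wi-Fi), requires MFA and acceptable posture before every grant, issues short-lived per-session grants, and tears down every session for a device the moment telemetry flags it as compromised.

```python
"""Toy Zero Trust policy decision point (added example, not from the original page).

Maps to the SP 800-207 tenets: default deny for anything not catalogued (1),
location-independent decisions (2), per-session grants (3), dynamic policy on
identity + device posture (4, 6), and isolation driven by posture telemetry (5, 7).
"""
from dataclasses import dataclass
from typing import Callable, Dict, Set, Tuple
import time


@dataclass
class Device:
    device_id: str
    managed: bool          # enrolled in endpoint management
    patched: bool          # posture check passed
    compromised: bool = False


@dataclass
class Request:
    user: str
    mfa_verified: bool     # identity proven by SSO + MFA
    device: Device
    resource: str
    network: str           # "corp", "home", "public-wifi": logged, never trusted


@dataclass
class Session:
    issued_at: float
    ttl_seconds: int


class PolicyEngine:
    """Evaluates each access request against dynamic policy; grants are per-session."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self.now = now
        self.sessions: Dict[Tuple[str, str, str], Session] = {}
        self.quarantined: Set[str] = set()
        # Hypothetical resource catalogue: posture requirements per resource.
        self.resource_policy = {
            "hr-payroll": {"require_managed": True, "require_patched": True},
            "wiki": {"require_managed": False, "require_patched": False},
        }

    def decide(self, req: Request) -> Tuple[bool, str]:
        # Tenet 6: authentication and authorization are enforced before every grant.
        if not req.mfa_verified:
            return False, "mfa_required"
        # Tenets 5/7: posture telemetry feeds the decision; a compromised device is isolated.
        if req.device.compromised or req.device.device_id in self.quarantined:
            self.report_compromise(req.device.device_id)
            return False, "device_quarantined"
        # Tenet 1: every resource is catalogued; unknown resources are denied by default.
        policy = self.resource_policy.get(req.resource)
        if policy is None:
            return False, "unknown_resource"
        # Tenet 4: decision depends on the requesting asset's observable state,
        # not on req.network (tenet 2: location confers no trust).
        if policy["require_managed"] and not req.device.managed:
            return False, "unmanaged_device"
        if policy["require_patched"] and not req.device.patched:
            return False, "posture_failed"
        # Tenet 3: a short-lived grant scoped to this user, device and resource only.
        key = (req.user, req.device.device_id, req.resource)
        self.sessions[key] = Session(issued_at=self.now(), ttl_seconds=300)
        return True, "granted"

    def is_session_valid(self, user: str, device_id: str, resource: str) -> bool:
        sess = self.sessions.get((user, device_id, resource))
        if sess is None or device_id in self.quarantined:
            return False
        return self.now() - sess.issued_at < sess.ttl_seconds

    def report_compromise(self, device_id: str) -> None:
        """Called by monitoring: quarantine the device and revoke all of its sessions."""
        self.quarantined.add(device_id)
        self.sessions = {k: v for k, v in self.sessions.items() if k[1] != device_id}


def demo() -> Dict[str, object]:
    """Walk constructed requests through the engine with a controllable clock."""
    clock = [1_000_000.0]
    engine = PolicyEngine(now=lambda: clock[0])
    laptop = Device("lap-01", managed=True, patched=True)
    byod = Device("phone-07", managed=False, patched=True)
    out: Dict[str, object] = {}
    out["corp_no_mfa"] = engine.decide(Request("alice", False, laptop, "hr-payroll", "corp"))
    out["public_wifi_ok"] = engine.decide(Request("alice", True, laptop, "hr-payroll", "public-wifi"))
    out["byod_payroll"] = engine.decide(Request("bob", True, byod, "hr-payroll", "home"))
    out["byod_wiki"] = engine.decide(Request("bob", True, byod, "wiki", "home"))
    out["session_valid"] = engine.is_session_valid("alice", "lap-01", "hr-payroll")
    clock[0] += 600                      # past the 300 s TTL: grant must be re-earned
    out["session_expired"] = engine.is_session_valid("alice", "lap-01", "hr-payroll")
    out["regrant"] = engine.decide(Request("alice", True, laptop, "hr-payroll", "corp"))
    engine.report_compromise("lap-01")   # endpoint monitoring flags the laptop
    out["after_compromise_session"] = engine.is_session_valid("alice", "lap-01", "hr-payroll")
    out["after_compromise_decide"] = engine.decide(Request("alice", True, laptop, "hr-payroll", "corp"))
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:26} {result}")
```

The demo shows the two behaviours that distinguish Zero Trust from a perimeter model: the same managed, MFA-verified laptop is granted payroll access from public Wi-Fi and denied it from the corporate network when MFA is missing, and a compromise report from monitoring revokes the live session immediately rather than waiting for it to expire.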

For more information on Zero Trust Architecture, read the entire NIST SP 800-207 publication at nist.gov. Need help implementing your Zero Trust strategy? Weidenhammer can help.