Zero Trust Architecture: Best Practices for Safer Networks
Learn what a zero trust architecture is and which principles a zero trust model should enforce in order to effectively protect the network from insider threats.
A zero trust architecture enables organizations to prioritize access and restrictions. The goal is to implement a zero trust policy across all traffic, to ensure no user, device, or system can put the network at risk.
Zero trust architectures typically enforce three main principles — there is no such thing as trustworthy users, multifactor authentication (MFA) is a must, and micro-segmentation is critical for enforcing restrictions.
To implement zero trust security, organizations need to adopt information security practices and tools that expand their endpoint visibility and enable control over access and privileges.
In this article, you will learn:
- What is zero trust architecture
- 3 key elements of a zero trust architecture
- How to implement a zero trust architecture
What is zero trust architecture?
Zero trust architectures are constructed on the basis that there is no secure perimeter. Instead, every event and connection is considered untrusted and potentially malicious.
The goal of zero trust architectures is to keep networks protected despite increasingly sophisticated threats and complex perimeters. This is why zero trust architecture is also called zero trust network, or in general — zero trust security.
What is zero trust?
A zero trust model implements data security that prioritizes access and restrictions. This is particularly relevant in today’s business environment, as organizations increasingly need to secure a remote workforce.
In a zero trust architecture, users, devices, and services receive the least possible privileges until proven trustworthy. Sometimes, when implementing zero trust network access, privilege restrictions extend even after authentication and authorization.
In particular, zero trust architectures are designed to reduce the vulnerabilities associated with cloud resources, ephemeral endpoints, dynamic attacks and internet of things (IoT) devices. These architectures are often adopted by organizations with highly sensitive data and systems.
3 Key Elements of a Zero Trust Architecture
When evaluating a zero trust architecture, there are three elements that should be considered. These elements are vital to the successful deployment and construction of zero trust architectures.
1. No false sense of security
In traditional architectures, anything that happens inside the perimeter of a network is considered trusted, on the assumption that any user or activity in the network has already passed authentication and is authorized to be there. This model assumes that perimeter security is flawless and that insiders are never malicious.
To anyone familiar with security, the flaws in this model should be obvious. There are many situations in which users and events inside your perimeter are not to be trusted: for example, an attacker who has entered with compromised credentials, or an insider who abuses privileges or moves laterally through the network. A zero trust architecture makes this understanding explicit and prioritizes protection against insider threats.
2. Multifactor authentication
Multifactor authentication (MFA) is the use of credentials in combination with an additional authenticator. For example, requiring a user to scan their fingerprint or confirm a PIN sent to a mobile device. MFA significantly reduces the chance that attackers are able to use compromised credentials to access your systems and data.
A zero trust architecture implements MFA as a double-check against its own security measures. It uses MFA to ensure that users are who they claim to be and ensures that access and transactions are allowed correctly. MFA also plays a large role in PCI security, which helps organizations protect credit card data in accordance with the PCI standard.
3. Microsegmentation
Microsegmentation is the use of access controls to isolate the various components and services in your system. It allows you to layer security measures, such as firewalls or authorization measures, for greater security. It also lets you restrict access to assets on a granular level, reducing the chance of an attacker taking advantage of lateral weaknesses.
A zero trust architecture leverages microsegmentation to ensure that even users or applications inside a network are properly restricted. It ensures that even if an attacker does enter the network, the amount of damage they can cause is severely limited.
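The three elements above fit together in a single access decision: nothing is trusted by default, a second factor is demanded where the data warrants it, and a segment may only reach the services it has been explicitly granted. The following is an added illustration, not code from the article or from any product it mentions; the segment names, services, and the numeric device confidence scale (0 for an unknown device up to 3 for a hardware-backed identity) are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed microsegmentation policy: every (source segment -> destination
# service) pair is denied unless it is listed here. Default deny, explicit allow.
SEGMENT_ALLOW = {
    ("web-tier", "orders-api"),
    ("orders-api", "orders-db"),
    ("corp-workstations", "intranet-wiki"),
    ("corp-workstations", "orders-api"),
}

# Services whose data is sensitive enough to require a verified second factor.
MFA_REQUIRED = {"orders-db", "orders-api"}

# Minimum device confidence each service accepts (hypothetical scale:
# 0 unknown device, 1 unmanaged, 2 managed software key store, 3 hardware-backed).
MIN_DEVICE_CONFIDENCE = {"orders-db": 3, "orders-api": 2, "intranet-wiki": 1}


@dataclass
class AccessRequest:
    user: str
    source_segment: str
    service: str
    mfa_verified: bool
    device_confidence: int
    authenticated: bool = True


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)


def evaluate(req: AccessRequest) -> Decision:
    """Default-deny evaluation: every check must pass; all failures are reported."""
    reasons = []
    if not req.authenticated:
        reasons.append("not authenticated")
    # Being "inside the network" grants nothing: the segment pair must be allow-listed.
    if (req.source_segment, req.service) not in SEGMENT_ALLOW:
        reasons.append(f"segment {req.source_segment} may not reach {req.service}")
    # Valid credentials alone are not enough for sensitive services.
    if req.service in MFA_REQUIRED and not req.mfa_verified:
        reasons.append("MFA required for this service")
    # Unknown services default to the strictest device requirement.
    if req.device_confidence < MIN_DEVICE_CONFIDENCE.get(req.service, 3):
        reasons.append("device confidence too low")
    return Decision(allowed=not reasons, reasons=reasons)


if __name__ == "__main__":
    # A legitimate employee with MFA on a trusted laptop still cannot reach the
    # database directly: workstations are never allowed to talk to that segment.
    insider = AccessRequest("alice", "corp-workstations", "orders-db", True, 3)
    print(evaluate(insider))
    # The same employee reaching a permitted service without MFA is denied for that reason only.
    print(evaluate(AccessRequest("alice", "corp-workstations", "orders-api", False, 2)))
```

The engine collects every failed check rather than stopping at the first one, which is what you want for audit logs: the denial record then shows whether a request was blocked by segmentation, by a missing factor, by a weak device, or by several at once.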
Microsegmentation and cloud native development often go hand in hand. However, microsegmentation by itself does not cover all of your cloud security needs. It’s important to make the distinction between microsegmentation as a security measure, and cloud security as a whole.
Zero trust: principles for successful implementation
When building a zero trust architecture there are several best practices you can employ. Below are four practices to help you prioritize your efforts, securely validate devices, ensure visibility of your systems, and eliminate false trust.
1. Know your architecture including users, devices, and services
To secure your network and assets, create a full inventory of your users, devices and services. This includes what data and assets each needs to access, what liabilities that access creates, and how access is managed.
In particular, focus on those assets and components that are connected to your network. For example, prioritize servers with internally or externally facing endpoints over tape backups.
It is also important to pay attention to pre-existing configurations and permissions. If you are transitioning from a traditional network model to zero trust you may need to update services and assets to ensure continued functionality.
2. Create a strong device identity
To ensure that only trusted devices are allowed on your network, start by establishing a unique, traceable identity for each. These identities allow you to verify that assets are managed efficiently and to expose untrusted devices. Additionally, the identities you create for devices are necessary to authenticate permissions and access according to the policies you define.
There are several ways to identify devices, depending on the device’s hardware, platform and type. The most reliable method is to store identity information on secure hardware co-processors. This is very difficult to fake and is a high-trust method.
When hardware storage isn’t possible you can use software-based key stores. This method provides a reasonable amount of confidence for well-managed devices. However, it can only give low confidence for poorly-managed or unmanaged devices.
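The practical consequence of the two paragraphs above is that a device must both prove possession of its identity key and be assigned a confidence level that reflects where that key lives. The following added example (not from the article or any product it names) shows a verifier doing exactly that. It is simplified: a symmetric HMAC key and a stored `key_store` attribute stand in for a hardware co-processor signature and real attestation, and the device records and confidence scale are constructed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class DeviceRecord:
    device_id: str
    key: bytes        # identity key; in practice held in the device's key store
    key_store: str    # "hardware" (secure co-processor) or "software"
    managed: bool     # enrolled in device management or not


# Confidence levels in the article's ordering: hardware-backed identity is high
# trust, a software key store on a managed device reasonable, otherwise low.
HIGH, MEDIUM, LOW, UNKNOWN = 3, 2, 1, 0


def confidence(rec: DeviceRecord) -> int:
    """Map where the identity key is stored (and whether the device is managed) to trust."""
    if rec.key_store == "hardware":
        return HIGH
    if rec.key_store == "software" and rec.managed:
        return MEDIUM
    return LOW


def new_challenge() -> bytes:
    """Fresh random challenge so a captured response cannot be replayed."""
    return secrets.token_bytes(32)


def device_respond(rec: DeviceRecord, challenge: bytes) -> bytes:
    """Device side: prove possession of the identity key (HMAC stands in for a signature)."""
    return hmac.new(rec.key, challenge, hashlib.sha256).digest()


def verify_device(registry: dict, device_id: str, challenge: bytes, response: bytes):
    """Verifier side: returns (authenticated, confidence). Unknown or failed -> (False, UNKNOWN)."""
    rec = registry.get(device_id)
    if rec is None:
        return False, UNKNOWN
    expected = hmac.new(rec.key, challenge, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, response):   # constant-time comparison
        return False, UNKNOWN
    return True, confidence(rec)


# Constructed registry of enrolled devices.
REGISTRY = {
    "lt-0142": DeviceRecord("lt-0142", b"\x01" * 32, "hardware", True),
    "byod-77": DeviceRecord("byod-77", b"\x02" * 32, "software", False),
}


def demo():
    results = {}
    for device_id, rec in REGISTRY.items():
        ch = new_challenge()
        results[device_id] = verify_device(REGISTRY, device_id, ch, device_respond(rec, ch))
    # A device presenting the right ID but the wrong key is not authenticated at all.
    ch = new_challenge()
    forged = hmac.new(b"\xff" * 32, ch, hashlib.sha256).digest()
    results["forged"] = verify_device(REGISTRY, "lt-0142", ch, forged)
    return results


if __name__ == "__main__":
    print(demo())
```

The confidence value is what a policy engine consumes downstream: a successful proof from an unmanaged software key store is still a successful proof, but it should not unlock the same services as a hardware-backed identity.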
3. Focus your monitoring on devices and services
Comprehensive and continuous monitoring helps ensure that even if your security measures fail, you are able to detect and stop attacks. In particular, focus on monitoring how devices and services are interacting. For example, what is being requested, what processes are performed, and what data is accessed.
When monitoring, keep in mind that each device needs to be evaluated individually. This does not mean that you should not correlate data across your devices. It does, however, mean that you can’t rely on traffic choke points to catch suspicious events. Rather, evaluate device data in context of the events occurring on your network to ensure that the traffic matches your defined security policies.
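To make the last two paragraphs concrete, the following added example (not from the article or any product it names) learns a per-device baseline of which service and action each device performs, then judges new events device by device: first against the defined policy, then against that device's own history. The log format, device names, policy and log lines are all constructed for the example; a real deployment would feed the same logic from its own telemetry.

```python
import re
from collections import defaultdict

# Constructed log format: one event per line, key=value fields.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) device=(?P<device>\S+) user=(?P<user>\S+) "
    r"service=(?P<service>\S+) action=(?P<action>\S+)$"
)

# Constructed "known good" window used to learn each device's baseline.
BASELINE_LOGS = """\
2024-05-01T09:00:01Z device=lt-0142 user=alice service=intranet-wiki action=read
2024-05-01T09:05:12Z device=lt-0142 user=alice service=orders-api action=read
2024-05-01T09:06:40Z device=srv-web-01 user=svc-web service=orders-api action=read
2024-05-01T09:06:41Z device=srv-web-01 user=svc-web service=orders-api action=write
""".splitlines()

# Constructed new activity to evaluate. Note that none of it has to pass a
# network choke point for the detector to see it: each device reports itself.
NEW_LOGS = """\
2024-05-02T10:00:00Z device=lt-0142 user=alice service=orders-api action=read
2024-05-02T10:00:09Z device=lt-0142 user=alice service=orders-db action=export
2024-05-02T10:01:00Z device=srv-web-01 user=svc-web service=orders-db action=read
2024-05-02T10:02:00Z device=lt-0999 user=alice service=orders-api action=read
2024-05-02T10:03:00Z device=srv-web-01 user=svc-web service=orders-api action=delete
""".splitlines()

# Hypothetical policy: the services each registered device is permitted to reach.
POLICY = {
    "lt-0142": {"intranet-wiki", "orders-api"},
    "srv-web-01": {"orders-api"},
}


def parse(line: str):
    """Return the event fields as a dict, or None for a malformed line."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def learn_baseline(lines):
    """Per device, the set of (service, action) pairs observed in the learning window."""
    baseline = defaultdict(set)
    for line in lines:
        ev = parse(line)
        if ev:
            baseline[ev["device"]].add((ev["service"], ev["action"]))
    return baseline


def detect(lines, baseline, policy):
    """Evaluate each event for its own device: policy first, then deviation from history."""
    findings = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        dev, svc, act = ev["device"], ev["service"], ev["action"]
        if dev not in policy:
            findings.append((dev, f"unregistered device reached {svc}"))
        elif svc not in policy[dev]:
            findings.append((dev, f"policy violation: {svc} not permitted"))
        elif (svc, act) not in baseline.get(dev, set()):
            findings.append((dev, f"new behaviour: {act} on {svc}"))
    return findings


if __name__ == "__main__":
    for device, finding in detect(NEW_LOGS, learn_baseline(BASELINE_LOGS), POLICY):
        print(f"{device}: {finding}")
```

The ordering matters: a policy violation is reported as such even if the device has done it before, while a permitted service reached with a never-before-seen action is reported as a behavioural change worth a look rather than a breach. Correlating these per-device findings across devices (the same user appearing on an unregistered device, for instance) is the next step the article describes, and it builds on this per-device view rather than replacing it.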
4. Don’t trust the network, including the local network
Remember that zero trust means zero. This includes your local network. You should not be relying on your network itself to protect communications.
Instead, build trust into the devices and services operating within your network, for example by enforcing encryption protocols such as TLS. If you rely on local networks to be secure, you are potentially opening your connections to attacks such as DNS spoofing, man in the middle (MitM) attacks, or unsolicited inbound connections.
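"Don't trust the local network" is mostly a matter of refusing the shortcuts that internal connections invite. The following added example (not from the article or any product it names) uses Python's standard `ssl` module to show a client context that verifies an internal service exactly as it would an internet host, the weakened context that "it's only the LAN" reasoning tends to produce, and a small audit function that reports which protections a context lacks. The function and context names are this example's own.

```python
import ssl


def internal_client_context() -> ssl.SSLContext:
    """Client context for internal services: full verification, TLS 1.2 or newer."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED and hostname checking enabled
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def trusting_context() -> ssl.SSLContext:
    """Constructed anti-example: what trusting the local network looks like in code."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE   # any certificate is accepted, including a MitM's
    return ctx


def tls_weaknesses(ctx: ssl.SSLContext) -> list:
    """Return the protections a client context is missing (empty list means none found)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not required")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    # TLSVersion is an IntEnum; MINIMUM_SUPPORTED sorts below TLSv1_2 and is flagged too.
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS below 1.2 accepted")
    return findings


if __name__ == "__main__":
    print("hardened:", tls_weaknesses(internal_client_context()))
    print("trusting:", tls_weaknesses(trusting_context()))
```

Without certificate verification and hostname checking, a spoofed DNS answer or an on-path attacker can terminate the "encrypted" connection themselves; encryption alone does not establish whom you are talking to. Auditing contexts this way (or the equivalent settings in whatever TLS library a service uses) is a cheap check to run in CI for every internal client.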
Zero Trust Architecture With Exabeam
To understand individual devices across the network, you can leverage user and entity behavior analytics (UEBA) tools. To be effective, UEBA tools must tie individual behavior back to an individual user. These tools can not only put device data in the context of your defined security policies, but also establish a behavioral baseline for normal activity.
Zero trust architecture and UEBA work together to emphasize that abnormal behavior may indicate a threat is present, even if permissions and credentials appear legitimate.
Exabeam is a smart SIEM platform that is easy to implement and use. Exabeam comes with built-in zero trust capabilities. In particular, Exabeam’s user and entity behavior analytics (UEBA) features can help with the following objectives:
- Incident detection that does not rely on rules or signatures—Exabeam identifies abnormal and risky activity without predefined correlation rules or threat patterns and provides meaningful alerts with lower false positives.
- Security incident timelines—Exabeam stitches sessions together to create a complete timeline for a security incident, spanning users, IP addresses and IT systems.
- Peer groupings—Exabeam dynamically groups similar entities, such as users who have the same organizational role, to analyze normal behavior across the group and detect unusual behavior.
- Lateral movement—attackers who penetrate a system move through the network, gaining access to more and more systems using different IP addresses and credentials. Exabeam combines data from multiple sources to uncover an attacker’s journey through the network.
Learn more about the Exabeam Security Management Platform, an integrated SIEM, UEBA and SOAR platform.