What is Zero Trust?
Zero Trust is a cybersecurity concept that says organizations should not
automatically trust any user, device, or network, even if they are
inside the network perimeter. Instead, every request for access to a
resource should be explicitly verified and granted only on the principle
of least privilege.
The idea behind Zero Trust is that traditional network security models,
which rely on perimeter defenses to keep out external threats, are no
longer sufficient in today's connected world. With the proliferation of
mobile devices and cloud services, it is increasingly difficult to
define a clear perimeter, and an attacker who gets past it (or who
already holds an insider's credentials) can move through an
organization's networks and systems with little resistance.
By adopting a Zero Trust approach, organizations can better protect
themselves against these types of attacks. Instead of relying on
perimeter defenses, they implement granular access controls based on who
is making the request, which resource they are trying to reach, and what
action they are trying to perform. This helps prevent unauthorized
access and reduces the risk (and the blast radius) of a security breach.
With all of the huff and puff around Zero Trust, it is frustrating when
vendors claim that their product is a Zero Trust "solution." For
example, in a post this morning, a connection of mine shared some of the
technical solutions that help achieve a Zero Trust approach but skipped
the first steps of the Zero Trust design principles.
According to John Kindervag's Zero Trust design principles, you start with the following five steps, in this order:
* Define the protect surface (you need to work with the business to understand the critical data, applications, assets, and services that must be protected)
-> There will be more than one protect surface, and potentially more than one protect surface for a given business application.
* Map the transaction flows (understand the business processes, how traffic flows between users, systems, and each protect surface, and how those flows can best be designed given any constraints)
-> Look at what needs to be protected, who needs access, when they need access, and why they need access.
* Architect a Zero Trust environment (combine the protect surface and the transaction flows into an environment that grants zero open access to people or systems that do not need it, so nothing reaches the protect surface except through a mapped flow)
* Create Zero Trust policies (the formal design, governance, playbooks, incident response, etc., which determine how the systems are built and who is allowed to do what)
* Monitor and maintain (ensure that the Zero Trust policies are managed, enforced, and continue to function as designed; if they do not, the process for that protect surface should be re-designed)
As you can see, Zero Trust is a design strategy that leads to something that can be managed and measured. Adding
tools to the stack will not produce a Zero Trust environment if the
protect surfaces and transaction flows have not been designed with Zero
Trust in mind.
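To make the five steps concrete, here is an added example (my own code, not from Kindervag's material or from the post) that encodes them as data and a default-deny policy check. The protect surfaces, the mapped flows, the request fields (device posture, MFA) and the access log are all constructed for illustration; the point is that the policy engine can only allow what was mapped in step 2, and that step 5 is a comparison of what an enforcement point actually did against what the designed policy says it should have done.

```python
"""Zero Trust design steps as a minimal, default-deny policy engine.

Added example, not part of the original post. All surfaces, flows,
requests and log lines below are constructed for illustration.
"""
from __future__ import annotations
from dataclasses import dataclass

# Step 1: define the protect surface(s). Anything not listed here has
# no policy yet, so requests to it are denied until it is mapped.
PROTECT_SURFACES = {"payroll-db", "customer-pii-bucket"}


# Step 2: map the transaction flows: who, what (surface), how (action),
# when (hour window, UTC) and why (business justification).
@dataclass(frozen=True)
class Flow:
    who: str
    what: str
    action: str
    when: tuple[int, int]   # [start_hour, end_hour)
    why: str


FLOWS = [
    Flow("role:payroll-clerk", "payroll-db", "read", (8, 18), "monthly payroll run"),
    Flow("svc:payroll-batch", "payroll-db", "write", (0, 24), "nightly ledger sync"),
    Flow("role:support-analyst", "customer-pii-bucket", "read", (6, 22), "ticket handling"),
]


@dataclass(frozen=True)
class Request:
    principal: str
    resource: str
    action: str
    hour: int
    device_compliant: bool   # constructed posture signal
    mfa: bool                # constructed identity signal


# Steps 3 and 4: the architecture gives zero open access; the policy
# allows a request only when it is verified AND matches a mapped flow.
def evaluate(req: Request, flows=FLOWS, surfaces=PROTECT_SURFACES) -> tuple[bool, str]:
    if req.resource not in surfaces:
        return False, "resource is not a defined protect surface; map it first"
    if not (req.device_compliant and req.mfa):
        return False, "request not verified (device posture or MFA missing)"
    for f in flows:
        if (f.who, f.what, f.action) == (req.principal, req.resource, req.action):
            start, end = f.when
            if start <= req.hour < end:
                return True, f"allowed by mapped flow: {f.why}"
            return False, f"outside the time window of flow '{f.why}'"
    return False, "no mapped transaction flow: default deny"


# Step 5: monitor and maintain. Constructed access log: what the
# enforcement point actually decided. Any disagreement with the
# designed policy is drift that must be fixed or re-designed.
ACCESS_LOG = [
    # (principal, resource, action, hour, device_ok, mfa, enforced_decision)
    ("role:payroll-clerk", "payroll-db", "read", 10, True, True, "allow"),
    ("role:payroll-clerk", "payroll-db", "read", 23, True, True, "allow"),   # outside window
    ("role:intern", "payroll-db", "read", 11, True, True, "allow"),          # no flow mapped
    ("svc:payroll-batch", "payroll-db", "write", 2, True, True, "allow"),
    ("role:support-analyst", "customer-pii-bucket", "read", 12, False, True, "deny"),
]


def find_drift(log=ACCESS_LOG) -> list[tuple[str, str, str, str, str]]:
    """Return (principal, resource, action, enforced, policy_reason) for
    every log record where the enforced decision contradicts the policy."""
    drift = []
    for principal, resource, action, hour, dev_ok, mfa, enforced in log:
        allowed, reason = evaluate(Request(principal, resource, action, hour, dev_ok, mfa))
        if ("allow" if allowed else "deny") != enforced:
            drift.append((principal, resource, action, enforced, reason))
    return drift


if __name__ == "__main__":
    for d in find_drift():
        print("DRIFT:", d)
```

The two drift records (a clerk reading payroll data outside the mapped window, and an intern with no mapped flow at all) are exactly the cases a tool-only deployment tends to miss: the product was installed, but nobody defined the protect surface or mapped the flows, so there is nothing for it to enforce against.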
---
Send in a voice message: https://podcasters.spotify.com/pod/show/breakingintocybersecurity/message
Mentioned in this episode:
Thank you to CPF Coaching for Sponsoring