The Five Pillars of a Zero-Trust Security Strategy

It’s no coincidence that cyber attacks are increasing at the same time organizations have become more reliant on mobile, remote and cloud computing models. The continued migration of data, applications and services beyond the network perimeter enables new operational efficiencies, but also creates new targets for malicious actors.

That’s why more organizations are adopting a zero-trust model for network security. Unlike the traditional “trust, but verify” approach, zero trust encourages a “never trust; always verify” style. It is a system-wide cybersecurity strategy that assumes every user and device accessing the network is a threat until their identity has been validated.

According to the federal government’s Cybersecurity and Infrastructure Security Agency (CISA), a zero-trust architecture is built on the following five pillars:

Identity. Traditionally, network access has been granted through the use of passwords, but that is no longer sufficient. It’s estimated that four of every five data breaches result from compromised credentials. Recommendations include using identity and access management (IAM) and privileged access management (PAM) solutions that bundle user provisioning, password management, strong authentication, single sign-on and other technologies into comprehensive platforms. A zero-trust environment also enforces least-privilege access principles that ensure users are limited to only the data and systems access necessary for their jobs.

Devices. Organizations should develop a complete inventory of every device they own, support or authorize, and use asset management solutions to continually monitor and validate device security. Administrators need to ensure that every device accessing the network has the latest operating system and application patches and is compliant with security policies.

Networks. Organizations should segment networks to gain more control over access. Segmentation limits risk by breaking up the network into smaller, isolated parts, preventing malware from propagating and attackers from moving laterally through the network. Additionally, organizations should consider using automated threat detection solutions that use machine learning and advanced analytics to actively hunt for threats and disrupt them before an attack.

Applications. Organizations should treat all applications and interfaces as if they are connected to the Internet and exposed to outside risk. Like users and devices, all applications should be authenticated before being allowed any data access, and all access should be based on least-privilege access principles. All apps should be inventoried and cataloged, and they should be scanned regularly to find and fix any vulnerabilities. Security testing should also be integrated into the application development and deployment process. In addition, organizations must improve the security of the application programming interfaces (APIs) used for accessing growing numbers of web and mobile apps. Because APIs expose application logic and sensitive data, they have become enticing targets for hackers. Organizations should regularly test APIs to identify vulnerabilities and address them using security best practices.

Data. With increased reliance upon mobile, remote and cloud computing, critical data can be widely dispersed across a variety of networks, devices and applications. The average organization has data stored in more than a dozen different repositories, not including informal repositories such as email, collaboration portals, messaging services and personal devices. To protect all that data, organizations should first identify, categorize and inventory their data assets, establish least-privilege access controls, and encrypt all data at rest or in transit. Once data has been categorized, organizations can prioritize data protections for their most critical data assets. The most sensitive data will require strong security measures such as multifactor authentication, risk-based/adaptive security and granular password management.
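As an added illustration (not from the original article or from CISA), the following default-deny policy check evaluates a single access request against all five pillars and reports every failing control; the device inventory, data classification table and segment/scope mappings are constructed sample data:

```python
from dataclasses import dataclass

# Constructed sample tables a policy engine would consult (hypothetical values).
DEVICE_INVENTORY = {                      # Devices pillar: managed assets
    "lt-0421": {"os_patch_level": "2024-05", "compliant": True},
    "byod-77": {"os_patch_level": "2023-11", "compliant": False},
}
MIN_PATCH_LEVEL = "2024-04"               # YYYY-MM strings compare in order
DATA_CLASSIFICATION = {"payroll-db": "sensitive", "cafeteria-menu": "public"}
APP_SEGMENTS = {"hr-portal": {"corp-users", "vpn"}}   # Networks: allowed sources
APP_DATA_SCOPES = {"hr-portal": {"payroll-db"}}       # Applications: least privilege

@dataclass
class AccessRequest:
    user: str
    authenticated: bool
    mfa_verified: bool
    role_permissions: set[str]   # data assets the user's role may touch
    device_id: str
    source_segment: str
    app: str
    app_authenticated: bool
    data_asset: str

def evaluate(req: AccessRequest) -> tuple[bool, list[str]]:
    """Never trust, always verify: access is granted only if no pillar objects."""
    reasons: list[str] = []
    # Identity: validated identity plus least privilege for the user
    if not req.authenticated:
        reasons.append("identity: user not authenticated")
    if req.data_asset not in req.role_permissions:
        reasons.append("identity: role lacks permission for data asset")
    # Devices: inventoried, patched to the minimum level and policy-compliant
    dev = DEVICE_INVENTORY.get(req.device_id)
    if dev is None:
        reasons.append("device: not in inventory")
    elif dev["os_patch_level"] < MIN_PATCH_LEVEL or not dev["compliant"]:
        reasons.append("device: out of date or non-compliant")
    # Networks: the app is reachable only from its permitted segments
    if req.source_segment not in APP_SEGMENTS.get(req.app, set()):
        reasons.append("network: segment not allowed to reach app")
    # Applications: the app itself is authenticated and scoped to the data
    if not req.app_authenticated:
        reasons.append("application: app not authenticated")
    if req.data_asset not in APP_DATA_SCOPES.get(req.app, set()):
        reasons.append("application: app not scoped to data asset")
    # Data: classification drives extra controls; sensitive data requires MFA
    cls = DATA_CLASSIFICATION.get(req.data_asset)
    if cls is None:
        reasons.append("data: asset not classified or inventoried")
    elif cls == "sensitive" and not req.mfa_verified:
        reasons.append("data: sensitive asset requires MFA")
    return (not reasons, reasons)
```

Logging the full reasons list rather than just the verdict gives the SOC the per-pillar evidence behind each denial.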