Implementing Zero Trust as a Small Business

The zero trust security model may be the most significant strategic change the industry has seen in years. Over the past two decades, organizations have turned their internal networks into fortresses. They’ve created a barrier around the perimeter of their environments and implemented measures such as firewalls, access controls, and intrusion detection and prevention (IDS/IPS) to protect themselves from the outside world. 

This perimeter-based security model assumes that anything inside an organization’s network is trustworthy. With this mindset, a user within the boundary can traverse the network, accessing or exfiltrating any data they please. We have seen through many breaches and incidents that this is not the best approach to securing an organization’s critical data. 

Through changes such as the introduction of remote work, bring your own device (BYOD), and the growth of cloud-based applications, the internal perimeter of the organization is expanding. This expansion has opened the door to many other threats and vulnerabilities that firewalls and IDS/IPS can’t contain on their own. 

The introduction of a zero trust security model creates an alternative where everything and everyone starts from the same baseline level of risk and must earn access rather than inherit it from a network location. 

What is Zero Trust? 

The concept of zero trust is simple: trust nothing, verify everything. The primary purpose of this security model is to challenge all users and devices to prove that they’re not attackers. 

Zero trust differs from perimeter-based security by assuming there is no traditional network perimeter. The network can be local, in the cloud, or a combination of both, where users can access organizational resources in any location. With this boundary gone, organizations are forced to acknowledge every user and every device attempting to connect to their data and resources. 

This strategic approach requires all users in or outside the organization’s network to be authenticated and authorized continuously. Regardless of the data or device the user is attempting to access, they will be required to re-authenticate and re-validate themselves before being granted access. 

What are the Principles of Zero Trust? 

The following principles should be the key areas organizations focus on when implementing a zero trust security model. 

1. Continuous verification 

2. Least privilege  

3. Continuous monitoring 

Core Principle #1 – Continuous Verification 

This principle focuses on authenticating a user’s entire engagement with a network, service, or device rather than just once at login. This can be done when accessing specific data or requiring a user to authenticate after a certain period during the session. 

Organizations implementing zero trust will have to develop robust policies throughout their network and applications. With the help of technologies likely already on hand, continuous verification can be completed without completely inconveniencing the user. 

Core Principle #2 – Least Privilege 

This principle focuses on limiting user access to just-enough access and just-in-time access. Just-enough access ensures users receive only the permissions required to perform specific job duties. Just-in-time access limits the period during which users hold those privileges, so elevated access expires rather than accumulating. 

Core Principle #3 – Continuous Monitoring 

Without a continuous monitoring practice, zero trust access cannot be achieved. Under this principle, every access request and its outcome is recorded and reviewed, and access is continually re-verified through re-authentication and re-validation so that a decision made once is never silently reused.
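The three principles above are easiest to see as a single access decision. The following is an added illustrative example, not code from the original post or from GSec LLC: a small policy decision point that re-checks session age and device posture on every request (continuous verification), requires an explicit, time-bounded grant covering the exact resource and action (just-enough and just-in-time access), and writes every decision to an audit trail (continuous monitoring). The time limits, resource names, and the idea that an endpoint agent supplies the device posture result are assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Policy knobs (constructed values for this example, not from the post)
REAUTH_AFTER = timedelta(minutes=30)   # full re-authentication after this much session age
STEP_UP_AFTER = timedelta(minutes=5)   # sensitive resources need an MFA proof this fresh
SENSITIVE = {"payroll-db"}             # resources that require step-up MFA (assumed)


@dataclass
class Session:
    user: str
    last_auth: datetime        # when the user last fully authenticated
    last_mfa: datetime         # when the user last passed an MFA challenge
    device_compliant: bool     # posture result, assumed to come from an endpoint agent


@dataclass
class Grant:
    user: str
    resource: str
    actions: frozenset         # just-enough access: only the actions the role needs
    expires: datetime          # just-in-time access: the grant lapses by itself


@dataclass
class Decision:
    allowed: bool
    reason: str


def evaluate(session, grants, resource, action, now, audit):
    """Decide one request; every outcome is appended to `audit` (continuous monitoring)."""
    def decide(allowed, reason):
        audit.append({"user": session.user, "resource": resource, "action": action,
                      "time": now.isoformat(), "allowed": allowed, "reason": reason})
        return Decision(allowed, reason)

    # Continuous verification: device and session are proven on every request, not assumed.
    if not session.device_compliant:
        return decide(False, "device failed posture check")
    if now - session.last_auth > REAUTH_AFTER:
        return decide(False, "session too old, re-authentication required")
    if resource in SENSITIVE and now - session.last_mfa > STEP_UP_AFTER:
        return decide(False, "step-up MFA required for sensitive resource")

    # Least privilege: an explicit, unexpired grant must cover this exact resource and action.
    for g in grants:
        if g.user == session.user and g.resource == resource and now < g.expires:
            if action in g.actions:
                return decide(True, "active grant covers request")
            return decide(False, f"grant does not include action '{action}'")
    return decide(False, "no active grant for resource")


def run_scenarios():
    """Constructed scenarios; returns (name -> Decision, audit trail)."""
    now = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)

    def m(n):
        return timedelta(minutes=n)

    grants = [
        Grant("alice", "crm", frozenset({"read"}), now + timedelta(hours=8)),
        Grant("alice", "payroll-db", frozenset({"read"}), now + timedelta(hours=1)),
    ]
    fresh = Session("alice", now - m(2), now - m(2), True)
    stale_mfa = Session("alice", now - m(2), now - m(20), True)
    stale_auth = Session("alice", now - m(45), now - m(2), True)
    bad_device = Session("alice", now - m(2), now - m(2), False)
    later = now + timedelta(hours=9)            # after the 8-hour CRM grant has lapsed
    fresh_later = Session("alice", later - m(1), later - m(1), True)

    audit = []
    results = {
        "crm_read": evaluate(fresh, grants, "crm", "read", now, audit),
        "crm_write": evaluate(fresh, grants, "crm", "write", now, audit),
        "payroll_fresh_mfa": evaluate(fresh, grants, "payroll-db", "read", now, audit),
        "payroll_stale_mfa": evaluate(stale_mfa, grants, "payroll-db", "read", now, audit),
        "stale_session": evaluate(stale_auth, grants, "crm", "read", now, audit),
        "bad_device": evaluate(bad_device, grants, "crm", "read", now, audit),
        "expired_grant": evaluate(fresh_later, grants, "crm", "read", later, audit),
    }
    return results, audit


if __name__ == "__main__":
    results, audit = run_scenarios()
    for name, d in results.items():
        print(f"{name:18} {'ALLOW' if d.allowed else 'DENY':5} {d.reason}")
    print(f"{len(audit)} decisions recorded in the audit trail")
```

The point of the structure is that a "yes" yesterday buys nothing today: the same user on the same device is denied the moment the session ages out, the MFA proof goes stale, the posture check fails, or the grant expires, and each of those denials is itself a monitoring event worth reviewing.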

How to Implement Zero Trust 

As stated before, implementing a zero trust security strategy begins with a mindset change. Aside from that, an organization can take these steps to establish zero trust across its network. 

1. Identify all aspects of your network 

This step is crucial in discovering the scope of your network. It should include items such as: 

  • Servers 

  • Switches 

  • Routers 

  • Firewalls 

  • DMZ 

  • Wireless access points 

  • Virtual networks 

  • Computers 

  • Printers 

  • Security cameras 

Once the scope of your network is defined, you will be able to have a complete picture of what can be accessed by your users and what needs to be protected. 

2. Identify all applications and services used 

In addition to physical assets, logical assets should be identified. This will include installed software and cloud applications such as: 

  • Antivirus/antimalware software 

  • Cloud storage such as Dropbox and G Drive 

  • Work suite software such as Microsoft 365 and G Suite 

  • Meeting/collaboration software such as Slack, Zoom, and FaceTime 

  • Project management software such as Trello, Basecamp, and Asana 

  • VPNs 

  • Virtual firewalls 

3. Identify all personnel who access your network, data, and assets 

All employees, contractors, executives, and freelancers should be listed and categorized based on the access they receive. This can be broken down by essential job functions and levels of authorization. 

4. Establish a network baseline 

A network baseline captures the normal day-to-day behavior of the standard processes on your network. This gives your security team and tooling a reference point to draw inferences from, so that deviations stand out. 

Some examples to capture would be the flows of traffic, who accesses the network and when the network is typically accessed, and what kind of data enters and leaves the network. 

5. Develop your security policies 

Once your network scope is identified, applications are accounted for, and personnel are categorized, the next step is to develop the policies that will govern your zero trust architecture. This will include policies that focus on the following: 

  • Who is authorized to access what and when 

  • What authentication is required to access those assets 

  • What is authorized to enter or leave your infrastructure 

  • How assets, applications, and data can be used 

  • What behaviors to look out for 

  • How to enforce the rules and policies created 

6. Monitor and update your infrastructure as needed 

Security is not a set-it-and-forget-it exercise. As new issues and concerns arise, fine-tuning may be required to keep your network as secure as possible. 
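Steps 4 through 6 (establish a baseline, write policies on what to look out for, then keep monitoring) can be tried on a handful of log lines. The following is an added example, not code from the original post or from GSec LLC. It builds a per-user baseline of which resources are accessed, from which source addresses, at what hours, and how much data leaves, from a constructed week of access records, then checks later constructed events against it. The log format (time, user, source IP, resource, bytes out), the one-hour padding around observed hours, and the 3x egress threshold are all assumptions chosen for the example; a real deployment would tune these against its own baseline period.

```python
from datetime import datetime

# Constructed baseline-period access records (not from the post).
# Format: time,user,src_ip,resource,bytes_out
BASELINE_LOG = """\
2024-02-05T08:55:00,alice,10.0.1.20,crm,120000
2024-02-05T09:40:00,alice,10.0.1.20,fileshare,850000
2024-02-06T09:05:00,alice,10.0.1.20,crm,98000
2024-02-06T16:30:00,alice,10.0.1.20,fileshare,910000
2024-02-07T10:15:00,alice,10.0.1.20,crm,130000
2024-02-05T07:50:00,bob,10.0.1.31,fileshare,400000
2024-02-06T08:10:00,bob,10.0.1.31,fileshare,380000
2024-02-07T08:30:00,bob,10.0.1.31,printer,5000
"""

# Constructed later events to evaluate against that baseline.
NEW_EVENTS = """\
2024-02-12T09:10:00,alice,10.0.1.20,crm,110000
2024-02-12T02:40:00,alice,10.0.1.20,fileshare,880000
2024-02-12T11:00:00,alice,10.0.1.20,payroll-db,40000
2024-02-12T09:20:00,bob,10.0.1.31,fileshare,6200000
2024-02-12T09:25:00,bob,203.0.113.9,fileshare,390000
"""

HOUR_PADDING = 1      # assumed: tolerate activity one hour either side of the observed range
EGRESS_FACTOR = 3     # assumed: flag egress above 3x the largest baseline transfer


def parse(log):
    """Parse the simple CSV-style records above into dicts."""
    events = []
    for line in log.strip().splitlines():
        ts, user, src, resource, nbytes = line.split(",")
        events.append({"time": datetime.fromisoformat(ts), "user": user, "src": src,
                       "resource": resource, "bytes": int(nbytes)})
    return events


def build_baseline(events):
    """Per user: resources touched, source addresses, active-hour window, and largest egress."""
    base = {}
    for e in events:
        b = base.setdefault(e["user"], {"resources": set(), "sources": set(),
                                        "hours": [], "max_bytes": 0})
        b["resources"].add(e["resource"])
        b["sources"].add(e["src"])
        b["hours"].append(e["time"].hour)
        b["max_bytes"] = max(b["max_bytes"], e["bytes"])
    for b in base.values():
        b["window"] = (min(b["hours"]) - HOUR_PADDING, max(b["hours"]) + HOUR_PADDING)
    return base


def detect(events, baseline):
    """Return one finding per deviation from the user's own baseline."""
    findings = []
    for e in events:
        b = baseline.get(e["user"])
        if b is None:
            findings.append({"user": e["user"], "kind": "unknown_user", "detail": "no baseline"})
            continue
        if e["resource"] not in b["resources"]:
            findings.append({"user": e["user"], "kind": "new_resource", "detail": e["resource"]})
        if e["src"] not in b["sources"]:
            findings.append({"user": e["user"], "kind": "new_source", "detail": e["src"]})
        lo, hi = b["window"]
        if not lo <= e["time"].hour <= hi:
            findings.append({"user": e["user"], "kind": "off_hours",
                             "detail": e["time"].strftime("%H:%M")})
        if e["bytes"] > EGRESS_FACTOR * b["max_bytes"]:
            findings.append({"user": e["user"], "kind": "egress_spike",
                             "detail": f"{e['bytes']} bytes vs baseline max {b['max_bytes']}"})
    return findings


def run():
    """Build the baseline from the constructed week and evaluate the later events."""
    return detect(parse(NEW_EVENTS), build_baseline(parse(BASELINE_LOG)))


if __name__ == "__main__":
    for f in run():
        print(f"{f['user']:6} {f['kind']:13} {f['detail']}")
```

Each finding maps to one of the policy questions in step 5 (who accesses what and when, what leaves the infrastructure, what behaviors to look out for), and the baseline itself is what step 6 keeps updating: as staff change roles or tools, the baseline period is re-run so that legitimate new behavior stops generating findings while genuinely new activity still does.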

Conclusion 

While no security strategy is perfect, and data breaches will never be eliminated, zero trust is one of the most effective strategies. By implementing zero trust, your organization can reduce its attack surface, minimize the impact and severity of cyberattacks, and reduce the cost and time of recovering from an attack. 

Following these principles and implementation steps sets you on a path to building a secure, scalable business capable of tackling the most common causes of data breaches. For questions on how you can get started with a zero trust architecture, contact one of GSec LLC’s experts today. 

Jazmyne Davis