The zero-trust model

Aiming for the impossible

James Zhou | 8/26/2022
The transition to remote work always means a transition to a zero-trust model for cybersecurity. A Crowe cybersecurity professional explains why.

Implementing a zero-trust model can help organizations mitigate the risk that accompanies fully remote and hybrid workforces.

The COVID-19 pandemic reshaped work environments in the physical world, and it reprioritized IT security architecture in the virtual world. The new normal of remote work has transformed how, when, and where people work beyond the confines of the office. Transitioning from a traditional security approach to a zero-trust model can help organizations mitigate risk to their networks.


Remote work trends

Traditional approaches to network security establish a perimeter between an organization's internal network resources and the internet, preventing intrusion from outside threats. However, with the rise of cloud and the impact of the pandemic, network boundaries defined in the past no longer exist.

Before 2019, many organizations already were shifting to remote work. The pandemic accelerated this process, and some organizations had to work quickly to adopt hybrid or remote work strategies to keep their businesses running.

IT teams in many organizations have deployed corporate applications and virtual desktops in the cloud. However, policies or restrictions on remote employees using unmanaged or unregistered devices for their work often are not in place, which opens the door for attackers. Employees working from home but not following proper security protocols is one of the biggest threats to organizations in a remote work environment.

Remote work also increases insider threats, a problem identified years ago. In a remote environment, both intentional and unintentional insider threats are difficult to regulate with a traditional network security approach because they exist outside the original perimeter.

According to Gallup's monthly trends from April 2020 to September 2021, the percentage of full-time U.S. employees working partially or fully remotely stabilized at 45%. Additionally, approximately 90% of U.S. employees would prefer to work fully or partially remotely in the future.

As hybrid work becomes the new normal, the number of network connections, or attack surfaces, that bad actors are eager and ready to exploit has greatly increased. In the current context, organizations should consider a new security approach that emphasizes strong authentication and identity-based access controls: the zero-trust model.

The zero-trust model: What is it, and why does it matter?

Traditionally, security professionals have followed a trust-but-verify method of threat protection: Once users and endpoints have been verified at the entrance, they are automatically allowed into the internal network and its resources. But the concept of a network perimeter is phasing out because of the rise of remote work and cloud computing.

In addition, in the world of traditional computer security, the definition of trust is inherently flawed because it’s based on implicit trust. Malicious actors rely on this implicit trust, and they manipulate and exploit it to penetrate private networks and gain access to valuable resources. For example, if a user has been verified, that user is trusted, even if the account is later compromised.

The zero-trust model is a strategic approach to cybersecurity that helps secure an organization by eliminating implicit trust and continually validating every request of a digital interaction. Based on the zero-trust principle of “never trust, always verify,” this model is designed to protect IT environments by using strong identity authentication methods, implementing microsegmentation and endpoint security to prevent lateral movement, and applying least access policies in three areas: workforces, workloads, and workplaces.

Workforces

Identity authentication and privilege verification are the two main concerns for workforces. People engaged in or available for work, such as employees, contractors, vendors, and partners, are all considered part of an organization’s workforce.

With the zero-trust model, usernames and passwords are not the golden ticket to the internal network and resources anymore. By enforcing multifactor authentication (MFA), additional evidence is required to help prove a person’s identity, which includes something the user has, something the user knows, something the user is, and somewhere the user is.

Furthermore, Security Assertion Markup Language (SAML) allows an identity provider to authenticate users and then pass an authentication token to another application, known as a service provider. This layer of protection reinforces zero trust: Users connect based on their identities, not their passwords. Because identities cannot be switched, secure and authentic access is better protected.

Such controls can be managed and applied through identity and access management (IAM). IAM encompasses MFA and SAML and applies permission policies such as least privilege, which ensure that users hold only the privileges necessary to complete their work and that each request is checked for the correct privileges to access or modify the requested resource.

Workloads

Any application or service that operates in the cloud, in a data center, or in another virtual environment and interacts with other applications or services is considered a workload.

Network segmentation creates subnetworks within the overall network to prevent attackers from moving inside the perimeter to attack. Similarly, microsegmentation logically divides the data center into distinct security segments down to the individual workload level, and then defines security controls and delivers services for each unique segment.

The zero-trust model follows the principle of “least privilege,” which provides users access only to the specific workload necessary to successfully perform the work. Microsegmentation helps organizations to better apply this principle by requiring verification on a more granular scale.

Workplaces

Many workplaces are transitioning from physical offices to remote locations, which makes securing and managing them more complex.

IT teams traditionally have relied on virtual private networks (VPNs) to provide secure remote access to workforces, an approach that by design assumes anything passing through the established boundary can be trusted.

Zero-trust network access (ZTNA) is a category of technologies that provides secure remote access to applications and services based on defined access control policies. Unlike the traditional VPN, a ZTNA solution’s default is to deny access and provide only the necessary access to services the user has been explicitly granted.

ZTNA uses identity-based authentication and IP-based access control to reduce the attack surface. It allows organizations to implement location- or device-specific access control policies to help regulate bring-your-own-device policies and prevent unpatched or vulnerable devices from connecting to the internal network. For example, even if the right credentials are used in a request for access, with the zero-trust model, such access would not be allowed unless the request originates from a device that’s known to the organization and has device-installed agents and the latest certificates linked to specific users.
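The default-deny decision described above, written out as an added example (not code from the article or from Crowe): every request must pass MFA, come from a device in the organization's inventory whose agent and certificate are valid and linked to the requesting user, match an explicit application grant, and, for restricted applications, originate from a permitted network. All device records, grants, IP ranges and dates are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_address, ip_network

# All devices, grants, IPs and dates below are constructed for this example.
TODAY = date(2022, 8, 26)
@dataclass(frozen=True)
class Device:
    owner: str            # user whose certificate is installed on the device
    agent_installed: bool
    cert_expires: date

@dataclass(frozen=True)
class Request:
    user: str
    mfa_passed: bool
    device_id: str
    source_ip: str
    app: str

# Devices known to the organization; any other device_id is unknown.
DEVICES = {
    "lt-0042": Device("alice", True, date(2023, 1, 31)),
    "lt-0099": Device("bob", False, date(2023, 1, 31)),   # agent missing
    "lt-0100": Device("carol", True, date(2022, 6, 30)),  # certificate expired
}
# Applications each user has been explicitly granted; absent means denied.
GRANTS = {"alice": {"payroll", "wiki"}, "bob": {"wiki"}, "carol": {"wiki"}}
# Apps that additionally require a permitted source network (IP-based control).
NETWORKS = {"payroll": [ip_network("203.0.113.0/24")]}

def decide(req: Request, today: date = TODAY) -> tuple:
    """Default deny: allow only when every identity and device check passes."""
    if not req.mfa_passed:
        return False, "mfa not completed"
    dev = DEVICES.get(req.device_id)
    if dev is None:
        return False, "unknown device"
    if dev.owner != req.user:
        return False, "device certificate not linked to user"
    if not dev.agent_installed:
        return False, "endpoint agent missing"
    if dev.cert_expires < today:
        return False, "device certificate expired"
    if req.app not in GRANTS.get(req.user, set()):
        return False, "no explicit grant for app"
    if req.app in NETWORKS and not any(
            ip_address(req.source_ip) in n for n in NETWORKS[req.app]):
        return False, "source network not permitted"
    return True, "allowed"
```

A request with valid credentials from an unregistered device fails at the inventory check, which is the case the paragraph above describes.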

A worthwhile effort

Identity is at the heart of cybersecurity, and the zero-trust model is a relevant strategic approach in other areas in which processes rely on trust. For example, the zero-trust principle of “never trust, always verify” can be applied to the supply chain to verify the quality and quantity of a product or to physical security operations to strengthen building security.

Implementing zero-trust architecture is not a one-step job. Instead, it’s a process of eliminating threats and aiming for the impossible. The effort needs the expertise of IT teams, support from directors and executives, and coordination with staff. A transition from the traditional security approach to the zero-trust model will take time – but the process is worth the investment.