Zero Trust: Principles

What is Zero Trust Security?

Zero Trust turns the traditional detect-and-remediate approach to cybersecurity on its head. Instead of trusting everything except for known threats, Zero Trust assumes that all traffic – regardless of whether it originates from a trusted source – is untrustworthy. This forces web sites, web apps, Software-as-a-Service (SaaS) platforms and even email content to be treated as if it is malicious. It then needs to be authenticated continuously, before each interaction with a user, device or application on the network.

How is this different from traditional security strategies?

Traditional security strategies are built to authenticate entities (a user, device or application) once at the edge of the network and then give them access to everything inside the network. This worked well when enterprise networks were set up in a hub and spoke model where there was little mobility. Users tended to log in from corporate headquarters behind a robust firewall that could control traffic flowing in and out of the data center.

Today’s networks, however, are highly-distributed and mobile. Users, devices, apps and data are spread out across private and public cloud infrastructures where they are spun up and down on demand. This decentralized architecture hasn’t so much eliminated the perimeter as it has expanded it to anywhere users do business – whether it is a remote office, a home office, a customer site or on the road. The perimeter is everywhere – making it impossible to stop breaches. Zero Trust, on the other hand, continuously authenticates entities at the perimeter and inside the network, ensuring that nothing gets through the cracks.

How does Zero Trust stop malicious actors from getting access to my network?

A Zero Trust security strategy begins with no access as the default. No user, device or application – regardless of location or status – can access anything without being granted access and authenticated first. From there, access has to be earned through continuous authentication. This prevents a malicious actor from getting access to an end device and then spreading through the network in search of a more valuable target.

Why is Zero Trust security needed today?

Accelerated digital transformation has pushed everything out the edge of the network. Modern applications are no longer monolithic stacks in a single data center. They’re now split up into thousands of microservices spread out across multiple cloud infrastructures. This improves application experience and enables business agility, but it has essentially broken traditional security strategies that were built for the hub and spoke model where security is attached to static infrastructure. The new, modern way of working needs a modern security approach–and Zero Trust is ideal for securing users, devices, applications and data in the multi-cloud world.

Secondly, the threat landscape has evolved and grown tremendously over the past several years. Enterprises are sending usernames, passwords and multifactor authentication tokens all around the Internet, providing more opportunity for an attacker to intercept and steal those credentials. Enterprises are also sharing resources with the general public, and, therefore, malicious actors. The CEO of a Fortune 50 company likely has a Microsoft 365, Google Productivity Suite or Box account. So, too, does every hacker. It’s fairly easy to spin up a legitimate-looking email communication to trick a user into giving way credentials. Zero Trust stops lateral movement and safeguards other applications inside the network.

How do you implement Zero Trust security?

It’s important to note that Zero Trust is not a solution. It’s not a product. It’s not something you can turn on and off. Zero Trust is a mindset that needs to be implemented throughout the organization from the management team to the IT team to individual users. It requires a complete re architect of your network.

What are the core principles of Zero Trust Security?

Catalog your resources

The first step for implementing Zero Trust is to know what resources you have and who needs to connect to them. This catalog serves as a trusty road map for granting authentications. What applications do you have? Who needs access? How do you request and get access? What kind of access does each user need? Read only? Read/write? What behaviors are allowed and what should be blocked? Knowing the answers to these questions allows you to build rules around Zero Trust security that can be implemented effectively.

Clientless by default

A clientless approach that goes through the browser allows you to extend control to devices that you don’t manage – including personal devices, partners, customers and other third parties. Some applications will continue to require an agent–and that’s fine. But starting with a clientless by default approach to Zero Trust eliminates these gaps and allows you to offload a lot of bandwidth off your VPN onto the public Internet – which improves performance and lowers networking costs.

Secure the entire IT ecosystem

Zero Trust isn’t just about the user and their device. It’s about application to application connectivity. It’s about data. It’s about IoT devices. It’s about external collaborators, All these entities need to be who they say they are and have a legitimate reason for connecting to each other and the network.

Continuous authentication

Today’s applications – whether they are Microsoft 365 or Salesforce – require continuous connectivity to enable real-time collaboration. Someone makes an update to a customer record or edits a shared document, every users’ view is reflected in real time. As you make the shift to Zero Trust, you need to put in place a system of continuous analysis of everything that’s happening.

You might see that an end user connects in and they start behaving strangely. They start downloading a whole lot more than they did. Normally that might be a red flag, and you might want to do something about that.

You might see that the application at the other end is actually connected to something different than it was before. Maybe there’s one other entity or maybe another app connected into that app that didn’t exist there before. That might be a sign that there’s something suspicious or potentially malicious going on with the application.

And then finally, you would want to be able to look at data coming through. Because again, if we’re not going to trust the user and their device, we’re not going to trust the application. We’re not going to trust the data. We need to make sure that the data coming down from those applications to the end user is also not malicious.

Isolation at the core of your security stack

Without a doubt, an approach that places isolation technology at the core of the security stack is the most effective and efficient Zero Trust strategy. Isolation is the secret sauce that pulls everything together, acting as a central technology framework through which all security services can be delivered safely and securely in the cloud.

Isolation works by creating a protective layer around users as they navigate the web and applications, blocking not only known and existing threats but unknown and future threats as well. Isolation needs to be applied consistently across the organization, not disrupt user productivity, give the security team complete visibility and control over web-based traffic and scale instantly to any user in any location around the globe.

When done right, isolation makes security invisible, happening behind the scenes where it can’t inhibit productivity for today’s remote workforce. Email clients and web browsers should continue to work as intended. There should be no clients to install or hardware to ship, and common browsing functionality such as shortcuts, cutting, pasting and printing work needs to be preserved. The right isolation solution makes sure employees access the Internet with all of the features and functionality they’ve come to expect. No pixelated screens or read-only web pages. Everything should work for your users as intended no matter where business takes them.

Why is Menlo Security in a good position to deliver on the promise of Zero Trust Security?

Menlo Security starts with a clientless first approach, making it easier and more elegant for the IT staff to implement and manage. Menlo provides a single place to create and manage those Zero Trust policies–allowing you to set once and apply globally. Menlo is also built on an Isolation Core™. Everything goes through this abstracted layer in the cloud, giving administrators unparalleled visibility and control into security without impacting the native user experience.