Zero Trust Architecture: Key Principles and Components
Within your network, who can you trust? No one, according to the zero trust paradigm. Under the zero trust approach to cybersecurity, access is granted only after a user has been verified, and only to the extent necessary to complete a task.
Forrester analysts used the phrase “zero trust” to describe a new security architecture in which individuals and devices are no longer divided into trusted and untrusted groups. The main principle behind this strategy is to only give access to those who have been vetted and authorised.
In network security, there are several interpretations of zero trust models. Cybersecurity specialists at Idaptive characterised zero trust in 2018 as a three-step process:
• Verify the identity of a user
• Validate devices
• Limit privileged access
Microsoft made their implementation of the zero trust security concept public in 2019. According to them, in order to create an optimal zero-trust environment, you must:
• Verify a user’s identity through authentication
• Validate device health via a device management system
• Apply the principle of least privilege
The fourth component, service health, is notable in that it is more of a theoretical concept that Microsoft has identified as a future aim.
What is a zero trust architecture?
The National Institute of Standards and Technology (NIST) gave the most extensive description of zero trust to date in 2020. In Special Publication (SP) 800-207, NIST discusses the areas to focus on when constructing a zero trust architecture (ZTA) and the concepts on which such an architecture should be built.
Organizations can create a ZTA in a variety of ways, according to NIST:
• By focusing on user access privileges and context-based identity verification
• By splitting the network into separate segments protected with different policies and access rules
• By using software-defined perimeter approaches
In any event, the heart of a zero trust architecture is made up of three elements:
• A policy engine grants, revokes, or denies a particular user access to requested enterprise resources.
• A policy enforcement point (PEP) enables, terminates, and monitors connections between a user and enterprise resources.
• A policy administrator sends commands to a PEP based on the policy engine’s decision to allow or deny a user’s connection to a requested resource.
These parts don’t have to be independent, standalone systems. A company may opt to deploy a single asset that performs the functions of all three components, depending on its needs. Alternatively, an organisation may implement a single component by combining various tools and systems.
Building a zero trust architecture: NIST perspective
The National Institute of Standards and Technology (NIST) recommends that businesses create a zero-trust architecture based on seven pillars:
1. Resources – An organization’s data, computing services, and devices should all be treated as valuable assets that must be safeguarded. Personal devices that allow network users to access an organization’s resources may be classified as enterprise resources.
2. Communication – All communication, both inside and outside the network, must be treated equally and secured in the most secure way possible.
3. Per-session access – Each connection to a crucial resource or organisation should be made only for the duration of that session.
4. Dynamic policy – Access to an organization’s resources should be allowed in accordance with the policy rules and the dynamic least privilege concept. A policy like this should define the organization’s resources, users, and their access entitlements.
5. Monitoring – Organizations should monitor corporate resources and all actions made with them to ensure proper data protection and security.
6. Authentication and authorization – An organisation should use dynamic authentication and authorization before allowing access to any corporate resource.
7. Continuous improvement – To improve the network’s security posture, an organisation should acquire information on the present state of network assets, infrastructure, and connections.
It’s worth noting that companies don’t have to implement all of these zero trust architecture design concepts at the same time. You can focus your efforts on a few key ideas that best suit your needs.
Creating a zero-trust architecture is a time-consuming and ongoing task. Organizations do not, however, have to use all of the zero trust principles at the same time. Start by defining and classifying all of your organization’s resources, establishing adequate user verification procedures, and granting your users only the privileges they genuinely require at the time.
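To make the three core components and the per-session, least-privilege principles concrete, here is an added example (not code from the article or from NIST SP 800-207) of a minimal policy engine, policy administrator and PEP. The resources, roles, users and session lifetime are constructed for illustration; in practice the identity and device-health inputs would come from the identity provider and device management system.

```python
import time
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample policy (hypothetical resources and roles): which roles may
# reach which resource, and whether the requesting device must be reported healthy.
POLICY = {
    "payroll-db":  {"roles": {"hr"},             "require_healthy_device": True},
    "source-repo": {"roles": {"engineer"},       "require_healthy_device": True},
    "wiki":        {"roles": {"hr", "engineer"}, "require_healthy_device": False},
}
SESSION_TTL = 600  # seconds; each grant covers exactly one session

@dataclass(frozen=True)
class Request:
    user: str
    authenticated: bool   # outcome of the identity provider's verification
    role: str
    device_healthy: bool  # outcome of the device management system's check
    resource: str

@dataclass(frozen=True)
class Session:
    user: str
    resource: str
    expires_at: float

def policy_engine(req: Request) -> Tuple[bool, str]:
    """Decide allow/deny for one request: verified identity, validated device, least privilege."""
    rule = POLICY.get(req.resource)
    if rule is None:
        return False, "unknown resource"          # default deny for anything unlisted
    if not req.authenticated:
        return False, "identity not verified"
    if rule["require_healthy_device"] and not req.device_healthy:
        return False, "device not validated"
    if req.role not in rule["roles"]:
        return False, "role lacks privilege for resource"
    return True, "allowed"

def policy_administrator(req: Request, now: float) -> Optional[Session]:
    """Turn an allow decision into a time-bound, single-resource grant handed to the PEP."""
    allowed, _reason = policy_engine(req)
    if not allowed:
        return None
    return Session(req.user, req.resource, now + SESSION_TTL)

def pep_permit(session: Optional[Session], user: str, resource: str, now: float) -> bool:
    """Enforcement point: forward the connection only on a live grant for this user and resource."""
    return (session is not None and session.user == user
            and session.resource == resource and now < session.expires_at)
```

Because the grant names one user and one resource and carries an expiry, the PEP cannot be reused for a different resource or after the session ends, which is the per-session access the pillars describe.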
To know more about zero trust architecture contact info@vafion.com