What is Zero Trust Security? Principles of the Zero Trust Model

What is Zero Trust?

Zero Trust is a security framework requiring all users, whether inside or outside the organization’s network, to be authenticated, authorized, and continuously validated for security configuration and posture before being granted or keeping access to applications and data. Zero Trust assumes that there is no traditional network edge; networks can be local, in the cloud, or a hybrid combination, with resources anywhere and workers in any location.

Zero Trust is a framework for securing infrastructure and data through digital transformation. It addresses the challenges of today’s business directly, including securing remote workers, hybrid cloud environments, and ransomware threats. While many vendors have tried to create their own definitions of Zero Trust, there are several standards from recognized organizations that can help you align Zero Trust with your organization.

Zero Trust and NIST 800-207

At CrowdStrike, we align to the NIST SP 800-207 standard for Zero Trust. It is the most vendor-neutral and comprehensive of the available standards, written not just for government entities but for any organization, and it incorporates elements of other models such as Forrester’s ZTX and Gartner’s CARTA. The NIST standard also covers the cloud-first, work-from-anywhere model most enterprises need to support, with protection against modern attacks in mind.

In response to a series of high-profile breaches, in May 2021 the Biden administration issued Executive Order 14028, which directed U.S. Federal Agencies to move to a Zero Trust Architecture and pointed to NIST SP 800-207 as the reference for that work. The standard has since been validated by a broad set of commercial customers, vendors, and government agency stakeholders, which is why many private organizations treat it as the de facto standard for enterprises as well.

Zero Trust seeks to address the following key principles based on the NIST guidelines:

Continuous verification. Always verify access, all the time, for all resources.

Limit the “blast radius.” Minimize impact if an external or insider breach does occur.

Automate context collection and response. Incorporate behavioral data and get context from the entire IT stack (identity, endpoint, workload, etc.) for the most accurate response.

How Zero Trust Works

Execution of this framework combines technologies such as risk-based multi-factor authentication, identity protection, next-generation endpoint security, and cloud workload protection to verify a user’s or system’s identity, to evaluate whether access is appropriate at that moment in time, and to maintain the security of the systems involved. Zero Trust also requires attention to encryption of data, securing email, and verifying the hygiene of assets and endpoints before they connect to applications.

Zero Trust is a significant departure from traditional network security, which followed the “trust but verify” method. The traditional approach automatically trusted users and endpoints within the organization’s perimeter. That put the organization at risk from malicious insiders and from legitimate credentials taken over by attackers, since an unauthorized or compromised account had wide-reaching access once inside. The model became obsolete with the cloud migration driven by business transformation initiatives and the acceleration of distributed work during the pandemic that started in 2020.

Zero Trust architecture therefore requires organizations to continuously monitor and validate that a user and their device have the right privileges and attributes. It also requires enforcement of policy that incorporates the risk of the user and device, along with compliance or other requirements, before permitting the transaction. It requires that the organization know all of its service and privileged accounts and can establish controls on what they connect to and from where. One-time validation simply will not suffice, because threats and user attributes are all subject to change.

As a result, organizations must ensure that all access requests are continuously vetted before access is allowed to any enterprise or cloud asset. That is why enforcement of Zero Trust policies relies on real-time visibility into hundreds of user and application identity attributes such as:

User identity and type of credential (human, programmatic)

Credential privileges on each device

Normal connections for the credential and device (behavior patterns)

Endpoint hardware type and function

Geo location

Firmware versions

Authentication protocol and risk

Operating system versions and patch levels

Applications installed on endpoint

Security or incident detections including suspicious activity and attack recognition

Analytics must be tied to trillions of events, broad enterprise telemetry, and threat intelligence so that AI/ML models are trained well enough to drive accurate policy responses. Organizations should thoroughly assess their IT infrastructure and potential attack paths so that they can contain attacks and minimize the impact if a breach does occur. This can include segmentation by device type, identity, or group function. For example, protocols that are suspicious in a given context, such as RDP or RPC to a domain controller, should always be challenged or restricted to specific credentials.

More than 80% of all attacks involve credential use or misuse in the network. With constant new attacks against credentials and identity stores, additional protections for credentials and data extend to email security, secure web gateway, and cloud access security broker (CASB) providers. This helps ensure stronger password security, integrity of accounts, adherence to organizational rules, and avoidance of high-risk shadow IT services.


Expert Tip The term “Zero Trust” was coined by Forrester Research analyst and thought-leader John Kindervag, and follows the motto, “never trust, always verify.” His ground-breaking point of view was based on the assumption that risk is an inherent factor both inside and outside the network.

Zero Trust Use Cases

Zero Trust, while discussed as a model for many years, has increasingly been formalized as a response to securing digital transformation and to a range of complex, devastating threats seen in the past year.

Any organization can benefit from Zero Trust, but yours can benefit immediately if:

You are required to protect an infrastructure deployment model that includes:

Multi-cloud, hybrid, multi-identity

Unmanaged devices

Legacy systems

SaaS apps

You need to address key threat use cases including:

Your organization has these considerations:

SOC/analyst expertise challenges

User experience impact considerations (especially when using MFA)

Industry or compliance requirements (e.g., the financial sector or the US government Zero Trust mandate)

Concern in retaining cyber insurance (due to the rapidly changing insurance market as a result of ransomware)

Every organization has unique challenges due to its business, digital transformation maturity, and current security strategy. Zero Trust, if implemented properly, can adjust to meet specific needs and still ensure an ROI on your security strategy.

The Next Sunburst Attack Example

The SolarWinds software supply chain attack known as Sunburst, disclosed in December 2020, demonstrates why organizations cannot drop their guard even for standard service accounts and previously trusted tools. All networks have automated updates within their technology stack, from web applications to network monitoring and security. Automating patches is imperative to good network hygiene. However, Zero Trust means that even a mandatory, automated update is not trusted because of where it came from: the actions it takes and the accounts it runs under are constrained and watched so that potential malicious actions are prevented.

The technical analysis of the Sunburst attack illustrates how any tool, especially one commonly used in a network, can be taken over through the vendor/update mechanism, and how Zero Trust architecture principles should be applied to mitigate these threats.

Zero Trust and the principle of least privilege mandate strict policies and permissions for all accounts, including programmatic credentials like service accounts. Service accounts in general should have known behaviors and limited connection privileges. In the case of Sunburst, an overly permissioned service account enabled lateral movement for attackers. Service accounts should never directly attempt to access a domain controller or an authentication system like ADFS, and any behavior anomalies should be identified and escalated as they happen.


What are the Core Principles of the Zero Trust Model?

The Zero Trust model (based on NIST 800-207) includes the following core principles:

Continuous verification. Always verify access, all the time, for all resources.

Limit the “blast radius.” Minimize impact if an external or insider breach occurs.

Automate context collection and response. Incorporate behavioral data and get context from the entire IT stack (identity, endpoint, workload, etc.) for the most accurate response.

1. Continuous Verification

Continuous verification means no trusted zones, credentials, or devices at any time. Hence the common expression “Never Trust, Always Verify.” Verification that must be applied to such a broad set of assets continuously means that several key elements must be in place for this to work effectively:

Risk based conditional access. This ensures the workflow is only interrupted when risk levels change, allowing continual verification, without sacrificing user experience.

Rapid and scalable dynamic policy model deployment. Since workloads, data, and users can move often, the policy must not only account for risk, but also include compliance and IT requirements for policy. Zero Trust does not alleviate organizations from compliance and organizational specific requirements.
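The risk-based conditional access and continuous re-evaluation described above, as an added illustrative example that is not CrowdStrike’s code: a small policy decision point that scores a request from identity, endpoint and network signals, derives the authenticator strength that risk band requires, and is simply re-run whenever a signal changes mid-session. The signal names, weights, thresholds, the “regulated data never on an unmanaged device” compliance rule, and the programmatic-credential handling are all assumptions chosen for the demo; a real deployment takes them from its own telemetry and compliance requirements.

```python
"""Risk-based conditional access with continuous re-evaluation.

Added illustrative example; not CrowdStrike's code. The signal names, weights
and thresholds are assumptions for the demo, not values from any product.
"""
from dataclasses import dataclass, replace
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"   # interrupt only to raise authentication strength
    DENY = "deny"


# Assumed ordering of authenticator strength (higher is stronger).
AUTH_STRENGTH = {"password": 1, "otp": 2, "fido2": 3}


@dataclass(frozen=True)
class AccessContext:
    """Signals gathered from identity, endpoint and network sources for one request."""
    user: str
    credential_type: str       # "human" or "programmatic" (service account)
    auth_method: str           # key of AUTH_STRENGTH
    device_managed: bool
    os_patch_age_days: int
    geo_country: str
    usual_countries: frozenset
    endpoint_alert: bool       # live detection from the endpoint sensor
    resource_sensitivity: str  # "low" or "regulated"


def risk_score(ctx: AccessContext) -> int:
    """Additive risk from posture and behaviour signals (weights are assumptions)."""
    score = 0
    if not ctx.device_managed:
        score += 30
    if ctx.os_patch_age_days > 30:
        score += 20
    if ctx.geo_country not in ctx.usual_countries:
        score += 25
    if ctx.endpoint_alert:
        score += 100
    return score


def required_strength(score: int) -> int:
    """Map a risk band to the minimum authenticator strength it demands."""
    if score < 20:
        return 1
    if score < 50:
        return 2
    return 3


def decide(ctx: AccessContext) -> Decision:
    """Policy decision point: compliance rules first, then risk bands."""
    # Compliance/IT requirement that Zero Trust does not remove: regulated data
    # is never served to an unmanaged device, whatever the risk score.
    if ctx.resource_sensitivity == "regulated" and not ctx.device_managed:
        return Decision.DENY
    score = risk_score(ctx)
    if score >= 70:
        return Decision.DENY
    # A programmatic credential cannot answer an interactive challenge, so any
    # elevated risk on a service account is a deny, not a prompt.
    if ctx.credential_type == "programmatic":
        return Decision.ALLOW if score < 20 else Decision.DENY
    if AUTH_STRENGTH[ctx.auth_method] < required_strength(score):
        return Decision.STEP_UP
    return Decision.ALLOW


def walkthrough() -> dict:
    """Re-run the policy as signals change within one session (continuous verification)."""
    alice = AccessContext(user="alice", credential_type="human", auth_method="password",
                          device_managed=True, os_patch_age_days=45, geo_country="DE",
                          usual_countries=frozenset({"DE", "AT"}), endpoint_alert=False,
                          resource_sensitivity="low")
    alice_otp = replace(alice, auth_method="otp")
    bob = AccessContext(user="bob", credential_type="human", auth_method="otp",
                        device_managed=False, os_patch_age_days=5, geo_country="BR",
                        usual_countries=frozenset({"US"}), endpoint_alert=False,
                        resource_sensitivity="low")
    svc = AccessContext(user="svc-backup", credential_type="programmatic", auth_method="password",
                        device_managed=True, os_patch_age_days=5, geo_country="DE",
                        usual_countries=frozenset({"DE"}), endpoint_alert=False,
                        resource_sensitivity="low")
    return {
        "alice: stale patches, password only": decide(alice),
        "alice: after OTP step-up": decide(alice_otp),
        "alice: same session, new country, same risk band": decide(replace(alice_otp, geo_country="BR")),
        "alice: sensor raises a detection mid-session": decide(replace(alice_otp, endpoint_alert=True)),
        "bob: unmanaged device abroad needs FIDO2": decide(bob),
        "bob: unmanaged device, regulated data": decide(replace(bob, resource_sensitivity="regulated")),
        "svc: healthy host": decide(svc),
        "svc: stale patches, cannot step up": decide(replace(svc, os_patch_age_days=45)),
    }


if __name__ == "__main__":
    for label, d in walkthrough().items():
        print(f"{label:55s} -> {d.value}")
```

Two design points are worth noting. Alice’s move to a new country raises her score but not her risk band, so the session is not interrupted; only when the endpoint sensor raises a detection does the same session flip to a deny. And the service account is never prompted: a programmatic credential has no one to answer a challenge, so the only honest outcomes are allow or deny.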

2. Limit the Blast Radius

If a breach does occur, minimizing the impact of the breach is critical. Zero Trust limits the scope of credentials or access paths for an attacker, giving time for systems and people to respond and mitigate the attack.

Limiting the radius means:

Using identity-based segmentation. Traditional network-based segmentation can be challenging to maintain operationally as workloads, users, data, and credentials change often.

Applying the least privilege principle. Whenever credentials are used, including for non-human accounts (such as service accounts), it is critical that these credentials are given access to the minimum capability required to perform the task. As tasks change, so should the scope. Many attacks leverage over-privileged service accounts, as they are typically not monitored and are often overly permissioned.
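The service-account controls called for here and in the Sunburst section above (known behaviors, limited connection privileges, never touching a domain controller or ADFS, RDP/RPC to a domain controller challenged or restricted to specific credentials), as an added example that is not CrowdStrike’s code: detection logic run over a constructed authentication log. The host inventory, the per-account connection baselines, the “svc-”/“adm-” naming convention, the pipe-delimited record format and the sample events are all assumptions built for the demo. It goes one step beyond the text by also restricting admin RDP to a domain controller to a named admin workstation, a common way to make “specific credentials” concrete.

```python
"""Behaviour and least-privilege checks for service accounts over auth events.

Added example, not CrowdStrike's code. Inventory, baselines, naming
conventions and the sample log are constructed for the demo.
"""
from dataclasses import dataclass

# Constructed inventory: hosts that count as identity infrastructure.
TIER0_HOSTS = {"dc01": "domain_controller", "adfs01": "adfs"}

# Constructed baselines: the only (destination, protocol) pairs each service
# account is expected to use. Anything else is outside its known behaviour.
BASELINES = {
    "svc-monitor": {("web01", "snmp"), ("web02", "snmp"), ("db01", "snmp")},
    "svc-backup": {("db01", "smb"), ("fs01", "smb")},
}

# Assumed policy: remote-management protocols to a DC only from an admin
# credential ("adm-" prefix) originating on a privileged access workstation.
ADMIN_WORKSTATIONS = {"paw03"}
INTERACTIVE_PROTOCOLS = {"rdp", "rpc", "winrm", "ssh"}


@dataclass(frozen=True)
class AuthEvent:
    ts: str
    account: str
    src: str
    dst: str
    protocol: str
    logon_type: str   # "network", "interactive" or "service"


@dataclass(frozen=True)
class Finding:
    severity: str
    rule: str
    event: AuthEvent


def evaluate(event: AuthEvent) -> list:
    """Apply the page's service-account rules to one event; return findings."""
    findings = []
    is_service = event.account.startswith("svc-")
    dst_role = TIER0_HOSTS.get(event.dst)
    # Rule 1: a service account should never reach a DC or ADFS at all.
    if is_service and dst_role:
        findings.append(Finding("high", f"service account reached {dst_role}", event))
    # Rule 2: RDP/RPC-class access to a DC is restricted to admin credentials on a PAW.
    if (dst_role == "domain_controller" and event.protocol in INTERACTIVE_PROTOCOLS
            and not (event.account.startswith("adm-") and event.src in ADMIN_WORKSTATIONS)):
        findings.append(Finding("high", f"{event.protocol} to domain controller outside admin/PAW policy", event))
    # Rule 3: a service account's connections must stay within its known baseline.
    baseline = BASELINES.get(event.account)
    if baseline is not None and (event.dst, event.protocol) not in baseline:
        findings.append(Finding("medium", "service account outside connection baseline", event))
    # Rule 4: service credentials are not for interactive logons.
    if is_service and event.logon_type == "interactive":
        findings.append(Finding("medium", "interactive logon with service account", event))
    return findings


def parse_line(line: str) -> AuthEvent:
    """Parse one constructed, pipe-delimited auth record."""
    ts, account, src, dst, protocol, logon_type = (f.strip() for f in line.split("|"))
    return AuthEvent(ts, account, src, dst, protocol, logon_type)


# Constructed sample log (not real telemetry).
SAMPLE_LOG = """\
2021-03-01T02:00:05Z | svc-backup  | backup01 | fs01   | smb  | network
2021-03-01T02:00:09Z | svc-backup  | backup01 | db01   | smb  | network
2021-03-01T02:14:41Z | svc-monitor | mon01    | web01  | snmp | network
2021-03-01T02:15:02Z | svc-monitor | mon01    | dc01   | ldap | network
2021-03-01T02:15:30Z | svc-monitor | mon01    | adfs01 | rpc  | network
2021-03-01T02:16:00Z | j.doe       | wks17    | dc01   | rdp  | interactive
2021-03-01T02:16:45Z | adm-jdoe    | paw03    | dc01   | rdp  | interactive
2021-03-01T02:17:10Z | adm-jdoe    | wks17    | dc01   | rdp  | interactive
"""


def scan(log: str) -> list:
    """Run every record through evaluate() and collect the findings."""
    findings = []
    for line in log.splitlines():
        if line.strip():
            findings.extend(evaluate(parse_line(line)))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f.severity}] {f.event.ts} {f.event.account}@{f.event.src} -> "
              f"{f.event.dst}/{f.event.protocol}: {f.rule}")
```

Over the sample log the first three records are clean, the monitoring account’s LDAP and RPC reaches into the DC and ADFS each produce a high finding plus a baseline deviation, the ordinary user’s RDP to the DC is flagged, and the admin’s RDP is accepted from the PAW but flagged from a regular workstation. The baseline rule is the one that catches a Sunburst-style abuse early: the compromised tool’s account is still “valid,” but it starts talking to hosts it never needed before.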

3. Automate Context Collection And Response

To make the most effective and accurate decisions, more data helps so long as it can be processed and acted on in real-time. NIST provides guidance on using information from the following sources:

User credentials – human and non-human (service accounts, non-privileged accounts, privileged accounts – including SSO credentials)

Workloads – including VMs, containers, and ones deployed in hybrid deployments

Endpoint – any device being used to access data

Network

Data

Other sources (typically via APIs): SIEM, SSO, identity providers (like AD), and threat intelligence

Stages of Implementing Zero Trust

Although each organization’s needs are unique, CrowdStrike offers the following stages to implement a mature Zero Trust model:

Stage 1: Visualize – understand all of the resources and their access points, and visualize the risks involved

Stage 2: Mitigate – detect and stop threats, or mitigate the impact of a breach when a threat cannot be immediately stopped

Stage 3: Optimize – extend protection to every aspect of the IT infrastructure and all resources regardless of location, while optimizing the user experience for end users, IT, and security teams

For a detailed breakdown of each stage, including goals and best practices, read our article on How to Implement Zero Trust in 3 Stages.


Why CrowdStrike for Zero Trust

CrowdStrike’s Zero Trust solution has the industry’s only frictionless approach to Zero Trust through:

Security for the most critical areas of enterprise risk, to stop breaches in real time for any endpoint, cloud workload, identity, and data. The solution adheres to the NIST 800-207 standard and maximizes Zero Trust coverage across a hybrid enterprise, securing and enabling the people, processes, and technologies that drive modern enterprise security, with built-in protection for high-risk areas such as identity and data.

Hyper-accurate detections and automated protection for a frictionless Zero Trust journey for organizations of any size. Zero Trust can be deployed faster and in phases with just two components: the single lightweight-agent sensor and the administrative dashboard. Automated protection and remediation reduce the load on security operations center (SOC) analysts, and adaptive conditional access improves the user experience.

A cloud-native platform that lets security teams achieve Zero Trust protection and performance without the overhead of managing terabytes of data, threat feeds, hardware/software, and ongoing personnel costs, reducing security complexity and cost. These benefits are delivered through the CrowdStrike Security Cloud, which correlates trillions of security events per day with indicators of attack, threat intelligence, and enterprise telemetry from across customer endpoints, workloads, identities, DevOps, IT assets, and configurations.
