5 Tips for Incorporating Zero Trust Principles Into Networking
By: Alan Seal on August 28, 2019
The expansion of cloud computing and “always on” Internet of Things (IoT) devices has fundamentally changed the way organizations look at network security architecture. Not only can cyberattacks come from anywhere at any time, but the potential for insider threat is also greater than ever because of the distributed nature of networks and the limited security awareness of many employees. Given these dangers, it’s hardly a surprise that the Zero Trust security framework has become a mainstay of many networking solutions and colocation data center security standards.
What is Zero Trust Architecture?
Developed by Forrester Research to address the core vulnerabilities of conventional software security architecture, the Zero Trust model begins with the baseline assumption that just because something is inside the network perimeter doesn’t mean it should be trusted to access whatever it wants. Identity must always be verified before any access is granted, which helps to create multiple layers of security within a network environment. As more organizations implement edge computing frameworks and expand the number of devices present in their networks, Zero Trust networking will help them to maintain security even as the potential number of attack vectors expands.
5 Tips for Incorporating Zero Trust Principles Into Networking
1. Authentication-Focused Data Center Security Standards
While the Zero Trust security framework generally applies to network security architecture, the same principles can be applied to the physical access standards involved in data center security. Colocation facilities are tasked with safeguarding their customers’ critical IT assets. By implementing layered security protocols that require multi-factor authentication, they can ensure that only authorized personnel can access the hardware that stores valuable data and applications. Security measures like biometric scanners and rigorously maintained access lists help protect the infrastructure that forms the backbone of any network.
2. Verify Everyone (and Everything)
A true Zero Trust architecture takes nothing for granted. Access requests can come from any direction, both from within the network and from outside it. Keeping an up-to-date directory of enterprise identities is critical to limiting risk. Segmentation technology allows network security to populate different directories with unique accounts and end-user identities. This not only includes authorized employees, but also bots and other programs that might need to access systems as part of an automated workload. Multi-factor authentication should be in place at every level of access any time a new request is made within the system, especially when it comes to privileged access. This ensures that even if someone (or something, in the case of malware) manages to get past one layer of security, it will encounter additional roadblocks to mitigate the potential for damage.
3. Contextualize Requests
Simply providing authentication isn’t enough for many Zero Trust networks. Not only should the system verify WHO is accessing a database or application, it should also investigate WHY they are accessing it. If someone is not scheduled to perform an action or access some part of the network on a given day, any attempt to do so should send up a red flag. By requiring users to provide the context for their access request, a Zero Trust architecture can establish a more transparent record of system activity. When every action is accompanied by a contextual explanation of why it was taken, it becomes easier to isolate irregularities and limit potential security risks in the future.
4. Grant Least Privilege
One of the cornerstones of Zero Trust networking is the concept of “least privilege” access. The primary way attackers compromise a network is through lateral movement: gaining entry at one location and then moving laterally through the system until they find something they want to access or steal. “Least privilege” works on the assumption that no single user of the network needs access to the entire system at any one time. Rather, users receive granular, role-based access according to their current task. To reach additional areas of the network, they must go through the authentication process again, providing both their identity and a contextual request for access. Once they have performed the task they’re authorized to perform, their privileges revert to the “least privilege” baseline, so the next time they need to reach a sensitive area they must repeat the process. This approach to granting privilege severely limits the risk of unauthorized lateral movement.
5. Implement Adaptive Controls
Thanks to machine learning algorithms, network systems are now capable of analyzing a user’s behavior over time to identify anomalies. These irregularities could be causes for flagging access requests or denying them altogether. For instance, if an administrator generally accesses a system from their office, but tries to do so from another location, adaptive access controls could be instructed to deny their request even if they enter the proper credentials. Machine learning analytics software can scan and evaluate every session to identify unusual behavior that could pose a risk to the system. For a hyper-vigilant company, adaptive controls can even be instructed to terminate sessions, flag users for additional monitoring, or even notify security of potential wrongdoing.
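Tips 2 through 5 describe a single decision flow, so the following is an added Python example (not code from the original article or from vXchnge) that implements them as one policy decision point: MFA is re-proven on every request, an unfamiliar location denies even valid credentials, a sensitive resource needs a justification and a scheduled work item, and the resulting elevation is task-scoped and reverts after a fixed lifetime. The resources, identities, roles, schedule, locations, ticket ids and the 30-minute lifetime are all constructed for the example; they are one illustrative reading of the tips, not the behaviour of any particular product.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Constructed sample policy data (hypothetical resources, people and places).
RESOURCE_POLICY: Dict[str, Dict] = {
    "wiki":  {"roles": {"employee", "hr-admin"}, "sensitive": False},
    "hr-db": {"roles": {"hr-admin"}, "sensitive": True},
}
# Tip 3: scheduled work items, identity -> {(resource, ISO date)}.
SCHEDULE: Dict[str, Set[Tuple[str, str]]] = {"alice": {("hr-db", "2019-08-28")}}
# Tip 5: locations each identity has been seen from before (the behavioural baseline).
LOCATION_HISTORY: Dict[str, Set[str]] = {"alice": {"hq-office"}, "backup-bot": {"dc-east"}}
# Tip 4: how long a task-scoped elevation lasts before privilege reverts (constructed value).
ELEVATION_TTL = timedelta(minutes=30)


@dataclass
class Identity:
    name: str
    roles: Set[str]
    mfa_verified: bool  # proven for this request, never remembered from an earlier one


@dataclass
class Request:
    identity: Identity
    resource: str
    location: str
    at: datetime
    justification: str = ""  # the WHY of the request; empty means none was supplied


@dataclass
class Decision:
    allowed: bool
    reasons: List[str] = field(default_factory=list)


class PolicyEngine:
    """Evaluates every request from scratch; nothing is trusted for being inside."""

    def __init__(self) -> None:
        # Active least-privilege elevations: (identity, resource) -> expiry time.
        self.elevations: Dict[Tuple[str, str], datetime] = {}

    def evaluate(self, req: Request) -> Decision:
        ident = req.identity
        policy = RESOURCE_POLICY.get(req.resource)
        if policy is None:
            return Decision(False, ["unknown resource"])
        # Tip 2: verify everyone and everything on every request, bots included.
        if not ident.mfa_verified:
            return Decision(False, ["mfa required"])
        if not ident.roles & policy["roles"]:
            return Decision(False, ["role not permitted for resource"])
        # Tip 5: adaptive control; valid credentials from an unfamiliar location still fail.
        if req.location not in LOCATION_HISTORY.get(ident.name, set()):
            return Decision(False, ["anomalous location; request denied and flagged"])
        if not policy["sensitive"]:
            return Decision(True, ["non-sensitive resource; identity checks passed"])
        # Tip 4: sensitive resources need a task-scoped elevation that expires.
        key = (ident.name, req.resource)
        expiry = self.elevations.get(key)
        if expiry is not None and req.at < expiry:
            return Decision(True, ["active elevation until %s" % expiry.isoformat()])
        self.elevations.pop(key, None)  # expired: privilege reverts to the baseline
        # Tip 3: contextualize; no justification or no scheduled work raises a red flag.
        if not req.justification:
            return Decision(False, ["justification required for sensitive resource"])
        work_item = (req.resource, req.at.date().isoformat())
        if work_item not in SCHEDULE.get(ident.name, set()):
            return Decision(False, ["access not scheduled for today; flagged for review"])
        self.elevations[key] = req.at + ELEVATION_TTL
        return Decision(True, ["elevation granted until %s" % self.elevations[key].isoformat()])


def run_scenarios() -> Dict[str, bool]:
    """Walk constructed identities through the tips; returns scenario name -> allowed."""
    engine = PolicyEngine()
    alice = Identity("alice", {"employee", "hr-admin"}, mfa_verified=True)
    alice_no_mfa = Identity("alice", {"employee", "hr-admin"}, mfa_verified=False)
    bot = Identity("backup-bot", {"employee"}, mfa_verified=True)
    t0 = datetime(2019, 8, 28, 9, 0)
    scenarios = {  # order matters: the elevation is granted part-way through
        "wiki_from_office": Request(alice, "wiki", "hq-office", t0),
        "wiki_without_mfa": Request(alice_no_mfa, "wiki", "hq-office", t0),
        "wiki_from_unknown_place": Request(alice, "wiki", "cafe-wifi", t0),
        "bot_wrong_role_for_hr_db": Request(bot, "hr-db", "dc-east", t0),
        "hr_db_no_justification": Request(alice, "hr-db", "hq-office", t0),
        "hr_db_with_ticket": Request(alice, "hr-db", "hq-office", t0, "ticket HR-0001 (constructed)"),
        "hr_db_within_elevation": Request(alice, "hr-db", "hq-office", t0 + timedelta(minutes=10)),
        "hr_db_after_elevation_expired": Request(alice, "hr-db", "hq-office", t0 + timedelta(minutes=45)),
        "hr_db_unscheduled_day": Request(alice, "hr-db", "hq-office", t0 + timedelta(days=1), "ticket HR-0002 (constructed)"),
    }
    results: Dict[str, bool] = {}
    for name, req in scenarios.items():
        decision = engine.evaluate(req)
        results[name] = decision.allowed
        print("%-30s %-5s %s" % (name, "ALLOW" if decision.allowed else "DENY", "; ".join(decision.reasons)))
    return results


if __name__ == "__main__":
    run_scenarios()
```

Running the module prints one ALLOW/DENY line per scenario with the reason, which is also the audit trail tip 3 asks for: every decision carries the context it was made on. The ordering of checks is deliberate: identity and location are settled before any privilege question, so an anomalous session is rejected before it can even ask for elevation, and an expired elevation is simply absent, which makes the revert to least privilege the default rather than a cleanup step.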
By incorporating Zero Trust architecture into their network security, organizations can greatly reduce the risk of data breaches and better protect their proprietary assets. Building a Zero Trust security framework within a colocation facility that takes the same approach to its data center security standards provides an additional layer of protection, ensuring that no unauthorized visitors will be able to access valuable hardware. As the proliferation of devices and the expansion of network surfaces creates new potential vulnerabilities, Zero Trust networking will likely become the established standard for security architecture models.
About Alan Seal
Alan Seal is the VP of Engineering at vXchnge. Alan is responsible for managing teams in IT support and infrastructure, app development, QA, and ERP business systems.