Zero Trust: Best Practices for Preventing Misunderstandings and Mistakes
Zero Trust can be perplexing when it devolves into just another marketing buzzword. Let’s clarify what it really means.
There are different interpretations of Zero Trust. Many manufacturers try to sell products to their customers that are labeled as Zero Trust, but they really mean something else. We clarify what Zero Trust really means.
In recent years, the term "Zero Trust" has become one of the most important buzzwords in the field of IT security. However, different interpretations and definitions have developed. At its core, Zero Trust, according to the definition of the American National Institute of Standards and Technology (NIST), focuses on the protection of all resources in the company – and on the maxim that trust must never be tacitly granted, but needs constant review.
Perimeter security allows authenticated individuals or devices extensive access to internal resources, which is not the case with Zero Trust. Once attackers have penetrated a network, they can move laterally through the network relatively easily. Firewalls on the perimeter are intended to protect against external attacks, but they do not provide security against insider attacks. Moreover, they do not protect employees working outside the network or integrated cloud services.
A Zero Trust architecture, on the other hand, focuses on preventing unauthorized access to data and services. To do this, it needs access controls that are as granular as possible. At its core, Zero Trust is about authentication, authorization and, of course, encryption. In August 2020, NIST compiled seven principles as "Zero Trust Basics" in Special Publication 800-207, which clearly describes the Zero Trust concept:
Many other aspects that security firms offer under the Zero Trust label are more or less meaningful additions, but they are not among the core components of a robust Zero Trust strategy.
NIST recommends six assumptions to be considered during implementation. They show how networks are perceived from a Zero Trust approach:
As such, a Zero Trust approach includes identities, credentials, access management, processes, endpoints, hosting environments, and the network infrastructure.
Zero Trust is not a product; it is a general IT security approach that follows the principle of least privilege. With Zero Trust, users and their end devices are no longer blindly trusted. Users are only granted access to the data they need to do their work.
In the background, a Zero Trust solution checks whether each data access attempt is authorized. This limits the scope for cybercriminals, as even successful attacks would only affect a small part of the network. Should an incident nevertheless occur, the affected resource can simply be shut down and the threat neutralized. This does not require the entire system to be switched off, as is otherwise often the case.
NCP's security solutions have been based on the same principle used by Zero Trust for many years. Unlike traditional VPN products, NCP solutions offer far more than just encrypted connections to customers' servers. Instead, NCP consistently offers holistic protection. With NCP Secure Enterprise Management (SEM), administrators of a company can manage the access rights of user groups or individual users granularly according to the Zero Trust principle.
NCP’s solutions enable companies to authenticate users and their devices securely. NCP uses advanced security technology such as multi-factor authentication (MFA), certificates for users and machines as well as endpoint policy checks, which ensure that virus scanners and operating systems are up to date. Only devices that have all required updates can connect to the company network. Access rights can be assigned on the basis of predefined roles or granularly. Further features include advanced firewall configuration and central application management for precisely defining which users, groups and applications are allowed to access specific resources in the network. With these measures in place, attackers won’t stand a chance of gaining unauthorized access to the network.
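The per-request check described above (user authentication with MFA, a valid machine certificate, an endpoint policy check, and a least-privilege role grant) can be expressed as a default-deny decision function. This is an added example, not NCP's code or API; the role names, resources, field names and sample requests are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, replace

# Hypothetical least-privilege grants: role -> allowed (resource, action) pairs.
# Anything not listed here is denied.
ROLE_GRANTS = {
    "finance": {("erp/invoices", "read"), ("erp/invoices", "write")},
    "auditor": {("erp/invoices", "read")},
    "helpdesk": {("tickets", "read"), ("tickets", "write")},
}

@dataclass(frozen=True)
class AccessRequest:
    user: str
    roles: frozenset
    mfa_passed: bool         # user authentication result
    device_cert_valid: bool  # machine certificate verified
    os_patched: bool         # endpoint policy: operating system up to date
    av_current: bool         # endpoint policy: virus scanner up to date
    resource: str
    action: str

def decide(req: AccessRequest) -> tuple:
    """Evaluate one access attempt; returns (allowed, reason). Default deny."""
    if not req.mfa_passed:
        return False, "user not authenticated with MFA"
    if not req.device_cert_valid:
        return False, "device certificate invalid"
    if not (req.os_patched and req.av_current):
        return False, "endpoint policy check failed"
    for role in sorted(req.roles):  # sorted so the reported role is stable
        if (req.resource, req.action) in ROLE_GRANTS.get(role, set()):
            return True, f"granted via role {role}"
    return False, "no role grants this action on this resource"

# Constructed sample requests (not real users or systems).
BASE = AccessRequest("alice", frozenset({"auditor"}), True, True, True, True,
                     "erp/invoices", "read")
SAMPLES = {
    "compliant read": BASE,
    "write beyond role": replace(BASE, action="write"),
    "outdated scanner": replace(BASE, av_current=False),
    "unrelated resource": replace(BASE, resource="tickets"),
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(f"{name:20} -> {decide(req)}")
```

Because the function runs on every request rather than once at connection time, a device that falls out of compliance or a user whose role changes loses access on the next attempt.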