There are different interpretations of Zero Trust. Many manufacturers try to sell products to their customers that are labeled as Zero Trust, but they really mean something else. We clarify what Zero Trust really means.
In recent years, the term "Zero Trust" has become one of the most important buzzwords in the field of IT security. However, different interpretations and definitions have developed. At its core, Zero Trust, according to the definition of the American National Institute of Standards and Technology (NIST), focuses on the protection of all resources in the company – and on the maxim that trust must never be tacitly granted, but needs constant review.
Difference between Zero Trust and perimeter security
Perimeter security allows authenticated individuals or devices extensive access to internal resources, which is not the case with Zero Trust. Once attackers have penetrated a perimeter-protected network, they can move laterally through it relatively easily. Firewalls on the perimeter are intended to protect against external attacks, but they do not provide security against insider attacks. Moreover, they do not protect employees working outside the network or integrated cloud services.
A Zero Trust architecture, on the other hand, focuses on preventing unauthorized access to data and services. To do this, it needs access controls that are as granular as possible. At its core, Zero Trust is about authentication, authorization and, of course, encryption. In August 2020, NIST compiled seven principles as "Zero Trust Basics" in Special Publication 800-207, which clearly describes the Zero Trust concept:
- All data and services are resources that need protection.
- All communication must be secure, no matter where it takes place.
- Access to individual resources is only allowed for the current session.
- Access is only granted on the basis of dynamic policies, which check the identity of the user, the resource required and the requested assets, but also take into account other situation-dependent circumstances. There are parallels to the Least Privilege principle here.
- All access attempts and assets are monitored continuously.
- Authentication and authorization are always dynamic and strictly enforced.
- As much data as possible about the current state of the assets, the network infrastructure and communication is collected and evaluated in order to increase security.
Many other aspects that security firms offer under the Zero Trust label are more or less meaningful additions, but they are not among the core components of a robust Zero Trust strategy.
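The principles above can be read as a default-deny decision taken per request and per session. The following sketch is an added example, not code from NIST or any vendor; the role table, the posture flags, the 900-second session lifetime and all function names are assumptions made for illustration.

```python
import time
from dataclasses import dataclass

# Constructed policy: role -> resources it may reach (least privilege).
ROLE_RESOURCES = {"finance": {"erp"}, "admin": {"erp", "hr-db"}}
SESSION_TTL = 900  # seconds; assumed value, a grant never outlives its session
AUDIT_LOG = []     # every decision is recorded, allowed or denied


@dataclass(frozen=True)
class Request:
    user: str
    role: str
    mfa_passed: bool
    device_cert_valid: bool
    os_patched: bool
    av_current: bool
    encrypted_channel: bool
    resource: str


def decide(req, now=None):
    """Return (allowed, reason, expires_at); anything not explicitly allowed is denied."""
    now = time.time() if now is None else now
    checks = [
        (req.encrypted_channel, "channel not encrypted"),
        (req.mfa_passed, "user not authenticated with MFA"),
        (req.device_cert_valid, "device certificate invalid"),
        (req.os_patched and req.av_current, "endpoint posture check failed"),
        (req.resource in ROLE_RESOURCES.get(req.role, set()),
         "role not authorized for resource"),
    ]
    for ok, reason in checks:
        if not ok:
            AUDIT_LOG.append((now, req.user, req.resource, "deny", reason))
            return False, reason, None
    AUDIT_LOG.append((now, req.user, req.resource, "allow", "all checks passed"))
    return True, "all checks passed", now + SESSION_TTL


def still_valid(req, expires_at, now):
    """Re-evaluate a running session: the grant must be unexpired and the
    current identity and device state must still pass every check."""
    return now < expires_at and decide(req, now)[0]
```

A session that was granted earlier is rejected by `still_valid` as soon as the device falls out of compliance or the grant expires, which is the difference from a one-time check at the perimeter.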
What networks look like from a Zero Trust perspective
NIST recommends six assumptions to be considered during implementation. They show how networks are perceived from a Zero Trust perspective:
- No area of the corporate network is considered a trusted zone. Always behave as if there is already an attacker in the network. This also means that all connections must be authenticated and encrypted.
- There may be devices on the network that neither belong to the company nor can be configured by the company. These include BYOD devices (Bring Your Own Device) or hardware and software from business partners that may temporarily access the network.
- No resource is trustworthy per se. Each asset must be evaluated before it is allowed to access the network. This applies for the entire duration of each session.
- Not all of a company's resources are within the controlled infrastructure. This includes, in particular, cloud services or the home office of employees. This means that some devices need to access remote and thus insecure networks in order to connect to the company network.
- Remote networks are always used for connections but are generally also classified as insecure. Not only remote structures are considered potentially hostile. Remote traffic could be monitored and possibly altered by potential attackers.
- Assets and workflows that move from the company network to structures not controlled by the company or vice versa must maintain their defined level of security. This applies above all to internal workloads that are migrated to the cloud.
As such, the Zero Trust approach includes identities, credentials, access management, processes, endpoints, hosting environments, and the network infrastructure.
Why Zero Trust is more than a specific product
Zero Trust is not a product, it is a general IT security approach that follows the principle of least privilege. Thanks to Zero Trust, users and their end devices are no longer blindly trusted. Users are only granted access to the data they need to do their work.
In the background, a Zero Trust solution checks whether each data access attempt is authorized. This limits the scope for cybercriminals, as even successful attacks would only affect a small part of the network. Should an incident nevertheless occur, the affected resource can simply be shut down and the threat neutralized. Unlike what is often the case otherwise, this does not require the entire system to be switched off.
Long-term advocate of Zero Trust principles
NCP's security solutions have been based on the same principle used by Zero Trust for many years. Unlike traditional VPN products, NCP solutions offer far more than just encrypted connections to customers' servers. Instead, NCP consistently offers holistic protection. With NCP Secure Enterprise Management (SEM), administrators of a company can manage the access rights of user groups or individual users granularly according to the Zero Trust principle.
NCP’s solutions enable companies to authenticate users and their devices securely. NCP uses advanced security technology such as multi-factor authentication (MFA), certificates for users and machines as well as endpoint policy checks, which ensure that virus scanners and operating systems are up to date. Only devices that have all required updates can connect to the company network. Access rights can be assigned on the basis of predefined roles or granularly. Further features include advanced firewall configuration and central application management for precisely defining which users, groups and applications are allowed to access specific resources in the network. With these measures in place, attackers won’t stand a chance of gaining unauthorized access to the network.