Until recently, the focus of IT security has been to prevent external threats from accessing the systems and data inside the company network. In essence, the idea of “castle and moat” security was that, once a person was inside the network, they were trusted to behave in the best interests of the company.
This model has some inherent flaws. Most notably, once a network was breached, a hacker could theoretically access any of the organization’s computers and databases.
Another flaw is the assumption that individuals legitimately inside the company’s network should have access to sensitive company resources. The Association of Certified Fraud Examiners recently estimated that businesses worldwide lose more than $3.6 billion every year to internal fraud.
Therefore, in this age of on-premises, cloud, and hybrid networks and cloud-based business applications, companies are adopting a Zero Trust model to provide secure access to sensitive company assets. This model treats every attempt to gain access to a network, an application, or sensitive data as a potential security breach. Zero Trust follows the principle of least privilege: an individual is granted only the minimum access required to perform their job and no more.
The Zero Trust security model is becoming more and more prevalent in organizations today. In fact, the Federal government has adopted the Zero Trust model. In May 2021, the President issued an Executive Order “initiating a sweeping government-wide effort to ensure that baseline security practices are in place, to migrate the Federal Government to a zero-trust architecture, and to realize the security benefits of cloud-based infrastructure while mitigating associated risks.”
So, what is Zero Trust? In this blog, we discuss the general principles of the Zero Trust model and how Fastpath can help.
Zero Trust Architecture Principles
Zero Trust attempts to verify and limit access by focusing on the following areas:
Identity – The identity of every entity granted access to your network and company assets is verified. These entities include users, devices, and processes with remote access to your systems. Identity methods can include single sign-on, multifactor authentication, biometrics, and strong password enforcement.
Applications – Keeping applications updated so that security fixes are in place is part of maintaining a secure environment. User role definitions, which define the permissions granted to application data, and the assignment of those roles to users are both part of the Zero Trust model. This also extends to software used by employees that is not provided by the company but runs inside the company’s network, often referred to as “Shadow IT”.
Network – The Zero Trust model also encourages more security across the company’s network. This includes:
- Segmentation – which isolates portions of the network to minimize damage to company resources should a network breach occur.
- Threat detection and deterrence – detects and defends against malicious network attacks, such as DDoS or hacking.
- Data encryption – protects sensitive company data and intellectual property by encrypting all data traffic on company networks.
Data – In addition to encryption, data access is limited using least privilege principles. Data access is monitored to identify who is accessing sensitive data and what they are doing with that data.
The National Institute of Standards and Technology (NIST) has codified the fundamental principles of the Zero Trust Architecture (NIST Special Publication 800-207) as follows:
- All data sources and computing services are considered resources.
- All communication is secure regardless of network location. Network location does not imply trust.
- Access to individual enterprise resources is granted on a per-session basis. Trust in the requester is evaluated before the access is granted.
- Access to resources is determined by dynamic policy—including the observable state of client identity, application/service, and the requesting asset—and may include other behavioral and environmental attributes.
- The enterprise monitors and measures the integrity and security posture of all owned and associated assets. No asset is inherently trusted.
- All resource authentication and authorization are dynamic and strictly enforced before access is allowed.
- The enterprise collects as much information as possible about the current state of assets, network infrastructure, and communications and uses it to improve its security posture.
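The per-session, attribute-based decision that the NIST principles describe (trust evaluated before every grant, network location ignored, every check enforced every time) can be illustrated with a small policy decision function. The following is an added example written for this post, not code from the original article, from NIST, or from Fastpath; the role names, permission strings, device posture attributes and sample requests are constructed assumptions.

```python
"""Per-session access decision in the spirit of NIST SP 800-207.

Added illustration; not code from the original post or from Fastpath.
Role names, permission strings and device attributes are assumptions
constructed for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
import secrets


@dataclass(frozen=True)
class Identity:
    user: str
    authenticated: bool
    mfa_verified: bool
    roles: frozenset


@dataclass(frozen=True)
class Device:
    managed: bool                # enrolled in enterprise device management
    patched: bool                # posture check passed (assumed attribute)
    on_corporate_network: bool   # recorded for logging, never used for trust


@dataclass(frozen=True)
class Resource:
    name: str
    permission_needed: str


# Constructed role -> permission map (assumption for the example).
ROLE_PERMISSIONS = {
    "ap_clerk": frozenset({"invoice:read", "invoice:create"}),
    "ap_manager": frozenset({"invoice:read", "invoice:approve"}),
    "hr_analyst": frozenset({"payroll:read"}),
}


@dataclass
class Decision:
    allowed: bool
    reason: str
    session_token: Optional[str] = None
    expires_at: Optional[datetime] = None


def effective_permissions(identity: Identity) -> frozenset:
    """Union of the permissions granted by every role the identity holds."""
    perms = set()
    for role in identity.roles:
        perms |= ROLE_PERMISSIONS.get(role, frozenset())
    return frozenset(perms)


def decide(identity: Identity, device: Device, resource: Resource,
           now: Optional[datetime] = None, session_minutes: int = 15) -> Decision:
    """Evaluate one access request. Every check must pass on every request;
    nothing is inherited from an earlier session or from network location."""
    now = now or datetime.now(timezone.utc)
    if not identity.authenticated:
        return Decision(False, "identity not authenticated")
    if not identity.mfa_verified:
        return Decision(False, "multifactor authentication not verified")
    if not (device.managed and device.patched):
        return Decision(False, "device posture check failed")
    if resource.permission_needed not in effective_permissions(identity):
        return Decision(False, f"role grants no {resource.permission_needed}")
    # Short-lived, per-session grant; the next request is evaluated afresh.
    return Decision(True, "all checks passed",
                    session_token=secrets.token_urlsafe(16),
                    expires_at=now + timedelta(minutes=session_minutes))


def run_examples() -> dict:
    """Constructed requests: a clerk on a compliant laptop off-site, the same
    clerk asking for a permission the role lacks, and an unmanaged desktop
    that happens to sit on the corporate LAN."""
    clerk = Identity("alice", True, True, frozenset({"ap_clerk"}))
    create = Resource("ap-system", "invoice:create")
    approve = Resource("ap-system", "invoice:approve")
    good_laptop = Device(managed=True, patched=True, on_corporate_network=False)
    rogue_desktop = Device(managed=False, patched=True, on_corporate_network=True)
    return {
        "clerk_creates_invoice_from_home": decide(clerk, good_laptop, create),
        "clerk_approves_invoice": decide(clerk, good_laptop, approve),
        "unmanaged_device_on_lan": decide(clerk, rogue_desktop, create),
    }


if __name__ == "__main__":
    for name, d in run_examples().items():
        print(f"{name}: {'ALLOW' if d.allowed else 'DENY'} ({d.reason})")
```

Note that `on_corporate_network` is carried only so that it can be logged; the decision never reads it, which is the concrete meaning of "network location does not imply trust". The allow branch issues a fresh short-lived token rather than a standing entitlement, so trust is re-established per session as principle three requires.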
Benefits of Adopting the Zero Trust Model
Companies adopting a Zero Trust approach realize tangible benefits, including:
- Controlled access to sensitive data in sensitive business applications. Even if hackers gain access to the network, their reach is limited by least privilege access and network segmentation.
- Visibility into user access to network components and applications along with the actions performed with that access.
- Awareness and identification of threats and changes made through unauthorized access.
- Greater assurance that corporate assets are secured from internal and external threats, including theft, ransomware, and other malicious activities.
How Fastpath Can Help
Fastpath provides tools that can help your organization enforce least privilege access to your business-critical applications. Fastpath analyzes access by user, role, and privilege, down to the lowest levels of access. Fastpath can be a valuable component of the implementation of a Zero Trust Architecture.
- Use Fastpath’s Segregation of Duties to identify SOD risks within your business-critical applications and enforce least privilege access to user roles.
- Create secure roles using Fastpath’s Security Designer to control who has access and what they can do with that access. Test the roles for SOD risks and least privilege access before implementing them in production.
- Monitor transactions with Fastpath’s Audit Trail and create an audit trail of any changes users make to critical company data, with before and after snapshots of each change.
- Perform periodic reviews of users who have access to your systems as well as the role definitions and the access permissions these roles provide by using Fastpath’s Access Review and Access Certification modules.
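The review steps above (find segregation-of-duties conflicts in effective access, test a proposed role set for least privilege before it reaches production, and periodically re-run the review over all users) can be expressed as a short analysis over role and user assignments. The following is an added example written for this post, not Fastpath's code; the permission names, conflict pairs, roles, users and job-function baseline are constructed assumptions, and a real review would load these from the business application's security tables.

```python
"""Segregation-of-duties (SoD) and least-privilege review over role assignments.

Added illustration; not Fastpath's code. All permission names, conflict pairs,
roles, users and the job baseline are constructed assumptions.
"""

# Constructed role -> permission map (what each role grants).
ROLES = {
    "vendor_maint": {"vendor:create", "vendor:read"},
    "ap_payments": {"payment:create", "payment:read"},
    "ap_approver": {"payment:approve", "payment:read"},
    "reporting": {"payment:read", "vendor:read"},
    # A role that is itself conflicting: creating and approving the same payment.
    "ap_all": {"payment:create", "payment:approve", "payment:read"},
}

# Constructed conflicting permission pairs (classic procure-to-pay risks).
SOD_CONFLICTS = [
    ("vendor:create", "payment:create"),
    ("payment:create", "payment:approve"),
]

# Constructed user -> role assignments as they might be pulled from an application.
USERS = {
    "alice": ["vendor_maint", "ap_payments"],
    "bob": ["ap_approver"],
    "carol": ["ap_payments", "ap_approver", "reporting"],
    "dave": ["reporting"],
}

# Constructed job-function baseline: the permissions a job actually needs.
JOB_BASELINE = {
    "ap_clerk": {"payment:create", "payment:read", "vendor:read"},
}


def effective_permissions(user: str) -> set:
    """Union of permissions from every role the user holds."""
    perms = set()
    for role in USERS.get(user, []):
        perms |= ROLES.get(role, set())
    return perms


def conflicts_in(perms: set) -> list:
    """Conflict pairs fully contained in a permission set, in a stable order."""
    return sorted((a, b) for a, b in SOD_CONFLICTS if a in perms and b in perms)


def sod_violations(user: str) -> list:
    """SoD conflicts a user holds, including those created only by combining roles."""
    return conflicts_in(effective_permissions(user))


def review_all_users() -> dict:
    """Periodic review: every user with at least one SoD conflict."""
    findings = {u: sod_violations(u) for u in USERS}
    return {u: v for u, v in findings.items() if v}


def role_sod_violations() -> dict:
    """Design-time check: roles that carry a conflict inside a single role."""
    findings = {r: conflicts_in(p) for r, p in ROLES.items()}
    return {r: v for r, v in findings.items() if v}


def excess_permissions(role_set: list, job: str) -> list:
    """Least-privilege test for a proposed role set: permissions beyond the job's baseline."""
    granted = set().union(*(ROLES[r] for r in role_set))
    return sorted(granted - JOB_BASELINE[job])


if __name__ == "__main__":
    print("Users with SoD conflicts:", review_all_users())
    print("Roles with built-in conflicts:", role_sod_violations())
    print("Excess for proposed ap_clerk roles:",
          excess_permissions(["ap_payments", "vendor_maint"], "ap_clerk"))
```

The user-level check matters because neither of alice's roles is conflicting on its own; the conflict appears only when the two are combined, which is why a review has to evaluate effective access rather than roles in isolation. The `excess_permissions` check is the "test before production" step: a proposed role set for a job is compared against what that job needs, and anything extra is reported before the roles are assigned.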
Ultimately, security can never be left to a single piece of software or network configuration. Instead, it is and always has been a combination of People, Process, and Technology that keeps your company, its network, and its data safe and secure.
Find out more. See how Fastpath can help your company create a more secure business environment. Schedule a demonstration of Fastpath today.