itfoundations
Originally posted on February 05, 2025
Last updated on February 05, 2025
This blog delves into the core principles of Zero Trust, what it is, and how it compares to conventional security principles. We also consider the balance between security and usability in adopting Zero Trust, and compare options for implementing it.
Zero Trust is a security framework that operates on the principle of "never trust, always verify."
"Framework" is a word used a lot in IT. It describes a series of documented processes, policies and procedures around the implementation and ongoing management of a system (such as information security).
Traditional security models focus on perimeter defences (such as user-account logins and firewalls), which assume that once you are inside a network or an ecosystem you are allowed to be there.
Zero Trust assumes that threats can exist both inside and outside the network, so no user or device is trusted by default. Instead, every access request is thoroughly verified, regardless of its origin. This involves continuous authentication, strict access controls and real-time monitoring to ensure that only authorised users and devices can access sensitive data and systems. The goal is to minimise the risk of data breaches and enhance overall security by treating every access attempt as potentially hostile.
This approach significantly reduces the risk of data breaches by ensuring that only authenticated and authorised users and devices can access resources.
The core principle of "never trust, always verify" means that access is granted only after strict identity verification, so that each user and device is authenticated and authorised before it can reach any resource.
What this means in practice is that before anyone can access a business resource, they must prove four things:
An important part of the Zero Trust framework is ensuring that all of these activities are continuously re-appraised, are logged, and are assessed for any changes in user behaviour or device status.
There is no one-size-fits-all solution for Zero Trust. There are multiple ways of implementing this approach and a corresponding range of costs.
It is worth stating that there are also no magic plug-and-play solutions for implementing Zero Trust. All the solutions require substantial legwork to identify and manage who should have access to what.
Zero Trust is predominantly implemented using a combination of device agents and cloud gateways. One controls the behaviour of applications, and the other controls access to data. Both verify identity.
Both approaches work together to provide powerful protection for your data.
ThreatLocker is a good example of a control that operates at the device level, using an agent to restrict application installations and their operations to pre-allowed actions only.
One of the key features of ThreatLocker is its application allowlisting. This process begins with monitoring the behaviour of applications within the network and on the device. By observing which applications are used and how they interact with the system, ThreatLocker can build a comprehensive allowlist of approved software. This allowlist is then enforced, blocking any application or script that is not explicitly allowed. This approach not only prevents known threats but also mitigates the risk posed by unknown or zero-day vulnerabilities.
In addition to allowlisting, ThreatLocker employs a technique they call Ringfencing. This feature adds an extra layer of security by controlling how approved applications can interact with each other and with system resources. For example, it can prevent an application from accessing the internet or interacting with other software unless explicitly permitted. This containment strategy helps to prevent the exploitation of legitimate tools by malicious actors.
Cloudflare and GoodAccess are examples of Secure Access Service Edge (SASE) solutions. Unlike ThreatLocker, they don't need an agent installed on each device; instead, they primarily operate from the cloud. They can be thought of as security guards that block access to cloud systems until the person is verified. They sit in front of products like Microsoft 365 or Dropbox and restrict access to them.
They can also be used to protect internal networks before granting permissions to network resources by routing internal requests out to the cloud and back.
These services will regularly check that the user, the device, and the location are all permitted to access resources.
It is worth noting that Cloudflare, and others, do technically now offer an end-to-end Zero Trust experience with device-based apps but historically they were purely cloud-based.
Both approaches can live side by side, providing very comprehensive protection. But the cost does ramp up, and businesses need to weigh the cost against the benefit of adopting either or both types of solution.
Scaled-down Zero Trust can be implemented simply through Microsoft policy management and tools like Intune. It is not as comprehensive, nor is it true Zero Trust, but using policies you can restrict access to specific IP addresses or geographic regions. You can also require users to sign in regularly, and Single Sign-On (SSO) can be used to prove user identity. It is a step in the right direction but not a replacement for a dedicated solution.
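The per-request checks described above (identity, device state, source network, country and how recently the user signed in) can be modelled as a small policy-decision function. This is an added illustration, not code from the original post or from any of the products named; the policy values are constructed, and the device-compliance flag is assumed to come from a device agent or MDM such as Intune while the IP and country are assumed to come from the gateway.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

# Constructed policy (assumption, not a real tenant's configuration).
ALLOWED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # office egress range (documentation prefix)
ALLOWED_COUNTRIES = {"GB"}
MAX_SESSION_AGE_HOURS = 8.0  # beyond this the user must sign in again


@dataclass
class AccessRequest:
    user: str
    mfa_passed: bool          # identity: did SSO/MFA succeed for this session?
    device_compliant: bool    # device: compliance state reported by the agent/MDM
    source_ip: str            # location: address seen by the gateway
    country: str              # location: ISO country code from the gateway's geo lookup
    session_age_hours: float  # session: time since last interactive sign-in


def evaluate(req: AccessRequest) -> tuple[bool, list[str]]:
    """Evaluate one request and return (allowed, reasons).

    Every check runs on every request rather than once at login, which is the
    "continuously re-appraised" part of Zero Trust; all failing checks are
    collected so the log entry explains the full decision, not just the first miss.
    """
    reasons: list[str] = []
    if not req.mfa_passed:
        reasons.append("identity: MFA not satisfied")
    if not req.device_compliant:
        reasons.append("device: not compliant")
    ip = ipaddress.ip_address(req.source_ip)
    if not any(ip in net for net in ALLOWED_NETWORKS):
        reasons.append(f"location: {req.source_ip} outside allowed networks")
    if req.country not in ALLOWED_COUNTRIES:
        reasons.append(f"location: country {req.country} not permitted")
    if req.session_age_hours > MAX_SESSION_AGE_HOURS:
        reasons.append("session: re-authentication required")
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed sample requests: one that passes every check, one that fails several.
    for r in (AccessRequest("alice", True, True, "203.0.113.7", "GB", 1.0),
              AccessRequest("bob", True, False, "198.51.100.9", "GB", 9.0)):
        allowed, why = evaluate(r)
        print(r.user, "ALLOW" if allowed else "DENY", "; ".join(why))
```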
While Zero Trust offers enhanced security, its implementation can pose challenges, particularly in balancing security and usability. Poorly implemented Zero Trust can lead to user frustration, especially if users are required to manually validate their identity frequently.
To mitigate this, organisations should leverage modern authentication methods such as SSO and multi-factor authentication (MFA). It's also easy to streamline Zero Trust for users by using modern, secure hardware that incorporates built-in facial recognition or fingerprint scanners.
These methods keep the user experience seamless while maintaining robust security. It's also crucial to ensure that the Zero Trust policies are flexible enough to adapt to different user roles and workflows without compromising security.
The future of Zero Trust lies in the integration of advanced technologies, creating a more secure and user-friendly environment. By continually evolving and adapting to new threats, Zero Trust will remain a cornerstone of cyber security strategies in the years to come.
If you'd like to explore implementing Zero Trust in your business, then get in touch with us today. Our Edinburgh-based experts can help you plan and implement your solution.