What is Zero Trust Security?
In 2010, John Kindervag, then an analyst at Forrester Research, described the security architecture we now know as Zero Trust. He observed that many breaches succeed because organizations extend too much trust to their employees, devices and network locations. The Zero Trust model replaces the old policy of "trust, but verify" with "never trust, always verify" for every access request. All users, regardless of location, must be authenticated and authorized before they are allowed access to the network and to the applications and data that reside inside it.
A simple comparison: in traditional physical security, a guard is positioned in the lobby of an office building and checks that only authorized personnel get in; once inside, people move freely. The Zero Trust model is the equivalent of posting a guard outside every single door in the building.
By limiting the privilege level of every user and device for each component, application and service on the network, the model sharply reduces the opportunities for someone with malicious intent to reach sensitive content. Regardless of how many times you have accessed the network before, your identity is not trusted until it is verified again. In short, every user, device and server is untrusted until proven otherwise.
The rapid rise in remote working has pushed many companies to implement Zero Trust quickly in order to stay secure. Firewalls, strong password policies and mandatory antivirus alone are no longer sufficient. New attack techniques appear constantly, and a company that is not aware of this and does not invest in prevention risks severe consequences.
The Zero Trust Security Model, Explained
The National Institute of Standards and Technology (NIST) states that the goal of Zero Trust is to prevent unauthorized access to data and services while making access control enforcement as granular as possible. In other words, the lower the privilege level the better; this is achieved through authentication, authorization and a reduction in the use of implicit trust.
NIST published Special Publication 800-207, "Zero Trust Architecture", in August 2020 to give organizations clear, structured guidance for judging whether their network security holds up against current threats, in particular those that accompany remote working. A large proportion of users now operate beyond the network perimeter, reaching internal systems through services such as VPN, SSH and RDP.
It is critically important that companies focus on minimizing the blast radius of an attack by removing default access and granting only what is strictly needed. This can be accomplished through a variety of measures, including mandatory multi-factor authentication, network segmentation with strict rules and end-to-end encryption on every link.
NIST SP 800-207 itself lists seven tenets of Zero Trust; they are commonly summarized (notably in Microsoft's Zero Trust guidance) as three principles:
- Verify Explicitly: Instead of granting access to anyone who presents valid credentials for a user account, organizations should authenticate and authorize end users based on all available data points, including user identity, physical location, device health, data classification and detected anomalies. Access to every resource should be evaluated and reviewed regularly, in a consistent and secure manner, using multiple static and dynamic attributes to determine a confidence level for each access decision.
- Least Privilege: By default users should be given the least privilege they require to complete their work. This can be accomplished using Just-In-Time and Just-Enough Access (JIT/JEA), risk-based adaptive policies, and data protection controls that safeguard data without blocking productivity. Each request should be authenticated and explicitly authorized to the least privilege required, using dynamic security policies.
- Assume Breach: Companies should defend and operate on the assumption that they have already been compromised and that an adversary is already present within the network. For this reason, deny by default should be in place and all users, devices, data and requests should be scrutinized on every access. Continuous monitoring of configuration changes, access requests and network traffic is necessary for visibility. Having these controls in place greatly helps reduce the blast radius of a breach.
Developing a Zero Trust Security Architecture
Building a Zero Trust architecture is usually less disruptive than it sounds, because you amend your existing infrastructure rather than replacing it in one expensive overhaul, and you can build on the tools and services you already have in place. That does not mean there are no pitfalls if the result is configured incorrectly.
For example, if an employee changes job roles internally but their access level isn’t promptly updated they could potentially not have access to what they require, or worse have too much access. There are many paths to Zero Trust, and as long as you comply with the principles you can classify yourself as a Zero Trust organization.
Zero Trust Security Considerations
- Identify and visualize: You need an inventory of every resource, user, access level, data store, asset, service and application, and an understanding of how they interact with one another. Recognizing the most critical components lets you prioritize them first. It is also wise to map the internal transaction flows; this shows how traffic moves across the network and how each flow should be protected. A capable network monitoring system should be in place to support this.
- Existing security stack: The last thing you want to do is break existing security policies, which are already providing good protection to the network.
- Creating Zero Trust policies: Once the network is well documented and you understand how everything works together, you can start writing policies. A useful way to define them is the "Kipling Method", named after Rudyard Kipling's poem "I Keep Six Honest Serving-Men" and its six questions: who, what, when, where, why and how. Applied to an access policy: Who should have access to the resource? What application is being used to access the resource? When is the resource being accessed? Where is the traffic going (the destination)? Why is the request being made, that is, for what business purpose? How is the resource being accessed (which protocol and application)?
- Monitoring & maintaining: The infrastructure must be monitored continuously, which includes reviewing all logs, both internal and external, at every network layer. Inspecting and logging traffic provides valuable insight into how the network actually behaves and how to improve it going forward.
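The three principles above (verify explicitly, least privilege, assume breach) and the Kipling Method come together in the policy decision point that answers each access request. The following is an added example, not Portnox code or anything from NIST SP 800-207; it is a minimal policy engine in which every request is denied unless an explicitly matching policy allows it, each policy is written with the six Kipling fields plus a source-network check, device posture and MFA are checked on every request, and access also requires an unexpired just-in-time grant. All users, groups, applications, hostnames, IP ranges and the change ticket ID are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset        # who: group memberships from the identity provider
    app: str                 # what: client application making the request
    resource: str            # where: destination service
    purpose: str             # why: declared reason, e.g. a change ticket ID
    protocol: str            # how: protocol used to reach the resource
    src_ip: str              # source address of the request
    device_compliant: bool   # device posture as reported by MDM/NAC
    mfa_verified: bool       # MFA completed for this session
    at: datetime             # UTC time of the request


@dataclass(frozen=True)
class Policy:
    name: str
    who: frozenset           # groups permitted
    what: frozenset          # approved client applications
    where: str               # the one resource this policy covers
    why: frozenset           # accepted purposes
    how: frozenset           # permitted protocols
    when: tuple              # (start_hour, end_hour) in UTC, end exclusive
    from_nets: tuple         # permitted source networks (CIDR strings)
    requires_mfa: bool = True


@dataclass(frozen=True)
class Grant:
    """Just-in-time grant: access exists only while the grant is unexpired."""
    user: str
    resource: str
    expires: datetime


def _has_active_grant(req: Request, grants: list) -> bool:
    return any(g.user == req.user and g.resource == req.resource and g.expires > req.at
               for g in grants)


def _violations(req: Request, p: Policy) -> list:
    """Names of the Kipling fields (plus source network and MFA) the request fails."""
    checks = {
        "who": bool(req.groups & p.who),
        "what": req.app in p.what,
        "when": p.when[0] <= req.at.hour < p.when[1],
        "source_net": any(ip_address(req.src_ip) in ip_network(n) for n in p.from_nets),
        "why": req.purpose in p.why,
        "how": req.protocol in p.how,
        "mfa": req.mfa_verified or not p.requires_mfa,
    }
    return [name for name, ok in checks.items() if not ok]


def decide(req: Request, policies: list, grants: list) -> tuple:
    """Return (allowed, reason). Anything not explicitly permitted is denied."""
    # Assume breach: posture is re-checked on every request, however many times
    # the same user was admitted before.
    if not req.device_compliant:
        return False, "deny: device posture non-compliant"
    # Least privilege: standing group membership is not enough; an unexpired
    # JIT grant for this user and resource must exist.
    if not _has_active_grant(req, grants):
        return False, "deny: no active just-in-time grant"
    # Verify explicitly: the request must satisfy every field of some policy
    # written for this destination ("where").
    candidates = [p for p in policies if p.where == req.resource]
    if not candidates:
        return False, "deny: no policy for resource (default deny)"
    failures = {}
    for p in candidates:
        failed = _violations(req, p)
        if not failed:
            return True, f"allow: {p.name}"
        failures[p.name] = failed
    return False, "deny: " + "; ".join(f"{n} failed {','.join(f)}" for n, f in failures.items())


# Constructed sample data (hypothetical names and addresses).
POLICIES = [
    Policy(name="dba-prod-db", who=frozenset({"dba"}), what=frozenset({"psql"}),
           where="prod-db.internal", why=frozenset({"CHG-1001"}),
           how=frozenset({"postgres"}), when=(8, 18), from_nets=("10.20.0.0/16",)),
]
NOW = datetime(2024, 3, 4, 10, 30, tzinfo=timezone.utc)
GRANTS = [Grant("alice", "prod-db.internal", NOW + timedelta(hours=2))]


def sample_decisions() -> dict:
    """One compliant request and five variants that each violate a single control."""
    base = dict(user="alice", groups=frozenset({"dba"}), app="psql",
                resource="prod-db.internal", purpose="CHG-1001", protocol="postgres",
                src_ip="10.20.5.7", device_compliant=True, mfa_verified=True, at=NOW)
    return {
        "ok": decide(Request(**base), POLICIES, GRANTS),
        "off_hours": decide(Request(**{**base, "at": NOW.replace(hour=7)}), POLICIES, GRANTS),
        "wrong_net": decide(Request(**{**base, "src_ip": "203.0.113.9"}), POLICIES, GRANTS),
        "no_mfa": decide(Request(**{**base, "mfa_verified": False}), POLICIES, GRANTS),
        "bad_device": decide(Request(**{**base, "device_compliant": False}), POLICIES, GRANTS),
        "expired_grant": decide(Request(**{**base, "at": NOW + timedelta(hours=3)}), POLICIES, GRANTS),
    }


if __name__ == "__main__":
    for label, (allowed, reason) in sample_decisions().items():
        print(f"{label:14s} {'ALLOW' if allowed else 'DENY ':5s} {reason}")
```

The order of checks is deliberate: posture and the JIT grant are evaluated before any policy matching, so a compromised or stale session is refused without revealing which policy fields it would otherwise have satisfied, and the fall-through at the end is a denial, never an allow. In a real deployment the request attributes would come from the identity provider, the NAC or MDM agent and the network layer rather than being passed in by hand, and every decision, including the denial reason, would be logged for the monitoring described above.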
Key Security Technologies that Enable Zero Trust
- Next Generation Firewall (NGFW): Adds network protection beyond port and address filtering, including decryption and inspection of TLS traffic and application-aware rules, and can be used to enforce network segmentation.
- Network Access Control (NAC): Gives organizations the ability to enforce access control policies at the network access layer for employees and contractors connecting on-site.
- Zero Trust Network Access (ZTNA): Cloud services can give remote workers access to internal private apps without the complexities, bottlenecks, and risks of VPNs.
- Data Loss Prevention (DLP): Having a DLP solution in place allows you to control what data users are able to transfer out of the network.
- Machine Learning and Artificial Intelligence: These can power your analytics and monitoring tools, baselining normal behaviour so that anomalous access or traffic is flagged early, before it develops into a full incident.
Try Portnox CLEAR for Free Today
Gain access to all of Portnox CLEAR’s powerful NAC capabilities for 30 days!