The Zero Trust model (based on NIST 800-207) includes the following core principles:
· Continuous verification. Always verify access, all the time, for all resources.
· Limit the “blast radius.” Minimize impact if an external or insider breach occurs.
· Automate context collection and response. Incorporate behavioral data and get context from the entire IT stack (identity, endpoint, workload, etc.) for the most accurate
Continuous verification means there are no trusted zones, credentials, or devices at any time; hence the common expression “Never Trust, Always Verify.” Because verification must be applied continuously across such a broad set of assets, several key elements must be in place for it to work effectively:
· Risk-based conditional access. This ensures the workflow is only interrupted when risk levels change, allowing continual verification without sacrificing user experience.
· Rapid and scalable dynamic policy model deployment. Since workloads, data, and users move often, the policy must account not only for risk but also for compliance and IT requirements. Zero Trust does not relieve organizations of compliance and organization-specific requirements.
If a breach does occur, minimizing the impact of the breach is critical. Zero Trust limits the scope of credentials or access paths for an attacker, giving time for systems and people to respond and mitigate the attack.
Limiting the blast radius means:
· Using identity-based segmentation. Traditional network-based segmentation can be challenging to maintain operationally because workloads, users, data, and credentials change often.
· Least privilege principle. Whenever credentials are used, including for non-human accounts (such as service accounts), it is critical that these credentials are given access to the minimum capability required to perform the task. As tasks change, so should the scope. Many attacks leverage over-privileged service accounts, as they are typically not monitored and are often overly permissioned.
To make the most effective and accurate decisions, more data helps, so long as it can be processed and acted on in real time. NIST provides guidance on using information from the following sources:
· User credentials – human and non-human (service accounts, non-privileged accounts, privileged accounts – including SSO credentials)
· Workloads – including VMs, containers, and those in hybrid deployments
· Endpoint – any device being used to access data
· Network
· Data
· Other sources (typically via APIs):
o SIEM
o SSO
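As an added example (not from this page or from NIST 800-207), a minimal policy decision function in Python that ties the points above together: signals from the identity, endpoint and SIEM sources are collapsed into a risk level, the user is only interrupted with a step-up when that level changes between requests, and a per-identity scope enforces least privilege for both a human and a service account. The thresholds, identities and resource names are constructed assumptions.

```python
from dataclasses import dataclass

# Least-privilege scope per identity (constructed sample covering a human
# user and a non-human service account); anything not listed is denied.
SCOPE = {
    "alice": {"finance-db:read"},
    "svc-backup": {"object-store:read"},
}

@dataclass
class Context:
    """Signals collected for one request from the sources NIST lists."""
    user: str
    resource: str
    device_compliant: bool   # endpoint posture (e.g. reported by an MDM)
    mfa_age_minutes: int     # minutes since last strong auth, from the SSO/IdP
    siem_risk: int           # 0-100 score for this identity, from the SIEM

@dataclass
class Session:
    """Per-session state so we only interrupt when the risk level changes."""
    last_level: str = "low"

def risk_level(ctx: Context) -> str:
    """Collapse raw signals into low / medium / high (thresholds are assumptions)."""
    if not ctx.device_compliant or ctx.siem_risk >= 70:
        return "high"
    if ctx.siem_risk >= 40 or ctx.mfa_age_minutes > 60:
        return "medium"
    return "low"

def decide(session: Session, ctx: Context) -> str:
    """Decision for one request: 'allow', 'step_up' or 'deny'.
    Called on every request (continuous verification), not once per session."""
    if ctx.resource not in SCOPE.get(ctx.user, set()):
        return "deny"                     # least privilege: outside granted scope
    level = risk_level(ctx)
    changed = level != session.last_level
    session.last_level = level
    if level == "high":
        return "deny"
    if level == "medium" and changed:
        return "step_up"                  # interrupt only when the risk level changes
    return "allow"                        # after a completed step-up the IdP reports a fresh MFA age

if __name__ == "__main__":
    s = Session()
    print(decide(s, Context("alice", "finance-db:read", True, 5, 10)))   # allow
    print(decide(s, Context("alice", "finance-db:read", True, 90, 10)))  # step_up (stale MFA)
    print(decide(s, Context("alice", "hr-db:read", True, 5, 10)))        # deny (out of scope)
```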