Guides

Zero Trust Security

Zero Trust Security: 4 Principles and 5 Simple Implementation Steps

What is Zero Trust Security?

Zero trust is a security model that enforces strict verification for any user or device attempting to access a network and its assets. The purpose of zero trust security is to ensure the network remains protected from within. To achieve this, all entities are treated as suspicious, regardless of whether the user or device has been previously verified.

The zero trust security model was first introduced in 2010 by ​​Forrester analysts. At the time, IT security was implemented using the traditional castle-and-moat methodology, which assumes that everyone inside the network can be trusted. This model protected the network from external threats but completely trusted internal entities, exposing organizations to insider threats and compromised accounts.

During the past two decades, the IT landscape has changed dramatically—with today’s multi-cloud and hybrid-cloud environments, the IT landscape has become highly sophisticated. Networks are no longer restricted to a clear perimeter with clearly defined borders.

Today’s networks are distributed, complex, location-agnostic, and sometimes vendor-agnostic. On the one hand, these cloud environments help users access network assets from any device and any location. On the other hand, the network no longer has clear boundaries to defend and cyber criminals are taking advantage of this vulnerability, tricking users and systems into providing unauthorized access.

Zero trust security can help organizations protect their IT assets. By not granting implicit trust to anyone with access to the network, the organization can prevent insider threats of any kind—including malicious threats and careless or accidental damage—from risking the network and its assets.

There is no one zero trust technology. Rather, it is a concept that is implemented using a wide range of technologies in a flexible architecture, designed around an organization’s protected assets.

 

In this article:

 

What are the Core Principles of the Zero Trust Model?

 

1. Re-Examine Default Access Controls

A zero trust model assumes that threats exist inside as well as outside the network. This is why no one with access to the network should be trusted. Each request to access the network should be strictly authenticated, properly authorized, and also encrypted.

 

2. Use Multiple Protective Measures

Here are some preventative measures every zero trust model should employ:

  • Identity protection and device discovery – Can help keep track of which credentials exist on which devices, keep track of the network ecosystem, and establish a baseline of normal behavior. This information can help set up identity challenges and monitor for threats.
  • Multi-factor authentication (MFA) – Can help verify user identity by using more than one piece of evidence. This typically involves asking users to validate using security questions, logic-based exercises, or email or text confirmation. MFA can help ensure that a user with only one piece of obtained information cannot access the network.

The goal of implementing preventative security is to block breaches and minimize damage. In addition to the above techniques, organizations should also employ measures such as encryption, email security, and cloud access security brokers.

 

3. Use Real-Time Monitoring

In addition to implementing preventative measures, a zero trust model should also incorporate real-time monitoring capabilities, and react to threats discovered in real time. This technology can help organizations quickly detect, investigate, and remediate intrusions, ideally before intruders can move laterally across the network.

Instead of passively logging and passing events to a security information and event management (SIEM) solution, organizations should set up real-time identity challenges. Identifying suspicious authentication events in real time can help detect brute force attacks and credential spoofing, and block attacks in a timely manner.

Learn more about zero trust networks: Read our guide to microsegmentation

4. Align to Broader Security Strategies

A zero trust architecture does not replace other security measures. It provides certain aspects of security but does not cover all. This is why a zero trust model should be incorporated as part of a holistic security strategy, including a range of technologies like endpoint protection, detection and response, real-time monitoring, and more.

 

Read our O’Reilly eBook on Kubernetes Security and Observability: A Holistic Approach to Securing and Troubleshooting Cloud-Native Applications

 

Ideally, your security strategy should incorporate a wide range of models, chosen especially for the architecture of the network and the unique needs of the organization. All security tools and models should work together to ensure the network is secured. All employees, stakeholders, and third parties with access should be trained in proper security protocols.

 

Implementing Zero Trust: Five-Step Methodology

This five-step process is abbreviated from the zero trust methodology published by Palo Alto Networks.

 

1. Switch from Threat Surface to Protect Surface

The traditional concept of a threat surface is becoming less relevant in modern IT environments. Because environments are so dynamic and made up of many elements outside an organization’s control, it is impossible to address the complete threat surface. Instead, focus on the “protect surface”—the most critical assets your organization needs to defend:

  • Business-critical, private, or sensitive data
  • Mission-critical applications
  • Software services required for business operations
  • Other valuable assets

 

2. Map Transaction Flows

Identify how traffic flows within your network and other related networks. Define traffic flows that are required for business operations—these need to be protected, while other flows should be blocked or mitigated.

 

3. Architect a Zero Trust Network

There is no universal model for a zero trust network (ZTN). Your ZTN must be built around your protect surface and known transaction flows. Put a mechanism in place to enforce microsegmentation, and use microsegmentation to create a micro-perimeter around critical assets, enforce access control, and enable monitoring across all communication layers (from the network to the application layer).

 

4. Create a Zero Trust Policy

With a ZTN in place, define your zero trust policies. Use the 5 W’s method to ensure a policy answers all possible questions about network traffic—who is allowed to access resources, via what application, when they should be allowed to access it, where the location or address of the assets is, and why or for what purpose they need to access it and how (for example, which data or features they need to access).

 

5. Monitor and Maintain the Network

On an ongoing basis, review logs and identify anomalies in traffic, both at the network level (for example, traffic accessing a forbidden IP) and at the application level (for example, an application user trying to access a forbidden URL). This will give you important insights for evolving the network and its policies.

Carry out these five steps on your most critical assets first—then gradually extend to additional assets and networks to expand zero trust protection.

 

Best Practices for Zero Trust Security

The following best practices can help you implement zero trust security more effectively:

  • Verify devices – It is not enough to verify the identity of users. Verify that devices accessing your ZTN have basic security hygiene (for example, they apply security patches) and identify the device category (for example, BYOD vs. corporate device).
  • Use the Principle of Least Privilege (PLP) – Ensure that each individual or service role only has access to the minimal set of tasks and resources they need to do their job. PLP is not static—it must be adjusted dynamically, for example by giving individuals “just in time” access for specific tasks through one-time credentials. These measures can help limit damage in case of account compromise.
  • Monitor and audit – All traffic on a zero trust network must be carefully monitored and subject to regular audits. Pay more attention to privileged roles and access to critical or sensitive assets. Aim to catch suspicious activity immediately when it happens, and if you don’t, you should identify it on the next audit review.
  • Use attribute-based controls – Ensure controls are as granular as possible, taking into consideration attributes of the user, the device, the target application, and the task at hand. This will ensure policies can effectively limit access and block malicious activity.
  • Consider end users – Zero trust strategies can become the enemy of users, blocking access to systems and files they need for their day-to-day job. Work together with users to ensure you do not hurt productivity, while preventing traffic flows that are of real concern.

 

Zero Trust Security with Calico

Calico Enterprise and Calico Cloud enable a zero trust environment built on three core capabilities: encryption, least privilege access controls, and defense-in-depth.

  • Encryption – Calico utilizes WireGuard to implement data-in-transit encryption. WireGuard runs as a module inside the Linux kernel and provides better performance and lower CPU utilization than IPsec and OpenVPN tunneling protocols. Calico supports WireGuard for self-managed environments such as AWS, Azure, and Openshift, and managed services such as EKS and AKS.
  • Least privilege access controls – Calico implements least privilege access controls by denying all network traffic by default and only allowing connections that have been authorized. This applies to traffic between microservices as well as ingress and egress outside the cluster.
  • Defense-in-depth – Calico monitors and logs all changes to policies, including the version history. When a policy that implements your security controls changes, Calico alerts you to the change and shows exactly what changed and how.

 

Next steps:

Join our mailing list​

Get updates on blog posts, workshops, certification programs, new releases, and more!