Zero trust architecture: a crash course
As any security architect or IT manager knows, IT infrastructure is growing in complexity. It can be particularly complex for enterprises with cloud services, multiple networks, and remote workers and offices. These organizations use many applications and services that create an abundance of access requests and secrets (such as passwords or keys) that must be managed effectively to remain secure.
The National Institute of Standards and Technology (NIST) developed a security framework called zero trust architecture (ZTA) to reduce the attack surface formed by these conditions. In this post, we’ll explore the concept of ZTA and how it can help organizations improve their security posture.
Zero trust architecture defined
Zero trust is an architectural model based on the assumption that trust is never permanent but must be continually evaluated. In practice, the model tightly controls access to resources and grants only the minimum privileges necessary to those with access. Zero trust architecture (ZTA) differs from traditional security models, which grant a user access to many resources after a single authentication. Instead, each access request is authenticated and authorized on its own.
ZTA limits attacker movement
The goal of the zero trust model is to limit internal movement by attackers during a breach. For example, should a cybercriminal gain access to an organization’s network, they will find their ability to move laterally through the system limited by the security controls established by ZTA.
To be clear, ZTA does not entail overhauling existing security infrastructure; instead, it works with cybersecurity measures already in place. ZTA is not a rigid architecture but a set of guiding principles that shape systems and workflows to make them more secure.
Zero trust principles
Zero trust architecture (ZTA) relies on a few core principles, the first being that trust is not implicit but must be continually verified. ZTA assumes an attacker is already present within an organization’s IT environment, waiting for their chance. As such, a security architect taking ZTA into account will minimize each employee’s access to resources, giving everyone enough permissions to accomplish necessary tasks, but no more.
Another fundamental tenet of ZTA is that access requests must be authenticated. An organization wishing to implement ZTA must first implement an authentication system—including credentials and secrets management or digital signing through a certificate authority.
ZTA shifts the focus of security architecture away from the organization’s network and onto its users, accounts, assets, services, and resources. After all, ZTA was developed in response to the growth of remote users, BYOD programs, and cloud assets located outside the organization’s network boundary.
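As an added example, not part of the original post or any Futurex product, the following Python sketch shows a per-request policy decision in the spirit of the principles above: a short-lived signed token is re-verified on every request, device posture is checked, and a least-privilege policy table grants only the actions it lists. The signing key, principal names, resources and policy entries are constructed for the example.

```python
import base64, hashlib, hmac, json, time

# Constructed signing key for the example; a real deployment would keep
# this key in an HSM or key management service, never in source.
SIGNING_KEY = b"example-signing-key"

# Least-privilege policy: each principal holds only the actions it needs
# on each resource. Anything not listed is denied by default.
POLICY = {
    "alice": {"payroll-db": {"read"}},
    "backup-svc": {"payroll-db": {"read"}, "object-store": {"write"}},
}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()

def issue_token(subject: str, ttl: int = 300, now=None) -> str:
    """Short-lived HMAC-signed token; the expiry forces re-verification."""
    now = time.time() if now is None else now
    body = json.dumps({"sub": subject, "exp": now + ttl}, sort_keys=True).encode()
    sig = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(sig)

def verify_token(token: str, now=None):
    """Return the subject if signature and expiry check out, else None."""
    now = time.time() if now is None else now
    try:
        body_b64, sig_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(body)
    return claims["sub"] if claims["exp"] > now else None

def authorize(token: str, resource: str, action: str, device_compliant: bool, now=None):
    """One request, one decision; network location is deliberately not an input."""
    subject = verify_token(token, now)
    if subject is None:
        return False, "authentication failed or token expired"
    if not device_compliant:
        return False, "device posture check failed"
    if action not in POLICY.get(subject, {}).get(resource, set()):
        return False, "least privilege: action not granted"
    return True, subject + " may " + action + " " + resource
```

Every call to authorize() repeats the full check, so a token that was valid a moment ago grants nothing once it expires or the device falls out of compliance.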
Implementing zero trust architecture
As mentioned, zero trust architecture is less of a concrete solution and more of a set of best practices. The best way to implement it is to plan infrastructure and workflow gradually according to the principles laid out above. However, this does not suggest that organizations cannot acquire comprehensive ZTA solutions through trusted vendors like Futurex.
ZTA through Futurex
As an industry-leading supplier of hardware security modules (HSMs), key management solutions, and cloud services, Futurex offers several key technologies to help organizations implement ZTA. Futurex’s key management solutions provide the public key cryptography and protect the private keys that form the basis for a certificate authority (CA) and public key infrastructure (PKI). Organizations often use PKI and CA solutions to validate the identity of digital objects and network users, allowing only authenticated users to access resources.
Another key technology involved in ZTA is application encryption, particularly encrypting cloud applications at their access points to prevent unauthorized use. General-purpose encryption solutions like Futurex HSMs easily implement application encryption.
Any organization wishing to improve its security posture should consider designing and managing its workflows and IT systems according to zero trust architecture. That way, should a data breach or cyberattack occur, an authentication system will mitigate the attacker’s lateral movement within an organization’s network at every step for every resource.
You can implement ZTA gradually, starting with simple changes to an organization’s security policies and ending with a strong cryptographic solution such as PKI or application encryption.
Contact our subject matter experts to learn how Futurex can help your organization craft a robust zero trust solution.