Over the last several years, zero trust security has become a popular phrase. Countless organizations have embraced the concept, but many others still remain in the dark about what exactly it means. 
 
The idea of a zero trust framework arose in 2010 (with Forrester leading the charge) as a response to prior, inadequate approaches to security. Specifically, companies have historically granted excessive permissions and trust to their employees, enabling breaches and data leakage. This was because they treated the enterprise network as a castle that had to be defended from external threats through legacy tools (moats) like firewalls, while giving little consideration to security within the castle. In other words, this traditional approach to security lacked granularity and was overly focused on securing access to the network; once a user made it into the network, there was little in terms of protection. This meant that insider threats as well as external threats that gained access to the network could easily move laterally across internal resources and expand the damage done by their nefarious schemes. 

 

Zero Trust Security 

While the castle-and-moat style of security was inadequate even in the on-premises-only days, its shortcomings are more apparent now than ever before. With the rise of cloud, BYOD, and remote work, things have evolved far past the point where focusing on network access alone is sufficient for security. Data is now stored, accessed, and shared in more devices, apps, web destinations, and geographical locations than ever before. Organizations are still focused on their moats, but their castles have moved entirely. Consequently, zero trust is more important now than ever.

As the name implies, zero trust is a system in which users are, by default, given zero trust. Excessive permissions are avoided and access to corporate resources (whether those are files, data patterns, cloud apps, on-premises tools, or something else) is limited to an as-needed basis for only the properly authorized users (this is also known as least-privilege). Rather than relying entirely on a simplistic moat that cannot provide the needed protections, organizations leveraging zero trust frameworks deploy modern, intelligent security measures so they can granularly secure any and all corporate resources--wherever they reside and wherever they are accessed.

Identity and Access Management

Identity and access management (IAM) is a category of security tools and capabilities that allow organizations to ensure that their users are properly authenticated and that only authorized, secure access to corporate resources is granted. When it comes to zero trust, IAM capabilities are obviously key for ensuring that the principle of least-privilege is addressed. In other words, IAM is necessary for verifying that only the correct people have access to sensitive data or systems at the times they need it.

Single sign-on (SSO) is a table-stakes IAM tool that serves as a single point of user authentication for all of an organization's managed resources--from on-premises tools to cloud apps and beyond. This enables consistent identity verification and, consequently, intelligent security. For true zero trust, SSO ought to be bolstered with multi-factor authentication (MFA), whereby users are prompted for an additional method of identity verification after providing credentials; for example, through an SMS code that is sent via text or email, or a unique hardware token that is physically carried by each user. Additionally, MFA should be deployed in a step-up, real-time fashion when a user exhibits suspicious activity. This lessens the likelihood of compromised credentials leading to a breach. As a final illustration of an IAM capability, contextual access control governs access to specific resources like SaaS apps or IaaS platforms based on a user's context. For example, access can be controlled by user device type, job function, geographical location, or custom factors.

Data Loss Prevention

Data loss prevention (or data leakage prevention) describes a number of capabilities which provide varied levels of access to data in order to prevent unauthorized access and illegitimate usage. Consequently, DLP is immensely helpful for achieving zero trust security, and ought to be enforced for sensitive information in transit and at rest.

There are multiple ways DLP solutions can identify data patterns that ought to be protected. Simpler tools scan for keywords like "confidential" or "sensitive" within documents, and use basic regex to identify instances of patterns like Social Security numbers (XXX-XX-XXXX). More developed solutions provide advanced regex to scan for multiple data patterns while using logical operators (and, or, not) and mathematical operators (count). Additionally, advanced solutions can scan for file formats, fingerprints (templates), and exact data matches.

Through the above mechanisms, DLP solutions can identify sensitive or regulated files, fields, and data that need to be protected. From there, they can take a variety of actions; for example, redacting sensitive text in emails, encrypting sensitive files on download, or quarantining key documents to admin-only folders. There are also capabilities like digital rights management (DRM) which require additional authentication and provide read-only access to files via the web browser.

Secure Access Service Edge

Questions abound about the relationship between zero trust security and SASE (secure access service edge) and whether they are mutually exclusive or compatible. Fortunately, the two are highly complementary. While zero trust is a philosophy about ensuring proper authentication and as-needed access to data and systems, SASE refers to cloud-delivered platforms deployed at the edge which provide consistent and comprehensive protections wherever data goes. As integrated platforms that comprise a variety of complementary security technologies (including those mentioned above), SASE offerings are indispensable when pursuing a zero trust framework.

Through cloud access security broker (CASB) functionality, SASE platforms deliver end-to-end protection for data in sanctioned cloud resources, including IaaS platforms like AWS and Azure as well as managed SaaS like Office 365 and Salesforce. Reverse proxies provide agentless deployment modes that can safeguard access from any device, including personal and remote endpoints, which are becoming increasingly common in modern work environments.

Secure web gateway (SWG) technology is another core component of SASE offerings. SWGs offer web security in the form of URL filtering as well as real-time DLP and ATP policies which block leakage and threats like malware. They also secure shadow IT (unmanaged apps) by blocking them, rendering them read only, and coaching users to sanctioned alternatives. Where SWGs are deployed locally on users' endpoints, scalability and performance are enhanced.

Zero trust network access (ZTNA) is yet another key capability within these platforms. Unlike VPN (which sticks to the castle-and-moat style of security described above), ZTNA provides secure access to specific on-premises resources rather than everything on the network. Additionally, they can enforce granular, real-time data and threat protection policies. Where agentless deployment options are available, they can even extend secure access to personal endpoints without the need for software installations.

bottom-cta-image

Bitglass SASE

Want to see Bitglass solutions in action?

Request a FREE trial below.