What Is Zero Trust? Zero Trust Security Model Explained
Implementing a zero trust architecture depends on many variables, starting with your current network setup. A comprehensive guide to getting started is beyond the scope of this document, but here are some key steps you can take to prepare.
Stage 1: Collect Relevant Data: First, identify your organization’s most critical assets: what you need to protect and monitor, in order of priority. Once you’ve triaged your assets, you’ll have a much better idea of where to allocate resources and where to start ingesting data from. Because zero trust consists of many different types of technologies, there’s a good chance your organization already runs some of these systems. The logs and telemetry they already produce are an important source of data for IT and security monitoring, and the foundation of a comprehensive end-to-end zero trust program.
Stage 2: Understand and Contextualize Your Data: Contextualizing your data is key to any zero trust strategy. To understand your data, you have to implement a standard taxonomy across all data sources — otherwise you’re left with a whole lot of noise. Creating a taxonomy for your data will eliminate a lot of confusion, especially as you continue to level up on your security journey.
One example is how firewall vendors use different log formats and data structures across systems. In order to support centralized monitoring, firewall log data needs to be structured in a way that normalizes field names and values, putting them into a consistent format.
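The normalization step described above, as an added example that is not part of the original article: three constructed, hypothetical "vendor" layouts (key=value, positional CSV and JSON lines) for the same kind of firewall event are mapped onto one schema with a shared action vocabulary, so that a single query (here, blocked connections per destination) works across all of them. The sample lines and field names are invented for this example and do not reproduce any real vendor's format.

```python
"""Normalise firewall events from three constructed vendor log formats into one schema.

The sample lines and the three 'vendor' layouts below are constructed for this
example; they do not reproduce any real vendor's format.
"""
import json
import re
from collections import Counter
from datetime import datetime, timezone

# Common vocabulary for the verdict field: every vendor spelling maps to one value.
ACTION_MAP = {
    "allow": "allowed", "allowed": "allowed", "accept": "allowed", "accepted": "allowed",
    "permit": "allowed", "permitted": "allowed", "pass": "allowed",
    "deny": "blocked", "denied": "blocked", "drop": "blocked", "dropped": "blocked",
    "block": "blocked", "blocked": "blocked", "reject": "blocked", "rejected": "blocked",
}

SAMPLE_LINES = [  # constructed sample input, one event per line plus one line of noise
    "date=2024-03-01 time=12:00:01 srcip=10.0.0.5 dstip=203.0.113.10 dstport=443 proto=tcp action=deny",
    "2024-03-01T12:00:02Z,DROP,TCP,10.0.0.6,203.0.113.10,443",
    '{"ts": "2024-03-01T12:00:03Z", "src": "10.0.0.7", "dst": "203.0.113.10", "dport": "443", "disposition": "blocked"}',
    "date=2024-03-01 time=12:00:04 srcip=10.0.0.5 dstip=198.51.100.7 dstport=80 proto=tcp action=allow",
    "this line is not a firewall event",
]


def _utc(ts: datetime) -> str:
    """Render a timestamp as ISO 8601 in UTC; naive input is assumed to be UTC."""
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=timezone.utc)
    return ts.astimezone(timezone.utc).isoformat()


def _event(vendor, ts, src, dst, dport, action):
    """Build one record in the common schema; raises KeyError on an unknown verdict."""
    return {
        "vendor": vendor,
        "timestamp": _utc(ts),
        "src_ip": src,
        "dest_ip": dst,
        "dest_port": int(dport),
        "action": ACTION_MAP[action.strip().lower()],
    }


def parse_kv(line):
    """Hypothetical vendor A: space-separated key=value pairs with a split date/time."""
    f = dict(re.findall(r"(\w+)=(\S+)", line))
    ts = datetime.fromisoformat(f["date"] + "T" + f["time"])
    return _event("vendor_a", ts, f["srcip"], f["dstip"], f["dstport"], f["action"])


def parse_csv(line):
    """Hypothetical vendor B: positional CSV of timestamp,verdict,proto,src,dst,dport."""
    ts, action, _proto, src, dst, dport = line.split(",")
    return _event("vendor_b", datetime.fromisoformat(ts.replace("Z", "+00:00")), src, dst, dport, action)


def parse_json(line):
    """Hypothetical vendor C: one JSON object per line."""
    o = json.loads(line)
    ts = datetime.fromisoformat(o["ts"].replace("Z", "+00:00"))
    return _event("vendor_c", ts, o["src"], o["dst"], o["dport"], o["disposition"])


def normalise(line):
    """Detect the layout and return a common-schema record, or None for noise."""
    line = line.strip()
    parser = parse_json if line.startswith("{") else parse_kv if "=" in line else parse_csv
    try:
        return parser(line)
    except (KeyError, ValueError):  # json.JSONDecodeError is a ValueError
        return None  # unparseable line or unknown verdict: dropped as noise


def normalise_all(lines):
    """Normalise a batch, silently skipping lines that do not fit any known layout."""
    return [e for e in map(normalise, lines) if e is not None]


def blocked_per_destination(events):
    """One query over the common schema answers a question each vendor phrases differently."""
    return Counter(e["dest_ip"] for e in events if e["action"] == "blocked")


if __name__ == "__main__":
    evs = normalise_all(SAMPLE_LINES)
    print(f"{len(evs)} of {len(SAMPLE_LINES)} lines normalised")
    print(blocked_per_destination(evs))
```

In practice the number of lines that fall through to `None` should itself be monitored: a sudden rise usually means a vendor changed its format and the taxonomy is silently losing data.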
Stage 3: Expand On Your Data: Monitoring only the security controls themselves will often fail to detect advanced threats. Security monitoring should therefore also look at how the protected systems function and at what authorized use looks like. That requires a holistic view of systems, data and users, including behavioral and infrastructure monitoring. Why? Because zero trust controls can’t always stop fraud, insider threats or advanced attacks that occur via authorized means (e.g., a compromised user account that passes every policy check).
But a zero trust strategy can contain an incident, and restrict the scope of any potential damage. If we’re looking in the wrong place, however, there’s a good chance this type of threat won’t be detected in time. By considering zero trust policies and how an authorized user should behave, we can gain insight into anomalies we should be monitoring, so we can better detect malicious access.
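The behavioral monitoring described in Stage 3, as an added example that is not part of the original article: a per-user baseline (working hours, source subnets, resources touched) is learned from a constructed window of known-good activity, and new access events that every policy check would accept are scored by how far they depart from it. The history, the events, the /24 grouping and the two-deviation threshold are all assumptions made for this example.

```python
"""Score access events against per-user baselines learned from known-good history.

HISTORY and NEW_EVENTS are constructed for this example; the thresholds are
illustrative and would be tuned to real data.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

HISTORY = [  # constructed: authorised activity observed during a learning window
    {"user": "alice", "ts": "2024-02-05T09:12:00", "src": "10.20.0.14", "resource": "payroll-db"},
    {"user": "alice", "ts": "2024-02-05T13:40:00", "src": "10.20.0.14", "resource": "wiki"},
    {"user": "alice", "ts": "2024-02-06T17:05:00", "src": "10.20.0.31", "resource": "payroll-db"},
    {"user": "bob",   "ts": "2024-02-05T08:30:00", "src": "10.30.1.7",  "resource": "build-server"},
]

NEW_EVENTS = [  # constructed: events that passed authentication and policy
    {"user": "alice",   "ts": "2024-03-04T10:15:00", "src": "10.20.0.40",   "resource": "wiki"},
    {"user": "alice",   "ts": "2024-03-04T03:02:00", "src": "198.51.100.9", "resource": "hr-files"},
    {"user": "bob",     "ts": "2024-03-04T08:45:00", "src": "10.30.1.7",    "resource": "payroll-db"},
    {"user": "mallory", "ts": "2024-03-04T11:00:00", "src": "10.20.0.40",   "resource": "wiki"},
]


class UserBaseline:
    """What 'normal' looks like for one identity: hours, source subnets, resources."""

    def __init__(self):
        self.hours = set()
        self.subnets = set()
        self.resources = set()

    def learn(self, ev):
        self.hours.add(datetime.fromisoformat(ev["ts"]).hour)
        # Group sources by /24 so a new desk on the same office network is not an anomaly.
        self.subnets.add(ip_network(f"{ev['src']}/24", strict=False))
        self.resources.add(ev["resource"])

    def deviations(self, ev):
        """Return the ways this event departs from the learned baseline."""
        out = []
        hour = datetime.fromisoformat(ev["ts"]).hour
        if not (min(self.hours) <= hour <= max(self.hours)):
            out.append("off-hours")
        if not any(ip_address(ev["src"]) in net for net in self.subnets):
            out.append("new-source-subnet")
        if ev["resource"] not in self.resources:
            out.append("new-resource")
        return out


def build_baselines(history):
    """One baseline per user, learned from the known-good window."""
    baselines = defaultdict(UserBaseline)
    for ev in history:
        baselines[ev["user"]].learn(ev)
    return dict(baselines)


def score_event(baselines, ev):
    """Return (deviations, verdict). A valid credential with no baseline is itself a deviation."""
    base = baselines.get(ev["user"])
    if base is None:
        return ["no-baseline"], "investigate"
    devs = base.deviations(ev)
    verdict = "investigate" if len(devs) >= 2 else "review" if devs else "normal"
    return devs, verdict


if __name__ == "__main__":
    baselines = build_baselines(HISTORY)
    for ev in NEW_EVENTS:
        print(ev["user"], ev["ts"], score_event(baselines, ev))
```

The point of the example is the second event: the login succeeded and the policy allowed the request, so a control-centric view records nothing. Only the comparison with how alice normally behaves (hours, network, resources) turns it into something worth containing.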
Stage 4: Enrich and Augment Your Data: Threat intelligence (TI) helps us identify indicators of compromise (IoCs) in the data from zero trust controls and protected systems. This tells us how the threat landscape relates to the systems and users we’re protecting, and surfaces known IoCs that the zero trust controls themselves would not flag. Examples include IP addresses, URLs or file hashes associated with phishing activity, or identifying information (such as the fingerprint, serial number or issuer) of an SSL/TLS certificate known to be used for malicious purposes.
Second, knowing the posture of protected assets, and of the systems used to access them, helps with risk scoring, security incident prioritization and access authorization. For example, user systems with missing or insufficient patches can have their access to critical systems limited, and security incidents involving known vulnerabilities can be prioritized.
On top of all this, attack surface management solutions can help with overall security posture — specifically focusing efforts on optimizing security controls and ensuring end-to-end visibility. If we know we have gaps in our controls, we can look to mitigate or implement enhanced monitoring.
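The enrichment and posture steps of Stage 4, as an added example that is not part of the original article: events are matched against a constructed indicator set (IPs, a URL, a file hash, a certificate fingerprint), joined with a constructed device-posture inventory, and the result drives both the access decision (a critical resource requires a known, patched device and no IoC hit) and the incident priority. The indicator values, device names, patch identifiers, resource tiers and scoring weights are all invented for this example.

```python
"""Enrich access events with threat-intelligence matches and device posture, then
derive an access decision and an incident priority.

IOC_DB, DEVICES, RESOURCE_TIER and EVENTS are constructed for this example; the
indicator values are placeholders, not real intelligence.
"""

IOC_DB = {  # constructed indicators, keyed by type; the tag says why each is known-bad
    "ip": {"203.0.113.10": "phishing-c2"},
    "url": {"http://203.0.113.10/login.php": "credential-harvest"},
    "sha256": {"deadbeef" * 8: "dropper"},
    "cert_sha1": {"01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:ef:01:23:45:67": "malicious-tls-cert"},
}

# Which event fields are compared against which indicator type.
MATCH_FIELDS = {"src_ip": "ip", "dest_ip": "ip", "url": "url",
                "file_sha256": "sha256", "tls_cert_sha1": "cert_sha1"}

DEVICES = {  # constructed posture data, as an endpoint-management feed might provide it
    "wks-0142": {"missing_patches": ["PATCH-2024-03-A"], "edr_healthy": True},
    "wks-0199": {"missing_patches": [], "edr_healthy": True},
}

RESOURCE_TIER = {"payroll-db": "critical", "wiki": "standard"}  # constructed

EVENTS = [  # constructed access events, already normalised
    {"user": "alice", "device": "wks-0199", "src_ip": "10.20.0.14", "dest_ip": "10.50.0.5", "resource": "payroll-db"},
    {"user": "alice", "device": "wks-0142", "src_ip": "10.20.0.14", "dest_ip": "10.50.0.5", "resource": "payroll-db"},
    {"user": "bob", "device": "wks-0142", "src_ip": "10.30.1.7", "dest_ip": "203.0.113.10",
     "url": "http://203.0.113.10/login.php", "resource": "wiki"},
    {"user": "carol", "device": "byod-unknown", "src_ip": "198.51.100.9", "resource": "wiki"},
]


def enrich(event, ioc_db=IOC_DB):
    """Attach every known-bad indicator present in the event under 'threat'."""
    hits = []
    for field, kind in MATCH_FIELDS.items():
        value = event.get(field)
        if value is not None and value.lower() in ioc_db.get(kind, {}):
            hits.append({"field": field, "value": value, "tag": ioc_db[kind][value.lower()]})
    return {**event, "threat": hits}


def posture(event, devices=DEVICES):
    """Look up the accessing device; an unknown device gets the weakest posture."""
    dev = devices.get(event.get("device"))
    if dev is None:
        return {"known": False, "missing_patches": [], "edr_healthy": False}
    return {"known": True, **dev}


def decide_access(event):
    """Policy: critical resources need a known, patched, EDR-healthy device and no IoC hit."""
    ev = enrich(event)
    p = posture(ev)
    tier = RESOURCE_TIER.get(ev["resource"], "standard")
    if ev["threat"]:
        decision = "deny"
    elif tier == "critical" and (not p["known"] or p["missing_patches"] or not p["edr_healthy"]):
        decision = "limited"  # e.g. read-only or step-up authentication; the exact form is policy
    else:
        decision = "allow"
    return decision, ev["threat"], p


def incident_priority(event):
    """1 (highest) to 4: IoC hits and weak device posture push an incident up the queue."""
    _, threat, p = decide_access(event)
    score = 3 * len(threat) + (2 if p["missing_patches"] else 0) + (1 if not p["known"] else 0)
    return 1 if score >= 4 else 2 if score >= 2 else 3 if score >= 1 else 4


if __name__ == "__main__":
    for ev in EVENTS:
        decision, threat, _ = decide_access(ev)
        print(ev["user"], ev["resource"], decision, [h["tag"] for h in threat], "P", incident_priority(ev))
```

The second event is the case the text describes: the user is legitimate and the request passes authentication, but the unpatched workstation gets limited access to the critical resource rather than a full grant. The third event shows enrichment surfacing two indicators (the destination IP and the URL) that no access-control rule would have looked for.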