The invention of the term "zero trust" is generally credited to former Forrester analyst John Kindervag more than a decade ago. Although it's not new, the concept has received renewed interest and market traction amid 2020's widespread shift to remote work and the evolution of the cloud. As a concept, zero trust doesn't refer to a specific piece of technology; instead, it relates to the idea that users should have only the bare minimum access they need to perform their job.
Within zero-trust architecture (ZTA), users can't access areas of the network, data, and applications to which they do not specifically require access. In a way, this means that zero-trust implementation is a journey rather than a destination. A "perfect" zero-trust environment isn't something that one can quickly achieve. More realistically, organizations should strive for a lean least-privilege structure of trust. Recently, organizations, including MITRE and the National Institute of Standards and Technology (NIST), have released frameworks highlighting how technologies like deception and concealment can contribute to zero-trust implementation.
Understanding and Reframing Zero Trust
The fundamental ethos of zero trust sounds like something out of a spy movie: trust no one. In practical terms, this means that an organization should trust no entity accessing a network. Instead, the entity must continually prove that it has the necessary rights and permissions to access a given area or asset. For example, even if a user validated an account via username and password, the system doesn't automatically assume that person to be "trusted." With an effective ZTA, the network will continue to provide access only to areas for which that user has specific permissions. The right security tools can flag the user's behavior as suspicious and raise an alert if they attempt to access something outside their usual purview.
With this in mind, there are five elements to practical zero trust: device trust, user trust, transport/session trust, application trust, and data trust. Today, most zero-trust technology focuses on the user and device trust areas, which is understandable because securing individual user accounts and devices factors heavily into how most organizations think about cybersecurity. But other areas, such as application trust and data trust, are becoming increasingly important in today's world. Rather than addressing zero trust from only an identity standpoint, which most companies are actively building into their programs, security teams should add breadth to their programs by also addressing it from a controlled access standpoint.
Making Zero Trust Work
Earlier this year, NIST released a special publication on ZTA. Like the recent MITRE Shield framework, the document highlighted several areas where technology such as deception and concealment can make a significant difference for defenders. The areas of data trust and application trust stand out as particularly important to consider when expanding an organization's zero-trust programs.
First, it's helpful to consider zero trust in terms of the need for controlled access management that does not negatively affect the business. Specifically, organizations must establish a zero-trust environment that limits access to individuals with the proper authority but doesn't interfere with daily operations. One way to accomplish this is through a data-trust lens. Rather than granting blanket access to validated users, organizations should hide specific files and data from those who don't have the authorization to access them, strengthening data protection beyond user-level permissions without impacting authorized users. When objects like files, folders, or mapped network and cloud shares are hidden, attackers cannot find or access the data they seek. This function can serve as a powerful defense against data theft and ransomware attacks.
Application trust likewise takes security beyond user privileges. Merely focusing on whether a query is authorized isn't enough — it's also vital to consider the application invoking that query. Doing so can prevent unauthorized access from applications such as the Windows command line or PowerShell, which regular users wouldn't typically use to access data. Application trust can also help identify and deflect attackers attempting to probe for open ports and services to compromise. Identifying this type of unauthorized activity allows defenders to take prompt action, either expelling the attacker from the network or misdirecting them to a decoy environment in the interest of gathering adversary intelligence.
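To make the combined checks concrete, here is an added Python example (not code from the article or from any product it mentions) of a deny-by-default decision that evaluates device, user, data and application trust for a single request and flags the two situations the text describes as suspicious: a user reaching for data outside their purview, and an administrative tool such as PowerShell invoking the access. All user, device, share and process names are constructed.

```python
"""Deny-by-default access decision combining several zero-trust elements.

Hypothetical policy tables and names; constructed for illustration only.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRequest:
    user: str
    device: str
    app: str        # process invoking the request (application trust)
    resource: str   # share or folder being requested (data trust)


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str
    alert: bool = False   # True when the request should be raised for review


# Device trust: only enrolled, healthy devices (constructed identifiers).
TRUSTED_DEVICES = {"laptop-042", "laptop-117"}
# Data trust: which shares each user is allowed to see; anything else is hidden.
USER_RESOURCES = {"alice": {r"\\fs01\finance"}, "bob": {r"\\fs01\eng"}}
# Application trust: which processes may reach each share.
RESOURCE_APPS = {r"\\fs01\finance": {"excel.exe", "explorer.exe"},
                 r"\\fs01\eng": {"code.exe", "explorer.exe"}}
# Tools regular users would not normally use to access data (the article's examples).
ADMIN_TOOLS = {"powershell.exe", "cmd.exe"}


def evaluate(req: AccessRequest) -> Decision:
    """Every check must pass; the first failing check decides and may alert."""
    if req.device not in TRUSTED_DEVICES:
        return Decision(False, "device not trusted")
    if req.resource not in USER_RESOURCES.get(req.user, set()):
        # Out-of-purview request: the resource is concealed and the attempt is flagged.
        return Decision(False, "resource not visible to user", alert=True)
    if req.app not in RESOURCE_APPS.get(req.resource, set()):
        # Authorized user, wrong application; alert only for known admin tooling.
        return Decision(False, f"{req.app} not allowed for resource",
                        alert=req.app in ADMIN_TOOLS)
    return Decision(True, "all trust checks passed")


def visible_resources(user: str, device: str, app: str) -> list[str]:
    """Concealment view: list only the shares this user/device/app combination may reach."""
    return [r for r in sorted(RESOURCE_APPS)
            if evaluate(AccessRequest(user, device, app, r)).allow]
```

Because hidden shares are simply absent from `visible_resources`, an attacker running as a compromised user from PowerShell neither sees the finance share nor reaches it, and the attempt surfaces as an alert.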
An Expanded Understanding of Zero Trust Is Essential
User and device trust are critical for ensuring that authorized users have secure access to conduct their business. They are, however, not enough to prevent attackers who impersonate a real user from gaining access. Adding conditional trust for applications and data is an essential element of a comprehensive zero-trust architecture. Hiding sensitive or critical assets, such as data, credentials, and Active Directory objects necessary for privilege escalation, can efficiently prevent access by attackers using unauthorized tools or resources. And because an organization can tailor these solutions to avoid interfering with daily operations, they make a valuable and frictionless addition to any zero-trust architecture.
Although zero trust isn't a new concept, our understanding of it and how we can apply it continues to evolve. Applying zero trust or, more likely, lean trust and "just enough access" principles to users and devices is a good start, but today's changing threat landscape requires expanding zero trust to more elements. Areas such as data, application, and session trust are taking on increased importance, and organizations hoping to stay one step ahead of modern cybercriminals will find that going deeper into the trust stack is critical for outwitting their adversaries.