The Zero Trust model, or Zero Trust architecture, is a cybersecurity concept that no longer assumes that actors, systems, or services inside the network perimeter should be automatically trusted. By default, no one is trusted: even users already operating inside the network need to be verified.
The phenomenon of remote working has shifted enterprise security boundaries to such an extent that securing office networks is no longer enough. Now security teams need to focus on employees’ workstations at home, in coffee shops, or in any other place from which employees work. Organizations need an up-to-date security model to manage the complexity of the work-from-anywhere reality. That is why more and more companies are going for the Zero Trust model. By now, everyone knows that corporate firewalls do not guarantee safety.
Organizations that use the Zero Trust model simply assume a breach will take place and, therefore, they verify every single request. They no longer distinguish between trusted and untrusted networks. With Zero Trust, everyone is a suspect and needs to be verified.
The Zero Trust approach is based on three basic principles:
In the Zero Trust model, every access request needs to be authenticated, authorized, and encrypted before it can be granted. Authentication and authorization are based on all available data points, which include user identity, data classification, location, and the health of the device and application. No matter if the user connects from the office space, home office, or a coffee shop – the approach remains the same: always verify, grant least-privilege access, and assume that a breach can happen at any time. Strong security policies are at the core of Zero Trust. They enable security teams to secure the workforce (no matter where the employees connect from) while maintaining productivity.
The Zero Trust model was created in 2010 by John Kindervag, at the time a principal analyst at Forrester Research Inc, but the idea was being discussed even before that. In 2003, the issue came up that cybersecurity teams were not really validating what they should be validating, and users within the company network were being given special, undue privileges. The three fundamental pillars of verifying devices and user identity were then established. As a result, applications replaced networks in the center of cybersecurity.
Traditionally, cybersecurity was based on tools such as a VPN. Whenever someone wanted to connect to a virtual private network, they had to sign in. Most companies still use VPNs as a standard, some adding an extra security layer by validating the device used to connect.
However, once the user has signed in, there is no further verification and, therefore, no more layers of control. So, if a criminal manages to infiltrate the VPN, they can compromise company data.
Apart from securing network perimeters and validating devices used to log in, cybersecurity must consider and address many other aspects of online user activity. For example, should employees only be able to view CRM records, or should they be able to edit them as well? Should the latter only be possible with a company device? Any action can and should be permitted only when certain criteria are recognized as fulfilled. That is the basis of Zero Trust.
Zero Trust implementation takes a number of steps, but the first and most important thing to do is to validate the users. Security teams need to be sure that the people behind the screen who try to open company applications are actually who they say they are. Always double-check before granting them access. The most common form of this double verification is multi-factor authentication (MFA) or its special form, two-factor authentication (2FA).
2FA is the first step to Zero Trust. The next step is to learn about the device that the user is connecting with. Is this device personal? Is it corporate property? In the cloud apps era, there are a ton of personal devices that are not managed by the organization and that employees use to connect with company resources.
The final part of the Zero Trust puzzle is to start looking into your applications that are not on-premise. Things that work with on-premise apps do not necessarily work with the apps in the cloud, so it is necessary to be aware of that and handle both in the most efficient way.
Implementing multi-factor authentication is the first step. You can use User Access Security Broker to install MFA on a large scale across the entire organization. User Access Security Broker is different from traditional solutions for deploying multi-factor authentication, as it does not require any software development. The Secfense solution can deploy MFA on any app by adding a security broker to the company infrastructure and then rerouting network traffic through this broker. To read more about User Access Security Broker, visit the Solutions section on our website.
Another simple step that brings organizations closer to adopting the Zero Trust approach is the use of microauthorizations. An admin can enable them in an application with User Access Security Broker. Microauthorizations are best defined as additional authentication requests that show up whenever users try to access specific resources within the app or want to perform an action that requires extra authentication. These authentication requests can be resolved by the users themselves (Owner scenario) or by an authorized employee (Supervisor scenario). You can read more about microauthorizations in our Solutions section.
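The per-request checks described above (view versus edit of CRM records, company device or not, and microauthorizations in the Owner and Supervisor scenarios) can be sketched as a single policy decision function. This is an added example, not part of the original article and not Secfense's code; the policy table, the field names, the `sales` role and the `export` action are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum

class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    STEP_UP_OWNER = "step_up_owner"            # user re-authenticates themselves
    STEP_UP_SUPERVISOR = "step_up_supervisor"  # an authorized employee approves

@dataclass(frozen=True)
class Request:
    roles: frozenset
    mfa_passed: bool              # identity verified with a second factor
    device_managed: bool          # company device vs. personal device
    device_healthy: bool          # device posture check passed
    resource: str
    action: str
    step_up_done: bool = False    # microauthorization completed for this action

# Hypothetical policy: (resource, action) -> (role, needs company device, step-up)
POLICY = {
    ("crm/records", "view"):   ("sales", False, None),
    ("crm/records", "edit"):   ("sales", True, Decision.STEP_UP_OWNER),
    ("crm/records", "export"): ("sales", True, Decision.STEP_UP_SUPERVISOR),
}

def evaluate(req: Request) -> Decision:
    """Decide one request. Called for every request, not once per session;
    Request has no 'inside the network' field, so location grants no trust."""
    rule = POLICY.get((req.resource, req.action))
    if rule is None:
        return Decision.DENY                  # default deny for unknown actions
    role, needs_managed, step_up = rule
    if not req.mfa_passed or not req.device_healthy:
        return Decision.DENY                  # always verify user and device
    if role not in req.roles:
        return Decision.DENY                  # least privilege
    if needs_managed and not req.device_managed:
        return Decision.DENY                  # e.g. edit only from a company device
    if step_up is not None and not req.step_up_done:
        return step_up                        # ask for a microauthorization
    return Decision.ALLOW

# Constructed sample requests (not real data)
SALES = frozenset({"sales"})
home_laptop = Request(SALES, True, False, True, "crm/records", "view")
byod_edit = Request(SALES, True, False, True, "crm/records", "edit")
corp_edit = Request(SALES, True, True, True, "crm/records", "edit")
corp_export = Request(SALES, True, True, True, "crm/records", "export")
print([evaluate(r).value for r in (home_laptop, byod_edit, corp_edit, corp_export)])
```

Once the user completes the requested step-up, the same request is evaluated again with `step_up_done=True` and is allowed.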
“We are faced with new challenges every day. We must always be one step ahead of the attackers and know what they are going to do before they do it. We are convinced that User Access Security Broker will bring security to a new level, both for those working at the office and from home. For us, working with Secfense is an opportunity to exchange experience with developers who put great value on out-of-the-box thinking.”
Business Continuity and Computer Security Officer
BNP Paribas Bank Polska
“Two-factor authentication is known to be one of the best ways to protect against phishing; however, its implementation has always been difficult. Secfense helped us solve that problem. With their security broker, we were able to introduce various 2FA methods on our web applications at once.”
Head of IT