While “zero trust” may be an emerging term, the concept is nothing new. In 2010, Forrester analyst John Kindervag outlined the original zero trust security architecture. That initial version focused solely on network security. Since then, remote work and cloud resources have become the norm, and zero trust security models have adapted accordingly. When exploring a zero trust security framework, companies should look at how its data-centric approach strengthens their overarching information protection controls.
The Concept of a Zero Trust Framework
A zero trust framework is less a rigid architecture and more a frame of mind. Moving toward zero trust security requires organizations to reassess the threats they face and create cybersecurity controls that mitigate risk.
In today’s cloud-enabled workplace, organizations need to address the dynamic, evolving nature of the threat landscape. This means that they need to:
- Continuously monitor systems for a proactive approach to threat mitigation
- Treat every request and every traffic flow as untrusted until it has been verified, regardless of where on the network it originates
- Assume that any file, user, device, or piece of infrastructure may already be compromised
- Reduce risk with appropriate authentication and authorization controls
To move from concept to architecture, organizations should follow three main principles:
- Never trust, always verify: Treat all users, devices, applications/workloads, file transfers, and data flows as untrusted, and authenticate and authorize every access request on its own merits rather than on network location.
- Assume breach: Assume threat actors have already established a foothold in the environment, monitor all users, devices, file transfers, data flows, and access requests for suspicious behavior, and segment access so that a compromise is contained rather than allowed to spread.
- Verify explicitly: Base each access decision on all available signals (identity, device health, location, resource sensitivity, and observed behavior), grant only the access the request needs, and enforce multi-factor authentication (MFA) for access requests.
The 3 Logical Components of a Zero Trust Framework
The National Institute of Standards and Technology (NIST) sets out the basic components of a zero trust architecture in Special Publication (SP) 800-207. Although the publication goes into considerable depth, its three core logical components give a clear picture of how the architecture controls access.
Policy Engine (PE)
The PE makes the decision about whether to grant, deny, or revoke access to a resource. It relies on a range of inputs to make that decision, including:
- Behavioral analytics
- Threat intelligence
- Enterprise security policy
- Regulatory requirements
- Identity and access baselines
These inputs feed the PE’s trust algorithm, which weighs them and returns a grant, deny, or revoke outcome. The PE records every decision, including denials, and hands it to the Policy Administrator to carry out.
Policy Administrator (PA)
The PA works in tandem with the PE. Once the PE decides whether to grant, deny, or revoke access, the PA executes that decision: it instructs the enforcement point to establish or tear down the communication path between the subject and the resource, and it issues any session-specific credential or token the subject needs to reach the resource. Authentication itself, including MFA, is performed by the enterprise identity system and fed to the PE as an input; the PA acts on the resulting decision. The PE and PA are tightly integrated, and in many implementations a single service handles both roles.
Policy Enforcement Point (PEP)
This logical component sits in the data plane and enforces the control plane’s decisions. When the PE authorizes access and the PA sets up the session, the PEP is the gateway through which the subject reaches the resource; it also monitors the session and terminates it when the PA revokes access. Depending on the deployment, the PEP may be an agent on the subject’s device, a gateway in front of the resource, or a combination of both.
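The division of labor between the three components is easier to see in code. The following is an added illustration, not code from NIST SP 800-207 or from any product: a toy Policy Engine scores each request with a trust algorithm fed by identity, device posture, behavioral and threat-intelligence signals and applies a per-resource policy that combines a role allow-list (RBAC) with a minimum trust score (ABAC); a Policy Administrator turns a grant into a short-lived, resource-bound, HMAC-signed session credential and revokes it when a later re-evaluation says deny; a Policy Enforcement Point forwards only requests that carry a valid, unexpired, unrevoked credential. The signal weights, thresholds, resource names, IP addresses and users are all invented for the example.

```python
"""Toy model of the three SP 800-207 logical components (PE, PA, PEP).
Added illustration: the signals, weights, thresholds and sample data are
invented for the example, not taken from NIST or any product."""
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed policy inputs (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
THREAT_INTEL_BAD_IPS = {"203.0.113.7"}
RESOURCE_POLICY = {  # RBAC role allow-list plus an ABAC minimum trust score per resource
    "payroll-db": {"roles": {"finance"}, "min_trust": 80},
    "wiki": {"roles": {"finance", "engineering"}, "min_trust": 40},
}

@dataclass
class Request:
    user: str
    roles: set
    mfa_verified: bool          # identity assurance reported by the IdP
    device_compliant: bool      # posture reported by endpoint management / EDR
    source_ip: str
    resource: str
    anomaly_score: float = 0.0  # behavioral analytics: 0 = normal .. 1 = highly anomalous

class PolicyEngine:
    """Decides grant/deny from all available signals, never from network location alone."""
    def __init__(self):
        self.log = []  # every decision is recorded, denials included

    def trust_score(self, r: Request) -> int:
        score = (40 if r.mfa_verified else 10) + (40 if r.device_compliant else 0)
        score -= int(50 * r.anomaly_score)
        if r.source_ip in THREAT_INTEL_BAD_IPS:
            score -= 100
        return max(0, min(100, score))

    def decide(self, r: Request) -> tuple:
        policy, trust = RESOURCE_POLICY.get(r.resource), self.trust_score(r)
        if policy is None:
            verdict = ("deny", "unknown resource")
        elif not (r.roles & policy["roles"]):
            verdict = ("deny", "role not permitted")
        elif trust < policy["min_trust"]:
            verdict = ("deny", f"trust {trust} below {policy['min_trust']}")
        else:
            verdict = ("grant", f"trust {trust}")
        self.log.append((time.time(), r.user, r.resource) + verdict)
        return verdict

class PolicyAdministrator:
    """Carries out the PE's decision: mints a session credential on grant, revokes on deny."""
    def __init__(self, pe: PolicyEngine, key: bytes, ttl_seconds: int = 300):
        self.pe, self.key, self.ttl, self.revoked = pe, key, ttl_seconds, set()

    def request_session(self, r: Request):
        verdict, reason = self.pe.decide(r)
        if verdict != "grant":
            return None, reason
        # credential = HMAC-signed, resource-bound, expiring payload (fields must not contain '|')
        payload = f"{r.user}|{r.resource}|{int(time.time()) + self.ttl}|{secrets.token_hex(8)}"
        mac = hmac.new(self.key, payload.encode(), "sha256").hexdigest()
        return f"{payload}|{mac}", reason

    def reevaluate(self, r: Request, token: str) -> bool:
        # Continuous evaluation: re-run the PE with current signals; revoke the session on deny.
        if self.pe.decide(r)[0] != "grant":
            self.revoked.add(token)
            return False
        return True

class PolicyEnforcementPoint:
    """Data-plane gateway in front of the resource. For brevity it reads the PA's
    signing key and revocation list directly; a real PEP would query the PA."""
    def __init__(self, pa: PolicyAdministrator):
        self.pa = pa

    def forward(self, token, resource: str) -> bool:
        if not token or token in self.pa.revoked:
            return False
        try:
            user, res, exp, nonce, mac = token.split("|")
            expires = int(exp)
        except ValueError:  # malformed or tampered credential
            return False
        expected = hmac.new(self.pa.key, f"{user}|{res}|{exp}|{nonce}".encode(), "sha256").hexdigest()
        return hmac.compare_digest(mac, expected) and res == resource and expires > time.time()

def demo() -> dict:
    pe = PolicyEngine()
    pa = PolicyAdministrator(pe, key=secrets.token_bytes(32))
    pep = PolicyEnforcementPoint(pa)
    alice = Request("alice", {"finance"}, True, True, "198.51.100.4", "payroll-db")
    token, _ = pa.request_session(alice)
    out = {"healthy": pep.forward(token, "payroll-db"),
           "wrong_resource": pep.forward(token, "wiki")}  # credential is bound to one resource
    alice.device_compliant = False                       # posture changes during the session
    out["still_granted"] = pa.reevaluate(alice, token)
    out["after_revoke"] = pep.forward(token, "payroll-db")
    bob = Request("bob", {"engineering"}, True, True, "198.51.100.5", "payroll-db")
    out["wrong_role"] = pa.request_session(bob)[0] is None  # RBAC denies despite a perfect score
    return out
```

Running `demo()` walks through the lifecycle: a compliant, MFA-verified finance user reaches `payroll-db`, the same credential is refused for `wiki`, a mid-session loss of device compliance causes the PE to deny on re-evaluation and the PA to revoke, after which the PEP drops the previously valid credential, and an engineer is denied by the role check regardless of trust score. Note that the PEP never consults the network the request came from; only the PA-issued credential and the PE's latest decision matter.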
The Technology Required for a Zero Trust Security Framework
A key tenet of zero trust is using automation to streamline processes and reduce the risk of human error. A zero trust security framework consists of multiple technologies working together for a more holistic approach to security. Since zero trust touches nearly every aspect of a company’s IT infrastructure, no single technology can secure all of it at once. This is why companies need to assemble the right set of automated solutions to build a robust zero trust deployment.
Identity and access management
Since identity and access are the first control point in a zero trust architecture, organizations need technologies that let them combine role-based access control (RBAC) with attribute-based access control (ABAC), so that a request is judged not only on who the user is but also on device posture, location, and the sensitivity of the resource. MFA is fundamental to mitigating the risk that a user account has been compromised.
Treating every device as potentially compromised makes endpoint security mission critical for zero trust deployments. Antivirus detects some malware, but it cannot protect against all of it, particularly new and unknown samples. As organizations adopt zero trust, they need to prevent files containing malicious code from reaching devices in the first place, whether through phishing attachments or malicious websites.
When reviewing application security technologies, organizations need to make sure they prevent threat actors from exploiting vulnerabilities and stop malware from spreading through file transfers.
Zero trust frameworks are a data-centric approach to security. Technologies that categorize data based on criticality and risk enable a successful implementation. Additionally, organizations should consider technologies that ensure file security like Content Disarm and Reconstruction-as-a-Service (CDRaaS). These technologies can augment traditional data security controls by preventing malware from being transmitted via file transfers, downloads, or web portals.
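To make the difference between detection and content disarm concrete, here is an added toy illustration of the positive-selection idea applied to a Word (OOXML) package; it is not Votiro's engine or any product's code. Rather than scanning for known-bad content, it rebuilds the package from an allow-list of the parts a macro-free document legitimately needs, so a VBA project, an embedded OLE object, or any unexpected part is simply not carried over, and then repairs the relationship and content-type metadata so the result is still a consistent file. The allow-list, the content-type downgrade and the sample document are constructed for the example; a real CDR engine would also validate the XML of each kept part and re-encode images.

```python
"""Toy Content Disarm and Reconstruction pass over a Word (OOXML) package.
Added illustration of positive selection, not Votiro's engine; the allow-list
and the sample document are constructed for the example."""
import io
import posixpath
import xml.etree.ElementTree as ET
import zipfile

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"
# Parts a plain .docx legitimately carries (constructed allow-list).
ALLOWED_PARTS = {"[Content_Types].xml", "_rels/.rels", "word/document.xml",
                 "word/_rels/document.xml.rels", "word/styles.xml", "word/settings.xml",
                 "docProps/core.xml", "docProps/app.xml"}
# A macro-enabled main part becomes an ordinary one once the VBA project is gone.
MACRO_FREE_TYPE = {"application/vnd.ms-word.document.macroEnabled.main+xml":
                   "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"}

def prune_rels(xml: bytes, rels_name: str, kept: set) -> bytes:
    """Drop relationships whose internal target was not kept (e.g. vbaProject.bin)."""
    base = posixpath.dirname(posixpath.dirname(rels_name))  # word/_rels/x.rels -> word
    root = ET.fromstring(xml)
    for rel in list(root):
        target = posixpath.normpath(posixpath.join(base, rel.get("Target", ""))).lstrip("/")
        if rel.get("TargetMode") != "External" and target not in kept:
            root.remove(rel)
    ET.register_namespace("", RELS_NS)
    return ET.tostring(root, encoding="UTF-8", xml_declaration=True)

def prune_content_types(xml: bytes, kept: set) -> bytes:
    """Drop Override entries for removed parts; downgrade the macro-enabled main type."""
    root = ET.fromstring(xml)
    for el in list(root):
        part = el.get("PartName")
        if part is not None and part.lstrip("/") not in kept:
            root.remove(el)
        elif part is not None:
            el.set("ContentType", MACRO_FREE_TYPE.get(el.get("ContentType"), el.get("ContentType")))
    ET.register_namespace("", CT_NS)
    return ET.tostring(root, encoding="UTF-8", xml_declaration=True)

def disarm(package: bytes):
    """Return (rebuilt package, sorted names of the parts that were left out)."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(package)) as src, zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        names = src.namelist()
        kept = {n for n in names if n in ALLOWED_PARTS or n.startswith("word/media/")}
        for name in names:
            if name not in kept:
                continue  # positive selection: anything not on the list is never copied
            data = src.read(name)
            if name.endswith(".rels"):
                data = prune_rels(data, name, kept)
            elif name == "[Content_Types].xml":
                data = prune_content_types(data, kept)
            dst.writestr(name, data)
    return out.getvalue(), sorted(set(names) - kept)

def describe(package: bytes) -> dict:
    """Summarise a package: part names, main-part relationship targets, Override types."""
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        rels = ET.fromstring(z.read("word/_rels/document.xml.rels"))
        types = ET.fromstring(z.read("[Content_Types].xml"))
        return {"parts": sorted(z.namelist()),
                "document_rels": sorted(r.get("Target") for r in rels),
                "overrides": {t.get("PartName"): t.get("ContentType") for t in types if t.get("PartName")}}

def build_sample() -> bytes:
    """Constructed sample: skeleton of a macro-enabled document (.docm) whose main
    part relates to a VBA project and an embedded OLE object."""
    od = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
    parts = {
        "[Content_Types].xml": f'<Types xmlns="{CT_NS}">'
            '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
            '<Default Extension="xml" ContentType="application/xml"/>'
            '<Override PartName="/word/document.xml" ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/>'
            '<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>'
            '<Override PartName="/word/embeddings/oleObject1.bin" ContentType="application/vnd.openxmlformats-officedocument.oleObject"/>'
            '</Types>',
        "_rels/.rels": f'<Relationships xmlns="{RELS_NS}">'
            f'<Relationship Id="rId1" Type="{od}officeDocument" Target="word/document.xml"/></Relationships>',
        "word/_rels/document.xml.rels": f'<Relationships xmlns="{RELS_NS}">'
            f'<Relationship Id="rId1" Type="{od}styles" Target="styles.xml"/>'
            '<Relationship Id="rId2" Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject" Target="vbaProject.bin"/>'
            f'<Relationship Id="rId3" Type="{od}oleObject" Target="embeddings/oleObject1.bin"/></Relationships>',
        "word/document.xml": '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
            '<w:body><w:p><w:r><w:t>Quarterly report</w:t></w:r></w:p></w:body></w:document>',
        "word/styles.xml": '<w:styles xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>',
        "word/vbaProject.bin": b"\xd0\xcf\x11\xe0 stand-in for a compiled VBA project",
        "word/embeddings/oleObject1.bin": b"\xd0\xcf\x11\xe0 stand-in for an embedded OLE object",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in parts.items():
            z.writestr(name, data)
    return buf.getvalue()
```

Calling `disarm(build_sample())` returns a package whose main part now relates only to `styles.xml`, whose content-type table no longer advertises a VBA project or OLE object and declares the main part as a plain (not macro-enabled) document, and a list of the two parts that were left behind. The engine never needed a signature for the macro or the OLE payload; it only needed to know what a clean document is made of, which is why this approach holds up against samples a detection engine has not seen before.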
Building on a Zero Trust Framework with Votiro
With Votiro Cloud technology, organizations can build more robust zero trust implementations. Votiro Cloud scans for the file elements that belong rather than looking for suspicious elements. This reduces the risks associated with signature-based detections which are often inadequate because they fail to keep pace with evolving threat actor methodologies.
Our SaaS-based solution provides a security solution that requires no internal maintenance or resource updates. The agentless design means that companies can protect themselves even from traditionally difficult-to-manage devices, like smartphones, because they never need to worry about whether users installed the software.
With our API-centric solution, companies can easily integrate Votiro into their existing services, applications, and processes. This gives them a way to secure file transfer processes without impacting end-users’ productivity. To learn more, schedule a demo with our team.