Since the days of castles and moats, perimeter-based security has been a sensible approach to protecting assets from external threats. To this day, it remains — with the right upkeep — a viable means of securing closed network systems, building up a robust barrier of firewalls, intrusion detection systems and other technologies that help keep intruders at bay. The trouble is, perimeter-based defences are no longer fit for purpose given the expansion of enterprise networks. In an era of remote working, cloud computing and increasingly sophisticated cyber threats – including those being driven by AI – it is becoming increasingly challenging for businesses to maintain control and defend against attacks.
For instance, when cloud-based services are incorporated into a network, the organisation’s network perimeter becomes much harder to secure, because ownership of those services is split between public and private parties. This hybridised infrastructure makes it very difficult to maintain consistent security across all areas of the network. As a result, organisations expose their networks to vulnerabilities that attackers can exploit to harvest critical data.
Unfortunately, the modern business’s reliance on cloud-based network services brings about certain risks, such as misconfiguration, vulnerable interfaces, and poor change control. Weaknesses like these leave confidential resources and information vulnerable to cyber attacks, leading to severe security dilemmas for organisations.
Cloud-based services pose their own threats to a network, but when combined with the traditional perimeter-based model, the risk is increased as perimeter security brings about problems of its own.
With perimeter security, all users within the network’s external barrier are inherently trusted, allowing them access to all crucial internal data. For hackers, this means they only have one line of defence to penetrate before they can acquire and harvest an organisation’s confidential data. Organisations need to take firmer measures to secure their data against malicious actors who can slip through the cracks of current defence systems.
Trust no-one
To protect against evolving threats like quantum computing, organisations must turn to more rigorous methods. Zero trust network security has grown in popularity over the past decade as a solution to the issues created by combining perimeter and cloud-based security. Zero trust security operates on the basis that no entity or network segment is inherently trusted, in contrast to perimeter-based security, where everyone is trusted once they make it inside the initial barrier.
Under a zero trust model, users and their endpoint devices must be authenticated and identified regardless of their network location. This ensures network security by protecting every point within the network, rather than solely relying on one external barrier to be the network’s entire line of defence.
The zero trust architecture (ZTA) model can be divided into five pillars: identity, networks, devices, applications and workloads, and data. Within this model it is implied that implementing zero trust is a journey of maturity across various facets of cybersecurity and network architecture design.
‘Identity’ refers to the process of verifying who has access to data. In a zero trust network, access management is dynamic and fully integrated, using multi-factor authentication that considers factors such as something the user knows, biometric proof and the device they are using.
‘Networks’ in the context of zero trust are the communication channels that provide encryption of data in transit. ‘Devices’ pertains to guaranteeing that every device connected to the network is compliant and properly verified at every step.
The ‘Workloads and applications’ pillar encompasses any of the processes, applications or groups of data within the network that require access and protection from malicious actors. Zero trust requires authorisation and verification each time a user tries to access these.
Finally, ‘data’ within zero trust deals with data-at-rest, which is encrypted in storage, and data-in-transit, which is encrypted in the network. The priority within this pillar of the model is ensuring thorough protection throughout the data process.
The model highlights the different components within any network that will need continuous verification and authentication in a ZTA security system. By highlighting the specific areas that will require continuous authentication, ZTA covers all bases of security within a network.
Best practice for ZTA
When it comes to the implementation of ZTA within an existing network, encryption keys are important to consider. As zero trust protects data by granting the minimum level of access necessary, encryption channels need to be rekeyed regularly to avoid network vulnerabilities.
Protecting the encryption keys themselves is an important and often overlooked factor, as ZTA focuses not only on the encryption itself but also on the lifetime of the data and on how long the encryption keys have been in use. It is crucial for organisations to make sure they are using encryption keys that are robust, based on appropriate and compliant key-agreement protocols, and that are handled safely when in use to prevent theft or unwanted exposure.
One way to better achieve zero trust is by using active forms of authentication that can be easily revoked, such as symmetric-based authentication mechanisms. For example, authentication keys that are entirely symmetric but that are ratcheted (or rotated) each time a device is authenticated have a greatly reduced lifetime, which significantly lowers the risk of the device being impersonated to access the network’s confidential data. Each device’s keys are unique and can be centrally managed, ensuring robust security as well as effortless use.
Symmetric key agreement (SKA) with rotating authentication keys works well within the zero trust model and secures networks because the ratcheting process generates a new, random value every time a device authenticates. As a result, confidential data is protected even if a hacker is able to infiltrate the outer perimeter of a network.
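The ratchet described in the two paragraphs above, as an added Python sketch that is not from the article: a device and the central authenticator share a per-device symmetric key and both advance it with an HMAC-based ratchet on every successful authentication, so a key captured before a rotation is useless afterwards. The class names, the ratchet label and the challenge-response shape are my own assumptions; resynchronisation after a lost message is left out.

```python
import hashlib
import hmac
import os
import secrets

# Constructed demo: one device ("dev-01") and a central authenticator share
# a 32-byte root key that is rotated on each authentication.

def ratchet(key: bytes) -> bytes:
    """Derive the next authentication key; the previous one is discarded."""
    return hmac.new(key, b"zta-auth-ratchet", hashlib.sha256).digest()

def tag(key: bytes, challenge: bytes) -> bytes:
    """Response to a fresh challenge under the current key."""
    return hmac.new(key, challenge, hashlib.sha256).digest()

class Device:
    def __init__(self, key: bytes):
        self.key = key
    def respond(self, challenge: bytes) -> bytes:
        response = tag(self.key, challenge)
        self.key = ratchet(self.key)      # device moves to the next key
        return response

class Authenticator:
    def __init__(self, device_id: str, key: bytes):
        self.keys = {device_id: key}      # centrally managed per-device keys
    def challenge(self) -> bytes:
        return secrets.token_bytes(16)    # fresh nonce defeats replay
    def verify(self, device_id: str, challenge: bytes, response: bytes) -> bool:
        key = self.keys[device_id]
        ok = hmac.compare_digest(tag(key, challenge), response)
        if ok:
            self.keys[device_id] = ratchet(key)  # advance only on success
        return ok

def demo() -> tuple:
    root = os.urandom(32)
    dev, auth = Device(root), Authenticator("dev-01", root)
    stolen = root                         # key copied before the first rotation
    c1 = auth.challenge()
    ok_legit = auth.verify("dev-01", c1, dev.respond(c1))
    c2 = auth.challenge()
    ok_stale = auth.verify("dev-01", c2, tag(stolen, c2))  # stale key fails
    c3 = auth.challenge()
    ok_again = auth.verify("dev-01", c3, dev.respond(c3))  # device still in sync
    return ok_legit, ok_stale, ok_again   # (True, False, True)

if __name__ == "__main__":
    print(demo())
```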
It is crucial for organisations to move away from traditional perimeter-based security and towards more robust methods that can be layered, such as ZTA. Zero trust security fills the security gaps created by organisations combining modern technology with traditional perimeter security, and significantly mitigates the damage that can be done if an attacker happens to breach the perimeter.