It’s too late when the crisis happens! Only by following this zero-trust principle can we be stable enough

Enterprises need to monitor and measure the integrity and security posture of all owned and related assets

In a zero-trust model, no device or asset is inherently trusted, and every resource request should trigger a security posture assessment. This includes continuous monitoring of the state of corporate assets that have access to the environment, whether they are owned by the enterprise or another entity, whether they have access to internal resources, and rapid patching and remediation of vulnerabilities based on insights gained from continuous monitoring and reporting.

Returning to the previous example of granting access based on a session, the device posture can be checked to ensure that the device has no high-risk vulnerabilities and is not missing important security updates and patches.

With dynamic insight and monitoring into the integrity and security posture of owned and connected assets, policies and decisions can be made around the level of access granted, if granted at all.

All resource authentication and authorization are dynamic and must be strictly enforced before access is allowed.

As discussed in the previous example, granting access and trust is dynamic and ongoing: a continuous cycle of scanning devices and assets, using signals to gain deeper insight, and evaluating them before making trust decisions. The process does not end when a user creates an account with permissions to the relevant resources. It is iterative, with many factors involved in each policy enforcement decision.

Enterprises should collect as much information as possible about the current status of assets, network infrastructure, and communications, and use this information to improve security posture

Technology environments face countless threats, and organizations must maintain a continuous monitoring capability to ensure they are aware of what is happening in their environment.

As discussed earlier, NIST 800-207 describes three core components of a Zero Trust Architecture:

  • PE (Policy Engine)
  • PA (Policy Administrator)
  • PEP (Policy Enforcement Point)

Figure 1. Several core components of zero trust

These core components use information gathered from the current state of assets, network infrastructure, and communications to improve decision making and ensure that high-risk decisions about access are not approved.
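
The per-request posture check and the PE/PA/PEP split described above, as an added example that is not part of the original article or of NIST 800-207. The Posture fields, the thresholds, the 15-minute grant lifetime and the device names are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

@dataclass(frozen=True)
class Posture:                       # signals from continuous monitoring
    managed: bool                    # enrolled in enterprise management
    max_open_cvss: float             # worst unremediated finding on the device
    last_patched: datetime
    last_scanned: datetime

MAX_SCAN_AGE = timedelta(hours=24)   # assumed thresholds, set by local policy
MAX_PATCH_AGE = timedelta(days=30)
HIGH_RISK_CVSS = 7.0

def policy_engine(p: Posture, sensitivity: str, now: datetime) -> Tuple[str, str]:
    """PE: decide (access_level, reason) for a single request."""
    if now - p.last_scanned > MAX_SCAN_AGE:
        return "deny", "posture data is stale"
    if p.max_open_cvss >= HIGH_RISK_CVSS:
        return "deny", "high-risk vulnerability open"
    if now - p.last_patched > MAX_PATCH_AGE:
        return "deny", "security patches missing"
    if not p.managed:
        if sensitivity == "high":
            return "deny", "unmanaged device, sensitive resource"
        return "limited", "unmanaged device"
    return "full", "posture healthy"

def policy_administrator(level: str, now: datetime) -> Optional[dict]:
    """PA: turn an allow decision into a short-lived grant, or nothing."""
    if level == "deny":
        return None
    return {"level": level, "expires": now + timedelta(minutes=15)}

def pep_handle(store: dict, device_id: str, sensitivity: str, now: datetime):
    """PEP: re-evaluate on every request; devices with no posture are denied."""
    p = store.get(device_id)
    if p is None:
        return None, "no posture on record"
    level, reason = policy_engine(p, sensitivity, now)
    return policy_administrator(level, now), reason

# Constructed sample data: one managed laptop, one unmanaged personal device.
NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)
STORE = {
    "laptop-01": Posture(True, 4.3, NOW - timedelta(days=5), NOW - timedelta(hours=2)),
    "byod-07": Posture(False, 2.0, NOW - timedelta(days=3), NOW - timedelta(hours=1)),
}
```

The same laptop that receives a full grant is refused on its next request once a scan records a CVSS 9.8 finding, or once its posture data is more than 24 hours old.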

Zero Trust is a Journey

A common mistake many organizations make is thinking that Zero Trust is a destination, something that can be achieved overnight. They assume that all they need to do is buy the right tools and then implement Zero Trust in their environment. This is not what Zero Trust is supposed to be. Sure, tools can help organizations achieve some aspects of Zero Trust and get them closer to a Zero Trust architecture, but tools are not a panacea. Like most areas of IT and cybersecurity, Zero Trust is made up of people, process, and technology.

As outlined in the NSA publication Embracing the Zero Trust Security Model, key recommendations include looking at zero trust from a maturity perspective, with stages of early readiness, a foundational phase, an intermediate phase, and an advanced maturity phase.

Figure 2. Zero Trust Maturity

Having said all that, the first step is preparation. Understand where you are, where the gaps are, and how your architecture, practices, and processes align with the Zero Trust principles listed above. Then develop a plan to address these issues, and most importantly, recognize that this will take time to achieve.

Author: Chris Hughes. Chris Hughes has nearly 15 years of experience in the IT/cybersecurity industry. In addition to working as a consultant in the private sector, he has also served in the US Air Force and worked as a civil servant in the US Navy and FedRAMP (Federal Risk and Authorization Management Program) under the GSA (General Services Administration).

Original URL:

https://www.csoonline.com/article/3626432/7-tenets-of-zero-trust-explained.html
