Zero Trust Security Principles

Zero Trust

Cybersecurity

Life Sciences

10 min read

Zero Trust Security Principles

The drive to find new resources for innovation and process improvement in life science companies is becoming more and more based on technologies. On this journey, they need an infallible cybersecurity system.

Modern-day enterprises need more than detailed plans, talented people, and capital funding to succeed in the long haul. They need an infallible cyber security system. Businesses don’t operate the same way they used to in the 2000s.

There are remote workers, several internal networks, and cloud services. Moreover, covid-19 pandemic allowed employees to work from home or even a vacation spot. Although these changes have helped enterprises in many ways, they also pose a threat to their overall security.

And since the perimeter of the enterprises has changed drastically, perimeter-based network security is deemed insufficient. Once an attacker finds a way into the network, there are no hindrances to further lateral movement. So, what’s the best possible cyber security option available currently? It’s Zero Trust (ZT).

Download the Zero trust security  report

Zero Trust Paradigm

There’s a saying, ‘Precaution is better than cure.’ The Zero Trust (ZT) approach works with the same focus. A ZT security model assumes that the enterprise-owned environment is no better than a non-enterprise-owned environment. An attacker can also be present in the enterprise environment; thus, ZT-based security has no implicit trust.

It constantly analyzes and evaluates the risks to the assets and business functions of the enterprise. Then it enacts protective measures to minimize risks, as it’s not possible to eliminate the uncertainties. These measures include minimizing resource access to only those users needing access and continually authenticating and authorizing each access request.

A Zero Trust Architecture (ZTA) is an enterprise cybersecurity architecture based on Zero Trust principles. It prevents data breaches and restricts internal lateral movement only to trustworthy users. ZTA is an end-to-end approach to enterprise resource and data security by granting only the minimum privileges needed to complete a task.

The main objectives are authentication, authorization, reducing implicit trust zones, and creating highly detailed access rules.

ZTA must adhere to the following principles:

  • Resources Include all data sources and computing services
  • All communication must meet the same security requirements regardless of network location
  • Monitors and measures the integrity and security posture of all owned and associated assets because no asset is inherently trusted
  • Collects vast data to improve its security posture
  • grants access to individual enterprise resources on a per session basis
  • all resource authentication and authorization are dynamic and strictly enforced before allowing access

Zero Trust Architecture Components

Core Components of ZTA:

● Policy Engine (PE): PE is the ultimate decision-maker for granting access to a resource. It uses enterprise policy and input from external sources as input to a trust algorithm for making its decision. PE works along with the Policy Administrator component.

● Policy Administrator (PA): It executes the decision after PE logs it. PA is responsible for establishing or shutting down the communication between a subject and a resource. Some implementations may treat the PA and PE as a single service.

● Policy Enforcement Point (PEP): It is responsible for enabling, monitoring, and eventually terminating connections between a subject and an enterprise resource. PEP allows or shuts down the session after receiving the signals from PA. Beyond the PEP is the trust zone.

Enterprise uses several data sources (local and external) for implementing a ZTA in addition to the core components. These can include:

● Industry Compliance System: This ensures that the enterprise complies with all the required regulations.

● Threat Intelligence Feed(s): This provides information from internal or external sources that help the PE make access decisions.

● Network and System Activity Logs: This helps to provide real-time feedback on the security posture by aggregating asset logs, network traffic, resource access actions, and other events.

● Security Information and Event Management (SIEM) System: It collects security-centric information for later analysis. They use this data to refine policies and warn against any possible attacks against the enterprise.

Zero Trust Deployment

You may understand the ZTA deployment through the following examples:

Enterprise with Satellite Facilities: It is common to find enterprises with a single headquarter and geographically dispersed branches that are not joined by an enterprise-owned physical network connection. Their employees may still need to access enterprise resources using personally-owned or enterprise-owned devices. Thus, enterprises may grant access to some resources but deny or restrict access to more sensitive resources by hosting PE\PAs as cloud services.

Contracted Services and/or Non-employee Access: Many modern businesses employ people on a contractual basis. These temporary employees need to access the enterprise resources for a fixed duration of time. They may also need to interact with the other employees of the enterprise. Here, the ZTA infrastructure will let the employees access enterprise resources and interact with others while safeguarding sensitive resources. The enterprise may host PA\PA\PEs as a cloud service or on the LAN.

Collaboration Across Enterprise Boundaries: When two enterprises collaborate on a project, they may need to access resources located on each other’s infrastructure. In such a case, the organization with resources on its infrastructure may grant access to only some information while denying access to overall enterprise resources. They may do so by hosting PE\PAs as a cloud service without establishing a VPN or similar facility.

Zero Trust Use Cases

The following real-world examples will help you understand the growing needs of Zero Trust Architecture:

Microsoft: Microsoft’s Zero Trust framework is based on the principle, ‘never trust, always verify.’ Since no one can transition to ZT in a single step, they created a layered approach to securing both corporate and customer data. They ensure increased productivity, risk mitigation, and cloud migration.

IBM: The IBM Zero Trust strategy helps your business increase its cyber resiliency while managing the risks of a disconnected business environment. It uses context to connect the right users to the right data at the right time under the right conditions.

AWS: AWS IoT helps you build a Zero Trust Architecture based on the seven tenets of Zero Trust. It provides IoT services that enterprises can use alongside other AWS identity and networking services to provide a wholesome Zero Trust environment. They will help you incrementally move to the ZTA without eliminating traditional security approaches.

Migrating to Zero Trust Architecture

Implementing a ZTA from scratch may not be possible as organizations already have an existing network. Thus, enterprises should implement Zero Trust principles subtly. They should opt for a hybrid Zero-Trust/perimeter-based security system. Meanwhile, investing in ongoing IT modernization initiatives.

An enterprise needs a baseline of competence before migrating to a Zero Trust Architecture. This baseline encompasses assets, business processes, subjects, traffic flows, and dependency mappings identified and cataloged for the enterprise. Incompetent knowledge regarding these will lead to business process failure.

Pure Zero Trust Architecture

An organization can build a ZTA from scratch if it has to complete a new task requiring new infrastructure. It may incorporate ZT concepts to some degree. Firstly, they’ll have to identify the workflows and the components needed and then map how they interact with each other.

Hybrid ZTA and Perimeter-Based Architecture

Since no significant enterprise can shift to ZTA in a single step, an enterprise may operate in a hybrid system; with flexible common elements that can operate in both ZTA and perimeter-based architecture.

Steps to introduce ZTA to a Perimeter-based Architecture

Identify Users: PE must know enterprise subjects, including both human and possible Non-Practicing Entity

(NPEs): Users with special privileges, such as developers or administrators, may have blanket permission to access all resources. However, it may use logs and audits to identify their behavior patterns.

Identify Assets: ZTA requires the ability not only to identify and monitor all the devices that access enterprise resources, whether they are enterprise-owned or not. Since a complete census of all enterprise-owned assets is impossible, organizations should build a ZTA capable of quickly identifying new assets on enterprise-owned infrastructure.

Identify Key Processes and Evaluate Risks: Now, the enterprise should rank business processes, data flows, and their relations. Business processes should inform the circumstances under which ZTA will grant or deny access. Hence, start with low-risk business processes for the first transition.

Formulating Policies for the ZTA Candidate: Identifying a candidate service or business workflow depends on factors like its importance, the group of subjects affected, and the current state of resources. Then identify all upstream and downstream resources and entities. Administrators may need to identify criteria for the resources used in the candidate business process.

Identify Candidate Solutions: The enterprise needs to compose a list of candidate solutions. They may model an existing business process as a pilot program rather than just a replacement. The pilot program can be generally applied to several business processes or may be made specifically for one use case. Use it as a “proving ground” for ZTA before transitioning to the ZTA deployment.

Initial Deployment and Monitoring: Administrators may operate in an observation and monitoring mode at first. The new ZT business workflow may operate in the reporting-only mode for some time. Reporting-only means to grant access to most requests and compare traces of connections with the initially developed policy.

Expanding the ZTA: Enterprise enters the steady operational phase after gaining enough confidence and refining the workflow policy set. The stakeholders involved may provide feedback to improve operations. Moreover, the administrators may start planning for the next stage of ZT deployment.

Summary

In conclusion, the ZTA security system is much better suited for modern enterprises, given the circumstances under which they operate. Enterprises can establish their own policies according to which the PE\PA\PEPs will grant, deny or restrict access to enterprises’ resources. This ensures the autonomy of enterprises while safeguarding their resources.

Download the Zero trust security report

Read more on the Knowledge hub