November 26, 2024
Understanding the Zero Trust Framework
In the past, an organization’s digital data was safe behind passwords, firewalls, and physical locked doors. Today, cloud computing and remote work have rendered these traditional approaches much less effective. Threat actors can launch attacks from almost any device, almost anywhere. Usernames and passwords are widely available on the dark web. To keep sensitive data safe, organizations must understand that any account — even one with the proper credentials — could be compromised. That’s the logic behind a zero trust framework.
A zero trust framework is a cybersecurity model that assumes every login could be a potential attack until proven otherwise. Whereas traditional cybersecurity systems employ “trust but verify” principles, zero trust systems follow a “never trust, always verify” philosophy. Even with a correct username and password, zero trust frameworks can restrict or deny access based on criteria such as multi-factor authentication (MFA), location, IP address, time of day, and even behavioral patterns. Following zero trust principles often means a few extra steps for legitimate employees. But it also means that threat actors have to jump through a series of difficult — and potentially impossible — hoops if they attempt to hijack your data.
Pillars of the zero trust framework
“Zero trust” refers to a set of principles and best practices, not a specific set of steps to follow. As such, there’s no single, definitive way to create a zero trust framework at your organization. While there are many resources for implementing zero trust solutions, one of the best comes from the Cybersecurity and Infrastructure Security Agency (CISA).
CISA is a United States government agency that operates within the Department of Homeland Security. In September 2021, it published the first version of its Zero Trust Maturity Model, which it describes as “one of many roadmaps that agencies can reference as they transition towards a zero trust architecture.” The organization released the Zero Trust Maturity Model Version 2.0 in April 2023.
According to CISA, a zero trust framework must protect five organizational pillars:
- Identity: A set of characteristics that defines each unique user in a system
- Devices: Hardware, software, or firmware that can connect to an organization’s network
- Networks: All internal, wireless, or cloud-based channels that host files or messages
- Applications and workloads: Programs and services that users can manipulate either on-premises or via the cloud
- Data: Any structured or unstructured files that users can access, whether on physical storage or in cloud environments
CISA also describes four different levels of zero trust adoption:
- Traditional: A typical perimeter-based cybersecurity approach, with static policies, manual responses from an IT team, and few dependencies between pillars
- Initial: Some cross-pillar dependencies, least-privilege policies, and incident response automation
- Advanced: Situational access policies based on continuously updated device risks, as well as many cross-pillar dependencies
- Optimal: Full visibility, automation, and interdependency across all five pillars, along with continuous monitoring and dynamic access policies
In other words, organizations that rely on usernames, passwords, VPNs, local area networks, and limited analytics are using a Traditional — and probably outdated — approach. Organizations with multi-factor authentication, least privilege access policies, automated incident response strategies, and sophisticated analytics are using an Advanced or Optimal approach.
Zero trust framework strategies
Continuous authentication
Threat actors have myriad ways to steal usernames and passwords, from data breaches and credential stuffing to phishing and other types of social engineering. That’s why a zero trust framework makes users prove their identity on a regular basis, rather than staying logged in for days (or weeks) at a time.
MFA is an important part of a continuous authentication strategy, as MFA codes are valid for only a few minutes at a time. Even if an attacker manages to hijack a single MFA code, they probably can’t do so multiple times per hour. This limits the amount of damage they could do in a single session.
Similarly, suppose a threat actor steals an employee’s device. They won’t be able to do much if the system requires a username, password, and MFA code every time the device wakes up.
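To make the “never trust, always verify” decision concrete, here is an added example (written for this article, not code from Lookout or CISA) of a small access-policy function that applies the criteria listed above: credentials, MFA freshness, session idle time, device risk, location, and time of day. The thresholds, user profile, and request values are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

# Policy thresholds are constructed for this example; they are not values
# recommended by CISA or used by any particular product.
MFA_MAX_AGE = timedelta(minutes=15)   # MFA older than this must be repeated
IDLE_TIMEOUT = timedelta(minutes=5)   # idle/asleep longer than this -> full re-login
WORK_HOURS = range(6, 22)             # UTC hours treated as normal for this user base
DEVICE_RISK_DENY = 70                 # device risk score (0-100) at/above which we deny


@dataclass
class AccessRequest:
    user: str
    password_ok: bool
    mfa_verified_at: Optional[datetime]   # last successful MFA check, None if never
    last_activity_at: Optional[datetime]  # last action in this session, None if new
    country: str
    device_risk: int
    now: datetime


@dataclass
class UserProfile:
    usual_countries: frozenset


def decide(req: AccessRequest, profile: UserProfile) -> Tuple[str, str]:
    """Return ("allow" | "step_up" | "deny", reason).

    "allow" is only reached after every check passes; a valid password on its
    own is never sufficient.
    """
    if not req.password_ok:
        return "deny", "credentials rejected"
    if req.device_risk >= DEVICE_RISK_DENY:
        return "deny", "device risk %d exceeds threshold" % req.device_risk
    # A session that went idle (laptop closed, device asleep) is treated as a
    # new session: the user must present password and MFA again.
    if req.last_activity_at is not None and req.now - req.last_activity_at > IDLE_TIMEOUT:
        return "step_up", "session idle; full re-authentication required"
    # Continuous authentication: MFA must be recent, not just "once at login".
    if req.mfa_verified_at is None or req.now - req.mfa_verified_at > MFA_MAX_AGE:
        return "step_up", "MFA missing or stale"
    # Contextual signals: unfamiliar location or off-hours access is challenged.
    if req.country not in profile.usual_countries:
        return "step_up", "login from unfamiliar country " + req.country
    if req.now.hour not in WORK_HOURS:
        return "step_up", "access outside normal hours"
    return "allow", "all checks passed"


def demo() -> Dict[str, str]:
    """Evaluate a few constructed requests against the policy and return the decisions."""
    now = datetime(2024, 11, 26, 10, 0, tzinfo=timezone.utc)
    alice = UserProfile(usual_countries=frozenset({"US"}))
    scenarios = {
        # Fresh MFA, active session, usual country, working hours.
        "normal": AccessRequest("alice", True, now - timedelta(minutes=3),
                                now - timedelta(minutes=1), "US", 5, now),
        # Correct password, but the last MFA check was two hours ago.
        "stale_mfa": AccessRequest("alice", True, now - timedelta(hours=2),
                                   now - timedelta(minutes=1), "US", 5, now),
        # Device woke up after 40 minutes asleep.
        "woke_from_sleep": AccessRequest("alice", True, now - timedelta(minutes=3),
                                         now - timedelta(minutes=40), "US", 5, now),
        # Valid credentials used from a country the user never logs in from.
        "unfamiliar_country": AccessRequest("alice", True, now - timedelta(minutes=3),
                                            now - timedelta(minutes=1), "XX", 5, now),
        # Everything else fine, but the device is flagged as high risk.
        "risky_device": AccessRequest("alice", True, now - timedelta(minutes=3),
                                      now - timedelta(minutes=1), "US", 90, now),
    }
    return {name: decide(req, alice)[0] for name, req in scenarios.items()}


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:20s} -> {decision}")
```

The ordering matters: hard denials (bad credentials, compromised device) come first, then the checks that can be satisfied by a step-up challenge, so a legitimate employee is asked for another MFA code rather than locked out, while a stolen password on its own never gets past the MFA freshness check.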
Least privilege access
Least privilege access, or the principle of least privilege, allows employees to access the data they need to do their jobs — and nothing else. An intern at a graphic design company, for example, might be able to install a list of preselected programs and edit files only with explicit permission from an owner. An accountant at the same company, though, would have access to sensitive financial data, while an IT administrator could theoretically manipulate any file or program in the system. Since most employees have access to compartmentalized, limited sets of data, a compromised account might not necessarily amount to a massive data breach.
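The roles described above can be expressed as a deny-by-default permission model. The following is an added example (not Lookout’s code) with constructed roles, users, and resource names; it also models the “explicit permission from an owner” grant the intern needs, and computes the blast radius of each account if its credentials leak.

```python
from typing import Dict, Set, Tuple

Permission = Tuple[str, str]   # (action, resource); "*" matches anything

# Constructed role definitions for the design company described in the text.
# Whatever is not listed here is denied: deny is the default, allow is the exception.
ROLE_PERMISSIONS: Dict[str, Set[Permission]] = {
    "intern":     {("install", "approved-design-apps"), ("read", "design-files")},
    "designer":   {("read", "design-files"), ("write", "design-files")},
    "accountant": {("read", "financial-records"), ("write", "financial-records"),
                   ("read", "design-files")},
    "it_admin":   {("*", "*")},   # the one role that may touch any file or program
}


class AccessControl:
    """Role permissions plus per-user grants handed out explicitly by a resource owner."""

    def __init__(self, roles: Dict[str, Set[Permission]]):
        self.roles = roles
        self.user_roles: Dict[str, str] = {}
        self.owners: Dict[str, str] = {}               # resource -> owning user
        self.grants: Dict[str, Set[Permission]] = {}   # user -> explicit grants

    def assign(self, user: str, role: str) -> None:
        if role not in self.roles:
            raise ValueError("unknown role: " + role)
        self.user_roles[user] = role

    def set_owner(self, resource: str, owner: str) -> None:
        self.owners[resource] = owner

    def grant(self, owner: str, user: str, action: str, resource: str) -> None:
        """Only the owner of a resource may grant extra access to it."""
        if self.owners.get(resource) != owner:
            raise PermissionError(f"{owner} does not own {resource}")
        self.grants.setdefault(user, set()).add((action, resource))

    def revoke(self, user: str, action: str, resource: str) -> None:
        self.grants.get(user, set()).discard((action, resource))

    def is_permitted(self, user: str, action: str, resource: str) -> bool:
        role = self.user_roles.get(user)
        if role is None:
            return False                                # unknown user: nothing allowed
        allowed = self.roles[role] | self.grants.get(user, set())
        return any(a in ("*", action) and r in ("*", resource) for a, r in allowed)

    def readable(self, user: str, resources: Set[str]) -> Set[str]:
        """Everything this account can read: the blast radius if its credentials leak."""
        return {r for r in resources if self.is_permitted(user, "read", r)}


def demo() -> Dict[str, object]:
    resources = {"design-files", "financial-records", "hr-records", "payroll-system"}
    ac = AccessControl(ROLE_PERMISSIONS)
    ac.assign("ian", "intern")
    ac.assign("dee", "designer")
    ac.assign("amy", "accountant")
    ac.assign("ivy", "it_admin")
    ac.set_owner("design-files", "dee")

    out: Dict[str, object] = {}
    out["intern_edit_before_grant"] = ac.is_permitted("ian", "write", "design-files")
    ac.grant("dee", "ian", "write", "design-files")        # owner grants edit access
    out["intern_edit_after_grant"] = ac.is_permitted("ian", "write", "design-files")
    ac.revoke("ian", "write", "design-files")
    out["intern_edit_after_revoke"] = ac.is_permitted("ian", "write", "design-files")
    out["intern_installs_unapproved"] = ac.is_permitted("ian", "install", "random-app")
    out["intern_reads_financial"] = ac.is_permitted("ian", "read", "financial-records")
    out["accountant_reads_financial"] = ac.is_permitted("amy", "read", "financial-records")
    try:                                                   # a non-owner cannot grant
        ac.grant("amy", "ian", "write", "design-files")
        out["non_owner_grant_rejected"] = False
    except PermissionError:
        out["non_owner_grant_rejected"] = True
    # Blast radius of each account if an attacker obtains its credentials.
    out["intern_blast_radius"] = ac.readable("ian", resources)
    out["admin_blast_radius"] = ac.readable("ivy", resources)
    return out
```

The useful check here is the last two lines of demo(): the same lookup that answers “may this user do this?” also answers “how much could a compromised copy of this account read?”, which is the number to drive down when deciding who really needs a broad role.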
Microsegmentation
Traditionally, networks transmitted large quantities of data between a client and a central server. However, a threat actor could subvert this system by exploiting a vulnerability in a firewall or hijacking a VPN. Instead, organizations can employ a technique called microsegmentation. Using microsegmentation, administrators split a network into smaller, discrete zones, each of which follows its own security policies. You could cluster application data together in one segment, for example, and user directories in another.
Microsegmentation can stop threat actors from compromising entire networks, as gaining access to one zone does not guarantee access to another. This technique also makes it more difficult for malware to spread, as a vulnerability in one part of the network may not exist in another.
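As an added illustration (not Lookout’s code or configuration), the following example maps addresses to segments and evaluates traffic against an explicit list of permitted zone-to-zone flows, dropping everything else. Segment names, address ranges, ports, and the sample flows are all constructed.

```python
import ipaddress
from typing import Dict, List, Optional, Set, Tuple

# Constructed zones with example address ranges; not a real network.
SEGMENTS: Dict[str, ipaddress.IPv4Network] = {
    "workstations":   ipaddress.ip_network("10.100.0.0/16"),
    "app-tier":       ipaddress.ip_network("10.10.0.0/24"),
    "db-tier":        ipaddress.ip_network("10.20.0.0/24"),
    "user-directory": ipaddress.ip_network("10.30.0.0/24"),
}

# Permitted flows between zones: (source zone, destination zone, destination port).
# Anything not listed, including traffic within a zone, is dropped.
ALLOWED_FLOWS: Set[Tuple[str, str, int]] = {
    ("workstations", "app-tier", 443),        # users reach the application front end
    ("app-tier", "db-tier", 5432),            # only the app tier may talk to the database
    ("app-tier", "user-directory", 636),      # the app authenticates users over LDAPS
    ("workstations", "user-directory", 636),  # workstations authenticate too
}


def segment_of(ip: str) -> Optional[str]:
    """Name of the segment an address belongs to, or None if it is in no segment."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def flow_allowed(src_ip: str, dst_ip: str, dst_port: int) -> Tuple[bool, str]:
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src is None or dst is None:
        return False, "address outside any defined segment"
    if (src, dst, dst_port) in ALLOWED_FLOWS:
        return True, f"{src} -> {dst}:{dst_port} permitted"
    return False, f"{src} -> {dst}:{dst_port} not in policy (default deny)"


def reachable_from(zone: str) -> Set[Tuple[str, int]]:
    """Destinations an attacker who controls one zone could still reach from it."""
    return {(dst, port) for src, dst, port in ALLOWED_FLOWS if src == zone}


def evaluate(flows: List[Tuple[str, str, int]]) -> Dict[str, bool]:
    """Evaluate each (src, dst, port) flow and return a verdict keyed by flow."""
    return {f"{s}->{d}:{p}": flow_allowed(s, d, p)[0] for s, d, p in flows}


def demo() -> Dict[str, bool]:
    flows = [
        ("10.100.4.7", "10.10.0.5", 443),   # workstation to app front end: allowed
        ("10.10.0.5", "10.20.0.9", 5432),   # app tier to database: allowed
        ("10.100.4.7", "10.20.0.9", 5432),  # workstation straight to the database: dropped
        ("10.10.0.5", "10.10.0.6", 22),     # host-to-host inside the app tier: dropped
        ("10.30.0.3", "10.100.4.7", 445),   # directory server reaching back to workstations: dropped
        ("192.0.2.44", "10.20.0.9", 5432),  # source in no segment at all: dropped
    ]
    return evaluate(flows)


if __name__ == "__main__":
    for flow, ok in demo().items():
        print(f"{flow:32s} {'ALLOW' if ok else 'DROP'}")
    print("from a compromised workstation:", sorted(reachable_from("workstations")))
```

reachable_from() is the check worth running against a real policy: for each zone, what can still be reached if that zone is fully compromised? If the answer for “workstations” includes the database or the directory server on anything other than the authentication port, the segmentation is not yet doing its job.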
Advanced monitoring
If any login could be a dangerous one, then simply monitoring to keep threat actors out of your system isn’t enough. Zero trust frameworks usually employ advanced monitoring techniques to determine whether users are behaving normally. User and entity behavior analytics (UEBA), for example, is a particularly potent tool for cloud environments. Using artificial intelligence (AI) and machine learning (ML) algorithms, UEBA can track anomalous behavior and assess individual device risks. From there, IT administrators can restrict, warn, or oust users as needed.
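Commercial UEBA products use far richer models, but the core idea of learning a per-user baseline and scoring new events against it can be shown in a few dozen lines. The example below is added for this article (it is not Lookout’s code), and its log format, history, scoring weights, and thresholds are all constructed. It learns which countries, devices, and hours each user normally logs in from, then assigns each new login a score and one of the three responses mentioned above: allow, warn, or restrict.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed log format: one login event per line.
LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=login country=(?P<country>\S+) "
    r"device=(?P<device>\S+) result=(?P<result>ok|fail)$"
)
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"
FAILURE_WINDOW = timedelta(minutes=10)   # failed logins within this window raise the score

# Constructed login history for one user; the baseline is learned from these lines.
HISTORY = """\
2024-11-18T09:02:11Z user=alice event=login country=US device=laptop-a1 result=ok
2024-11-19T08:55:40Z user=alice event=login country=US device=laptop-a1 result=ok
2024-11-20T09:10:02Z user=alice event=login country=US device=phone-a2 result=ok
2024-11-21T13:21:33Z user=alice event=login country=US device=laptop-a1 result=ok
2024-11-22T09:00:19Z user=alice event=login country=US device=laptop-a1 result=ok
"""

# Constructed new events to score: a normal login, an off-hours login, and a
# burst of attempts from an unknown country and device.
NEW_EVENTS = """\
2024-11-25T09:05:00Z user=alice event=login country=US device=laptop-a1 result=ok
2024-11-25T03:12:00Z user=alice event=login country=US device=laptop-a1 result=ok
2024-11-26T03:14:00Z user=alice event=login country=RO device=unknown-x9 result=fail
2024-11-26T03:14:30Z user=alice event=login country=RO device=unknown-x9 result=fail
2024-11-26T03:15:05Z user=alice event=login country=RO device=unknown-x9 result=ok
"""


def parse(text: str) -> List[Dict]:
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue                          # skip lines in a format we do not understand
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], TS_FORMAT)
        events.append(ev)
    return events


def build_baseline(events: List[Dict]) -> Dict[str, Dict[str, set]]:
    """Per-user sets of countries, devices and login hours seen in successful logins."""
    baseline: Dict[str, Dict[str, set]] = {}
    for ev in events:
        if ev["result"] != "ok":
            continue
        b = baseline.setdefault(ev["user"], {"countries": set(), "devices": set(), "hours": set()})
        b["countries"].add(ev["country"])
        b["devices"].add(ev["device"])
        b["hours"].add(ev["ts"].hour)
    return baseline


def hour_is_usual(hour: int, usual_hours: set) -> bool:
    # Within two hours of a previously seen login hour, wrapping around midnight.
    return any(min(abs(hour - h), 24 - abs(hour - h)) <= 2 for h in usual_hours)


def score_event(ev: Dict, baseline: Dict, recent_failures: int) -> Tuple[int, List[str]]:
    """Risk score plus the reasons behind it. Weights are constructed for this example."""
    b = baseline.get(ev["user"], {"countries": set(), "devices": set(), "hours": set()})
    score, reasons = 0, []
    if ev["country"] not in b["countries"]:
        score += 40
        reasons.append(f"new country {ev['country']}")
    if ev["device"] not in b["devices"]:
        score += 30
        reasons.append(f"new device {ev['device']}")
    if not hour_is_usual(ev["ts"].hour, b["hours"]):
        score += 20
        reasons.append("unusual hour")
    if recent_failures:
        score += 10 * recent_failures
        reasons.append(f"{recent_failures} recent failure(s)")
    return score, reasons


def action_for(score: int) -> str:
    if score >= 60:
        return "restrict"   # force re-authentication or end the session
    if score >= 20:
        return "warn"       # alert the security team, let the session continue
    return "allow"


def analyze(history_text: str, new_text: str) -> List[Dict]:
    baseline = build_baseline(parse(history_text))
    failures: Dict[str, List[datetime]] = {}
    results = []
    for ev in parse(new_text):
        recent = [t for t in failures.get(ev["user"], []) if ev["ts"] - t <= FAILURE_WINDOW]
        score, reasons = score_event(ev, baseline, len(recent))
        results.append({"ts": ev["ts"].strftime(TS_FORMAT), "user": ev["user"],
                        "score": score, "action": action_for(score), "reasons": reasons})
        if ev["result"] == "fail":
            failures.setdefault(ev["user"], []).append(ev["ts"])
    return results


if __name__ == "__main__":
    for r in analyze(HISTORY, NEW_EVENTS):
        print(r["ts"], r["user"], r["score"], r["action"], "; ".join(r["reasons"]))
```

Two design points carry over to real deployments: the baseline is learned only from successful logins, so failed attempts cannot poison it, and the response is graded rather than binary, so a single off-hours login from a known device produces a warning for analysts instead of locking out an employee working late.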
Challenges of zero trust adoption
There are two main issues you’re likely to encounter when transitioning your organization to a zero trust framework. The first is that there are dozens of ways to implement zero trust solutions rather than a single “right” way. There are dozens of different MFA methods, security software suites, network configurations, and monitoring techniques that you can choose from, to say nothing of the policies and education you devise for your own staff. Remember that it’s better to have some zero trust principles than none. You can start with smaller initiatives and adapt your strategies over time.
The second issue is pushback from employees and management. Zero trust solutions often add an extra layer of inconvenience and expense. Employees may not want to log in constantly, while management may not want to invest in new cybersecurity tools (and abandon the old ones, which they’ve already paid for). The best thing you can do is remind your staff that data breaches have happened at some of the world’s biggest and best-protected companies. Modernizing your cybersecurity strategy is your best defense against a similar attack on your organization.
Implement zero trust security in your organization
Building a zero trust framework can help protect your employees and secure your sensitive data. Moreover, it may be your best defense against a data breach. If you’re ready to modernize your organization’s cybersecurity, learn how you can implement zero trust security with Lookout. Our zero trust solutions include least privilege access, continuous verification, and mobile device monitoring, all of which can stop threat actors from getting a foothold in your network.