
An Introduction To The Zero Trust Framework

August 13, 2021

Introduction

The COVID-19 pandemic has disrupted the world to a degree never seen before, and it has taught a number of key Cybersecurity lessons. First, a 99% remote workforce, something many thought would take years to come to fruition, became reality in a timespan of just three short months.

Second, Identity and Access Management (IAM) has moved front and center, with many businesses in corporate America now realizing just how exposed their confidential information and data really are when employees, devices, and applications are no longer inside a single corporate network.

This is where the Zero Trust Framework comes in, and it is the focal point of this blog.

What Exactly Is Zero Trust?

In traditional IAM models, even where strong authentication is more or less required, there is still an implicit level of trust that is taken for granted. For example, long-tenured employees may be allowed to bypass certain authentication steps without being questioned, and a device that connects from inside the corporate network is assumed to be safe simply because of where it sits.

The Zero Trust Framework removes that implicit trust entirely: nobody and nothing is trusted by default, whether it is inside or outside your company's network. This applies not just to end users but to devices, applications, and workloads, and it applies equally to the highest-ranking members of the C-Suite and the Board of Directors. Every request for access must be authenticated and authorized against policy before it is granted, and the decision is made per request rather than once at login.

In this regard, simply requiring a second factor at login is not enough on its own. Two Factor Authentication (2FA) is one form of Multifactor Authentication (MFA); what Zero Trust demands is that strong MFA (phishing-resistant methods such as hardware keys wherever possible) be combined with verification of the device's identity and health and of the user's entitlement to the specific resource, on every access request.
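The following is an added example, not code from the original post or from any product it mentions. It shows the decision logic described above as a minimal policy decision point: each request is judged on the caller's identity, the strength of the factors actually verified for the session, the device's posture, and the role's entitlement to the resource. Network location and seniority are deliberately not inputs. All user names, roles, resources, and factor names are assumptions constructed for illustration.

```python
"""Added example (not from the original post): a minimal Zero Trust policy
decision point. Deny by default; location and rank never waive a check.
All names, roles, resources and factor labels are constructed."""
from dataclasses import dataclass

# Authentication factors a session can present. Hardware-bound factors are
# treated as phishing-resistant; passwords and SMS codes are not.
PHISHING_RESISTANT = {"fido2", "smartcard"}
KNOWN_FACTORS = {"password", "sms_otp", "totp", "fido2", "smartcard"}


@dataclass
class Session:
    user: str
    roles: set            # roles asserted by the identity provider
    factors: set          # factors actually verified for this session
    device_managed: bool  # device enrolled in inventory / MDM
    device_compliant: bool  # encrypted, patched, EDR running
    source: str           # "corp_lan" or "internet": recorded, never trusted


# Resource -> (roles allowed, minimum authentication requirement).
# "mfa" = at least two distinct factors;
# "phishing_resistant" = two factors, one of them hardware-bound.
POLICY = {
    "hr_payroll_db": ({"hr_admin"}, "phishing_resistant"),
    "wiki": ({"employee", "hr_admin", "executive"}, "mfa"),
    "finance_share": ({"finance", "executive"}, "phishing_resistant"),
}


def authentication_level(factors):
    """Classify the verified factors; unknown factor names are an error."""
    if not factors <= KNOWN_FACTORS:
        raise ValueError(f"unknown factor(s): {factors - KNOWN_FACTORS}")
    if len(factors) >= 2 and factors & PHISHING_RESISTANT:
        return "phishing_resistant"
    if len(factors) >= 2:
        return "mfa"
    return "single_factor"


def decide(session, resource):
    """Return (allowed, reason) for one access request.

    Every check must pass. An unknown resource, an unentitled role, an
    unmanaged or non-compliant device, or insufficient authentication each
    produce a denial; session.source is intentionally never consulted."""
    if resource not in POLICY:
        return False, "unknown resource"
    allowed_roles, required = POLICY[resource]
    if not session.roles & allowed_roles:
        return False, "role not entitled"
    if not (session.device_managed and session.device_compliant):
        return False, "device not managed/compliant"
    level = authentication_level(session.factors)
    if required == "phishing_resistant" and level != "phishing_resistant":
        return False, f"needs phishing-resistant MFA, got {level}"
    if required == "mfa" and level == "single_factor":
        return False, "needs MFA, got single factor"
    return True, "ok"


if __name__ == "__main__":
    # An executive on the corporate LAN with only a password is refused;
    # an HR administrator on the internet with a hardware key is admitted.
    ceo_on_lan = Session("ceo", {"executive"}, {"password"}, True, True, "corp_lan")
    hr_remote = Session("hr1", {"hr_admin"}, {"password", "fido2"}, True, True, "internet")
    print(decide(ceo_on_lan, "finance_share"))
    print(decide(hr_remote, "hr_payroll_db"))
```

The point of the ordering is that the decision never short-circuits on a "trusted" attribute: there is no branch for `source == "corp_lan"` and no branch for the `executive` role, so the executive on the LAN is denied for exactly the same reason a contractor on the internet would be.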

In fact, a key distinction of the Zero Trust Framework is that it is not merely a hardening of the primary line of defense around the business. Instead, this way of thinking is extended to protect each and every server, workstation, and other asset that resides within the IT infrastructure, each with its own enforcement point. This is known as "micro-segmentation" and is illustrated in the diagram below:

[Diagram of micro-segmentation not reproduced in this copy] (SOURCE: 1).

In other words, the concept of Perimeter Security, in which there is only one main line of circumferential defense separating the internal environment of the business from external forces, is no longer plausible.

Other items can be used to fully enforce the Zero Trust Framework, which are as follows:

  • Implementing stronger levels of Endpoint Security;
  • Breaking up your entire network infrastructure into smaller segments (subnets, VLANs, or host-level micro-segments) so that a compromise of one segment does not grant free movement to the others;
  • Employing Identity and Access Management (IAM);
  • Enacting Role-Based Access Control (RBAC);
  • Deploying strong Encryption of data both in transit and at rest;
  • Using Logging and Analytic Tools;
  • Making use of Policy Enforcement and Orchestration Engines.

How To Implement the Zero Trust Framework

It is important to keep in mind that deploying Zero Trust is not something that happens in just one fell swoop; rather, it is implemented in stages, using a phased-in approach. The following are key areas that you need to keep in mind as you deploy it:

1. Understand and completely define what needs to be protected:

With Zero Trust, you do not limit yourself to protecting the digital assets you already consider most at risk. Rather, you take the position that everything is prone to a security breach, no matter how minor it might seem to your company. In this regard you take a much more holistic view: instead of guessing where the likely attack surfaces are, you treat the entire estate as a protect surface that needs 100% coverage, on a 24 x 7 x 365 basis. You and your IT Security team need to take a careful inventory of everything digital that your company has, and from there map out how each of those items will be protected. Rather than one overarching line of defense for your business, you are now creating many different "micro-perimeters," one for each individual asset.

2. Determine the interconnections:

In today's environment, your digital assets are not isolated from one another. For example, your primary database will be connected to other databases as well as to application and backup servers, some physical and some virtual. Because of this, you need to ascertain how these linkages work with one another, and from there determine the controls that can be placed between these digital assets so that only the documented, legitimate flows are permitted.

3. Crafting the Zero Trust Framework:

Keep in mind that instituting this is not a "one size fits all" approach: what works for one company may not work for your business. Your organization has its own unique set of security requirements, and the protect surface (defined in step #1) and the linkages you have determined (defined in step #2) will also be unique to you. Therefore, you need to build your framework around what your needs are at that moment in time, while also considering projected future needs.

4. Determine how the Zero Trust Framework will be monitored:

Once you have accomplished steps #1 - #3, the final goal is to determine how the framework will be monitored on a real-time basis. In this particular instance, you will want to make use of a Security Information and Event Management (SIEM) platform. A SIEM collects the logging and activity information from your enforcement points, along with their warnings and alerts, and correlates them into one central view. The main advantage is that your IT Security Team can triage and act on those alerts almost immediately, rather than discovering a denied or anomalous access long after the fact. Note that a SIEM is only as useful as the events fed into it: every micro-perimeter and policy engine should emit its allow and deny decisions in a structured, consistent form.
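The following is an added example, not code from the original post or from any product it mentions, carrying the four steps above through in one place: an asset inventory (step 1), the documented interconnections between those assets (step 2), per-asset micro-perimeters that allow only those flows and deny everything else (step 3), and structured decision events plus a simple triage rule of the kind a SIEM would run over them (step 4). The hostnames, ports, sensitivity tiers, and sample traffic are assumptions constructed for illustration.

```python
"""Added example (not from the original post): steps 1-4 of the Zero Trust
rollout in code. Assets, flows, ports and sample traffic are constructed."""
import json
from collections import Counter

# Step 1: inventory. Every asset is listed with a sensitivity tier so that
# alerts can be prioritised by what was touched.
ASSETS = {
    "web-01": {"tier": "dmz", "owner": "platform"},
    "app-01": {"tier": "internal", "owner": "platform"},
    "db-01": {"tier": "crown_jewel", "owner": "data"},
    "backup-01": {"tier": "internal", "owner": "data"},
    "wks-042": {"tier": "endpoint", "owner": "it"},
}

# Step 2: interconnections. Each (source, destination, port) is a documented
# dependency; anything not listed here has no business justification.
FLOWS = {
    ("web-01", "app-01", 8443),
    ("app-01", "db-01", 5432),
    ("backup-01", "db-01", 5432),
    ("wks-042", "web-01", 443),
}


def build_micro_perimeters(assets, flows):
    """Step 3: one allowlist per destination asset.

    A flow that names an asset missing from the inventory is a configuration
    error and is rejected, not silently allowed."""
    perimeters = {name: set() for name in assets}
    for src, dst, port in flows:
        if src not in assets or dst not in assets:
            raise ValueError(f"flow references unknown asset: {src}->{dst}:{port}")
        perimeters[dst].add((src, port))
    return perimeters


def evaluate(perimeters, src, dst, port):
    """Default deny: an unknown destination or an unlisted (src, port) pair is
    refused. Returns a structured event suitable for shipping to a SIEM."""
    allowed = (src, port) in perimeters.get(dst, set())
    return {
        "event": "zt_flow_decision",
        "src": src,
        "dst": dst,
        "port": port,
        "decision": "allow" if allowed else "deny",
        "dst_tier": ASSETS.get(dst, {}).get("tier", "unknown"),
    }


def triage(events, deny_threshold=3):
    """Step 4: two rules a SIEM would run over the decision stream.

    Any denied flow towards a crown-jewel asset is alerted on immediately;
    a source accumulating deny_threshold or more denials is flagged as a
    possible lateral-movement scan. Returns the alert strings in order."""
    alerts = []
    denies_by_src = Counter()
    for e in events:
        if e["decision"] != "deny":
            continue
        denies_by_src[e["src"]] += 1
        if e["dst_tier"] == "crown_jewel":
            alerts.append(
                f"denied access to crown jewel {e['dst']} from {e['src']}:{e['port']}"
            )
    for src, n in denies_by_src.items():
        if n >= deny_threshold:
            alerts.append(f"{src} had {n} denied flows: possible lateral movement scan")
    return alerts


# Constructed sample traffic: the legitimate flows, followed by a compromised
# workstation probing the database, the app server and the backup host.
SAMPLE_TRAFFIC = [
    ("web-01", "app-01", 8443),
    ("app-01", "db-01", 5432),
    ("wks-042", "web-01", 443),
    ("wks-042", "db-01", 5432),
    ("wks-042", "app-01", 8443),
    ("wks-042", "backup-01", 22),
]


def run(traffic=SAMPLE_TRAFFIC):
    """Build the perimeters, evaluate each flow, and triage the results."""
    perimeters = build_micro_perimeters(ASSETS, FLOWS)
    events = [evaluate(perimeters, *t) for t in traffic]
    return events, triage(events)


if __name__ == "__main__":
    events, alerts = run()
    for e in events:
        print(json.dumps(e))  # one JSON line per decision, ready for a SIEM
    for a in alerts:
        print("ALERT:", a)
```

Two design points worth noting. The allowlist is keyed by destination, so each asset carries its own micro-perimeter and a new flow requires a deliberate change to FLOWS rather than a hole punched in a shared firewall. And the deny events are just as important as the alerts: under a single perimeter the workstation's probes of db-01 would have been ordinary east-west traffic and never logged at all.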

Conclusions

Overall, this blog has examined what the Zero Trust Framework is and some key steps that need to be taken into consideration before it is fully implemented in your organization. As you think about adding the processes and infrastructure to support Zero Trust, you might also consider adding technology that will help your organization conduct HR and compliance investigations as well as post-breach analysis should the need arise, because despite best efforts, no solution is foolproof. The AccessData API integrates with your cybersecurity platform to kick off a post-breach investigation from the first moments after an intrusion has been detected, initiating the immediate preservation of electronic evidence. And with our latest release, AD Enterprise is the first forensic solution to offer in-network collection, Mac collection, off-network collection, and cloud data source collection, all in one product. Contact us to learn more or request a demo.

In a future blog, we will examine the key advantages and disadvantages of a Zero Trust Framework.

Sources

1. https://searchsecurity.techtarget.com/definition/zero-trust-model-zero-trust-network
