Three Key Technologies Behind Zero Trust Architecture
On May 12, 2021, US President Joe Biden signed an Executive Order on Improving the Nation’s Cybersecurity, calling for “bold changes” to the country’s cybersecurity measures to improve both IT and OT (operational technology) security. The executive order repeatedly emphasized modernizing the current approach to cybersecurity by advancing towards zero trust architecture.
Zero trust architecture, or the zero trust security model, is an approach to the design and implementation of IT networks and systems based on the principle of never trusting any user, whether inside or outside the organization. This means that identity verification is performed every time and everywhere, even when the user is already on the internal network. Note that zero trust does not mean “distrust”: it simply removes the notion of “trust” from the IT ecosystem altogether, because trust is an emotional construct that machines cannot define or interpret accurately.
Although the concept was introduced in the 1990s, zero trust architecture was only popularized in recent years. Before Biden’s executive order, the UK National Cyber Security Centre (NCSC) had also recommended that network architects use a zero trust approach when establishing new IT environments. In September 2021, the NCSC said that zero trust had become a “very fashionable term”. Singapore also published the Singapore Cybersecurity Strategy 2021, demanding a shift from traditional perimeter defence towards a zero trust security model and becoming the first Asia Pacific government to adopt zero trust architecture.
What Technologies Are Needed to Establish Zero Trust Architecture?
To establish a foundation for zero trust security, the network architecture should be designed around a zero trust governance policy. Yet, to put that policy into practice, the architecture must be supported by a range of existing security technologies. Here we look at three key technologies behind zero trust architecture.
1. Authentication and Authorization
The most crucial component of zero trust security is identity management, or in technical terms, authentication. Every time a user or device requests access to protected data, an authentication process must be in place to verify that they are truly who they claim to be. In recent years, multi-factor authentication (MFA) has become standard practice for businesses, requiring account holders to use more than one authentication method to prove their identity. Methods include security questions, one-time passwords (OTP), security keys, and biometric authentication such as fingerprint scanning and facial recognition. Although this may sound complicated, Penta Security’s FIDO2-compliant MFA appliance iSIGN+ also enables single sign-on (SSO) across multiple accounts, making identity management both secure and easy.
After the user’s identity has been verified, an authorization process is usually performed at the same time to grant the user access according to their assigned privileges. Take an online shop, for example: an end-user outside the organization should only be allowed to retrieve their own account data and must be prevented from pulling other users’ contact information and purchase history, whereas a customer-support employee may retrieve an individual customer’s records one at a time, on request. Both the customer and the employee go through the same authentication step, but the authorization process assigns them different privileges.
Lastly, regardless of the user’s identity, nobody should ever have the privilege to view the complete set of personal data stored in the database. This data should be protected not only by identity management but also by strong encryption.
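The online-shop rule above, written out as a per-request authorization check. This is an added example, not Penta Security code; the roles, account records and support tickets are constructed for illustration, and `Principal`, `authorize` and `try_read` are hypothetical names.

```python
"""Per-request authorization for the online-shop scenario (constructed example)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Principal:
    user_id: str
    role: str            # "customer" or "support"
    mfa_verified: bool   # outcome of the authentication step for this request


# Constructed sample account records, keyed by customer id.
ACCOUNTS = {
    "c-100": {"email": "alice@example.test", "orders": ["o-1", "o-2"]},
    "c-200": {"email": "bob@example.test", "orders": ["o-3"]},
}

# Constructed open support tickets: ticket id -> customer the ticket concerns.
OPEN_TICKETS = {"t-55": "c-200"}


class Denied(PermissionError):
    """Raised for every refused request; one class so the caller learns nothing extra."""


def authorize(p: Principal, customer_id: str, ticket: Optional[str] = None) -> dict:
    """Evaluate the policy on every call: no session is remembered as 'trusted'."""
    if not p.mfa_verified:
        raise Denied("MFA not completed for this request")
    if p.role == "customer":
        # Customers may read only their own account record.
        if customer_id != p.user_id:
            raise Denied("customers may only read their own record")
    elif p.role == "support":
        # Support staff read one record per request, and only when an open
        # ticket references that customer (the 'on request' condition above).
        if ticket is None or OPEN_TICKETS.get(ticket) != customer_id:
            raise Denied("support access requires an open ticket for this customer")
    else:
        raise Denied("unknown role")          # default deny
    if customer_id not in ACCOUNTS:
        raise Denied("no such account")       # same error: no enumeration hint
    return dict(ACCOUNTS[customer_id])


def try_read(p: Principal, customer_id: str, ticket: Optional[str] = None) -> str:
    """Return 'allowed' or 'denied' so the outcome can be written to an audit log."""
    try:
        authorize(p, customer_id, ticket)
        return "allowed"
    except Denied:
        return "denied"
```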
2. Data Encryption
Data protection regulations such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) mandate appropriate security measures for protecting the personally identifiable information (PII) of customers. In practice, this means that all sensitive data must be stored in a password-protected database and encrypted. Under zero trust security guidelines, businesses should also encrypt their corporate legal documents, trade secrets, network maps, system and software information, and any other information that could guide attackers into the networks of suppliers and clients, especially if those are government or public organizations.
Encryption is an area where many businesses struggle, because even the most experienced developers can find it difficult to encrypt data at the database level without degrading the speed and performance of the web application. Moreover, key management can be tricky, since no single person should hold the complete decryption key. Rather than building an encryption process in-house, it is therefore recommended to use a comprehensive enterprise encryption solution such as D’Amo to keep data encrypted at the desired level, including user application encryption, business application encryption, DBMS application encryption, DBMS package encryption, DBMS engine encryption, kernel encryption, and security gateway encryption.
3. Security Analytics
Security analytics has become an important building block of zero trust architecture. It involves using real-time and logged data to analyze and detect threats, and it serves a variety of purposes. Take the third-generation web application firewall (WAF), for example: historical data on web attack patterns and intrusion methods are used for machine learning, which then produces logic-based rules for more effective detection. As such, a 3rd-gen WAF like WAPPLES is exceptionally effective at blocking new attack patterns and even zero-day exploits, while maintaining a near-zero false positive rate.
Security analytics is also commonly used for self-diagnostics and for continuous monitoring and reporting. Based on preset thresholds, real-time alerts from computers, servers, databases, network devices, and all types of endpoints can be sent to the system administrator immediately. Other uses of security analytics include forensics, a useful way of studying and understanding past or ongoing attacks that helps organizations close their security gaps promptly.
Adopting Zero Trust Security
Moving towards zero trust architecture is not a one-step process. Not only does it involve a transformation of network infrastructure and systems, but it also requires continuous monitoring and updates to maintain. Before the transformation, it is important to set out a plan that prioritizes the areas needing immediate change, perhaps starting with identity and access management.
To cope with today’s sophisticated social engineering techniques and web intrusion methods, zero trust security should be a standard not only for those under regulation, but for all organizations. To maintain trust in an open society, zero trust security is essential.
Check out Penta Security’s product lines:
Web Application Firewall: WAPPLES
Database Encryption: D’Amo
Identity and Access Management: iSIGN+
Car, Energy, Factory, City Solutions: Penta IoT Security