What is Zero Trust Security in Cybersecurity: A Comprehensive Guide

Zero Trust is a much bandied-about IT term, but how much do you really know about this concept? Read on, and we are confident you will gain plenty of knowledge to share with your team.

What Does Zero Trust Mean in Cybersecurity?

Fittingly, Zero Trust means that the only way to protect everything in your IT infrastructure as closely as possible is to trust nothing. This entails a step-by-step process to better secure almost all aspects of your IT environment.

Zero Trust is different from the way networks were traditionally used to implement cybersecurity practices. In the past, IT had areas of their network they felt were safe, such as those behind firewalls and other forms of perimeter security. That meant there were trusted networks with trusted users, and an external network with untrusted users.

In some cases, IT would set up a DMZ to serve as a security zone between the so-called safe network and the dangerous world outside the perimeter. There are two problems with this: Hackers can indeed infiltrate the perimeter and insiders cannot always be trusted. Therefore, there is no safe or truly trusted network.

So, What is Zero Trust?

In response to the revelation that networks inside the perimeter are not truly trusted, the concept of Zero Trust emerged. “Instead of assuming everything behind the corporate firewall is safe, the Zero Trust model assumes breach and verifies each request as though it originates from an open network. Regardless of where the request originates or what resource it accesses, Zero Trust teaches us to ‘never trust, always verify.’ Every access request is fully authenticated, authorized and encrypted before granting access. Micro segmentation and least privileged access principles are applied to minimize lateral movement. Rich intelligence and analytics are utilized to detect and respond to anomalies in real-time,” Microsoft explained. “By implementing Zero Trust, Microsoft takes a layered approach to secure corporate and customer data. Microsoft’s phased implementation of Zero Trust centers on strong user identity, device health verification, validation of application health and secure, least-privilege access to corporate resources and services.”

According to NIST, in a 2020 paper on Zero Trust Architecture, “Zero Trust is the term for an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets and resources. Zero Trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location (i.e., local area networks versus the Internet) or based on asset ownership (enterprise or personally owned).”

Meanwhile, the US Department of Defense (DoD) argued that “The foundational tenet of the Zero Trust model is that no actor, system, network or service operating outside or within the security perimeter is trusted. Instead, we must verify anything and everything attempting to establish access.”

So, while it may sound counterintuitive, the only way to truly trust in your security is to have Zero Trust—trust nothing and defend and verify everything.

How the Zero Trust Model Works

Because failure to comply with security and compliance policies can have drastic consequences resulting in loss of data, trust and revenue, Zero Trust is the security model of choice for large enterprises and government organizations today. With Zero Trust, organizations can gain insight into users and devices connected to the network, identify threats and maintain control across the entire diverse IT ecosystem. This helps organizations run continuous verification, maintain visibility and detect vulnerabilities faster, often before an intrusion occurs. Zero Trust models also allow organizations to implement personalized rule engines that can be automatically updated based on identified risks. Designing Zero Trust capabilities within business processes, services and systems allows security policies to cover multiple environments (physical, virtual, cloud, containers), monitor security postures continuously and proactively reduce breaches.

Implementing a Zero Trust security approach means doing away with legacy infrastructure and workflows that prevent the implementation of more modern security strategies. Traditional approaches relied on “trust but verify” models of security. These put the organizations at risk from security vulnerabilities like unauthorized access, compromised accounts, misuse of credentials, etc. With Zero Trust, organizations are required to continuously monitor and validate users and devices for privileges and attributes.

With Zero Trust, IT permits access only between IT entities that absolutely must communicate with each other. This does away with the old concept of a trusted user, or even a trusted piece of infrastructure such as a server. With Zero Trust, IT secures all communications channels and removes generic access to any asset. Access has to be specifically granted; it must have a purpose, and it cannot be inherited.

Why Zero Trust is so Important

The cloud, along with the move to remote work and mobile access, are all driving the need for Zero Trust. “Cloud-based services and mobile computing have changed the technology landscape for the modern enterprise. Today’s workforce often requires access to applications and resources outside traditional corporate network boundaries, rendering security architectures that rely on firewalls and virtual private networks (VPNs) insufficient. Changes brought about by cloud migration and a more mobile workforce have led to the development of an access architecture called Zero Trust,” Microsoft explained. “Implementing a true Zero Trust model requires that all components—user identity, device, network and applications—be validated and proven trustworthy. Zero Trust verifies identity and device health prior to granting access to corporate resources. When access is granted, applying the principle of least privilege limits user access to only those resources that are explicitly authorized for each user, thus reducing the risk of lateral movement within the environment,” Microsoft concluded.

Here are four elements critical to establishing Zero Trust, according to Microsoft:

  • “Strong identity authentication everywhere (user verification via authentication)
  • Devices are enrolled in device management and their health is validated
  • Least-privilege user rights (access is limited to only what is needed)
  • The health of services is verified (future goal)”

Zero Trust advantages include:

  • Reduced business risk due to continuous visibility and monitoring
  • Increased control over multiple environments – cloud, containers, virtual machines, etc.
  • Reduced risk of data breach due to reassessment of privileges and authorizations based on changing context
  • Enhanced compliance reporting
  • Reduced overall capital expenditure

What is Zero Trust Network Access?

Zero Trust Network Access is a way of creating boundaries around your network assets to protect the data and applications from compromise, invasion or data leakage. “Zero trust network access (ZTNA) is a product or service that creates an identity- and context-based, logical access boundary around an application or set of applications. The applications are hidden from discovery, and access is restricted via a trust broker to a set of named entities,” explained the Gartner Zero Trust Network Access glossary page. “The broker verifies the identity, context and policy adherence of the specified participants before allowing access and prohibits lateral movement elsewhere in the network. This removes application assets from public visibility and significantly reduces the surface area for attack.”

Access control is critical. With ZTNA:

  • Authentication is performed continuously
  • Authorization is done continuously
  • Access control is done at more than one point
  • Devices are now subject to authentication, authorization and access control
  • One slow authentication or authorization server can severely degrade the customer experience

Strong access control requires extensive network rework. As explained in our previous blog post about ZTNA and how it promotes a positive customer experience, “What works today with your existing authentication and authorization solution cannot support Zero Trust without significant reengineering for performance and resilience. Access control, authentication and authorization must occur before a user is granted access to any information.”

With Zero Trust and ZTNA, IT infrastructure switches from the old perimeter-based security model to a distributed security model. Now security decisions, such as when to provide access to resources and what authentication is required, are made across the entire architecture.

Core Principles of Zero Trust

Zero Trust has a number of core principles, but here are two of the most important pillars:

  • Assume that the outside and inside environments are both hostile, seeking to attack your systems in myriad ways. Further assume that all your infrastructure and users are not to be trusted (unless your organization has adopted Zero Trust, of course!).
  • Don’t trust, always verify. Since components of your IT infrastructure are not trusted, you must make them safe through verification. This includes blocking access by default and only allowing access through rigorous and regular authentication—and only to those explicitly given those privileges. Use least privilege access to grant permissions to only those who truly need it.

Macro-Segmentation and Micro-Segmentation

Zero Trust means your network is no longer wide open but is instead broken down into more secure segments. This means devices can’t access the entire network; instead, each device is contained within its own segment, like a cocoon.

“Device compliance is critical in the Zero Trust model and this can be addressed by applying micro-segmentation and macro-segmentation to your network environment. This means now having perhaps each and every subnet across your network (or even perhaps smaller components than that) be separately contained and require access decisions to go from one segment to another segment of your network,” the What is Zero Trust Network Access (ZTNA) and How Does it Promote a Positive Customer Experience? blog explained. “These segments (both logical and physical) are isolated and controlled via granular access and policy restrictions. As your perimeter becomes granular through macro-segmentation, micro-segmentation provides greater protections and controls over the Data/Assets/Applications/Services (DAAS). This is vital if you are to control privileged access, manage internal and external data flows and prevent lateral movement.”
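To make the core principles and the segmentation idea concrete, here is an added example (not code from this page, from Microsoft or from Chef) of a minimal default-deny policy decision point in Python: every request must pass strong identity authentication, device enrollment and health validation, a segment-to-segment path check and an explicit, non-inherited least-privilege grant, and the checks are re-run on every request rather than once at login. All users, resources and segment names are constructed sample values.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass
class Request:
    user: str
    mfa_verified: bool       # strong identity authentication (user verification)
    device_enrolled: bool    # device enrolled in device management
    device_healthy: bool     # device health validated
    source_segment: str      # network segment the request comes from
    target_segment: str      # segment that hosts the resource
    resource: str
    action: str

# Constructed sample policy. Grants are explicit (user, resource, action) tuples:
# nothing is inherited from a group, a network location or a trusted server.
GRANTS = {
    ("alice", "payroll-db", "read"),
    ("bob", "build-server", "deploy"),
}

# Segment pairs that are allowed to talk (macro/micro-segmentation). Any pair
# not listed is blocked, so a compromised host cannot move laterally.
SEGMENT_PATHS = {("corp-laptops", "finance"), ("corp-laptops", "ci")}

def authorize(req: Request, grants=GRANTS, paths=SEGMENT_PATHS) -> tuple[bool, str]:
    """Default deny: every check must pass for a single request to be allowed."""
    if not req.mfa_verified:
        return False, "identity not strongly authenticated"
    if not req.device_enrolled:
        return False, "device not enrolled in management"
    if not req.device_healthy:
        return False, "device failed health validation"
    if (req.source_segment, req.target_segment) not in paths:
        return False, f"no permitted path {req.source_segment} -> {req.target_segment}"
    if (req.user, req.resource, req.action) not in grants:
        return False, "no explicit grant for this user, resource and action"
    return True, "all checks passed"

def enforce_session(requests: list[Request]) -> list[tuple[str, bool, str]]:
    """Verification is continuous: each request is re-evaluated, and the session
    stops at the first failed check (e.g. the device drifts out of compliance)."""
    decisions = []
    for req in requests:
        allowed, reason = authorize(req)
        decisions.append((req.resource, allowed, reason))
        if not allowed:
            break
    return decisions
```

Note that the same user on the same device is cut off mid-session as soon as the device health signal changes; that re-evaluation on every request is what distinguishes this from a perimeter login check.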

Zero Trust and Identity and Access Management (IAM)

With the growing plethora of enterprise applications and services, maintaining user accounts, access permissions, authentication methods and password policies across all these platforms is time-consuming, error-prone and a source of unending security gaps, if not handled properly.

Identity and Access Management (IAM) is part of the solution. “An IAM solution is an effective way to improve security and access by limiting who has access and how much access they have to appropriate systems. The ideal way to deliver these increased Identity and Access Management practices is to set up a role-based access control (RBAC) strategy based upon how environments are set up,” the Identity and Access Management page explained.

The Benefits of Encryption in Zero Trust

Unencrypted data is a hacker’s dream come true. Fortunately, strong encryption is a key Zero Trust mantra. “The Zero Trust Security model protects the data by encrypting data-at-rest and data-in-transit before moving to cloud storage devices or any other devices. If a data breach occurs, even with limited access to data, no one can read the data except the intended person,” argued Encryption Consulting.

Progress Chef and Zero Trust Security

A top goal with Progress Chef is to simplify the complex. Zero Trust may sound complex at first, but it becomes simple when embracing the DevSecOps model. Chef Desktop allows organizations to extend the capabilities of Zero Trust from a practice to a more meaningful application of security and compliance policies through the Rule Engine. Chef Desktop automates Configuration Management by allowing codification of Infrastructure Configurations through policy files. This makes applying and maintaining configuration changes across a large fleet of machines faster and provides visibility into their real-time status. Besides automating configurations, Chef Desktop uses compliance as code principles to automate security and compliance checks for endpoints to help detect and remediate issues.

Through Chef Desktop, your Zero Trust Rules Engine now has significantly more security insights about system hardening status and device compliance to make decisions regarding the accessibility of various resources to different nodes or users. Customizable templates allow flexibility to add and modify configurations to accommodate the unique requirements of specific users, endpoints or apps. A unified dashboard to track nodes' status in configuration, health and compliance makes it easier to track security and configuration management data across the entire IT resource fleet.

Watch our on-demand webinar and learn how to use DevOps principles and a Zero Trust approach to automate security and better detect and resolve security issues.

Learn more by reading the blog post, Chef What is Zero Trust and Why Should We Care?

Chef Zero Trust Solutions

Chef is designed to incorporate the principles of Zero Trust and enable organizations to implement a more robust security and compliance strategy. Chef allows teams to configure security and compliance policies based on organizational needs and apply those policies consistently across devices in the fleet irrespective of operating system or environment. Chef infrastructure management and compliance automation capabilities collect insightful data from endpoints regarding system hardening status and compliance postures within the fleet.

These insights can then be used to define flows in the Rules Engine and make better decisions about user/device authorizations and privileges, based on attributes such as device compliance health, user data, device context, infrastructure attributes, etc. The Chef built-in dashboard tracks the status of configuration, compliance, device health and other attributes, and offers continuous visibility into the state of devices within the fleet. Continuous audits help identify vulnerabilities and automated remediation confirms if devices are maintaining compliance with standard benchmarks such as CIS and DISA STIGs.

Learn more about Chef Zero Trust Security Solutions.