Course
Zero Trust is an approach that secures access and limits impact with adaptive controls and continuous verification.
Every request is seen as a potential breach and must be verified as though it originates from an open network.
The guiding principle: "Never trust, always verify."
The three basic tenets of zero trust are:
- Verify explicitly: use every available data point (user identity, the application's hosting environment, location, device health, service, workload, data classification, and anomalies) to verify a request and prevent a breach.
- Least privilege access: grant only what a task needs, for example using Just-in-Time and Just-Enough-Access (JIT/JEA).
- Assume breach: minimize the blast radius to prevent lateral movement, using segmentation policies and analytics to detect and respond quickly.
Six coverage areas
Six coverage areas to create a defense-in-depth strategy: identity, infrastructure, network access, applications, endpoints, and data.
Identity: User and device access must be rules-based and conditional, determining the potential risk of a user or login request. Rules-based access requires properly planning roles and permissions, applying the least privilege principle, and granting administrative access only time-bound, with proper approvals and auditing. Conditional access means evaluating conditions such as user location, device state, and user integrity to determine the risk that the requested access (to sensitive information) creates for the company, and whether additional verification is needed.
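The "verify explicitly" tenet and the conditional access described above can be expressed as a small policy engine. The following is an added example, not part of the course material or any vendor product: the signals, role names, weights and thresholds are constructed for illustration, and a real deployment would take them from the identity provider, the MDM/MAM service and sign-in risk analytics.

```python
from dataclasses import dataclass

# Hypothetical sign-in signals; in practice these come from the identity
# provider, the MDM/MAM service, and sign-in risk analytics (constructed).
@dataclass
class AccessRequest:
    user: str
    roles: frozenset            # roles granted under least privilege
    device_managed: bool        # enrolled in MDM, or MAM-protected app
    device_compliant: bool      # passes the device health/compliance policy
    location_trusted: bool      # request comes from a known corporate location
    anomaly_score: float        # 0.0 (normal) to 1.0 (clearly anomalous)
    classification: str         # "public" | "internal" | "confidential"
    mfa_completed: bool = False # strong authentication already done this session

# Role a principal must hold to reach each data classification (constructed).
ROLE_FOR = {"public": None, "internal": "employee", "confidential": "data-owner"}

def evaluate(req: AccessRequest):
    """Conditional-access decision: returns (decision, reasons).

    decision is "allow", "mfa" (step-up verification needed) or "deny".
    Hard rules come first (rules-based access); the remaining risk signals
    are then weighed against the sensitivity of the data (conditional access).
    """
    if req.classification not in ROLE_FOR:
        return "deny", ["unknown data classification"]
    needed = ROLE_FOR[req.classification]
    if needed and needed not in req.roles:
        return "deny", [f"role '{needed}' required"]
    # Assume breach: only public data is reachable from an unmanaged device.
    if req.classification != "public" and not req.device_managed:
        return "deny", ["device not managed (MDM/MAM)"]
    if req.anomaly_score >= 0.8:
        return "deny", ["high sign-in risk"]
    # Verify explicitly: every weak signal raises the risk of this request.
    risk, reasons = 0, []
    if not req.device_compliant:
        risk, reasons = risk + 2, reasons + ["device non-compliant"]
    if not req.location_trusted:
        risk, reasons = risk + 1, reasons + ["untrusted location"]
    if req.anomaly_score >= 0.4:
        risk, reasons = risk + 1, reasons + ["elevated sign-in risk"]
    if req.classification == "confidential":
        risk, reasons = risk + 1, reasons + ["confidential data"]
    if risk == 0:
        return "allow", reasons
    if risk > 3:
        return "deny", reasons          # too risky even with step-up MFA
    return ("allow" if req.mfa_completed else "mfa"), reasons
```

The ordering matters: a request that fails a hard rule is denied before any risk weighing, so a compliant device or completed MFA never compensates for a missing role or an unmanaged device.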
Infrastructure: Infrastructure, both cloud and on-premises, must be protected by limiting access to the management ports of virtual machines and containers. Administrative access should be granted on request, time-bound, and auditable.
Network access: Public and private networks must be separated; on-premises through physical separation or logical isolation (VLANs), in the cloud with virtual networks (VNETs) in Azure or virtual private clouds (VPCs) in AWS. Network access through the infrastructure can be controlled with network access control lists, network security groups, and access policies.
Applications: Public-facing cloud applications introduce the challenge of balancing customer expectations with enforcing Zero Trust. Adequate segmentation between public-facing applications and private backend databases is important. Using a cloud access security broker (CASB) to govern and manage access to cloud applications is important, as is avoiding shadow IT.
Endpoints: Endpoints can be anything, such as a virtual server, a Windows device, or a smartphone. The company should have a level of endpoint protection and governance over those devices to enforce Zero Trust.
Mobile device management (MDM) can be used on company-owned devices to enforce configuration and compliance policies, and access to applications and data can be denied on devices that are not managed with MDM.
For personal devices this can be done through mobile application management (MAM), which creates a virtual separation between personal and business applications and data without taking full control of the device.
Data: Confidentiality and integrity of data must be protected by encryption and key management. This requires an inventory and classification of data assets.