What is a Zero Trust Security Strategy?

Recently, the National Security Agency (NSA) released guidance to help organizations adopt a Zero Trust approach to cybersecurity. Zero Trust is a security strategy that assumes that a data breach is either inevitable, or that a breach has already happened and an intruder is already inside an organization’s network. The details of a zero trust security strategy are discussed below.

What is a Zero Trust Security Strategy? How Does the Strategy Work?

The National Security Agency (NSA) has recently released new guidance to help organizations adopt a Zero Trust approach to cybersecurity to better defend against increasingly sophisticated cyber threats.


According to the NSA, “Zero Trust” is a coordinated cybersecurity and system management strategy based on an acknowledgement that threats exist both inside and outside traditional network boundaries. 


In other words, a zero trust security strategy assumes a breach either will happen at some point, or has likely already occurred. The zero trust security model therefore continuously limits access to only what is required. The zero trust security model also continuously looks for signs of anomalous or malicious activity. A key principle of the zero trust strategy is that credentials and devices are assumed to be malicious until proven otherwise.


A zero trust security model uses the following:

  • Comprehensive security monitoring;
  • Risk-based access controls; and
  • Security system automation in a coordinated manner throughout all aspects of an IT infrastructure.

The goal of a zero trust security model is to focus on protecting critical assets (data), in real time, within a constantly changing threat environment.

Zero Trust Security Strategy and the Least-Privileged Access Principle

The zero trust security strategy is grounded in the least-privileged access principle. The principle of least privilege (PoLP) is an information security concept, in which a user is given the minimum levels of access – or permissions – needed to perform his/her job functions. Under a system of least privilege enforcement, a user is given the requisite access needed, and nothing more. 


Examples of Zero Trust in Use

The fundamental purpose of “Zero Trust” is to understand and control how users, processes, and devices engage with data. The combination of the user, the device, and any other security-relevant information used to make an access decision (e.g., location, time of day, previously logged behavior of the user or device) is called a tuple. The Zero Trust decision engine examines the tuple in an access request, compares it to the security policy for the data or resource being requested, and then makes a risk-informed decision on whether to allow access. This process is conducted for each individual access request to each sensitive resource, and can be repeated periodically during extended access to a resource.

Two prominent examples of when Zero Trust implementation can detect malicious activity better than a traditional architecture include compromised user credentials, and remote exploitation or insider threats.

Compromised user credentials.

Here, a cyberattacker compromises a legitimate user’s credentials, and attempts to access system resources. The cyberattacker is using an unauthorized device, either through remote access or with an outside device that joins the organization’s wireless LAN. In a traditional network setting, user credentials (user ID and password) alone are often sufficient to gain access. However, in a Zero Trust environment, the device is not known. It is treated as a potential “invader.” This means that the device will fail authentication and authorization checks. Therefore, access will be denied, and the system will record the access attempt as malicious activity. In a Zero Trust environment, strong multi-factor authentication (MFA) is recommended. Using strong MFA makes stealing the user’s credentials more difficult in the first instance.

Remote exploitation or insider threat.

Here, a cyberattacker attempts to compromise a user’s device through an Internet-based mobile code exploit. An exploit is a piece of software, a chunk of data, or a sequence of commands. In each case, the exploit takes advantage of a vulnerability to cause disruptive behavior to occur on software or hardware. In a non-Zero Trust environment, the attacker uses the user’s credentials and privileges to move through the network, ultimately to compromise data. However, in a Zero Trust network, both the user’s credentials and the device are assumed to be malicious until proven otherwise. The network will act to limit access based on security policy, user role, and user and device attributes.
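To make the decision-engine logic concrete, here is an added example in Python (not code from the NSA guidance or from the original article) of a minimal policy evaluation over the tuple described above. The device inventory, user roles, resource policies, risk weights and thresholds are constructed assumptions. It covers both scenarios: valid credentials presented from an unknown device are denied, and the role and context checks limit what a compromised but registered device can reach.

```python
from dataclasses import dataclass
# Constructed sample inventory (not from the NSA guidance): the devices the
# organization has registered, and the users and roles it knows about.
KNOWN_DEVICES = {"lap-0142": {"owner": "alice", "compliant": True}}
USERS = {"alice": {"role": "clinician"}}

# Per-resource policy (assumed): allowed roles, MFA requirement, max context risk.
RESOURCE_POLICY = {
    "ehr-records": {"roles": {"clinician"}, "require_mfa": True, "max_risk": 1},
    "billing-app": {"roles": {"clinician"}, "require_mfa": True, "max_risk": 2},
}

@dataclass(frozen=True)
class AccessTuple:
    """The tuple the text describes: user, device and security-relevant context."""
    user: str
    device_id: str
    mfa_passed: bool
    location: str   # "on-site" or "remote"
    hour: int       # local hour of the request, 0-23

def context_risk(t: AccessTuple) -> int:
    """Score the request context; higher means riskier (assumed weights)."""
    risk = 0
    if t.location != "on-site":
        risk += 1                       # remote access is riskier than on-site
    if not 7 <= t.hour <= 19:
        risk += 1                       # outside normal working hours
    return risk

def decide(t: AccessTuple, resource: str) -> tuple:
    """Evaluate one request; rerun per request and periodically in a session."""
    policy = RESOURCE_POLICY.get(resource)
    user = USERS.get(t.user)
    device = KNOWN_DEVICES.get(t.device_id)
    if policy is None or user is None:
        return False, "unknown resource or user"
    # Valid credentials alone are not enough: an unregistered device fails here.
    if device is None:
        return False, "unknown device: treated as potential intruder"
    if device["owner"] != t.user or not device["compliant"]:
        return False, "device not registered to user or non-compliant"
    if policy["require_mfa"] and not t.mfa_passed:
        return False, "MFA required"
    if user["role"] not in policy["roles"]:
        return False, "role not permitted for resource"
    if context_risk(t) > policy["max_risk"]:
        return False, "context risk exceeds policy threshold"
    return True, "allowed"
```

Every denial returns a reason string so the enforcement point can log the attempt as the anomalous activity the text says a zero trust model should record.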
