What is Zero Trust Security?

Posted September 14, 2021

The threat landscape is evolving and has greatly expanded over the past ten to fifteen years. IT environments used to traditionally consist of an office where all employees, servers, and maybe even a DMZ were centrally located. Due to advancements in connectivity, the typical office has changed. Through cloud applications, VPNs, mobile networks, and Wi-fi, it is now expected that the office is anywhere. Recently, this evolution in work has accelerated due to the pandemic. We now have a widespread hybrid workforce where you’re no longer just in the office or just out of the office, you’re potentially going in and out depending on the day. Users and devices may be inside the network or outside on any given day and there are also many more devices to secure. Employees are using mobile phones, connecting remotely via laptops, or connecting via desktops from inside the network. Some devices may be more secure than others, depending on what endpoint protection can run on them. Basically, what this boils down to is we can no longer rely on a strong, secure internal network to protect us. We need to be protected everywhere.

Corey Nachreiner, Chief Security Officer at WatchGuard, relates the traditional security model to a Tootsie pop. There is a hard candy shell that contains all your protection. But once you break through the shell, you can go anywhere in the soft candy center. So, a bad guy just has to get past that hard candy shell. In today’s environment, that hard candy shell can’t exist solely “at the office.” It must exist everywhere but that still isn’t enough because hard shells can be broken through. Even before the hybrid work environment was adopted, security should have been based on a zero-trust model. Networks can no longer allow users privilege just because they got past the door or broke through the shell. Security models today need to allow the least amount of privilege possible to do what is necessary.

Zero-trust security is taking a cynical approach to users and permissions. Basically, it is assuming that every user is a bad actor. That could be a hostile actor intentionally targeting your systems or an employee connecting a compromised device. Zero trust grants only the permissions necessary and doesn’t allow lateral movement through a network — breaking through the shell doesn’t give a user access to the whole soft candy center. Zero trust implements a hard shell throughout the network like a hard lollipop and eliminates the soft-candy center. Or as Corey would say, turn your network security into a Jawbreaker.

Zero trust also goes beyond simple authentication level access. If you turn your network into a zero-trust Jawbreaker, you can now separate that Jawbreaker into individual tiny pieces, and most users won’t even know what pieces exist. Only users who need access to a certain piece of the Jawbreaker (think applications, network storage, systems) get visibility and access. The Microsoft Exchange server hack from March of this year was exactly this type of exploit. The bad actors didn’t need a username, password, or MFA token. They just needed network-level access and could exploit a server-level request. The recent Kaseya hack was also this type of authentication bypass attack. Zero-trust security boils down to also protecting applications against these types of attacks. Authentication is still a very important part of zero-trust security, but network segmentation, including establishing micro perimeters is equally as important.

Zero trust starts with authentication and identity controls. You need to know who the person is, and what the device is before you can make a decision on whether it should have access or not. Until you’ve established that this is someone you know, or not, you can’t figure out how much access to give them.

Kyle Vinar

Kyle Vinar is Partner / President of Verus Corporation. He oversees all business operations and coaches Verus teams to continually improve on their solutions from client experience to product development and overall solution implementation. He works with all Verus resources to increase efficiencies and excellence in every aspect of their organizational roles. Kyle believes that people are the last real competitive edge that a company can have and constructing a rich culture is a vital step in running a world-class organization. Therefore he strives to create a culture within Verus that allows everyone to show up authentically and grow both personally and professionally, which in turn allows Verus Corp team members to provide clients with top-of-the-line service. Kyle helps balance strategy, capacity, and culture in such a way that has allowed Verus Corp to achieve exponential growth since he joined the company in 2013. One of Kyle’s greatest professional achievements has been in helping lay the foundation upon which Verus Corporation could be named the 2nd Best Place to Work by the Minneapolis/St. Paul Business Journal. Kyle holds a Bachelor of Science in Marketing from St. Cloud State University. He lives in Champlin with his wife and 3 children. He has enjoyed volunteering as a soccer coach for over 6 years and was the former Director of Coaching for Rebels Soccer Club. If Kyle isn’t on the sidelines of one of his children’s soccer games or in the audience of his eldest’s musicals, he can often be found cruising scenic routes on his Harley, in a deer stand, or on the golf course.