What Is Zero Trust Security?
by Brett Daniel on Jun 1, 2021 10:20:51 AM
Graphic: We're hearing more and more about zero trust security, but why?
Table of Contents
- What is zero trust?
- How does zero trust work?
- How do you achieve zero trust?
- Why do we need zero trust?
- Is adopting zero trust unrealistic?
- Why is a zero trust architecture ultimately more effective for security?
- Trenton Systems: Developing Zero Trust Computing Solutions
BUZZ! BUZZ! BUZZ! The intrusive buzzing of the latest cybersecurity buzzword, zero trust, is palpable.
It’s evident why. The COVID-19 pandemic, with its surge in remote work, has pushed the implementation of zero trust architectures to the top of many enterprise priority lists.
As early as 10 years ago, most enterprise endpoints (users, devices, and applications) were restricted to the confines of the enterprise. Once these endpoints were inside the perimeter and verified as secure, they were granted access to network resources and henceforth assumed to be secure.
But now, with the advent of cloud computing, edge computing, and the Internet of Things (IoT), and with more and more employees accessing sensitive enterprise data not only from home but from cafés, other countries, and other far-flung locations, enterprise endpoints are virtually everywhere. Cyberattackers, like sleazy swindlers searching for the weaknesses of unsuspecting innocents, are eager to identify the perfect opportunity to strike.
“Okay, so how are we supposed to protect our sensitive data, then?”
It’s quite simple, reader.
Trust no one.
Photo: Zero trust is all about securing both internal and external endpoints, assuming they've been breached, and constantly verifying endpoint identity and trustworthiness.
What is zero trust?
Zero trust is a network cybersecurity approach that assumes data breaches are being perpetrated by untrusted sources originating both inside and outside an enterprise.
Zero trust security involves constantly verifying the identity and trustworthiness of every user, device, and application within a given enterprise network. It rejects the traditional assumption that users, devices, and applications are trustworthy merely because they’ve been verified as secure, and granted network access in the past.
This is an important point, as traditional perimeter-based cybersecurity models, also known as castle-and-moat models, accept the assumption that prior security verification and presence inside the network are equivalent to trustworthiness.
Cybersecurity experts frequently refer to these older models using a castle-and-moat analogy because those who need internal access to network resources must pass a security check (the corporate firewall) to be granted such access, like crossing a heavily guarded drawbridge or even having it lowered in the first place. In essence, the belief is "trust, but verify," and your enterprise data is safe.
Although marvels of a time before the era of digital nomadism and remote computation, these outdated models alone are now widely regarded as not only ineffective but also obsolete, given the modern proliferation of enterprise users, devices, and applications operating outside enterprise perimeters as well, whether in the cloud, a home office, a hammock on the beach, a manufacturing facility, a military outpost, and so on.
How does zero trust work?
The modern proliferation of enterprise users, devices, and applications external to enterprise networks creates an increased attack surface for independent and state-sponsored hackers.
Zero trust architectures address this problem by adopting a “trust-no-one” cybersecurity model, authenticating enterprise user, device, and application trustworthiness both before and after granting access to network resources.
Unlike the older castle-and-moat model’s “trust, but verify” concept, the frequently touted adage for zero trust security is “never trust, always verify.”
In a nutshell, a zero trust architecture works by adopting a “trust-no-one” cybersecurity model that modern enterprises use to better safeguard their internally and externally accessed data.
Zero trust even has the approval of the federal government. The NSA, a major proponent of zero trust, strongly recommends that National Security Systems (NSS), Department of Defense (DoD), and Defense Industrial Base (DIB) networks adhere to a zero trust security model to secure their sensitive data.
Graphic: Tools used to achieve zero trust include network segmentation, multifactor authentication, and least-privilege access restrictions.
How do you achieve zero trust?
A zero trust architecture is achieved through the implementation of comprehensive security monitoring, risk-based access controls, and enterprise-wide system security automation.
"This data-centric security model allows the concept of least-privilege access to be applied for every access decision, allowing or denying access to resources based on the combination of several contextual factors."
- National Security Agency (NSA), Embracing a Zero Trust Security Model
The concept of least-privilege access ensures that enterprise users, devices, and applications have only the access and permissions necessary to complete the tasks specific to their job, function, or purpose. This helps minimize the possibility of lateral movement throughout a network.
For example, a program manager doesn’t need to install software updates, and cybersecurity directors don’t need access to confidential program documents. The underlying purpose is the minimization of privilege: if a hacker were to compromise the program manager’s account, they could access confidential program documents but not install software updates. Conversely, a compromised cybersecurity director’s account would allow the hacker to install software updates but not access confidential program documents, at least not immediately.
Least-privilege access is a zero trust concept in nature since it inherently assumes that users, devices, and applications cannot be trusted to securely access and engage with enterprise data beyond the scopes of their purposes.
Although least-privilege access is a start to achieving a zero trust architecture, it's not perfect, as the issue of devices, users, and applications being compromised by hackers remains, which is why prevention is essential.
Enter macro-segmentation, micro-segmentation, and multi-factor authentication (MFA). Macro- and micro-segmentation allow cybersecurity architects to create network zones that segregate workloads and secure them independently, so that a compromise in one zone does not automatically reach the next. MFA is the practice of asking users to provide two or more verification factors to confirm their identity before they're allowed access to network resources. When paired with access management, network monitoring and analytics, and other tracking tools, the result is a potent concoction for warding off cybercriminals.
As mentioned, the primary goal of zero trust is to control access and engagement with enterprise data, so to achieve a zero trust architecture, the who, what, when, where, and how of every enterprise user, device, and application must constantly be questioned to verify their trustworthiness in accessing and using enterprise data.
Since devices, users, and applications frequently make access requests, these access requests must be repeatedly authorized and secured using authentication and encryption technologies before the user, device, or application, whether internal or external to the network, is granted access to network resources.
In summarizing these contextual factors, the NSA lists seven preventive principles and system design concepts necessary for achieving a zero trust architecture:
- Never trust, always verify.
- Assume breach.
- Verify explicitly.
- Define mission outcomes.
- Architect from the inside out.
- Determine who or what needs access to critical data, assets, applications, or services (DAAS).
- Inspect and log all traffic before acting.
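To make these principles concrete, here is an added example that is not part of the original article and is not Trenton Systems' or the NSA's code: a minimal policy decision point that evaluates every access request against the contextual factors described above (re-verified identity, MFA, device posture, least-privilege role scopes, and segmentation) and logs each decision. The role names, zones, scopes, and requests are constructed for illustration; a contrasting castle-and-moat function shows why "verify once at the drawbridge" fails when an admitted endpoint later falls out of compliance.

```python
# Added example (not Trenton Systems' or the NSA's code): a minimal zero trust
# policy decision point. Role names, zones, scopes and requests are constructed.
from dataclasses import dataclass
from typing import Dict, List, Set

# Least-privilege scopes: each role carries only the actions its job needs
# (mirrors the program manager / cybersecurity director example above).
ROLE_SCOPES: Dict[str, Set[str]] = {
    "program_manager": {"read:program_docs"},
    "security_director": {"install:updates"},
}

# Macro-/micro-segmentation: which source zones may reach which workload
# segments. A remote VPN user may reach documents but not the patch segment.
ZONE_POLICY: Dict[str, Set[str]] = {
    "corp_lan": {"docs_segment", "patch_segment"},
    "remote_vpn": {"docs_segment"},
    "internet": set(),
}

# The segment in which each action's resource lives.
RESOURCE_SEGMENT: Dict[str, str] = {
    "read:program_docs": "docs_segment",
    "install:updates": "patch_segment",
}


@dataclass(frozen=True)
class Request:
    user: str
    role: str
    action: str
    source_zone: str
    identity_verified: bool   # credentials re-checked for THIS request
    mfa_verified: bool        # second factor presented for THIS request
    device_compliant: bool    # endpoint posture (managed, patched, etc.)


@dataclass
class Decision:
    allow: bool
    reasons: List[str]


AUDIT_LOG: List[dict] = []


def decide(req: Request) -> Decision:
    """Evaluate one request against every contextual factor; deny on any failure."""
    reasons: List[str] = []
    # Verify explicitly: identity, MFA and posture are checked on every
    # request and never inherited from an earlier successful login.
    if not req.identity_verified:
        reasons.append("identity not verified")
    if not req.mfa_verified:
        reasons.append("MFA not satisfied")
    if not req.device_compliant:
        reasons.append("device posture check failed")
    # Least privilege: the role must carry the exact scope requested.
    if req.action not in ROLE_SCOPES.get(req.role, set()):
        reasons.append(f"role '{req.role}' lacks scope '{req.action}'")
    # Segmentation: the source zone must be permitted to reach the target segment.
    segment = RESOURCE_SEGMENT.get(req.action)
    if segment is None or segment not in ZONE_POLICY.get(req.source_zone, set()):
        reasons.append(f"zone '{req.source_zone}' may not reach '{segment}'")
    decision = Decision(allow=not reasons, reasons=reasons)
    # Inspect and log all traffic before acting: every decision is recorded.
    AUDIT_LOG.append({"user": req.user, "action": req.action,
                      "zone": req.source_zone, "allow": decision.allow,
                      "reasons": list(reasons)})
    return decision


def castle_and_moat(requests: List[Request]) -> List[bool]:
    """Perimeter model for contrast: verify once at the drawbridge, trust thereafter."""
    admitted = False
    results: List[bool] = []
    for req in requests:
        if not admitted and req.identity_verified and req.source_zone == "corp_lan":
            admitted = True  # drawbridge lowered once; posture never re-checked
        results.append(admitted and req.action in ROLE_SCOPES.get(req.role, set()))
    return results


def zero_trust(requests: List[Request]) -> List[bool]:
    """Zero trust: each request is evaluated on its own merits, every time."""
    return [decide(r).allow for r in requests]


if __name__ == "__main__":
    # Constructed sequence: the same account reads docs, then its endpoint
    # falls out of compliance, then it tries an action outside its scope.
    seq = [
        Request("alice", "program_manager", "read:program_docs", "corp_lan", True, True, True),
        Request("alice", "program_manager", "read:program_docs", "corp_lan", True, True, False),
        Request("alice", "program_manager", "install:updates", "corp_lan", True, True, True),
    ]
    print("castle-and-moat:", castle_and_moat(seq))  # [True, True, False]
    print("zero trust:     ", zero_trust(seq))        # [True, False, False]
    for entry in AUDIT_LOG:
        print(entry)
```

The second request in the sequence is the instructive one: the perimeter model still allows it because the account was admitted earlier, while the zero trust evaluator denies it because device posture is re-checked on every request. The third request is denied by both models because least privilege applies in either; the segmentation check additionally stops a legitimately scoped account from reaching the patch segment over a zone that policy does not permit.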
Graphic: Cybersecurity has surpassed the internal enterprise. Endpoints are everywhere now, and they must be secure from hackers.
Why do we need zero trust?
Enterprises need zero trust architectures to address newer and more sophisticated attack vectors associated with today’s cloud computing, edge computing, and Internet of Things (IoT) infrastructures.
John Mullin, director of information technology at Trenton Systems, says zero trust is essential to securing the diffused data of modern enterprises, especially in light of the COVID-19 pandemic.
With all these new endpoints – different desktop devices, different users, different smartphones – heading outside the perimeter, castle-and-moat cybersecurity alone is no longer acceptable. The COVID-19 pandemic really brought everything to a head. It’s the main reason zero trust, which has actually been around for more than a decade, is experiencing a renaissance right now. Not only are enterprises extending their private networks to their employees’ work-from-home endpoints, but work-from-home employees are oftentimes accessing these networks from their potentially insecure personal computers, so the question becomes, ‘How do you secure those computers in addition to the servers and workstations that comprise your enterprise infrastructure?’ Well, with zero trust, you assume all computers have already been hacked, and you implement security measures accordingly. As you can imagine, securing internal and external endpoints holistically has been a struggle for cybersecurity professionals everywhere.
At Trenton, we have a hybridized cybersecurity framework that utilizes both perimeter-based and zero trust principles. We are continuing to implement a zero trust framework that focuses on least-privilege access, multifactor authentication, macro-segmentation, tracking of logs, and network monitoring.
John Mullin, Director of Information Technology, Trenton Systems
Photo: Some argue that adopting zero trust is unrealistic because of legacy infrastructure, expenses, and other existing issues.
Is adopting zero trust unrealistic?
Some cybersecurity experts argue that pushing for the widespread adoption of zero trust security models imposes impractical and unrealistic expectations on many enterprises.
Morey Haber, chief technology officer and chief information security officer for BeyondTrust, lists four reasons why zero trust networks are not only unrealistic but impractical:
- Technical debt
- Legacy systems
- Peer-to-peer (P2P) technologies
- Digital transformation
Haber’s technical debt obstacle asks: How will enterprises creating custom applications introduce zero trust security parameters into their software? Haber argues that many enterprises in this space are neither financially nor administratively equipped to accomplish such a feat.
Haber’s legacy systems obstacle maintains that old and outdated systems are not zero trust capable mainly because of incompatibility with current zero trust technologies.
Haber’s peer-to-peer (P2P) technologies obstacle highlights enterprises’ general ignorance of any active P2P technologies operating within their networks, which he says could pose a major risk of lateral movement.
And finally, Haber’s digital transformation obstacle asserts that cloud computing, DevOps, and the IoT do not inherently support zero trust and require additional, potentially cost-prohibitive technologies to achieve it.
There is some merit to the argument that it's currently unrealistic for some enterprises to adopt a zero trust architecture, but adopting zero trust is not an overnight process. You have to grow and expand to zero trust. It's a gradual process that will take time for all enterprises.
John Mullin, Director of Information Technology, Trenton Systems
What are your thoughts? Is zero trust unrealistic or impractical? Why or why not? Leave us a comment down below.
Graphic: How and where we access and engage with enterprise data is changing, and so, too, are the attack vectors used to steal or alter that data; therefore, cybersecurity must change, too. Adopting a zero trust security model is a start.
Why is a zero trust architecture ultimately more effective for security?
Zero trust architectures are ultimately more effective for security because they address modern attack vectors by securing an enterprise’s internal and external network endpoints comprehensively.
The devices, users, and applications associated with cloud computing, edge computing, and IoT systems are often distributed or located outside the enterprise perimeter. This increases attack surface and poses new avenues through which independent and state-sponsored cybercriminals can gain access to enterprise data.
It’s easy for hackers now. They have an endless supply of insecure endpoints they can exploit. Cybersecurity professionals are tasked with securing these endpoints and keeping them secure. It’s quite a feat to keep up with the increasing number of endpoints, and thus, the increasing number of security vulnerabilities. Gone are the days of securing a finite number of endpoints in a central location. Endpoints accessing enterprise data are everywhere now, and they must be secured.
John Mullin, Director of Information Technology, Trenton Systems
Castle-and-moat security models neither account for this increase in attack surface nor effectively obstruct the new avenues that today's hackers are exploiting.
Zero trust security models, however, do.
Photo: At Trenton Systems, we're embracing the turning tides of cybersecurity by adhering to zero trust principles internally and creating servers and workstations with zero trust architectures in mind.
Trenton Systems: Developing Zero Trust Computing Solutions
Trenton Systems embraces a zero trust security model by adhering to and continuously implementing zero trust principles internally. We align our efforts with the zero trust adage of "never trust, always verify," improving our least-privilege access restrictions, macro-segmentation, multi-factor authentication, and network monitoring and analytics processes daily.
At the product level as well, we've got our security-conscious customers covered. Introduced during the launch of our 3U BAM Server, our system security stack equipped with Intel SGX, Intel PFR, and Intel TME is the ideal computing solution for military and industrial programs, applications, and enterprises adhering to a zero trust architecture.
Our security stack takes a holistic approach to cybersecurity, protecting hardware, firmware, and software with technologies and protections baked into the CPU, BIOS source code, and other layers of the system stack. In addition, our Counterfeit Protection Program (CPP), our comprehensive supply chain security processes and strict revision control procedures, and our made-in-USA promise help ensure that your Trenton server or workstation is protected at the hardware level.
The cybersecurity landscape, given the continuous growth and proliferation of various endpoints of varying levels of security, is changing.
Here at Trenton, we're changing with it: never trusting, always verifying.
For more information about our zero trust efforts or to procure a cybersecure, made-in-USA computing solution ready for integration with your infrastructure, drop us a line.