#

Back to Blog

What is Zero Trust Access and How to Employ It

Jan 13, 2022 | Blog

The world has changed and along with it the strategic role of information security

Now more than ever the Boardroom, Chief Executive Officer and Chief Information Officer have Information Security front of mind and keeping them awake. Every day a new attack, incident or vulnerability is announced that has a significant impact on reputation, compliance, cost or service delivery. The pandemic has brought digital investment forward to introduce work from home environments, including collaboration platforms such as Teams, Slack and O365 and we are producing data and content at a prolific rate. Enterprise data is now everywhere, both inside and outside the enterprise perimeter. CIO’s cannot tell you where the data is, whether it is sensitive, how they are controlling it or who has access to it.

All this is occurring at a time when legislation is increasingly holding Directors and Executives more accountable for securing organizational and personnel data. A number of Governments are now considering voluntary or mandatory governance standards to focus cyber security as a corporate risk, as well as the risk to national and economic security.

Finally, the threat of a cyber incident is only increasing. According to the Australian Cyber Security Centre’s Annual Cyber Threat Report 2020-21, over 67,500 cybercrimes were reported, an increase of nearly 13 percent. That is one report every 8 minutes compared to one every 10 minutes last year.

The role of information security has irrevocably changed in this environment. More importantly users will no longer tolerate security controls impeding functionality and productivity in a digital world that is accelerating past geographic and enterprises boundaries.

Chief Information Security Officers despite increasing budgets must now adapt to this environment and lead their organizations on a new Information Security paradigm to both protect and enable their data whenever and wherever it is required in a cost effective, risk managed way.

Zero trust has quickly become the model of choice. Learn how a Zero Trust Access model centers its controls directly around the data vs the systems and applications that it sits behind.

What’s all the fuss about Zero Trust?

While it’s been around for a few years, the concept of “Zero Trust” (ZT) is quickly gaining steam as the preferred security methodology. Zero Trust boils down to a relatively simple concept: verify and validate each and every action, every time, and in context.

The idea is that dynamic systems can explicitly verify everything needed, while minimizing assumptions so that decisions are made within an organization’s risk appetite.

This approach is considered so critical, that in 2021 the U.S. Presidential Cybersecurity Executive Order for Cybersecurity  mandates that all US Federal agencies must transition to a Zero Trust Architecture (ZTA).

NIST Special Publication 800-207 describes ZTA, and many industry analysts have covered the concepts, including Forrester with their Zero Trust eXtended (ZTX) model, as well as Gartner’s Lean Trust and Continuous Adaptive Risk and Trust Assessment (CARTA) model.

There’s a lot of information on Zero Trust, and a lot of sometimes conflicting and competing perspectives so it’s easy to see why such a broadly applicable concept can be misunderstood, misapplied, or simply over-complicated.

While the concept of Zero Trust is important, and the principles behind are solid, it does need careful consideration to minimize targeting the wrong areas when executing the methodology.

In a new study by Microsoft and Forrester, customers implementing a Zero Trust security strategy realized the following benefits:

  • A 92 percent return on investment (ROI) within three-years with a payback period of fewer than six months.
  • Lowered the chance of a data breach by 50 percent with the ability to detect abnormal user behavior, identify potentially compromised accounts, monitor native and open authentication (OAuth) apps, and detect and remediate attempted malware attacks.
  • Security process efficiency gains of 50 percent or more.

What if you could base your data security approach on Zero Trust using a few core principles, in a model that builds strong foundations of comprehensive, dynamic security of your most critical asset, capped by a layer of verification and validation that meets your needs, in your context?

What is Zero Trust Access?

A Zero Trust Access model uses the same principles but centers its controls directly around the data vs the systems and applications that it sits behind.

Principle 1: Data-Centric Security

When we focus on placing the controls on critical data assets, versus the perimeter or user permissions, this is referred to as data-centric security. At its most simplistic, it is making sure that security and controls are on the data itself have the right level of protections relevant to the sensitivity of the information.

Next, we hit another key consideration for protecting your data assets; how do we know what is “relevant”?

The answer is that it almost always depends on the context, and it can change over time and as the content and context change.

For example, a document may start out being non-sensitive but say someone adds confidential information on an M&A deal that only a small team should know about – thus the sensitivity and audience has changes. Now think about under what conditions should someone access this data. Should they have the same access in a coffee shop that they would when they are in the office?

Principle 2: Context is critical, it drives relevance

For data and its security to be relevant, the context is critically important in defining what, where, and how access is needed. It can also be flexible, applicable to almost anything, and in any combination.

Many organizations have mandatory information security and privacy requirements, including the type of information they can capture, hold, and use and how it must be handled. These legal obligations become both major constraints and significant value drivers, and meeting these expectations is not optional.

Numerous compliance obligations may apply and interact regarding data security and handling requirements, including, but not limited to:

If the context and the need for security to address it changes, then how can you adapt to the changing requirements?

Security needs the ability to be adaptable and dynamic, to deal with continuously shifting needs.

Principle 3: Attribute Based Access Control (ABAC)

You may be familiar with the idea of “If you can’t measure it, you can’t manage it”. For information technology systems to make a Zero Trust Data Access approach effective we need a means to measure or detect the context of the request, the requestor, and other contextual elements.

Attributes are the characteristics or values of a component that can provide this context. They can contain almost any value (either manually defined or automatically system-assessed) so that we are able to measure and define each key/value pair, such as “company=archTIS”, or “country=Australia”, which allows a system to “uniquely” identify that attribute in the correct context and relevance.

Using these attributes to decide who can access data and under what conditions is the concept of attribute-based access control or ABAC.

Principle 4: Dynamic Policy Enforcement

Once we have the attributes, we then have to decide what to do with the request. Is it authorized? What is the correct response, Permit/Deny? Provide anonymized or tokenized subset of information? Refer to another party for approval?

The terms and conditions of access (whether described as rules, policies, controls, or otherwise) need to become adaptable and enforceable wherever they go, and however they’re applicable. This is the concept of “Dynamic Policy Enforcement”, and it becomes the means with which to achieve that contextual security.

Bringing it All Together

Zero Trust Access comes down to verifying and validating each step, each action, and each element needed in order to satisfy the underlying needs – whatever they are.

Using a data-centric zero trust security approach enforced by ABAC ensures appropriate checks and balances are enforced, and that they are relevant to the sensitivity of the data – in the context of whatever the access or sharing scenario is.

This is critical when considering security in modern information systems, as the context is continually shifting.

Identity + context + request + rules + dynamic decision = enforced contextual security

The Zero Trust Access Model

 

Implementing Zero Trust Access

If you’re sold on implementing zero trust, consider archTIS solutions.

archTIS products apply and enforce dynamic, policy-driven access controls that leverage both user and data attributes to ensure your users and partners access, share and collaborate on sensitive and classified information — securely.

Whether you need to manage sensitive data securely within your Microsoft 365 applications (SharePoint, Teams, OneDrive, Exchange), SharePoint Server or Windows file shares or need managing access and sharing of classified information stored with high levels of assurance – archTIS can assist. archTIS puts you on the path to zero trust access and protection with immediate benefit and return on investment, while enabling your big picture goals.

Contact us to learn more.

 

 

Share This