DEV Community

mattiethomass

What is Zero Trust Access?

Data security in companies and enterprises has always been an important topic, yet it has frequently been sidelined and underfunded. Unfortunately, the world has changed quite a lot, and now you hear about a new cyber attack or a newly discovered vulnerability pretty much on a daily basis.

The situation with data security got even worse when the pandemic forced the entire world to shift to working from home with the help of collaboration platforms, be it O365, Teams, Slack, or any other alternative. The combination of extensive collaboration, massive amounts of data produced on a regular basis, and generally lackluster attention to data security is the main reason why so many companies become victims of cybercrime.

This also coincided with a more serious push from various legislative bodies to hold companies accountable for data security. The number of government cybersecurity standards for organizations (both voluntary and mandatory) has increased quite a lot in the last few years, and many of them tie data security to economic and/or national security when the threat is big enough.

It is now up to the companies themselves, and to their CISOs (Chief Information Security Officers), to lead organizations into a new age of information security, where data security is as important as it gets and data has to be protected at any point in time and in any location.

This is where the Zero Trust (ZT) model comes in, with the plan to center all data security efforts on the data itself rather than on the system as a whole. While not completely brand-new, the Zero Trust model is a great fit for the current state of cybersecurity all over the world. It can be boiled down to one single idea: validate and/or verify every action at all times, using context.

The Zero Trust approach is also extremely popular all over the world, with the United States explicitly ordering US federal agencies to transition to a Zero Trust Architecture (ZTA). Other examples include NIST Special Publication 800-207, which covers ZTA, and coverage of the topic by well-known industry analysts, including Forrester, Gartner, and so on.

Zero Trust as a concept relies on several principles that are necessary for the model to work in the first place. Here are the four principles:

Data-centric security.
While this is one of the core themes of Zero Trust, it is also an important model for data security as a whole. In the modern world, a security perimeter around the entire organization is not as effective as it was ten years ago, since most of its restrictions can be bypassed with insider information such as stolen credentials. Once someone is past such a perimeter, nothing restricts how they interact with the content inside, which is a disastrous problem for any organization.

This is where data-centric security comes in: it builds a security system that protects the data itself on a granular basis, rather than the system as a whole. It is much harder to implement than perimeter security, but the results are worth it, since the perimeter model is no longer effective on its own anyway.

Context.
One major problem for data-centric security and for the Zero Trust model is providing context for data, in order to figure out how important it is and what security level it needs to be assigned. The problem is made worse by the fact that information inside an organization is always changing, and the security levels have to adapt to each and every change.

Of course, changes to the information itself are not the only thing that can change the security level of a piece of data; we also cannot forget about compliance regulations. Many of these regulations demand that specific data types be given the highest security level possible (PII for GDPR, PHI for HIPAA, anything related to the Australian defense industry for DISP, and so on), and failing to do that is grounds for a massive fine for the entire organization.

Attribute-based Access Controls.
Attribute-based Access Control (ABAC) is one way to meet the requirement of context for all of your data. For the Zero Trust model to work as intended, many contextual elements must be taken into account, such as company name, country, user name, and so on. Without a proper way to assign attributes to files and documents, you cannot control these files in the way the Zero Trust approach intends.

Dynamic enforcement of policies.
Once attributes are assigned inside the system, there has to be some way of making a decision for each request: should it be permitted or not, should it be approved by a third party or not, and so on. All of this, together with other contextual information, should adapt to various circumstances and enforce the necessary policies no matter where the file in question is located. This pretty much sums up the entire process of contextual security.
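
The last two principles can be shown together in a small policy decision function. This is an added example, not code from the original post or from any product: the attribute names, the rules and the sample data are assumptions chosen for illustration. Every request is evaluated against the attributes of the user, the file and the request context, and files without a label or requests with missing attributes are denied.

```python
from dataclasses import dataclass
from typing import Callable

PERMIT, DENY, NEEDS_APPROVAL = "permit", "deny", "needs_approval"
REGULATED = {"PII", "PHI"}  # data types the article names for GDPR and HIPAA

@dataclass(frozen=True)
class Request:
    user: dict      # subject attributes, e.g. user name, company
    resource: dict  # attributes attached to the file itself
    context: dict   # attributes of this request, e.g. country
    action: str

@dataclass(frozen=True)
class Rule:
    name: str
    effect: str
    applies: Callable[[Request], bool]

# Constructed policy; every attribute name below is an assumption.
RULES = [
    Rule("unlabelled-file", DENY,
         lambda r: "classification" not in r.resource),
    Rule("other-company", DENY,
         lambda r: r.user.get("company") is None
         or r.user.get("company") != r.resource.get("owner_company")),
    Rule("regulated-outside-allowed-country", DENY,
         lambda r: r.resource.get("classification") in REGULATED
         and r.context.get("country") not in r.resource.get("allowed_countries", ())),
    Rule("regulated-leaves-system", NEEDS_APPROVAL,
         lambda r: r.resource.get("classification") in REGULATED
         and r.action in {"download", "share"}),
    Rule("same-company-access", PERMIT,
         lambda r: r.action in {"read", "download", "share"}),
]

def decide(req: Request) -> tuple[str, str]:
    """Evaluate every rule on each request: deny beats approval beats permit."""
    matched = [rule for rule in RULES if rule.applies(req)]
    for effect in (DENY, NEEDS_APPROVAL, PERMIT):
        for rule in matched:
            if rule.effect == effect:
                return effect, rule.name
    return DENY, "default-deny"  # nothing matched: fail closed

alice = {"name": "alice", "company": "ExampleCorp"}  # constructed sample data
record = {"owner_company": "ExampleCorp", "classification": "PII",
          "allowed_countries": ("DE", "FR")}
```

Because the decision is recomputed from current attributes on every request, relabelling a file or making the same request from a different country changes the outcome without touching the rules.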
