Zero Trust Technology

Uploaded by

Reem Essam

Zero trust policies

By: Reem Essam Dosoky


Table of contents:
1. Introduction.
2. Zero trust policies vs traditional security perimeter policies.
3. Why should we adopt zero trust technologies in our network.
Introduction
• The traditional network security model is described as a castle-and-moat approach.
It relies on strong perimeter defenses like firewalls to protect resources within the
network. This model worked well when organizations operated on-premises and
had clear network boundaries. However, this trust-based model has shown
vulnerabilities with the advent of cloud computing, mobile workforces, and BYOD
(Bring Your Own Device) policies.
• Zero Trust is designed to protect modern digital environments by leveraging
network segmentation, preventing lateral movement, providing Layer 7 threat
prevention, and simplifying granular user-access control. In this presentation, we’ll
explore how Zero Trust policies redefine security by enforcing strict verification at
every level, offering a more robust approach than traditional models for modern
networks.
• This image (not reproduced here) contrasts a traditional network setup with a zero-trust approach:
• Traditional Network: A firewall protects all resources, with users granted broad access once inside the network perimeter. This model assumes trust for any traffic within the network, leading to potential vulnerabilities if an attacker gains internal access.
• Zero Trust: Emphasizes segmented access with individual checkpoints for each resource. Access to each resource (e.g., email, applications) is verified independently, and unauthorized access attempts are blocked, as shown by the "X" mark on the application.

Zero trust policies vs traditional policies

Authentication and authorization
Traditional approach:
In traditional networks, security focuses heavily on perimeter defenses, like firewalls and intrusion
detection systems (IDS), designed to protect the network from external threats. Internal traffic,
once inside, is generally trusted, allowing free access within the network. Authentication occurs only
once, often at the network boundary (e.g., VPNs or firewalls). Once users or devices are
authenticated, they are generally trusted throughout the internal network, relying on the notion that
everything inside the network is safe. This approach leaves networks vulnerable if an attacker
manages to bypass the perimeter defenses or obtains internal credentials.

Technologies used:
• Two-factor authentication with username and password only.
• Virtual private networks (VPNs): are used to authenticate and secure remote access by
creating an encrypted tunnel.
Zero-trust approach:
Zero Trust operates under the assumption that threats can exist both externally and internally.
Every request, even within the network, requires verification and authorization. This means continual
authentication for every user and device: Zero Trust enforces authentication at multiple points and
continuously verifies identity. Every access request, regardless of location, undergoes stringent
checks. Zero Trust assumes that no one, whether inside or outside the network, should be
inherently trusted. This approach mitigates the risk of lateral movement by attackers, as each new
access attempt requires re-authentication.

Technologies used:
• Multi-factor authentication (MFA) at every access point, even for users inside the network.
• Identity and Access Management (IAM) with Dynamic Policies: IAM solutions in Zero Trust
apply dynamic policies, using Attribute-Based Access Control (ABAC). Users are granted access
based only on specific roles, devices, and real-time conditions.
• Biometrics and Behavioral Analytics: Zero Trust may include advanced biometrics (e.g.,
fingerprint, facial recognition) and behavioral analytics to continuously monitor user behavior
patterns. Any deviation from normal patterns triggers re-authentication or additional verification.
• RADIUS server: RADIUS verifies the identity of users or devices trying to access a network. This can
involve checking credentials (username and password) against a database or directory service
(e.g., Active Directory, LDAP).
• Zero-trust network access (ZTNA): replaces the traditional VPN, providing secure remote access
to applications and services based on a zero-trust security model.
Resource access policy
Traditional approach:
Access control is generally broad, with users often granted more access than necessary, based on
department or role. This approach increases the risk of insider threats and lateral movement. For
instance, employees in a department may all have the same level of access to resources within that
department, regardless of their specific tasks or needs. Permissions often remain static and do not
adjust dynamically based on the context or sensitivity of the resource. Access control policies may
restrict access to certain applications or databases, but lateral movement within the network is
easier once inside.

Technologies used:
• Firewall Access Control Lists (ACLs): to control incoming and outgoing network traffic based
on IP addresses, protocols, and port numbers.
• Virtual Private Network (VPN): to create secure, encrypted tunnels for remote access to an
organization's network.
• Static Policies: Access policies are typically static and based on user identity and group
membership.
Zero-trust approach:
Emphasizes least privilege, allowing users only the minimum access required for their roles.
With dynamic and contextual permissions, Zero Trust enforces least privilege dynamically, granting
access based on specific attributes (like device security, location, or user behavior). This ensures
that users have access only to the resources they need at that particular time, reducing the risk of
over-permissioned accounts.

Technologies used:
• Role-based access control (RBAC): assigns permissions to users based on their roles within an
organization.
• Attribute-Based Access Control (ABAC): grants access based on attributes (characteristics) of
users, resources, and the environment.
• Micro-segmentation and Granular Controls: Zero Trust divides the network into smaller
segments and enforces strict access controls on each segment.
Segmentation and network isolation policies
Traditional approach:
Traditional networks often rely on broad segmentation. Internal resources are grouped, with a
firewall separating them from the outside. This can create vulnerable zones if attackers breach the
perimeter. The traditional approach relies mainly on macro-segmentation using virtual local area
networks (VLANs) to segment networks into smaller, isolated subnetworks. Macro-segmentation creates
broader, high-level segments within a network based on general categories like departments, user
roles, or service types.

Zero-trust approach:
Implements micro-segmentation, creating isolated segments around individual resources. Each
segment enforces access controls and limits lateral movement, so that breaches can’t easily spread.
Micro-segmentation takes segmentation further by creating fine-grained access controls down to
the individual application, user, or service level.
Data protection policies
Traditional approach:
Reliance on firewalls, intrusion detection systems (IDS), and antivirus software to protect data.
Encryption practices may be limited to specific types of sensitive data or to data in transmission.

Zero-trust approach:
Data encryption is enforced for data at rest, in transit, and during processing, ensuring
comprehensive protection regardless of the data’s state. In addition, data loss prevention (DLP)
solutions are integrated with continuous monitoring to identify and prevent unauthorized data
transfers dynamically.
Endpoint security policies
Traditional approach:
Focused primarily on perimeter defenses without continuous checks on endpoint security.
Device security posture checks are often minimal, allowing potentially compromised devices to
access sensitive data.

Zero-trust approach:
Enforces device compliance policies that verify device health, such as patch status, encryption,
and security software, before granting access. Continuous checks ensure that only secure
devices access resources. Devices must meet security standards continuously, not just at initial
login. This includes up-to-date software, active endpoint protection, and configurations that
match the organization’s security policy. Devices are dynamically quarantined or restricted from
resources if they fall out of compliance. Zero Trust models integrate tools like endpoint detection
and response (EDR) to enforce policies, requiring devices to remain compliant with ongoing
security policies and patches.
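The resource access policy section above describes least privilege enforced dynamically through RBAC plus ABAC attributes, and this endpoint section describes device compliance gates (patch status, encryption, active EDR) with MFA at every access point. The following added example, which is not code from the presentation, is a small policy decision function combining both: every request is evaluated on its own, and the roles, resources, trusted countries and working-hours window are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample data and policy for illustration; not the presentation's own code.

@dataclass
class Device:
    patched: bool          # OS and software up to date
    disk_encrypted: bool   # full-disk encryption enabled
    edr_active: bool       # endpoint detection and response agent running

@dataclass
class Request:
    user: str
    role: str
    mfa_verified: bool     # MFA completed for this specific access request
    device: Device
    location: str          # country code of the request source
    hour: int              # local hour of the request, 0-23
    resource: str
    sensitivity: str       # "low", "medium" or "high"

# RBAC layer: the resources each role may ever touch (constructed).
ROLE_RESOURCES = {
    "finance": {"erp", "payroll"},
    "support": {"crm"},
}
# Constructed list of countries the organization normally operates from.
TRUSTED_LOCATIONS = {"EG", "DE"}

def device_compliant(d: Device) -> bool:
    """Device health gate: patch status, encryption and active EDR are all required."""
    return d.patched and d.disk_encrypted and d.edr_active

def decide(req: Request) -> str:
    """Policy decision for one request: 'allow', 'step-up' (re-verify) or 'deny'.
    Every request is evaluated on its own; nothing is inherited from an earlier login."""
    if req.resource not in ROLE_RESOURCES.get(req.role, set()):
        return "deny"      # least privilege: the role never grants this resource
    if not device_compliant(req.device):
        return "deny"      # a non-compliant device is kept away from resources
    if not req.mfa_verified:
        return "step-up"   # MFA at every access point, inside the network too
    # ABAC layer: for sensitive data, an unusual place or time triggers re-verification.
    if req.sensitivity == "high":
        if req.location not in TRUSTED_LOCATIONS or not (8 <= req.hour < 20):
            return "step-up"
    return "allow"
```

A real deployment would feed the device fields from an EDR or MDM posture API and log each decision; the order of checks matters, since a non-compliant device is refused before MFA is even requested.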
Monitoring and logging policies
Traditional approach:
Primarily monitors network traffic at the perimeter (e.g., firewalls, intrusion detection/prevention
systems). Logs may include firewall logs, VPN access, and other high-level events. Monitoring is
generally focused on ingress and egress points, with limited visibility into internal user behavior or
device health. Primarily relies on known signatures for detecting threats (e.g., antivirus signatures,
firewall rules).

Zero-trust approach:
Monitoring encompasses all user activities, device states, data access, and application
interactions, both on-premises and in the cloud. Monitors the context of user and device actions,
such as device health, location, time of access, and user roles. Records detailed logs of every user
action and transaction, enabling forensic analysis and incident investigation. Utilizes behavioral
analysis and machine learning to identify anomalies and deviations from established baselines in
real time. Security information and event management (SIEM) tools such as Wazuh or the Elastic
Stack are used to collect and correlate these logs.
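The zero-trust monitoring paragraph above talks about per-user baselines (device, location, time of access) and flagging deviations in real time. The added example below, which is not from the presentation, parses constructed key=value access log lines, learns each user's baseline from their earlier events only, and reports later deviations; the log format, the users and the working-hours window are assumptions.

```python
import re

# Constructed access log lines (not from the presentation), one per access decision,
# in the kind of key=value form a ZTNA gateway or SIEM might store.
LOG_LINES = [
    "2024-03-01T09:12:00Z user=alice device=lap-01 src_country=EG resource=erp result=allow",
    "2024-03-01T10:40:00Z user=alice device=lap-01 src_country=EG resource=crm result=allow",
    "2024-03-02T08:55:00Z user=alice device=lap-01 src_country=EG resource=erp result=allow",
    "2024-03-02T09:30:00Z user=bob device=lap-07 src_country=DE resource=crm result=allow",
    "garbage line that does not match the expected format",
    "2024-03-03T03:17:00Z user=alice device=lap-22 src_country=US resource=payroll result=allow",
    "2024-03-03T09:05:00Z user=bob device=lap-07 src_country=DE resource=crm result=allow",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) device=(?P<device>\S+) "
    r"src_country=(?P<country>\S+) resource=(?P<resource>\S+) result=(?P<result>\S+)$"
)

def parse(lines):
    """Parse log lines into dicts; malformed lines are skipped instead of crashing the job."""
    return [m.groupdict() for m in map(LINE_RE.match, lines) if m]

def off_hours(hour):
    return not (7 <= hour < 20)   # constructed working-hours window

def find_anomalies(lines):
    """Walk events in time order and flag any whose device, country or hour deviates from
    the user's baseline, built only from that user's earlier events. Returns
    (timestamp, user, resource, reasons); an allowed request can still be flagged."""
    findings, baselines = [], {}
    for e in parse(lines):
        hour = int(e["ts"][11:13])
        b = baselines.get(e["user"])
        reasons = []
        if b is not None:   # a user with no history yet cannot deviate from a baseline
            if e["device"] not in b["devices"]:
                reasons.append("new device")
            if e["country"] not in b["countries"]:
                reasons.append("new country")
            if off_hours(hour) and not b["off_hours_seen"]:
                reasons.append("off-hours access")
        if reasons:
            findings.append((e["ts"], e["user"], e["resource"], reasons))
        b = baselines.setdefault(e["user"], {"devices": set(), "countries": set(), "off_hours_seen": False})
        b["devices"].add(e["device"])
        b["countries"].add(e["country"])
        b["off_hours_seen"] = b["off_hours_seen"] or off_hours(hour)
    return findings
```

In a SIEM such as Wazuh or the Elastic Stack the same logic would run as a correlation rule, and a finding on an allowed request is the trigger for forcing re-authentication or opening an investigation.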
Why should organizations adopt zero trust network technology?
• Organizations like healthcare systems, financial enterprises, or banks should apply zero trust
policies, even if not for the whole network but for part of it, to secure various technologies,
applications, and sensitive data.

Zero trust policies may play a vital role if your company has:

• Employees working from home: remote work expands the network perimeter, making it harder
to monitor and secure devices outside the corporate network. Employees working remotely may
pose insider threats, either intentionally or unintentionally. Remote workers often access
sensitive data from various locations and devices, increasing the risk of data breaches.
• IoT and OT environments: these devices have limited security capabilities, making them vulnerable to
attacks. Many organizations struggle with visibility into their IoT and OT networks, making it
challenging to detect and respond to threats. If a single IoT or OT device is compromised,
attackers can move laterally across the network to access critical systems and data.
• Enterprise applications and databases: applications handling critical data, such as ERP
and CRM systems, must have restricted access.
• Data centers: they are vulnerable as they host critical infrastructure and sensitive data.
• Cloud environments: they often expose more assets to potential attacks than traditional on-
premises infrastructure. Data breaches in the cloud can have severe consequences, including
financial loss and reputational damage.

Resources:
• https://www.sans.org/blog/what-is-zero-trust-architecture/
• https://www.crowdstrike.com/en-us/cybersecurity-101/zero-trust-security/
• https://www.catonetworks.com/zero-trust-network-access/
