Zero Trust Security is a data security model proposed [1] in 2010 by Forrester Research, which can be summarized by the motto “never trust, always verify.” Under this model, there are no trusted or untrusted interfaces, networks, devices, or users in your IT infrastructure, and everyone is suspect until proven otherwise.
Any and all access to a system must be constantly validated, users and workloads must have only the minimum privileges necessary to complete a task, and micro-segmentation must be used to limit access to resources.
In summary, “Trust is not a concept that should be applied to users, packets, network traffic, or data,” says Forrester Research in its introduction to the concept.
The focus on continuous authentication makes zero trust commonly mistaken for a type of firewall. That’s understandable since firewalls have been, for more than 30 years, the main tool available to security professionals to protect their networks.
But access control is only one of the many faces of Zero Trust Security. The concept goes beyond the networks and can (and should) be applied to other aspects of your operation, such as data, users, devices, workloads, and more. Among these, data control is one of the most important, as data is increasingly targeted by cybercriminals.
How Much is Your Data Worth?
A data breach can harm your organization in many ways. First, there is damage to the company’s public image: customers, partners, and suppliers trust that your company will use its best efforts to protect shared information. A leak represents a breach of this trust, which can lead to loss of customers, cancellation of contracts, and dismantling of partnerships.
Furthermore, operational data such as business plans, marketing strategies, or customer lists can be used as a bargaining chip for extortion. User data can also be used in a variety of ways: information such as credit card numbers can be used to make fraudulent purchases. Even seemingly innocuous data such as names, dates of birth, and email addresses are valuable as they can be cross-referenced with information found in other leaks to build a dangerously complete profile of a user, which can lead to more serious attacks, such as identity theft.
Every data breach comes at a cost, which includes operational expenses for analyzing and repairing the flaw that originated it, impact mitigation, and redressing affected users, among other factors. And with the enactment of legislation aimed at data protection and privacy, such as the GDPR in Europe and the LGPD in Brazil, this cost is increasing.
IBM’s Cost of a Data Breach Report [2], from 2022, estimated that the average cost of a data breach was $164 per Personally Identifiable Information (PII) record. Of course, when a leak occurs, it doesn’t just encompass a few dozen or hundreds of records.
To give you an idea of the scale, in August 2021, a data leak at US telephone operator T-Mobile exposed [3] data from 76.6 million customers. This resulted in a payment of US$350 million in restitution to victims, plus expenses of US$150 million for improvements in data protection measures. Still, in January 2023, the company was the victim of a new leak [4], this time exposing data from 37 million customers.
How Zero Trust Protects Your Data
Micro-segmentation and access privilege restriction are some of the zero trust features that help prevent data leaks, as they block what is known as “lateral movement” during an attack.
On a non-segmented network, an attacker could use a vulnerable device of low importance, such as a printer or a teleconferencing system, as a gateway for an attack. Once inside the network, they can find ways to “jump” to other devices with greater access privileges until they reach their target.
For this reason, many companies already employ network segmentation: for example, they isolate critical systems, such as those that contain customer credit card data or process payroll, from those that handle inventory. Still, there are risks. If an attacker gains access to the area where the critical systems are, all of them and their data will be within reach.
Micro-segmentation takes the concept of partitioning further, to the level of hosts and tasks, and also applies to access permissions. For example, instead of granting a blanket “database access” permission to every application that might need it, a client may be allowed to access and write records to a database server only under a set of specific conditions.
Device fingerprinting is another good example: access may be allowed only if the request comes from a specific device, or network lists based on IP addresses, ASN, and user geolocation can be used to filter access. In our previous example, if a criminal tries to access the database using the wrong device, or from a non-approved location, access will be denied.
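As an added example (not Azion’s code or a description of its product), the following Python models the conditional, deny-by-default access check described above: a write to a database resource is allowed only when the requesting identity, its device fingerprint, source network, ASN and geolocation all match an approved rule. All users, device fingerprints, CIDRs and ASNs are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Request:
    user: str
    device_id: str  # device fingerprint presented by the client
    src_ip: str
    asn: int
    country: str    # result of geolocating src_ip
    action: str     # "read" or "write"
    resource: str

@dataclass(frozen=True)
class Rule:
    """Grants `actions` on `resource` only if every condition holds; an empty tuple = unrestricted."""
    resource: str
    actions: tuple
    users: tuple = ()
    devices: tuple = ()   # approved device fingerprints
    networks: tuple = ()  # approved source CIDRs
    asns: tuple = ()
    countries: tuple = ()

    def failed_conditions(self, r: Request) -> list:
        checks = {
            "user": not self.users or r.user in self.users,
            "device": not self.devices or r.device_id in self.devices,
            "network": not self.networks or any(ip_address(r.src_ip) in ip_network(n) for n in self.networks),
            "asn": not self.asns or r.asn in self.asns,
            "country": not self.countries or r.country in self.countries,
        }
        return [name for name, ok in checks.items() if not ok]

def evaluate(rules, r: Request) -> tuple:
    """Deny by default: allow only when some rule for this resource/action passes every check."""
    failures = []
    for rule in rules:
        if rule.resource != r.resource or r.action not in rule.actions:
            continue
        failed = rule.failed_conditions(r)
        if not failed:
            return True, "allow"
        failures.append(",".join(failed))  # keep the reason for audit logging
    return False, "deny: " + ("; ".join(failures) if failures else "no matching rule")

# Constructed policy: billing service may write customer records only from one approved device,
# the office CIDR (TEST-NET-3), the corporate ASN (documentation range) and Brazil.
POLICY = (
    Rule("db:customers", ("write",), users=("billing-svc",), devices=("dev-7f3a",),
         networks=("203.0.113.0/24",), asns=(64496,), countries=("BR",)),
)
```

The deny reason names every failed condition, which is what a detection pipeline would want to log when the same identity suddenly appears on a new device or from an unapproved network.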
This approach helps reduce the attack surface, quickly contain breaches, protect critical applications, and even improve compliance, since separating sensitive data (like personally identifiable information) from the rest is an essential requirement in all security standards.
Conclusion
The zero trust model is a modern approach to managing increasingly complex security requirements of corporate networks. It is not a product, but a process. To learn more about how Azion can harden your infrastructure and help you get started implementing a Zero Trust Security model, contact our experts.
References
[1] No More Chewy Centers: The Zero Trust Model Of Information Security
[2] Cost of a Data Breach 2022
[3] Deadline Passes on T-Mobile’s $350 Million Settlement Days After Another Data Breach
[4] T-Mobile data breach exposes about 37 mln accounts