In February 2023, a 21-year-old Massachusetts Air National Guard member accessed and posted hundreds of classified documents on voice over Internet Protocol (VoIP) and instant messaging platform Discord. The impacts were far-reaching. Not only is the Air Force working to understand how top secret information could be leaked so easily, but the base where the leak happened has been stripped of its current intelligence mission.
However, according to Don Yekse, the Navy’s chief technology officer (CTO), implementing a zero trust approach could have improved both detection and response times, reducing the severity of the attack.
To help public and private organizations better manage their zero trust deployments, the Cybersecurity and Infrastructure Security Agency (CISA) released version 2.0 of its Zero Trust Maturity Model (ZTMM). Efforts are also underway to develop and implement what’s known as zero trust network access (ZTNA) version 2.0, which focuses on a more granular approach to ZTNA.
In this piece, we’ll cover the current state of zero trust security, why it matters to organizations, and how RedSeal can help companies navigate the shift to ZTNA 2.0.
Zero Trust Security: Why It Matters, How It Helps, and Where It’s Used
The core principle of zero trust security is simple: Never trust, always verify. No matter the user, no matter the device, and no matter the request, zero trust asks for verification.
Consider a team manager logging in to the same admin portal at the same time every day, using the same device as they have for the past few years. Under a zero trust model, history doesn’t guarantee access. Instead, verification is required, which might take the form of two-factor authentication such as a one-time text code or identity verification via email confirmation.
Why Zero Trust Matters
Zero trust makes it more difficult for unauthorized users to gain network access. Implemented effectively, zero trust can improve cybersecurity without increasing complexity for authorized users. For example, the integration of mobile authentication tools can boost security while minimizing friction.
Statistics showcase the growing impact of zero trust. Consider that 80% of organizations now have plans to implement zero trust, and 96% of security decision-makers say that zero trust is “critical” to business success. Given that attacks such as ransomware have been on a steady rise — the volume of attacks increased 17% from 2021 to 2022 — zero trust is more critical than ever to help companies identify potential threats before they compromise key systems.
Benefits of Zero Trust
Zero trust offers multiple benefits for businesses.
First is reduced security risk. By replacing trust with verification, companies can reduce the risk of potential breaches. Even if attackers manage to steal user credentials, additional verification can frustrate their efforts.
ZTNA also provides greater control over security policies. For example, companies may leverage automated controls that lock out users after a certain number of failed attempts or that shunt traffic to a designated location for further evaluation. Perhaps one of the biggest benefits of zero trust, however, is visibility. Because zero trust requires continuous monitoring of devices and networks, implementing ZTNA naturally boosts overall visibility.
Common Zero Trust Use Cases
One common zero trust use case is reducing third-party risk. Given the increasing number of third-party applications used by companies and third-party providers that may have access to company networks, implementing zero trust can limit the risk of compromise from an unexpected source.
Other use cases include the security of Internet of Things (IoT) and legacy devices on business networks. In the case of IoT, ZTNA can help provide consistent security practices across both local and cloud networks. For legacy devices such as industrial control systems (ICS) or supervisory control and data acquisition (SCADA) systems, zero trust can help limit the chance of unauthorized insider access.
Zero Trust 2.0
Zero trust isn’t static. As a result, efforts are underway to supplement existing ZTNA solutions with “Zero Trust 2.0.” There are three primary differences between ZTNA 1.0 and 2.0.
1. Granular Controls
ZTNA 2.0 replaces the coarse controls of version 1.0 with more granular options. Under the 1.0 model, access is all or nothing: a user can either reach every service of an application or none of them. In ZTNA 2.0, access can be restricted on a per-function basis, so a user may be allowed one operation within an application while being denied another.
2. Continuous Inspection
Many ZTNA 1.0 deployments use what’s known as the “allow and ignore” model: once a user is verified and access is granted, that access remains in place indefinitely, regardless of any later change in the user’s identity state or the device’s condition. ZTNA 2.0 instead re-verifies identity on each access rather than only once at the start of a session.
3. Comprehensive Protection
ZTNA 2.0 continuously verifies trust and inspects security to detect potential problems. This creates a dynamic security environment capable of responding as issues emerge.
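The three differences above, as an added illustration that is not part of the original post and not RedSeal’s code: a toy policy engine compares a ZTNA 1.0 style session (one coarse app-level check, then “allow and ignore”) with a ZTNA 2.0 style session (per-function rules re-evaluated on every request). The “payroll” application, its function names, and the Context fields are assumptions made for the example.

```python
"""Added example: contrasting ZTNA 1.0 and ZTNA 2.0 access decisions.
The payroll app, its functions, and all sample contexts are constructed."""
from dataclasses import dataclass


@dataclass
class Context:
    """Hypothetical identity and device state carried with each request."""
    user: str
    role: str
    mfa_verified: bool
    device_compliant: bool


# ZTNA 2.0 style: one rule per application function (granular controls).
PAYROLL_RULES = {
    "view_own_payslip": lambda c: c.mfa_verified and c.device_compliant,
    "view_all_payslips": lambda c: c.role == "hr" and c.mfa_verified and c.device_compliant,
    "export_payroll": lambda c: c.role == "hr" and c.mfa_verified and c.device_compliant,
}


class Ztna1Session:
    """Coarse grant: one app-level check at connect time, never re-evaluated."""
    def __init__(self, ctx: Context):
        self.granted = ctx.mfa_verified and ctx.device_compliant

    def request(self, function: str, ctx: Context) -> bool:
        return self.granted  # 'allow and ignore': function and current ctx are ignored


class Ztna2Session:
    """Granular grant: the function's own rule is re-evaluated on every request."""
    def request(self, function: str, ctx: Context) -> bool:
        rule = PAYROLL_RULES.get(function)
        return rule is not None and rule(ctx)  # unknown functions are denied


def compare(function: str, at_connect: Context, at_request: Context):
    """Return (ztna1_decision, ztna2_decision) for a request made after the
    context changed from `at_connect` to `at_request`."""
    return (Ztna1Session(at_connect).request(function, at_request),
            Ztna2Session().request(function, at_request))


if __name__ == "__main__":
    login = Context("alice", "staff", mfa_verified=True, device_compliant=True)
    # Constructed event: the device later falls out of compliance mid-session.
    drifted = Context("alice", "staff", mfa_verified=True, device_compliant=False)
    print(compare("view_own_payslip", login, drifted))  # (True, False)
    print(compare("export_payroll", login, login))      # (True, False): staff, not HR
```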
The Zero Trust Maturity Model
CISA has now released ZTMM version 2.0. The five pillars remain unchanged: identity, devices, networks, applications and workloads, and data must all be managed for an effective ZTNA deployment. What the new version expands is its description of maturity.
Under ZTMM 2.0, companies at the “Traditional” level still have manually configured lifecycles and static security policies. “Initial” maturity includes limited automation and increased visibility, while “Advanced” delivers on centralized visibility and identity control. Finally, companies at the “Optimal” level of maturity use fully automated processes that self-report and are underpinned by dynamic policies.
How RedSeal Can Help Advance Your Zero Trust Strategy
Identity and information are key components of zero trust. Companies often think in terms of who is trying to access IT environments and what they’re trying to access.
But these aren’t the only considerations in creating an effective zero trust environment. Organizations also need to consider how and where. Where are critical assets located on local systems? In cloud networks? And how can these assets be accessed? It’s critical to create an inventory of IT environments including devices, ports, and protocols. In addition, companies need to understand external connectivity — what potential access routes exist and what risks do they pose?
At a small scale, the process of identifying who, what, where, and how is straightforward. Once companies move into the cloud, however, challenges emerge. With most organizations now using at least two and likely more cloud providers in addition to on-site storage and compute, complexity rapidly ramps up. Consider that service providers often have their own terminology for similar processes. For example, while both Google and AWS offer virtual private clouds (VPCs), they’re not the same. Each has its own set of features, functions, and vernacular.
In other words, different services speak different languages, making zero trust 2.0 implementation challenging. RedSeal makes it possible to create an IT lingua franca — a consistent translation that allows companies to automate and orchestrate key tasks across multiple environments.
RedSeal solutions also help with inventory and segmentation. By mapping and discovering all connections and endpoints across both cloud and on-site networks, companies can create complete inventories of all solutions and services, then create segmentation policies that reduce total risk in the event of an attack.
Taking on ZTNA 2.0
Effectively implementing zero trust 2.0 requires complete network knowledge. While who and what are the starting points, they’re not enough without where and how. RedSeal helps companies consolidate the pieces by creating a comprehensive inventory and asset map backed by a common defensive language.
Ready to take on ZTNA 2.0 and master the maturity model? See how RedSeal can help.