Zero Trust Architecture

Zero Trust Architecture (ZTA) is a security model that assumes no user, device, or network is trusted by default, and that grants access to resources only after explicitly verifying the identity and posture of the requesting user and device for each request.

There are three key principles associated with Zero Trust Architecture.

Principle 1

All entities are untrusted by default. Access to an organization’s resources should not be based on implicit trust (for example, being connected to the corporate network). Trust must be explicitly established, continuously re-evaluated, and informed by the context of every access session, so that each decision is assessed on the risk of that transaction. Typical pieces of context include device posture, type of workload, attributes of the identity, and more.

Principle 2

Least privilege access is enforced. Users, applications, and other computing infrastructure must operate with the minimum access needed to perform their function. When highly privileged access is required, it should be granted just in time for that transaction and revoked once the task is complete, returning the entity to minimal privileges.
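The two principles above describe what NIST SP 800-207 calls a policy decision point: every request is denied by default and evaluated on its own identity, device and risk attributes, with privileged actions granted only briefly. The following is an added illustration, not code from the original page or from any Seagen system; the resource name, roles, risk thresholds and 15-minute elevation window are hypothetical.

```python
"""Toy Zero Trust policy decision point (PDP).

Constructed example: every request carries identity, device and context
attributes; the PDP denies by default, evaluates each request on its own
attributes (no implicit trust from network location), enforces least
privilege by role, and grants privileged actions only just-in-time with a
short expiry. Resource names, roles and thresholds are hypothetical.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Set


@dataclass
class Subject:
    user: str
    roles: Set[str]
    mfa_verified: bool


@dataclass
class Device:
    device_id: str
    managed: bool     # enrolled in MDM
    compliant: bool   # passed posture check (disk encryption, EDR, patch level)


@dataclass
class AccessRequest:
    subject: Subject
    device: Device
    resource: str
    action: str       # "read" or "admin"
    risk_score: int   # 0-100, derived from session signals (new geo, odd hour, ...)
    now: datetime


@dataclass
class Decision:
    allow: bool
    reason: str
    expires_at: Optional[datetime] = None   # set only for JIT-elevated grants


# Hypothetical resource policy: roles allowed per action and the maximum risk
# score tolerated for that action. Anything not listed here is denied.
POLICY = {
    "hr-db": {
        "read":  {"roles": {"hr", "hr-admin"}, "max_risk": 50},
        "admin": {"roles": {"hr-admin"},       "max_risk": 20},
    },
}
ELEVATION_TTL = timedelta(minutes=15)


def evaluate(req: AccessRequest) -> Decision:
    # 1. Default deny: no matching rule means no access.
    rule = POLICY.get(req.resource, {}).get(req.action)
    if rule is None:
        return Decision(False, "no policy for resource/action")
    # 2. Identity: strong authentication and role membership (least privilege).
    if not req.subject.mfa_verified:
        return Decision(False, "mfa required")
    if not (req.subject.roles & rule["roles"]):
        return Decision(False, "role not authorized for action")
    # 3. Device posture: only managed, compliant devices may reach the resource.
    if not (req.device.managed and req.device.compliant):
        return Decision(False, "device posture check failed")
    # 4. Transactional risk: the threshold is stricter for privileged actions.
    if req.risk_score > rule["max_risk"]:
        return Decision(False, f"risk {req.risk_score} exceeds {rule['max_risk']}")
    # 5. Privileged actions are granted just-in-time; the grant expires and the
    #    caller must come back through the PDP to keep it.
    if req.action == "admin":
        return Decision(True, "jit elevation granted", req.now + ELEVATION_TTL)
    return Decision(True, "allowed")


# Constructed sample subjects, devices and a fixed clock so demo() is stable.
NOW = datetime(2024, 3, 4, 12, 0, tzinfo=timezone.utc)
OK_DEVICE = Device("laptop-1", managed=True, compliant=True)
BYOD_DEVICE = Device("byod-1", managed=False, compliant=False)
HR_USER = Subject("alice", {"hr"}, mfa_verified=True)
HR_ADMIN = Subject("carol", {"hr-admin"}, mfa_verified=True)
NO_MFA_USER = Subject("alice", {"hr"}, mfa_verified=False)


def demo():
    """Evaluate the sample requests; returns {label: (allow, reason)}."""
    cases = {
        "hr reads on managed device":      AccessRequest(HR_USER, OK_DEVICE, "hr-db", "read", 10, NOW),
        "hr reads on unmanaged device":    AccessRequest(HR_USER, BYOD_DEVICE, "hr-db", "read", 10, NOW),
        "hr without mfa":                  AccessRequest(NO_MFA_USER, OK_DEVICE, "hr-db", "read", 10, NOW),
        "hr attempts admin":               AccessRequest(HR_USER, OK_DEVICE, "hr-db", "admin", 10, NOW),
        "hr-admin admin, low risk":        AccessRequest(HR_ADMIN, OK_DEVICE, "hr-db", "admin", 10, NOW),
        "hr-admin admin, elevated risk":   AccessRequest(HR_ADMIN, OK_DEVICE, "hr-db", "admin", 35, NOW),
        "hr-admin reads unknown resource": AccessRequest(HR_ADMIN, OK_DEVICE, "finance-db", "read", 0, NOW),
    }
    return {label: (d.allow, d.reason)
            for label, d in ((label, evaluate(r)) for label, r in cases.items())}


if __name__ == "__main__":
    for label, (allow, reason) in demo().items():
        print(f"{'ALLOW' if allow else 'DENY ':5} {label}: {reason}")
```

Note the ordering of the checks: a request on an unmanaged device is refused even when the identity and role are valid, and an admin grant carries an expiry so that elevation is tied to one transaction rather than to the account.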

Principle 3

Comprehensive security monitoring is implemented. Visibility must reach into every corner of the organization so that threats and adversaries have nowhere to hide. Understand how users operate and how assets communicate, and pair this visibility with the tools, processes, and controls required to stop, remediate, and surgically remove or isolate detected threats.

When Seagen analyzes these principles, we look at the key aspects of ZTA, which include:

  • Identity and Access Management (IAM): Zero Trust Architecture relies on strong identity and access management to ensure that only authorized users and devices can access resources. This typically includes multi-factor authentication, device trust, and role-based access controls.

  • Segmentation: Zero Trust Architecture relies on network segmentation to create a “defense in depth” strategy that limits the attack surface and makes it harder for attackers to move laterally within the network.

  • Micro-segmentation: Zero Trust Architecture relies on micro-segmentation to restrict access to specific resources (individual workloads or services) to only authorized users and devices, rather than trusting everything inside a network segment.

  • Continuous monitoring and response: Zero Trust Architecture relies on continuous monitoring and response to detect and respond to security breaches in real time. Monitoring should also account for each user’s expected time zone and business hours, so that access at unusual times is flagged.

  • Data protection: Zero Trust Architecture relies on data protection to ensure that sensitive data is encrypted and access to it is restricted to authorized users and devices.

  • Device security: Zero Trust Architecture relies on device security to ensure that all devices accessing the network are secure and comply with security policies.

  • Network security: Zero Trust Architecture relies on network security to ensure that all network traffic is secure and that no unauthorized connections can be established.

  • Cloud security: Zero Trust Architecture relies on cloud security to ensure that all resources hosted in the cloud are secure and that access to them is restricted to authorized users and devices.

  • Location: Zero Trust Architecture relies on inspecting the location and consistency of access to determine whether a resource or service is being accessed from multiple geographic locations within a short period. Such inconsistency can indicate compromised credentials, or point to a gap in our architecture design.

These key aspects of ZTA work together to create a comprehensive security model that ensures that no user, device, or network can be fully trusted, and that all access to resources is restricted to authorized users and devices.
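The monitoring and location aspects above (and Principle 3) call for detection logic that runs over sign-in telemetry. The following is an added example, not code from the original page or from any Seagen tooling. It parses a constructed key=value sign-in log that already carries coordinates from an IP lookup, then flags access outside the user’s business hours in their home time zone and “impossible travel” between consecutive sign-ins; the log format, the users’ time zones, the business-hours window and the 900 km/h ceiling are all assumptions.

```python
"""Monitoring signals for Zero Trust: off-hours access and impossible travel.

Constructed example (not from the original page): sign-in events are parsed
from a hypothetical key=value log that already carries geo coordinates from
an IP lookup. Each user's home time zone and the business-hours window are
assumptions; the 900 km/h ceiling is roughly airliner speed, so anything
faster between two consecutive sign-ins cannot be the same person.
"""
import math
from datetime import datetime, timedelta, timezone

# Constructed sample log: UTC timestamp, then key=value fields.
SAMPLE_LOG = """\
2024-03-04T16:05:00Z user=alice result=success lat=47.6062 lon=-122.3321
2024-03-04T03:10:00Z user=bob result=success lat=47.6062 lon=-122.3321
2024-03-04T16:45:00Z user=alice result=success lat=52.5200 lon=13.4050
2024-03-05T17:30:00Z user=bob result=success lat=47.6062 lon=-122.3321
"""

BUSINESS_HOURS = (8, 18)                            # local hours treated as normal
USER_TZ = {"alice": timezone(timedelta(hours=-8)),  # assumed home time zones
           "bob": timezone(timedelta(hours=-8))}
MAX_SPEED_KMH = 900.0


def parse(log: str) -> list:
    """Parse log lines into dicts with an aware UTC datetime and float coords."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "user": fields["user"],
            "lat": float(fields["lat"]),
            "lon": float(fields["lon"]),
        })
    return events


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance in kilometres on a spherical Earth."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def detect(events: list) -> list:
    """Return (alert_type, user, time) tuples in chronological order."""
    alerts = []
    last = {}   # most recent event per user
    for e in sorted(events, key=lambda x: x["time"]):
        # Off-hours: judge the sign-in in the user's home time zone, not in UTC.
        local = e["time"].astimezone(USER_TZ.get(e["user"], timezone.utc))
        in_window = BUSINESS_HOURS[0] <= local.hour < BUSINESS_HOURS[1]
        if not in_window or local.weekday() >= 5:
            alerts.append(("off_hours", e["user"], e["time"]))
        # Impossible travel: compare with the same user's previous sign-in.
        prev = last.get(e["user"])
        if prev is not None:
            km = haversine_km(prev["lat"], prev["lon"], e["lat"], e["lon"])
            hours = (e["time"] - prev["time"]).total_seconds() / 3600.0
            # Same place is never travel; a nonzero distance in zero elapsed
            # time is treated as infinite speed rather than dividing by zero.
            speed = (km / hours) if hours > 0 else (math.inf if km > 0 else 0.0)
            if speed > MAX_SPEED_KMH:
                alerts.append(("impossible_travel", e["user"], e["time"]))
        last[e["user"]] = e
    return alerts


if __name__ == "__main__":
    for kind, user, when in detect(parse(SAMPLE_LOG)):
        print(f"{kind:18} {user:6} {when.isoformat()}")
```

On the sample data, bob’s first sign-in lands on a Sunday evening in his home time zone and is flagged as off-hours, and alice’s two sign-ins 40 minutes apart from roughly 8,100 km apart are flagged as impossible travel; the same event evaluated in UTC alone would look like normal working hours, which is why the time zone lookup matters.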


How is ZTA Measured?

Compliance with Zero Trust Architecture (ZTA) is typically measured by evaluating the implementation and effectiveness of the various security controls and practices that make up the ZTA model. This can include assessing the following areas:

  • Identity and access management: This includes evaluating the strength and effectiveness of multi-factor authentication, device trust, and role-based access controls.

  • Segmentation and micro-segmentation: This includes evaluating the effectiveness of network segmentation and micro-segmentation in isolating and protecting sensitive resources.

  • Continuous monitoring and response: This includes evaluating the effectiveness of real-time monitoring and incident response capabilities, such as security information and event management (SIEM) systems and threat intelligence feeds.

  • Data protection: This includes evaluating the effectiveness of data encryption and access controls to protect sensitive data.

  • Device security: This includes evaluating the security of all devices accessing the network, including endpoint protection, mobile device management (MDM), and device-based conditional access controls.

  • Network security: This includes evaluating the security of network connections and the protection against unauthorized connections.

  • Cloud security: This includes evaluating the security of resources hosted in the cloud, including the use of cloud access security brokers (CASBs) and other security solutions.

  • Compliance with industry standards: This includes evaluating the compliance with relevant industry standards and regulatory requirements, such as SOC 2, PCI-DSS, HIPAA, and more.

  • Threat Modeling: This includes using the Microsoft Threat Modeling Tool with Azure services to identify, scope, and remediate known issues. It will not surface issues we are unaware of, and some identified issues may be accepted rather than addressed. A threat model is typically created before development so that remediation and testing can proceed in parallel with it.

  • IT Training: This typically includes developer tooling such as linters and code helpers, along with training resources such as LinkedIn Learning and YouTube.

These evaluations can be performed through a combination of automated tools, manual assessments, and third-party audits. Additionally, security teams can use various security frameworks and standards, such as NIST SP 800-207, to guide their assessment and measurement of Zero Trust Architecture compliance.


What is the Value of ZTA

Zero Trust Architecture (ZTA) is a security model that aims to provide security by verifying the identity of users and devices before granting access to resources. The value of ZTA is that it can help organizations to protect against a wide range of security threats, including:

  • Advanced Persistent Threats (APTs): ZTA can help to detect and prevent APTs by continuously monitoring and verifying the identity of users and devices, and by implementing micro-segmentation to limit the attack surface.

  • Data breaches: ZTA can help to protect against data breaches by encrypting sensitive data and implementing strict access controls.

  • Insider threats: ZTA can help to detect and prevent insider threats by implementing role-based access controls and by continuously monitoring user activity.

  • Compliance: ZTA can help organizations to comply with various security regulations and standards, such as SOC 2, PCI-DSS, HIPAA, and more.

  • Cloud security: ZTA can help to secure resources hosted in the cloud by implementing secure network connections, access controls, and monitoring.

  • Mobile security: ZTA can help to secure mobile devices by implementing device-based conditional access controls, mobile device management (MDM), and endpoint protection.

  • Remote work security: ZTA can help to secure remote work by implementing secure network connections, access controls, and monitoring.

  • Cost reduction: ZTA can help to reduce costs by automating security processes and reducing the need for manual intervention.

By implementing ZTA, Seagen can improve the overall security of its systems, data, and networks, and gain a better understanding of the security posture of our environment. This can help to protect against a wide range of security threats and ensure compliance with industry standards and regulations.


What IT Teams are Involved in ZTA?

In a Zero Trust Architecture, various IT teams may be involved, including:

  • Network security team: responsible for securing the network infrastructure and implementing security controls such as firewalls and VPNs.

  • Identity and access management team: responsible for managing user identities and controlling access to resources.

  • Cloud security team: responsible for securing resources hosted in the cloud. GAP

  • Compliance and auditing team: responsible for ensuring that the organization’s security practices meet regulatory requirements and for conducting security audits.

  • Incident response team: responsible for responding to security incidents and conducting investigations.

  • Endpoint security team: responsible for securing endpoint devices such as laptops and smartphones. GAP

  • Application security team: responsible for securing applications and ensuring that they are free from vulnerabilities.

  • Data security team: responsible for protecting sensitive data and ensuring that it is properly encrypted and securely stored. GAP

These teams may work together to design, implement, and maintain a Zero Trust Architecture.


What are the Risks of not Implementing Zero Trust Architecture?

The following risks are listed from the most severe ramifications to the least, though many factors contribute to the actual level of risk.

  • Data breaches: Without proper security controls and access controls in place, an attacker may be able to gain unauthorized access to sensitive data, leading to a data breach.

  • Business disruption: A security incident that results in a data breach or unauthorized access to sensitive resources can lead to a disruption of business operations.

  • Reputation damage: A security incident can result in damage to an organization’s reputation and loss of customer trust.

  • High costs: The cost of a security incident, such as a data breach, can be very high, including the costs of responding to the incident, potential legal liabilities, and the loss of business.

  • Compliance violations: Organizations that are required to comply with regulations such as HIPAA, PCI-DSS, and GDPR may be at risk of non-compliance if they do not implement a ZTA.

  • Unauthorized access: Without proper authentication and authorization controls, attackers or malicious insiders may be able to gain unauthorized access to sensitive resources and data.

  • Lack of visibility: Without proper logging and monitoring, it can be difficult for an organization to detect and respond to security incidents.

  • Legal liabilities: Organizations may face legal liabilities if they fail to meet regulatory compliance requirements or if they are found to be negligent in protecting sensitive data.

Implementing a ZTA can help an organization to mitigate these risks by providing proper security controls, visibility, and incident response capabilities, and by ensuring compliance with regulatory requirements.


References

NIST SP 800-207, Zero Trust Architecture (authoritative reference)

The Definition of Modern Zero Trust