What does Zero Trust stand for? Why is this concept becoming increasingly important? What needs to be considered when implementing it? And does System Hardening play a role here? This guide clarifies this and more.
Definition: What does Zero Trust mean?
Zero Trust is a cybersecurity paradigm of growing importance. It applies to the defense of entire IT infrastructures as well as of individual resources. The term “Zero Trust” means exactly what it says: no implicit trust. In IT it is usually expanded to the motto “Never trust, always verify!”.
Reasons: Why is Zero Trust so important?
“Everything behind the firewall is safe.” Zero Trust abandons this old, static way of looking at things, because even a system that is protected by technical measures and is therefore considered “secure” still gets compromised, sometimes massively.
IT managers must always be aware that security breaches happen. They come from outside, for example through attacks by cyber criminals, and from within, for example through employee misconduct. Trends such as remote work, mobile office and work from anywhere increase the risk of data breaches and other IT security problems.
Companies therefore need security models and building blocks that adapt to the complexity of modern IT environments, include mobile workers, and protect devices, applications and data regardless of their location. In particular, a device that has dialed in via VPN is no longer automatically considered secure.
Current example: Log4j
The critical vulnerability in the widely used Java logging library Log4j, currently being discussed in the media, shows how sensitive and vulnerable a network infrastructure is. Log4j is deeply embedded in the architecture of a large number of software products. A successful exploit gives attackers remote code execution, and with it complete control of the affected system and, unfortunately, often of the infrastructure connected to it.
With a Zero Trust concept in place, it is harder for attackers to turn such a foothold into a compromise of further systems.
Background: Where does the Zero Trust idea come from?
The Zero Trust idea dates back to Stephen Paul Marsh’s doctoral dissertation of 1994. The term was popularized by Forrester analyst John Kindervag from 2010 onwards and came into wider use with the National Institute of Standards and Technology (NIST) publication “Zero Trust Architecture” (Special Publication 800-207, draft 2019, final version 2020).
Since then, Zero Trust has been slowly gaining acceptance. Companies such as Microsoft and agencies such as the German BSI (Bundesamt für Sicherheit in der Informationstechnik) and the UK’s NCSC (National Cyber Security Centre) publish guidance on it. More than that, Zero Trust as an architecture is slowly becoming the standard for current and future IT infrastructures.
The assumptions behind Zero Trust
To truly understand Zero Trust, the following three assumptions or principles are important:
Explicit Verification
Every device and every user must be verified explicitly, on every access. No device or user is trusted merely because a VPN connection succeeded or a network cable was plugged in inside the office building; under Zero Trust, network location plays no role in the trust decision.
Minimal access rights
Under the least privilege model, each user and device receives exactly the rights that its role needs for the task at hand, and only for as long as it needs them. Standing administrator rights, let alone on all systems, must not exist after a successful Zero Trust implementation; administrative access is granted for a specific purpose and expires.
Assume breach
Implementing this assumption certainly requires the most rethinking. Zero Trust assumes that a breach, at least a partial one, has already taken place. Every endpoint device must therefore be secured, and habits of thought such as “We’re in the backend, nothing will happen there!” are called into question. By definition, there is no “secure backend” in the Zero Trust approach.
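The three assumptions become concrete in the policy decision made for each access request. The following Python example is added to this article to illustrate that decision; it is not code from the article or from any product named on this page. The role model, the session and device thresholds and the scenario data are assumptions. Note that the network the request comes from is recorded but never consulted, that the device posture and a fresh MFA-verified session are required, and that even an allowed request yields only a narrow, short-lived grant.

```python
"""Policy decision for one access request under the three Zero Trust
assumptions. Added example for this article; not code from any product named
on the page. Roles, thresholds and the scenario data are assumptions."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Session:
    user: str
    mfa_verified: bool          # explicit verification: a password alone is not enough
    authenticated_at: datetime
    network: str                # "office-lan", "vpn", "internet": logged, never trusted


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool               # enrolled in management, so its posture is attested
    disk_encrypted: bool
    days_since_patch: int


@dataclass(frozen=True)
class Grant:
    user: str
    resource: str
    action: str
    expires_at: datetime        # least privilege in time: no standing rights


# Assumed role model: which actions a role may request on which resource.
ROLE_ACTIONS = {
    "db-admin": {"db-prod": {"read", "alter-schema"}},
    "developer": {"db-prod": {"read"}, "ci": {"read", "trigger"}},
}
MAX_SESSION_AGE = timedelta(hours=8)   # force re-authentication after this
MAX_PATCH_AGE_DAYS = 30                # device posture threshold (assumed)
GRANT_TTL = timedelta(hours=1)         # just-in-time grant; expires on its own


def device_compliant(device: Device) -> bool:
    return (device.managed and device.disk_encrypted
            and device.days_since_patch <= MAX_PATCH_AGE_DAYS)


def decide(session: Session, device: Device, role: str, resource: str,
           action: str, now: datetime) -> tuple[bool, str, Grant | None]:
    """Evaluate one request. session.network is deliberately never consulted:
    being on the office LAN or on the VPN neither helps nor hurts."""
    if not session.mfa_verified:
        return False, "deny: MFA not verified", None
    if now - session.authenticated_at > MAX_SESSION_AGE:
        return False, "deny: re-authentication required", None
    if not device_compliant(device):
        return False, "deny: device posture non-compliant", None
    if action not in ROLE_ACTIONS.get(role, {}).get(resource, set()):
        return False, f"deny: role {role} may not {action} on {resource}", None
    # Assume breach: even an allowed request yields a narrow, short-lived grant,
    # so a stolen grant is worth little to an attacker.
    return True, "allow", Grant(session.user, resource, action, now + GRANT_TTL)


def grant_valid(grant: Grant, now: datetime) -> bool:
    return now < grant.expires_at


def run_scenario() -> dict[str, bool]:
    """Constructed requests showing which factors drive the decision."""
    now = datetime(2022, 1, 10, 9, 0, tzinfo=timezone.utc)
    fresh = now - timedelta(hours=1)
    laptop = Device("lap-01", managed=True, disk_encrypted=True, days_since_patch=3)
    stale = Device("lap-02", managed=True, disk_encrypted=True, days_since_patch=45)
    on_lan = Session("alice", True, fresh, "office-lan")
    on_net = Session("alice", True, fresh, "internet")
    no_mfa = Session("alice", False, fresh, "office-lan")
    old = Session("alice", True, now - timedelta(hours=9), "office-lan")

    ok, _, grant = decide(on_lan, laptop, "db-admin", "db-prod", "alter-schema", now)
    return {
        "lan_read_allowed": decide(on_lan, laptop, "db-admin", "db-prod", "read", now)[0],
        "internet_read_allowed": decide(on_net, laptop, "db-admin", "db-prod", "read", now)[0],
        "lan_without_mfa_denied": not decide(no_mfa, laptop, "db-admin", "db-prod", "read", now)[0],
        "stale_session_denied": not decide(old, laptop, "db-admin", "db-prod", "read", now)[0],
        "unpatched_device_denied": not decide(on_lan, stale, "db-admin", "db-prod", "read", now)[0],
        "developer_alter_denied": not decide(on_lan, laptop, "developer", "db-prod", "alter-schema", now)[0],
        "grant_issued": ok and grant is not None,
        "grant_expires": (grant_valid(grant, now + timedelta(minutes=59))
                          and not grant_valid(grant, now + timedelta(hours=2))),
    }


if __name__ == "__main__":
    for name, result in run_scenario().items():
        print(f"{name}: {'ok' if result else 'UNEXPECTED'}")
```

The same request from the office LAN and from the open internet gets the same answer, which is the whole point of explicit verification; what changes the answer is a missing MFA step, a stale session, an unpatched device, or an action outside the role.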
Implementation: What does Zero Trust management have to consider?
IT managers working according to Zero Trust must meet various operational requirements with suitable technical and organizational measures. These include, in particular, reliably establishing the identity of people and services, and securing IT systems and end devices.
Zero Trust management, for example, gives those responsible and the users documents and guides with clear instructions for action. Only endpoints in a verified, secure state, whether smartphones, tablets, notebooks or IoT components, are admitted. And within networks, attackers are prevented from moving laterally unhindered.
System Hardening: is that still important with Zero Trust?
Yes, definitely! System Hardening is an efficient and effective way to reduce the attack surface of IT systems.
For example, System Hardening disables unnecessary or risky functions and services and enforces strong passwords. Hardening based on standardized recommendations (such as the CIS Benchmarks or the vendor’s own security baselines) is considered essential for operating systems (e.g. Windows 10 and Windows Server) and for frequently used applications (Microsoft Office, browsers, etc.).
System Hardening in a Zero Trust environment: How does it work?
System Hardening is only reliable if it is performed continuously: new vulnerabilities and attack methods make it imperative to stay up to date, and hardened settings drift over time through updates, troubleshooting and manual changes.
The best way to achieve this is automated System Hardening. The managed systems are checked regularly against the baseline, deviations are corrected automatically, and the whole process is embedded in a monitoring solution that actively notifies in case of deviations (“non-compliance”).
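One cycle of such a check, as an added Python example for this article (not code from the Enforce Administrator product or from the article itself): parse the local security policy as written by `secedit /export`, compare it with a baseline, report every deviation as a finding, and produce the corrected policy in the INF layout that `secedit /configure /cfg` reads. The sample dump is constructed, and the baseline values are illustrative assumptions rather than a particular published benchmark.

```python
"""Audit a `secedit /export` policy dump against a hardening baseline and emit
the corrected policy. Added example for this article, not code from the Enforce
Administrator product; baseline values and the sample dump are assumptions."""
from __future__ import annotations
import configparser
from dataclasses import dataclass
from typing import Callable

# Constructed sample of what `secedit /export /cfg current.inf` writes on a
# Windows host (the real file is UTF-16). Several values are deliberately weak.
SAMPLE_EXPORT = r"""
[System Access]
MinimumPasswordLength = 7
PasswordComplexity = 0
PasswordHistorySize = 24
LockoutBadCount = 0
[Registry Values]
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse=4,1
"""
LSA = r"MACHINE\System\CurrentControlSet\Control\Lsa"
LANMAN = r"MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters"


def parse_secedit(text: str) -> dict[str, dict[str, str]]:
    """INI-like: 'Key = Value' lines; registry entries are 'path=<type>,<data>'."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str      # keep setting names and registry paths case-sensitive
    cp.read_string(text)
    return {section: dict(cp[section]) for section in cp.sections()}


def dword(raw: str) -> int:
    """'4,1' -> 1 (type 4 is REG_DWORD); ValueError if the data is not numeric."""
    return int(raw.partition(",")[2])


@dataclass(frozen=True)
class Rule:
    section: str
    key: str
    expected: str                        # value written when remediating
    satisfied: Callable[[str], bool]     # predicate over the current raw value
    why: str


@dataclass(frozen=True)
class Finding:
    rule: Rule
    current: str | None                  # None when the setting is absent from the dump


# Illustrative baseline (assumed values, not a specific published benchmark).
BASELINE = [
    Rule("System Access", "MinimumPasswordLength", "14",
         lambda v: int(v) >= 14, "short passwords are cheap to brute-force"),
    Rule("System Access", "PasswordComplexity", "1",
         lambda v: int(v) == 1, "complexity filter must be on"),
    Rule("System Access", "PasswordHistorySize", "24",
         lambda v: int(v) >= 24, "prevents immediate password reuse"),
    Rule("System Access", "LockoutBadCount", "5",
         lambda v: 1 <= int(v) <= 5, "0 disables account lockout entirely"),
    Rule("Registry Values", LANMAN + r"\RequireSecuritySignature", "4,1",
         lambda v: dword(v) == 1, "SMB signing blocks relay attacks"),
    Rule("Registry Values", LSA + r"\NoLMHash", "4,1",
         lambda v: dword(v) == 1, "LM hashes are trivially cracked"),
    Rule("Registry Values", LSA + r"\LimitBlankPasswordUse", "4,1",
         lambda v: dword(v) == 1, "blank passwords must not work over the network"),
]


def audit(policy: dict[str, dict[str, str]], baseline=BASELINE) -> list[Finding]:
    """One Finding per failed rule. Missing or unparsable settings count as
    failures: absence is not evidence of hardening."""
    findings = []
    for rule in baseline:
        current = policy.get(rule.section, {}).get(rule.key)
        try:
            ok = current is not None and rule.satisfied(current)
        except ValueError:
            ok = False
        if not ok:
            findings.append(Finding(rule, current))
    return findings


def remediate(policy, findings: list[Finding]) -> dict[str, dict[str, str]]:
    """Corrected policy: each finding set to its baseline value, all else kept."""
    fixed = {section: dict(values) for section, values in policy.items()}
    for f in findings:
        fixed.setdefault(f.rule.section, {})[f.rule.key] = f.rule.expected
    return fixed


def render_inf(policy: dict[str, dict[str, str]]) -> str:
    """Serialise back to the INF layout that `secedit /configure /cfg` reads."""
    lines = []
    for section, values in policy.items():
        lines.append(f"[{section}]")
        for key, value in values.items():
            sep = "=" if section == "Registry Values" else " = "
            lines.append(f"{key}{sep}{value}")
    return "\n".join(lines) + "\n"
```

Run as `audit(parse_secedit(SAMPLE_EXPORT))`: the sample yields four findings (password length, complexity, lockout count and SMB signing); `render_inf(remediate(policy, findings))` is the text a monitoring agent would hand to `secedit /configure` and each finding is what a “non-compliance” notification would carry. Two design points matter in practice: a setting that is missing from the dump is reported as a failure rather than silently passed, and a value that does not parse is treated the same way, so a garbled export cannot look compliant.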
Such automated System Hardening can be performed with the Enforce Administrator, for individual systems as well as for complex IT landscapes with thousands of systems.
Enforce Administrator: Get more Information
Need help with System Hardening? Our experts are available to advise and support you in auditing and hardening your IT systems to the latest standards and specifications.
Image: Pixabay