The zero-trust security model is essential for a modern internet-connected company — a company that has employees working from home, from branch offices and from the road, all accessing the same corporate network that the main office uses. It's especially important for organizations that have databases, apps, workloads, and other assets in the cloud.
But can you just go out and buy a zero-trust platform off the shelf? Not really. The zero-trust security model is a framework, not a packaged solution. You can't just set it up and forget about it. You have to re-orient your entire security mindset from the older perimeter-based network-defense model to the zero-trust model, and you will probably need to purchase some new tools to achieve it.
There is something called zero trust network access (ZTNA), which is a very specific type of solution that controls user access to in-house applications. ZTNA is an essential component of the secure access service edge (SASE) and security service edge (SSE) cloud-security models. Implementing ZTNA will put you on the road to zero trust, but it's not a prepackaged zero-trust model.
"If you talk about zero trust network access, there's actually a product category, and you can compare products that do zero trust network access," Aviv Abramovich, head of security services product management at Check Point, told us in a recent conversation. "Sometimes I go to customers and talk about zero trust, and they're thinking zero trust network access. And sometimes the other way around."
Asked if any company offers a real off-the-shelf zero-trust full implementation, Abramovich replied, "I don't think so. And I think everybody who would say that they do, I would challenge that claim."
It's perfectly fine to select best-of-breed vendors of the various zero-trust oriented tools that you might need, Abramovich explained, even if multiple tools come from the same vendor.
"There are companies that are very good at managing identities," he said. "You would use them as an identity [provider]. And you would use, let's say, Check Point for network security. You might use a third-party SIEM tool for consolidating and monitoring everything."
However, he added, "there are companies that have pretty good coverage on multiple elements you might need, not just network security, but mobile security, phone security and cloud security. Definitely what we see is there are companies now, like Check Point, building a platform."
What does the zero-trust security model involve?
The zero-trust security model consists of several parts:
Strong identity management and verification. The core of zero trust is to treat each user, whether a new staffer, an automated process or the CEO of the company, as a potential threat. Each user must verify their identity upon every access. Context-aware multi-factor authentication (MFA) that takes into account a user's location, device and time zone is especially important. And users may be asked to re-verify their identities several times throughout the day.
"The fact that I trusted you two minutes ago doesn't mean I trust you now," Abramovich explained. "Maybe you, in those two minutes, managed to get malware on your laptop, or wherever you're accessing, and now I have to take that trust away."
There are many vendors that supply robust identity and access management (IAM) systems that can serve as the bedrock of zero trust, and we have a guide to evaluating them.
The principle of least privilege. Each user should be granted no more system privileges than they need to perform their task. Access to assets should be based upon identity, not network location. Privileges that are not necessary should be revoked. This applies to all staffers and users, and longtime network administrators might be resistant to having existing privileges revoked.
Micro-segmentation of networks. Once granted access, no user should get free rein throughout an entire network. Instead, each user must re-verify their identity and privileges when jumping from one part of the network to another. The more segments you create, the less room an attacker has to move laterally.
Visibility, monitoring and logging of the entire network. Each user must be tracked and verified as they move from one asset to another, and there should be no blind spots.
"Being able to understand who has access, who has trust, to where, what, where did they log on to and how they logged on to it," Abramovich said.
Automation. Unless you have a very small staff, monitoring and verifying all those users and their movements will be beyond human capability. Strong IAM and network-management solutions are heavily automated so that the grunt work will be done automatically and in a split second.
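To make the parts above concrete, here is an added example (not from the article and not Check Point's code) of a small policy-decision function that applies them to every access request: a least-privilege role check per segment, a device-posture signal, context-aware step-up when the location is unexpected, a freshness window that withdraws trust granted earlier, re-verification when a session crosses a segment boundary, and an audit record of every decision. The roles, segments, 15-minute window and sessions are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed least-privilege policy: roles permitted on each network segment.
SEGMENT_ROLES = {"hr-db": {"hr"}, "crm": {"sales", "hr"}, "build-farm": {"eng"}}
REVERIFY_AFTER = timedelta(minutes=15)  # constructed freshness window for trust
AUDIT_LOG: list[str] = []  # every decision is recorded: visibility, no blind spots

@dataclass
class Session:
    user: str
    roles: set
    device_managed: bool     # device-posture signal, e.g. from MDM (assumed input)
    country: str             # where this request originates
    home_country: str        # where the user normally works
    last_verified: datetime  # when the user last completed MFA
    current_segment: Optional[str] = None

def evaluate(session: Session, segment: str, now: datetime) -> tuple[str, str]:
    """Decide one request: 'allow', 'step-up' (MFA again first) or 'deny'."""
    allowed = SEGMENT_ROLES.get(segment, set())
    if not (session.roles & allowed):
        decision = ("deny", f"no role of {session.user} is permitted on {segment}")
    elif not session.device_managed:
        decision = ("deny", "request from an unmanaged device")
    elif session.country != session.home_country:
        decision = ("step-up", "unexpected location; context-aware MFA required")
    elif now - session.last_verified > REVERIFY_AFTER:
        decision = ("step-up", "last verification is older than the freshness window")
    elif session.current_segment not in (None, segment):
        decision = ("step-up", "crossing a segment boundary; re-verify")
    else:
        decision = ("allow", "identity, device, location and freshness checks passed")
    AUDIT_LOG.append(f"{now.isoformat()} user={session.user} segment={segment} "
                     f"from={session.country} decision={decision[0]} ({decision[1]})")
    return decision

def run_scenarios() -> dict[str, str]:
    """Constructed walkthrough: an HR user mid-session and an engineer with stale trust."""
    now = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    alice = Session("alice", {"hr"}, True, "US", "US", now - timedelta(minutes=2), "crm")
    bob = Session("bob", {"eng"}, True, "US", "US", now - timedelta(hours=1))
    return {
        "same-segment": evaluate(alice, "crm", now)[0],        # allow
        "new-segment": evaluate(alice, "hr-db", now)[0],       # step-up
        "no-role": evaluate(alice, "build-farm", now)[0],      # deny
        "stale-trust": evaluate(bob, "build-farm", now)[0],    # step-up
    }
```

Each call appends one line to AUDIT_LOG, which is the record a SIEM would consume; the ordering of the checks is itself a policy choice and deny-on-privilege is evaluated first.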
What do I need to implement a zero-trust security model?
The most important company to evaluate when comparing zero-trust solutions is your own. Start by inventorying all your assets — endpoints, network appliances, cloud instances, applications, APIs, databases, servers, etc., and individual staffers as well — and rank them in order of importance.
Then perform a risk assessment on each asset. How well is that asset protected? How important is it? What would be the impact if it were compromised, and how likely is that compromise? What would be the cost of properly protecting that asset?
Once you've done that, you'll know which assets need securing the most, and you can design your zero-trust implementation accordingly.
Next, see whether you have existing security or network tools that can be repurposed or upscaled to become part of your zero-trust security model. For example, you may already be using an IAM solution that works quite well with zero trust.
You will probably need to implement several new tools, however. Select tools that provide the components listed above, and then slowly implement zero-trust pilot programs to selected parts of your company. For more on this topic, read our recent white paper, "The zero-trust dilemma," and stream the sessions from our recent virtual summit, "Navigating the zero trust landscape."
How can I evaluate vendors of zero-trust components?
Once you've assessed which components you need to purchase or license to implement zero trust, then you can investigate various vendors according to common-sense criteria that apply in most cybersecurity comparisons. These are questions you can ask of the vendor, and also of other companies that use that vendor.
- How scalable is the vendor's solution? Online companies, especially e-commerce ones, can see traffic rapidly rise and fall, and small organizations can quickly grow into big ones. Can the vendor's solution grow (or shrink) as quickly?
- What is the vendor's reputation? Can the vendor provide a list of clients that you can contact?
- Does the vendor have a product road map? What kind of new features might be coming up in the short term? How about the next five years?
- Is the vendor's product cloud-native? How well does it work with a cloud access security broker (CASB) and other cloud-native security tools?
- How well does the potential product work with your existing security tools?
- Does the vendor's product use artificial intelligence (AI), or will it use AI in the near future?
- Finally, how much risk mitigation does each potential zero-trust component bring? How much safer does it make your organization?
"Ultimately, what you want to compare is the level of threat mitigation or de-risking that these different solutions or different offerings can do for you," Abramovich said. "You can ask yourself, 'What is my risk before and after, and which one of them will help me mitigate the risk better?'"
Read more about Check Point’s zero-trust solutions and how they stack up in Miercom’s most recent assessments, and take Check Point’s zero-trust security checkup.