Zero Trust. Everyone’s talking about it, but what does it truly mean, and how can you prove that your organization is using a Zero Trust model effectively?
Where did Zero Trust come from? For the security veterans among us, we remember the old network security adage: inside the network was trusted, and outside of the network was untrusted. Think of the old castle-and-moat image commonly used to describe a network. This perimeter-based approach doesn’t work in today’s modern and agile threat landscape. Additionally, the implicit trust assumed with “inside” the network invokes risk. Hackers no longer hack in – they log in. Your Zero Trust framework goes out the door when an attacker gets in and creates their own trust.
Modern workplaces have evolved. Gone are the days when everyone walks into a brick-and-mortar building for work. To get the best talent and the most flexibility in today’s evolving business world, remote work has become ubiquitous, and that means you’ve got personnel requesting access to your network from everywhere. You can’t build a moat big enough to protect a network that varied.
The core tenants of Zero Trust are pretty clear: no one receives automatic trust from your network; if you’re going to grant access, grant only the access required and no more; verify that person’s identity before granting access; and do not assume that once the person (or device) is verified, they are always who they say they are – constantly re-verify to be safe.
How does this framework align with autonomous pentesting?
Let’s start with some baseline understanding. Rather than implying trust because of the user’s network location, Zero Trust believes that network location or IP addresses do not imply trust – it instead looks at identity and context. To put it simply: no one is trusted inside or outside the network without having their identity verified. Remember the old castle and moat analogy? Once you were on the right side of the moat (to the network), you were trusted. But with Zero Trust, identity authentication, not location, is how organizations keep their data safe.
The name “Zero Trust” is borne from the “default deny” posture. If a user or device wants access to anything, they must be verified or that access is denied. And when we accept that hackers don’t hack in, they log in, your credentials and authentication are that much more valuable to your business, and an attacker. If attackers are looking for credentials to get the keys to get to your crown jewels, ensuring usernames and passwords are being used by who they should be, and only so, is top priority.
The next tenant of Zero Trust: least privilege. If a user requests access to a document, application, folder, or so on, they are granted access to that resource and nothing more. It’s not unlike locking down a building – not every employee needs a skeleton key to every room in your headquarters. If they lose that passkey and it falls into the wrong hands, a dangerous stranger could be weaving in and out of your entire property. The same principle applies here.
The trust that is given is ephemeral (time-bound) and continually reevaluated. That user or device is re-verified with new requests to ensure they are who they say they are before further access is granted. Identities are verified through measures like multi-factor authentication, endpoint verification, or even physical keys provided by the organization linked to the user’s identity.
Who, what, and where
Zero Trust focuses on more than user identity; it also involves knowing what devices are on your network. With the explosion of cloud services and proliferation of work-from-home users, a company’s attack surface has dramatically changed, and will continue to. Clearly, this is one more reason why the attraction of Zero Trust frameworks are resonating. For example, home users are often criticized for leaving default passwords or factory settings on Internet of Things (IoT) devices like baby monitors or home security cameras, but businesses have adopted that risk, knowingly or willingly or not! With the number of devices that can be tied to a business’s network (including employee home networks), the professional world is as much, if not more, at risk and it’s up to security practitioners at these organizations to know every asset– hosts and people (credentials)–which is on their network. Understanding your environment is key to a Zero Trust framework.
How NodeZero can help
At Horizon3.ai, our core mission is: continuously verify your security posture. NodeZero does this and does it fast, identifying assets that are reachable, vulnerable, and exploitable. It looks for usernames and weak passwords that would allow hackers to log in easily. It also chains vulnerabilities, misconfigurations, or dangerous default settings and credentials, just like an attacker would in order to delve deeper and persist longer in your network.
The hardest part in cybersecurity is deciding what not to do. Horizon3.ai understands that no one has enough time to do everything they need to do – new risks, vulnerabilities, and threats emerge all the time. Prioritization so you can fix what matters most is a dire need for the best of security professionals. NodeZero context-scores every weakness, host, and credential, based on your environment and what impact that compromised asset led to. NodeZero provides the path with proof, so you know exactly how your “crown jewels” were discovered, and even provides fix actions so you know how to remediate the attack paths immediately.
And similar to Zero Trust access, our philosophy is always verify. NodeZero can be re-run immediately – and as often as you need to – in order to make sure the fix actions you have taken are in effect. Don’t wait for an annual pentest or an actual data breach to find out you missed a misconfiguration or if a patch wasn’t completed.
Zero Trust isn’t a single tool – it’s a philosophy and a framework. And that means for many organizations, Zero Trust is cobbled together using various tools, policies, and practices. A cobbled-together system, no matter how well thought out or considered, will have blind spots and weak links as tools run up against each other that are not designed to work well together. NodeZero’s find, fix, verify loop can find chinks in the armor of an organization’s Zero Trust plan to ensure those gaps are identified, repaired, and in working order. Introduced a new tool or process? NodeZero can act fast to ensure no new risks have been introduced before someone else finds them.
Everyone has blind spots – we’re human. NodeZero’s autonomous pentesting is a force multiplier for identifying those blind spots so you can shine a light on them and secure them before a bad actor can make use of them.
Want to learn more about NodeZero? Set up a demo today.