Nine23’s Chief Technology Officer and Chief Information Security Officer, Adam Gwinnett, has outlined the 12 Dimensions of a Zero Trust Solution.
Zero Trust Fundamentals
Zero Trust is a design ethos for data access. It seeks to remove assumed trust and establish verification at each stage of the data access journey. Its fundamental basis is in establishing policy-based access to assets describing the acceptable conditions for their use and revoking access to protect the information if any of those conditions fail to be met.
12 Dimensions
A Zero Trust access model is typically going to consider all of the following dimensions:
The User (Person)
Identity
Device
Network / Connectivity
Host
Application
Data
Monitoring
Session / State
Location
Time
Policy
A Zero Trust solution may not consider all of these dimensions, but the policies and mechanisms surrounding it will typically take them into account. Excluding a dimension will typically reduce the effectiveness and granularity of control achievable, but it can also reduce the volume of datapoints being stored and processed and reduce the complexity of the implementation. All of these considerations should be balanced when deciding upon a solution.
The User
The majority of access control models are based around providing information to a known individual who has a right to access it, based upon their role, organisation and needs. Mechanisms such as identity verification help reinforce this space, but outside of biometric access (which is growing in popularity for this very reason) there are notable limitations on linking system access to whoever has “hands on keys”.
Identity
One of the maxims for Zero Trust is that “identity is the perimeter”. The majority of access control solutions start at the identity record (and the credentials and permissions associated with it), which is a collection of roles, permissions and memberships to provide access to organisation controlled assets. Individuals can have multiple identity records associated with them (common where a user has administrative or privileged access for sensitive assets, for example) but access is fundamentally controlled at an identity level, even where several records may relate to the same physical person.
Device
Access to organisation-controlled data is enabled via a device. This typically refers to laptops, smartphones, tablets and other End User Devices (EUD), but in the age of Internet of Things (IoT) devices there are increasingly assets that have inherent rights to access data networks, be that a GPS device, an IP-enabled camera, sensors, kiosks or other smart devices. Zero Trust typically looks for the association between a user (person), identity and device. Devices can also be controlled via mechanisms such as device certificates, to help identify corporate-issued (or approved) assets, and controls such as MDM platforms (for example, Intune).
Network / Connectivity
Many Zero Trust solutions have focused around Zero Trust Network Access (ZTNA) as the initial (and sometimes only) factor of control. This provides a model for applying policies at the point that access to a resource is attempted, but once established the connection is seldom further inspected or interrupted. The Connectivity dimension will look at the network over which a device seeks to connect (such as the Internet or a corporate WAN), the mode of access (from known office Wi-Fi, coffee-shop Wi-Fi or over a mobile connection, for example) and whether connections are secured (such as via a VPN) or “in the clear”.
Host
Services all reside upon a host, be it a server, network node, container, or other runtime. A Zero Trust solution should understand the rules for accessing a host, the resource groups it is within and the tiering of solutions to ensure that access is only following approved paths and does not allow enumeration of hosts by allowing unauthenticated or inappropriate access to them.
Application
The majority of sensitive information resides within applications, be this a CRM system or an information management platform such as SharePoint. The application typically handles fine-grained access to functions and records within it and so provides a fundamental point of control in the Zero Trust access journey. Be it through the application itself or via an API, conditions for access and identification of suspicious queries and activities must be enforced. Models such as Zero Trust Application Gateways (ZTAG) or Secure Access Service Edge (SASE) solutions can augment application controls in this space.
Data
Aside from the systems and services themselves, the primary interest for Zero Trust access is in the information that the model seeks to protect. Even within a single application there are typically information sets of varying sensitivity and of multiple types, some of which may be far more significant than others. Being able to apply controls and access granularly across these datasets offers significant value, and this is where approaches such as data tokenization tend to come into play.
Monitoring
Most Zero Trust controls operate at the point of initial connection. To achieve a true Zero Trust solution it is essential to monitor not only the status and effectiveness of the controls themselves but also the ongoing activity within the systems, so that changes in activity and more subtle indicators of compromise can be identified and responded to.
Session / State
Zero Trust solutions will look for changes in behavior and conditions during sessions, in order to identify unusual patterns of activity that may suggest a compromised account or malicious user behavior. By managing the session, the Zero Trust solution can interrupt or revoke sessions, withdrawing access to an application or service and thereby protecting the information from further exposure.
Location
Zero Trust solutions can utilize the device location (network-derived or GPS, depending on need) to impose geofencing of access (limiting access to approved locations) and to match against usual working patterns. This model also allows for detection of multiple logons, impossible travel and other indicators of potential compromise.
Time
Zero Trust access control models will consider time as a potential factor for establishing the legitimacy of access – does the request fall within normal working hours for the user? Does the device time zone match the usual pattern of access or acceptable usage? Are request patterns in line with human patterns of behavior?
Policy
At the fundamental base layer of any Zero Trust solution is policy. Policy defines the “rules of play” and provides the framework of rules and conditions that access requests and services must meet in order for secure access to be granted. Policy Enforcement Points (PEPs) are the enforcers of this model and should be deployed at key points in the architecture to allow for the effective operation of decision-making, risk-based access and enforcement.
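As an added illustration (not from the original article or from Nine23), the following Python sketch shows a minimal policy decision and enforcement point of the kind described above and under Session / State: a constructed request is checked against conditions drawn from the Device, Connectivity, Location, Time and Session dimensions, and the session is revoked the moment any condition stops holding. The allowed country list, working hours and two-hour travel window are assumed values chosen for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class AccessContext:
    """Constructed snapshot of one request across the article's dimensions."""
    identity: str
    device_managed: bool   # Device: corporate-enrolled, e.g. via an MDM platform
    network: str           # Connectivity: "office-wifi", "public-wifi" or "mobile"
    vpn: bool              # Connectivity: tunnelled, or "in the clear"
    country: str           # Location: where the device currently reports itself
    when: datetime         # Time: when this observation was taken
    prev_country: str      # Session: location at the previous observation
    prev_when: datetime    # Session: time of the previous observation
ALLOWED_COUNTRIES = {"GB"}  # assumed geofence for this example

def device_ok(c): return c.device_managed
def network_ok(c): return c.network == "office-wifi" or c.vpn
def location_ok(c): return c.country in ALLOWED_COUNTRIES
def time_ok(c): return 7 <= c.when.hour < 20  # assumed working hours
def travel_ok(c):  # impossible travel: new country within two hours of last sighting
    return c.country == c.prev_country or c.when - c.prev_when > timedelta(hours=2)
POLICY = [("device", device_ok), ("network", network_ok),
          ("location", location_ok), ("time", time_ok), ("travel", travel_ok)]

def evaluate(ctx):
    """Policy decision: the names of every condition that fails (empty = grant)."""
    return [name for name, check in POLICY if not check(ctx)]

class Session:
    def __init__(self, ctx):
        self.failed = evaluate(ctx)
        self.active = not self.failed
    def reevaluate(self, ctx):
        self.failed = evaluate(ctx)  # continuous verification on each observation
        if self.failed:
            self.active = False      # any failed condition revokes the session
        return self.active

def demo():
    # Constructed scenario: a compliant logon, then a mid-session change of conditions
    t0 = datetime(2024, 1, 15, 10, 0)
    start = AccessContext("alice@example", True, "public-wifi", True, "GB",
                          t0, "GB", t0 - timedelta(hours=3))
    s = Session(start)
    granted = s.active
    # 30 minutes later the VPN has dropped and the device reports another country
    later = AccessContext("alice@example", True, "public-wifi", False, "US",
                          t0 + timedelta(minutes=30), "GB", t0)
    still_active = s.reevaluate(later)
    return granted, still_active, s.failed
```

Calling demo() grants the initial request and then revokes the session, reporting the network, location and travel conditions as the ones that failed.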