Zero Trust Security: The What, Why, and How
If you've been researching API security, you've likely seen the term "Zero Trust." And you may already know that organizations can use Zero Trust to help protect their APIs from attacks. What you may not know is that Zero Trust is one of the best models for API security. According to Microsoft, "96 percent of security decision-makers state that Zero Trust is critical to their organization's success." But what is Zero Trust exactly? And is it really worth implementing for your organization? Today we'll take a look at this security model, explore its principles, and discuss the benefits your organization could reap if you adopt it.
What is Zero Trust Security?
The premise of Zero Trust security is exactly what it sounds like: "trust no one" (that is, until and as long as they prove themselves trustworthy). This means that only users that have been authenticated, authorized, and verified on an ongoing basis can gain access to your network.
In the early days of internet security, organizations often ran on an on-premise network. Incoming traffic from within that network was assumed trustworthy, and security focused on preventing attacks from outside the network. But this security framework is flawed for several reasons:
- Attacks can come from within. If you assume that users internal to your network are not a threat, you leave yourself exposed to attacks from within the network. These can come from disgruntled employees, former employees whose access has not been revoked, and unauthorized individuals who get access to a logged-in machine.
- It doesn't work for cloud-based access. More and more organizations are doing business in the cloud, and users are accessing data from a myriad of devices and remote locations. The old model just doesn't account for the way modern users access data.
As the needs of organizations changed, the Zero Trust security framework emerged. Security stopped being about inside vs. outside the network, and instead focused on each user's trustworthiness. Zero Trust was introduced by John Kindervag of Forrester Research in 2010. The premise was that every connection (every call to your API, each endpoint, every login attempt, and so on) should be treated as a threat, regardless of its origin.
What is Zero Trust Network Access (ZTNA)?
If your company adopts a Zero Trust security model, your Zero Trust Network Access (ZTNA) solution would be a foundational tool for making the model a reality. ZTNA technologies authenticate users (proving they are who they say they are). Then, they use access control policies to ensure that users can access the right resources. Some examples of ZTNA solutions are Google BeyondCorp, Microsoft Azure AD Conditional Access, and Okta Access Gateway.
What are the main principles behind Zero Trust?
Now that we've reviewed the basics of the Zero Trust framework, let's examine the principles that govern this security model. All of these principles contribute to one or both of the focal areas of Zero Trust: controlling access and minimizing risk.
Zero Trust security means adhering to the following principles. Keep in mind that your ZTNA solution may or may not offer these features; check whether some of them need to be implemented separately.
Continuous monitoring and validation
Two ways that Zero Trust keeps tight control of access are continuous monitoring and continuous validation.
Continuous monitoring means putting software and teams in place to audit and monitor all activity for your organization's systems and devices. Continuous monitoring happens in real time and occurs on an ongoing basis, so you have a safety net if a threat is detected: you'll know about it right away. Knowing about it right away means you can act before attackers can strike, which minimizes risk.
Continuous validation means that a user's access is validated every time they request it, that is, not just when logging in, but for every API call. This concept posits that even when a user is already authenticated, they still can't be trusted until their access is validated again for each action. This adds another layer of security and risk minimization at every action point.
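The monitoring side of this principle only pays off if someone (or something) reads the access decisions as they are produced. The following is an added example, not code from the original article, of one detection a team might run over its policy-decision logs: it flags an identity whose requests were denied across several segments in a short window, which is the kind of signal a segmented network is supposed to surface. The log format, field names, and thresholds are assumptions, and the log lines are constructed for the example.

```python
import json
from collections import defaultdict

# Constructed sample of access-decision log lines, one JSON object per line.
# The field names (ts, user, device, segment, action, decision, reason) are assumptions.
SAMPLE_LOG = """\
{"ts": 1700000000, "user": "alice", "device": "lt-0412", "segment": "tickets", "action": "read", "decision": "allow"}
{"ts": 1700000005, "user": "alice", "device": "lt-0412", "segment": "billing", "action": "read", "decision": "deny", "reason": "role lacks permission"}
{"ts": 1700000012, "user": "alice", "device": "lt-0412", "segment": "hr", "action": "read", "decision": "deny", "reason": "role lacks permission"}
{"ts": 1700000020, "user": "alice", "device": "lt-0412", "segment": "payments", "action": "write", "decision": "deny", "reason": "role lacks permission"}
{"ts": 1700000030, "user": "bob", "device": "lt-0090", "segment": "billing", "action": "read", "decision": "allow"}
{"ts": 1700000031, "user": "bob", "device": "lt-0090", "segment": "billing", "action": "write", "decision": "deny", "reason": "role lacks permission"}
{"ts": 1700003700, "user": "alice", "device": "lt-0412", "segment": "tickets", "action": "read", "decision": "allow"}
"""


def parse_log(text):
    """Parse newline-delimited JSON decision records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_cross_segment_denials(events, window_seconds=300, min_segments=3):
    """Return one alert per user whose *denied* requests touched at least
    min_segments distinct segments within any window_seconds span.

    A single denial is routine (a typo, a stale bookmark). The same identity being
    refused in billing, hr and payments within minutes is worth a human's attention.
    """
    denied_by_user = defaultdict(list)
    for event in events:
        if event.get("decision") == "deny":
            denied_by_user[event["user"]].append(event)

    alerts = []
    for user, denials in denied_by_user.items():
        denials.sort(key=lambda e: e["ts"])
        # Slide a window anchored at each denial; stop at the first window that qualifies.
        for i, start in enumerate(denials):
            in_window = [d for d in denials[i:] if d["ts"] - start["ts"] <= window_seconds]
            segments = {d["segment"] for d in in_window}
            if len(segments) >= min_segments:
                alerts.append({"user": user, "first_ts": start["ts"], "segments": sorted(segments)})
                break
    return alerts


if __name__ == "__main__":
    for alert in find_cross_segment_denials(parse_log(SAMPLE_LOG)):
        print(f"ALERT user={alert['user']} denied across {alert['segments']} starting at ts={alert['first_ts']}")
```

On the sample above, `bob`'s single denial produces nothing, while `alice` is flagged once for the billing/hr/payments cluster; the later allowed request in `tickets` an hour on does not change that. The window and segment thresholds are the knobs to tune against your own baseline of benign denials.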
Least privilege
Another guiding principle of Zero Trust is least privilege: the concept that users should be granted only the access they absolutely need to do their job (and nothing more). By definition, least privilege is based on controlling access.
Least privilege means that fewer users have full/open access. Not all system users will need full access. By following least privilege, you reduce the pool of users that have admin privileges, which reduces the chances that these logins can be hijacked by attackers and prevents accidental changes to your data and systems. Thus, least privilege also minimizes risk.
Device access control
Just as Zero Trust controls access for users, it also controls access across devices. With device access control, you can set rules for what each device type (for example, desktop computer or mobile device) can access, in addition to rules for what each user can access. You can also set rules so that only authorized devices (such as laptops that your company issues) can access your most sensitive data. As a result, a user can only access data if both their user credentials and their device are allowed access by Zero Trust.
Microsegmentation
One of the main ways that you can reduce risk is to contain it. If there's a security breach, you want that breach to stay isolated so that it can be remediated.
That's where microsegmentation comes in. Microsegmentation is a principle of Zero Trust that involves controlling access at the level of each segment, or group of resources/processes that would need to be accessed based on a given workload. Using microsegmentation you can create secure zones for each segment, with zones distributed across geographical locations, data centers, and cloud providers. These secure zones, together with policies set at the individual user level and the device level, would all need to fail in order for an attacker to gain broad access to the data. Attackers who do gain access would likely only gain entry to a single zone's data, which shrinks the risk pool for a single attack.
Preventing lateral movement
Similar to microsegmentation, preventing lateral movement is a key part of Zero Trust that relies on keeping different sections of data separate. Then, it focuses on preventing attackers from gaining entry to one part of the network and moving laterally to another area that requires similar permissions.
For example, an attacker might move laterally by gaining access to a lower-security device that doesn't typically handle sensitive data but has the credentials stored for a high-security API. Through that device, they might access the sensitive data. Preventing lateral movement focuses on segmenting the network resources to ensure this type of attack won't work.
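The principles above (continuous validation, least privilege, device access control, microsegmentation, and preventing lateral movement) all land in the same place in practice: a policy check that runs on every request. The following is an added example, not code from the original article or from any ZTNA product, of such a check written as a single function. It re-validates the session on each call, requires a managed, patched device for sensitive segments so that a valid credential presented from a weaker device does not get the sensitive data, and scopes each role's permissions to a segment. The role names, segment names, device posture fields, and session lifetime are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple


@dataclass(frozen=True)
class Session:
    user: str
    roles: FrozenSet[str]
    device_id: str
    issued_at: int       # seconds since epoch (constructed values in the demo)
    ttl: int = 900       # short-lived on purpose: every call re-checks it


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool        # company-issued and enrolled in device management (assumed signal)
    patched: bool        # posture reported by an endpoint agent (assumed signal)


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


# Least privilege: each role maps to exactly the (segment, action) pairs it needs.
# Constructed policy; the role and segment names are assumptions.
ROLE_PERMISSIONS: Dict[str, FrozenSet[Tuple[str, str]]] = {
    "support": frozenset({("tickets", "read"), ("tickets", "write")}),
    "billing-analyst": frozenset({("billing", "read")}),
    "billing-admin": frozenset({("billing", "read"), ("billing", "write")}),
}

# Microsegmentation: segments holding sensitive data additionally require a managed,
# patched device. This is what stops the lateral-movement case in the text: the credential
# may be valid, but the weaker device is not allowed into the sensitive segment.
SENSITIVE_SEGMENTS = frozenset({"billing"})


def authorize(session: Session, devices: Dict[str, Device],
              segment: str, action: str, now: int) -> Decision:
    # 1. Continuous validation: the session is checked on every request, not only at login.
    if now < session.issued_at or now - session.issued_at > session.ttl:
        return Decision(False, "session expired; re-authenticate")

    # 2. Device access control: the device must be known, and sensitive segments need good posture.
    device = devices.get(session.device_id)
    if device is None:
        return Decision(False, f"unknown device {session.device_id}")
    if segment in SENSITIVE_SEGMENTS and not (device.managed and device.patched):
        return Decision(False, f"device {device.device_id} not permitted in segment {segment}")

    # 3. Least privilege, scoped per segment: the union of the roles' permissions must
    #    contain this exact (segment, action) pair. No role grants "everything".
    allowed = frozenset().union(*(ROLE_PERMISSIONS.get(r, frozenset()) for r in session.roles))
    if (segment, action) not in allowed:
        return Decision(False, f"roles {sorted(session.roles)} lack {action} on {segment}")

    return Decision(True, "allow")


# Constructed device inventory for the demo.
DEVICES: Dict[str, Device] = {
    "lt-0412": Device("lt-0412", managed=True, patched=True),
    "byod-77": Device("byod-77", managed=False, patched=True),
}


def demo() -> None:
    analyst = Session("alice", frozenset({"billing-analyst"}), "lt-0412", issued_at=1000)
    same_user_byod = Session("alice", frozenset({"billing-analyst"}), "byod-77", issued_at=1000)
    for label, sess, seg, act, now in [
        ("analyst reads billing from managed laptop", analyst, "billing", "read", 1100),
        ("analyst tries to write billing", analyst, "billing", "write", 1100),
        ("same credential from unmanaged device", same_user_byod, "billing", "read", 1100),
        ("session past its ttl", analyst, "billing", "read", 2000),
    ]:
        d = authorize(sess, DEVICES, seg, act, now)
        print(f"{label}: {'ALLOW' if d.allowed else 'DENY'} ({d.reason})")


if __name__ == "__main__":
    demo()
```

The third case in `demo()` is the lateral-movement scenario from the text: the same user and the same valid session are refused purely because the request arrives from a device the sensitive segment does not trust. In a real deployment the device posture would come from your endpoint management system and the permissions from your identity provider; the shape of the decision stays the same.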
Multi-factor authentication (MFA)
Multi-factor authentication (MFA) is something you're likely familiar with by now. It means that you can't log in with just a username and password; users must also follow a secondary set of steps to authenticate, such as clicking a link sent to a verified phone number, supplying a code sent to a verified email, or providing the code from an authenticator app.
MFA is an important part of risk minimization for Zero Trust because usernames and passwords can easily be stolen, shared, stored on a public machine, or brute-force cracked. MFA makes it less likely that these types of attacks can succeed because the attacker would also need access to the verified phone, email address, or authenticator app. However, today there is also increased wariness of SMS-based MFA due to lack of encryption, SIM swapping, and SS7 vulnerabilities. This is a key reason why it is important to implement several measures (defense in depth) to ensure sound security.
What are the benefits of Zero Trust?
Now that we've reviewed the principles of Zero Trust, let's consider why you might want to use it for your organization. Here are some of the benefits of Zero Trust:
Help ensure network trust and thwart malicious attacks
First and foremost, Zero Trust gives you peace of mind about network trust and blocks many attacks on your API.
Network trust involves knowing that the resources on your network are secure, which can be very difficult to check manually. Zero Trust means adopting technologies that help you maintain network trust without manual intervention.
Zero Trust also makes it more difficult for attackers to succeed in many types of malicious attacks, including injection attacks (when attackers provide malicious input into your API or application) and denial of service attacks (when attackers purposely overwhelm your system). Plus, it protects against all of the possible points of entry that we explored in the Zero Trust principles above.
Provide secure application access for employees and partners
The peace of mind from Zero Trust isn't just for those concerned about an organization's data; employees and partners get secure application access when you use Zero Trust, which means they don't have to worry about their credentials being stolen and exploited. You also strengthen your brand's reputation among partners and customers by ensuring API security.
Reduce complexity and save on IT resources
While Zero Trust may sound complicated at first, adopting it can actually simplify security processes and save you a good deal on IT resources. The technologies you implement to fulfill Zero Trust principles can automatically track security elements that you may currently be managing manually (such as granting permissions to groups of users). They can also point out underutilized or overallocated resources, such as cloud provider buckets that cost you money but aren't being used.
And then, of course, there's the financial savings of avoiding a data breach, which can cost an organization millions of dollars.
Other compelling reasons to adopt a Zero Trust strategy
There are other reasons to adopt a Zero Trust strategy besides the ones we've already discussed. These include:
- Meet emerging regulations. More and more laws are being created requiring that organizations protect private data. Aside from the negatives of a data breach, you can proactively align yourself with these laws by implementing Zero Trust today.
- You can more easily adopt a remote or hybrid work strategy. Since Zero Trust protects access from all devices and all locations, you don't need employees to be on-prem, which opens up the benefits of remote and hybrid work models.
- Your teams will have more time to focus on what matters. Using technologies that enforce governance policies means that administrative security tasks are completed automatically. Your team gets that time back to do the things that can't be automated.
How to Implement a Zero Trust Architecture
If we've convinced you to implement Zero Trust, you're probably wondering how to get started. There are a few high-level steps you can take to implement Zero Trust:
- Determine the areas that you need to protect, including data, applications, devices, etc.
- Find tools to carry out the principles of Zero Trust and create a policy that fits your organization's needs.
- Put the tools in place and ensure ongoing monitoring.
But if you're looking for a first step you could take right away, we suggest that you consider enforcing MFA. There are lots of commercial off the shelf solutions that can help you put MFA in place quickly, and it brings you closer to implementing your entire Zero Trust policy.
It's time to implement Zero Trust for your organization
The Zero Trust model is a robust solution to API security concerns, and we hope that this article has made it clear how it can help you control access and mitigate risk. Zero Trust brings together monitoring, access control, and segmentation to keep your resources safe from attackers. When it comes to securing your API, Zero Trust should absolutely be part of the conversation, if not the first priority, for your organization.