Zero trust security is a modern approach to network access control. As migration to cloud services accelerates and remote work continues to evolve, a new framework for protecting digital resources is needed. Traditional approaches that implicitly trust credentialed users within a network create a significant security risk by giving intruders who have penetrated the security perimeter the ability to operate from within. Zero trust security solves this by eliminating implicit trust, replacing it with stringent identity verification and continuous user validation at each stage of the digital journey. This same process is applied to those attempting to gain network access and those already within it.
WHAT IS ZERO TRUST SECURITY?
Zero trust security is a cybersecurity strategy based on the National Institute of Standards and Technology (NIST) SP 800-207. This publication outlines how to move organizations beyond granting network access to users based on their physical or network locations or asset ownership.
Traditional network security is based on the assumption that everything within the network is implicitly trusted. Once inside, users are allowed to operate largely unchallenged, moving within the network and accessing network assets at will. Much like soldiers occupying a frontier outpost, the stockade walls are vigorously defended while anyone already inside the fort is allowed to move about freely. But this framework allows malicious actors who have gained access to a private network to sit and wait, move laterally within the network, and/or access sensitive digital assets.
Zero trust security takes a different approach to access control by requiring all users (even admins) to be verified before proceeding. Zero trust verifies every user, device, and IP address attempting to access a resource. This concept resembles how the human immune system works: Just because something has found its way inside the body doesn’t mean it belongs there or is allowed to stay. Zero trust security begins with the assumption that a user doesn’t belong and involves the authentication and authorization of both the user and the device they’re on before granting permission to proceed.
WHY ZERO TRUST IS NECESSARY
Technological and societal changes have necessitated a new approach to enterprise network security. Remote workers who use their own devices have created a new set of access control challenges. In addition, a significant increase in the use of cloud-based assets has forced security experts to rethink how to best secure their digital assets, especially when they no longer fall neatly into a set of predefined network perimeters. These shifts are reflected in zero trust’s focus on safeguarding resources such as digital assets, services, and network accounts. According to the zero trust security paradigm, network location no longer underpins the security posture of the resource.
PRINCIPLES OF ZERO TRUST
Zero trust security is based on a collection of principles that guide its implementation.
Here are six tenets that define how access is controlled.
Continuous monitoring and validation
The foundation of a zero trust network is that no device or user, inside or outside the network, is ever implicitly trusted. Every user and device attempting to access resources is monitored and must have their identity and privilege verified when attempting to access digital resources. Additionally, users must reauthenticate periodically based on login and connection time-outs, creating an additional layer of security.
Least privilege access provides users with the bare-minimum level of network access they need to accomplish required tasks. By carefully managing user permissions, the principle of least privilege creates strict need-to-know access controls that reduce opportunities for unnecessary exposure to sensitive areas of the network.
User access isn’t the only type of access control in a zero trust network. In an effort to further reduce the attack surface, zero trust places tight controls on devices, too, monitoring the number of devices seeking access, authorizing each one, and assessing them individually to verify they haven’t been compromised.
Microsegmentation divides security perimeters into smaller units, each with its own access. In a zero trust network, these smaller zones are secured individually. A large cloud network using microsegmentation could include many individual secure zones. Users who have access to one zone can’t gain access to other zones without undergoing separate authorization. Microsegmentation is equivalent to someone trying to gain access to a home where each individual room has its own key—just because you’ve made it through the front door doesn’t guarantee you’ll be able to make it past the first room you enter.
Preventing lateral movement
One of the main benefits of microsegmentation is the prevention of lateral movement. Traditional network security focused on guarding network access points. But once inside, users could move about largely unchallenged, shifting laterally from one part of the network to others. Microsegmentation prevents lateral movement by securing each zone individually. If an attacker gains access to one segment, they’re unable to move into others.
Multi-factor authentication (MFA)
Multi-factor authentication (MFA) requires that multiple pieces of evidence be provided before access is granted. Entering a password is a start, but MFA requires at least one other form of proof before a user is authenticated. If you’ve tried to log into a website only to be prompted to enter a security code sent to your email or via text to your cell phone, you’ve experienced multi-factor authentication firsthand. MFA is a network access control backstop that protects against unauthorized user access from accounts with compromised user passwords.
BENEFITS OF A ZERO TRUST SECURITY PROVIDER
Choosing cloud data providers who support a zero trust approach (such as Snowflake) will significantly improve your network security. Here are several benefits of using Snowflake with a zero trust architecture.
Ideal for the cloud
Using network policies, organizations can specify which IP addresses can connect to the cloud data platform. In addition, trusted resources can be set to come only from predefined IP addresses under the organization’s control. Snowflake supports a variety of open standards for identity management and can integrate with an organization’s identity provider to ensure federated authentication via SAML 2.0. This enables the implementation of multi-factor authentication, adding layers of trust to a user or resource.
Superior data protection
By design, microsegmentation prevents lateral movement within a network, allowing large data centers to be configured into smaller zones with each one secured individually. With data in each zone secured separately from other zones, an attacker’s ability to move within the network is constrained, reducing the potential severity of a damaging data breach.
Monitoring activity on enterprise-owned networks and SaaS applications is part of establishing a zero trust framework. For example, Snowflake’s Account Usage schema provides organizations with a powerful way to monitor Snowflake and understand what is normal activity, including user login behavior, authentication types, granting of administrative privileges, and IP addresses of resources connecting to Snowflake.
With Snowflake’s Cybersecurity workload, customers gain access to the power and elasticity of Snowflake’s platform to natively handle structured, semi-structured, and unstructured logs. Customers are able to efficiently store years of high-volume data, search with scalable on-demand compute resources, and gain insights using universal languages such as SQL and Python, currently in private preview. With Snowflake, organizations can also unify their security data with enterprise data in a single source of truth, enabling contextual data from HR systems or IT asset inventories to inform detections and investigations for higher-fidelity alerts, and running fast queries on massive amounts of data.
Less-demanding security workloads
Implementing a zero trust security framework streamlines security workflows, reducing the amount of time your security team spends on manual network security-related tasks, allowing them to spend more time analyzing data to find new ways to improve their security posture. Using the Snowflake Data Cloud enables cybersecurity teams to break down data silos to enable better visibility, deliver advanced analytics that remove manual processes, and give security teams a clearer picture of evolving risks and threats coming their way.
Better user experience
A zero trust network automatically provides access only to what users need without waiting on administrators for approval. This improves the user experience, resulting in quicker access to resources without network performance issues that can accompany the use of VPNs.