First coined by Forrester Research, zero-trust architecture “abolishes the idea of a trusted network inside a defined corporate perimeter.” Put simply, zero-trust means “never trust, always verify.” Zero-trust assumes your systems are already compromised by cyber intrusion. Under zero-trust, the enterprise is mandated to create micro-segmentation around sensitive data, backed by deep visibility into how the enterprise uses data across its ecosystem in pursuit of customer satisfaction. This combination of micro-segmentation and awareness greatly enhances security across the enterprise.
As described by O’Reilly Media, the increasingly popular zero-trust approach is based on five key premises:
The network is always hostile.
External and internal threats always exist on the network.
Network locality isn’t enough to decide trust in a network.
Every user, device, or network flow must be authenticated and authorized.
Policies need to be dynamic and derived from multiple data sources.
Why is Network Perimeter Trust Insufficient?
Bad actors can breach networks in countless ways. Granting trust to a user who has somehow passed only one layer of your network security both creates a false sense of security and introduces multiple security gaps.
Perimeter trust ignores changes in policy and context. Relying on IP address data alone to establish trust is insufficient protection: it ignores risk signals such as user type, business role, and the context of the request (geo-location, time of day). Beyond the security concerns, ignoring these controls also represents a potential policy compliance failure.
Perimeter trust also ignores the possibility of compromised credentials. Per Verizon’s 2019 Data Breach Investigations Report, 32% of breaches stemmed from phishing attacks, while 29% involved stolen credentials. By trusting the credentials of a single user, your network becomes susceptible to the same kind of outside attack.
Finally, perimeter trust also ignores the existence of compromised devices already on the network. Compromised devices can be introduced to corporate networks, deliberately or accidentally, by countless means. Symantec's 2019 Internet Security Threat Report indicates that “one in 36 devices used in organizations present high risk.” Such devices may carry malware and other malicious software.
Zero Trust security provides defense in depth based on a handful of guiding practices:
Establish trusted user identities backed by strong identification, visibility and authentication.
Enable secure access to all apps on the network.
Enforce adaptive, risk-based policies at endpoints.
Ensure trustworthy device and data transactions.
Grey Matter ensures security and access control based on zero-trust design and implementation.
Industry has signaled increased interest in zero-trust infrastructure for service-to-service mTLS connections, scheduled or on-demand key rotations, service cryptographic identifiers, observability (i.e. continuous monitoring, granular audit compliance), service level management, and policy management throughout the enterprise service fleet.
Grey Matter meets each of these requirements. Leveraging zero-trust within Grey Matter, development teams can quickly and flexibly deploy new capabilities and functions without instrumenting each one specifically for security or compliance. The platform enables zero-trust segmentation that enforces secure business operations while capturing an audit record for every event in a normalized and repeatable way, establishing a baseline for compliance reporting.
The concept of Zero Trust is centered on the belief that an enterprise should not automatically trust systems or services inside or outside its perimeter, but should instead verify everything attempting to connect before granting access. Grey Matter is designed to operate under a zero-trust threat model so that each service and transaction running within a Grey Matter enabled hybrid mesh is appropriately protected.
Grey Matter brings a multi-faceted security model and deep compliance insight to the service mesh and data layers, drastically reducing the complexity burden on developers. The platform enables Enterprise IT teams to continuously deploy to a common hybrid mesh while maintaining security enforcement and compliance reporting.
Zero Trust security requires the following six areas of control. Together, they provide a defense in depth approach to securing corporate resources no matter where they’re deployed and who needs access to them.
Verify the identity of all users with secure access solutions such as two-factor authentication (2FA) before granting access to corporate applications and resources.
During authentication and authorization, verify the following before proceeding:
Is this user legitimate?
Was this user identified in a manner that is acceptable to the task being performed?
Is their device healthy enough for the task they are performing?
Is this user who they say they are?
Should this user have access under any circumstance?
Should this user have access given their current circumstances?
Verifying and authenticating user identity from the moment of registration to each request for access is critical to improving security. These capabilities ensure that all users (privileged and not) and all resources are protected no matter where they’re deployed.
Gain Visibility into Devices & Activity
Gain visibility into every device used to access corporate applications, whether or not the device is corporate managed, without device management agents.
Legitimate users often incidentally expose their organizations to high levels of risk by accessing resources with compromised devices. These capabilities ensure that when a device is compromised, access won’t be provided.
Protect every application by defining policies that limit access only to users and devices that meet your organization's risk tolerance levels. Define, with fine granularity, which users and which devices can access what applications under which circumstances.
Grant users secure access to all protected applications through a frictionless secure single sign-on interface accessible from anywhere without a VPN. Protect all applications - legacy, on-premises and cloud-based.
Preventing lateral movement between segments is often the most effective way to minimize the impact of a breach. These capabilities ensure that breaches are contained with access terminated as soon as malicious behavior is detected or a risk threshold is exceeded.
Attacks come from those with valid credentials as well as from the outside. These capabilities ensure that context is included in all authorization decisions and that vulnerabilities in applications and APIs are covered.
Ensure Device and Data Transaction Trustworthiness
Certain transactions pose more risk than others. Grey Matter's capabilities ensure that high-risk transactions are re-verified with the user and that anomalous behavior is recognized.
Grey Matter inspects all devices used to access corporate applications and resources at the time of access to determine their security posture and trustworthiness. Devices that do not meet the minimum security and trust requirements set by your organization are denied access to protected applications.
Is this session still driven by the real user?
Does the amount of trust in the user identity match the level of risk associated with this transaction?
Has the request been verified?
Did the user provide consent for access, and to whom?
What transactions (READ, MODIFY, DELETE) did they consent to?
Should this data be encrypted?
Whether it's sensitive IP or user data covered by one of the many privacy regimes popping up around the globe, data security has become paramount for many organizations. These capabilities ensure that data is encrypted where it needs to be, and that users are always in control of their data.
Start your zero-trust journey with a strategic deployment of global, adaptive authentication. Use this capability as the policy administration and decision point where all risk signals and policy decisions meet.
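To make the authorization and transaction questions above concrete, here is an added example of a minimal per-request policy decision point; it is not Grey Matter's code, and the request fields, the role/geo/business-hours thresholds and the outcomes (allow, deny, step_up) are assumptions constructed for illustration.

```python
# Added example (not Grey Matter's code): a per-request policy decision point
# that walks the zero-trust questions (identity, device health, consent,
# context, transaction risk). All field names and thresholds are constructed.
from dataclasses import dataclass

RISKY_ACTIONS = {"MODIFY", "DELETE"}   # transactions that always raise risk

@dataclass(frozen=True)
class Request:
    user: str
    roles: frozenset        # business roles asserted by the identity provider
    auth_factors: int       # 1 = password only, 2 = password + second factor
    device_managed: bool    # is the device corporate-managed?
    device_patched: bool    # does it meet the minimum security posture?
    geo: str                # country code of the request origin
    hour_utc: int           # hour of day (UTC) the request was made
    action: str             # READ, MODIFY or DELETE
    data_sensitive: bool    # regulated or IP data?
    consented: frozenset    # transactions the user consented to

def decide(req, allowed_roles, allowed_geos=frozenset({"US"}), hours=(8, 18)):
    """Return (decision, reasons); decision is 'allow', 'deny' or 'step_up'."""
    # Should this user have access under any circumstance? Role is checked
    # first; network location is never consulted.
    if not (req.roles & allowed_roles):
        return "deny", ["user lacks an authorized role"]
    # Is the device healthy enough for the task? Unhealthy devices never get in.
    if not req.device_patched:
        return "deny", ["device fails minimum security posture"]
    # What transactions did the user consent to?
    if req.action not in req.consented:
        return "deny", [f"no consent recorded for {req.action}"]
    # Should this user have access given their current circumstances?
    reasons = []
    if req.geo not in allowed_geos:
        reasons.append(f"request from unexpected location {req.geo}")
    if not hours[0] <= req.hour_utc < hours[1]:
        reasons.append("request outside business hours")
    if not req.device_managed:
        reasons.append("unmanaged device")
    if req.data_sensitive:
        reasons.append("sensitive data")
    if req.action in RISKY_ACTIONS:
        reasons.append(f"high-risk transaction {req.action}")
    # Does trust in the identity match the risk of the transaction? Any risk
    # signal demands a second factor (step-up); a single factor is enough only
    # for a low-risk READ from a managed device in an expected context.
    if reasons and req.auth_factors < 2:
        return "step_up", reasons
    return "allow", reasons
```

The returned reasons list is what an audit record for the decision should carry, so that every allow, deny and step-up is explainable after the fact.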