With vanishing perimeters and multi-cloud or hybrid cloud environments becoming the norm, enterprises are beginning to realize that trust, even within the network, can no longer be implicit. This realization is one of the main reasons why CIOs and CISOs across the world have started adopting zero trust principles into their cybersecurity strategy. However, before implementing zero trust into your security framework, you must first gain a deeper understanding of trust and its various dimensions, as trust is at the very core of this model.
These are the four key trust dimensions in zero trust security:
- User Trust
- Location Trust
- Device Trust
- Time Trust
The 4 Different Dimensions of Trust
In the traditional security model, trust is largely treated as a static factor. If a device is present within the company’s premises, it is provided access to connect to other servers. Likewise, when a user logs in, they are provided access to their company’s data until they log out. However, the zero trust security model states that trust should no longer be static. It should change based on: Who wants to access what (resource/data), from which location, using what device, and at what time? Here are four major trust dimensions that come into play when deploying zero trust security.
1. User Trust
User trust is the most common trust dimension and is usually established by a login mechanism which could be a password or biometrics. In recent times, enterprises have deployed multifactor authentication as an additional security layer. In the case of user trust, authorization is granted once the identity has been established. However, identity theft and insider threats are security challenges you must be prepared for when using only user trust for authorization or access. A simple but effective method to overcome this challenge is to employ the principle of least privilege by providing need-to-know access or limited-time access to resources.
2. Location Trust
The location from which a user accesses network resources can also be a key trust dimension. A user could be accessing an application from within the company premises, a corporate network, or from a public place such as a café. The risk of providing access varies significantly with the location. Location trust can be established with several fine-grained location parameters like:
- Network profiles (e.g., office, home, or public Wi-Fi)
- Site or building differentiation (e.g., Headquarters, Building 1, the New York Branch, US-Arizona, or EU-London)
- Country, state, or city
- GPS data
A combination of different parameters could be used to restrict or grant access based on the user’s location.
3. Device Trust
Most users today juggle several devices and demand access from multiple devices to stay connected with the enterprise network. These could be company laptops managed by the enterprise’s IT department, work or personal phones, tablets, or personal laptops. The risk factor involved with each of these devices depends on the operating system used by the device, security solutions installed, and whether it has the latest security patches. Also, device trust is not static. For example, if an employee was on vacation and his device missed a security patch, then that device would have a lower trust score.
4. Time Trust
Risk can also be identified based on the time at which a resource is being accessed. The time information that is used as a trust factor could be the time zone or the clock time. In practice, the time information needs to be correlated with other trust factors, such as location. For example, an employee working from the company premises might have access to an application only during working hours. However, if they are at a location that falls in a different time zone, access should be granted based on work hours followed in that time zone.
Applying Trust Dimensions to Achieve Zero Trust Security
To start your zero trust journey, the first step is to determine what needs to be protected. The second is to decide the trust parameters on which access needs to be granted to each of the protected entities. By using a combination of the four trust dimensions explained in this blog, a fine-grained and dynamic trust framework can be created to effectively control access to resources and data. For successful deployment, enterprises should invest in solutions that address multiple trust dimensions and offer a robust policy engine that can enforce fine-grained policies based on context, especially since trust is both dynamic and variable.
ColorTokens Xshield enables enterprises to implement zero trust security across data center, multi-cloud, and hybrid cloud environments by delivering deep visibility and micro-segmentation of critical network assets. To see Xshield at work, sign up for a free, customized demo.
About the Author: Natarajan Venkataraman is a Distinguished Engineer at ColorTokens. He has over two decades of experience in domains like embedded systems, networking, and security. As a network architect, his career spans leading companies like Ericsson, Intel, and Juniper Networks. He has filed nine patents, authored articles, and delivered lectures on topics covering QoS, network data plane, and cybersecurity.