International Journal of Innovative Science and Research Technology, Volume 9, Issue 9, September 2024
ISSN No: 2456-2165, https://doi.org/10.38124/ijisrt/IJISRT24SEP1521

Zero Trust Security: Is it Optional?


Prashant Bansal

Abstract:- Zero Trust Architecture (ZTA) is a cybersecurity model that authenticates and authorizes every interaction between a user or device and a network. It's based on the idea that "trust is good, but control is better", and assumes that all networks and traffic could be potential threats. ZTA goes beyond the traditional "trust but verify" approach by treating every access request as potentially dangerous and requiring a thorough check before granting access, regardless of the requester's identity or location. Zero Trust is a security model that assumes nothing should be trusted automatically, even within a network. It requires all users, regardless of location, to be verified and authorized before accessing resources. This is achieved through strict security measures like multi-factor authentication, advanced endpoint protection, and robust identity management. Today, people expect to access applications and data anytime, anywhere. With the rise of cloud computing and IoT, the number of connected devices and potential attack points is growing. To protect data and networks, we need a new approach. This article explains what Zero Trust is and some of its key principles.

Keywords:- ZTNA, Zero Trust, Security, Authentication, Authorization, Cyberthreat, Cybersecurity, Zero Trust Security.

I. INTRODUCTION

The traditional castle-and-moat security model, where anything and everything inside the firewall was automatically trusted, has long been outdated. What if organizations can't trust anyone or anything inside or outside their network? Can organizations still be secure? This is where Zero Trust Security comes into the picture.

Cybersecurity has a history of quick-fix solutions to protect data from various threats. These have included encryption, access controls, firewalls, VPNs, SSL/TLS, PKI, blockchain, AI, and more. A common theme is the level of trust placed in internal and external users and systems. Today, the latest proposed solution, Zero Trust, takes this to the extreme by assuming that no one and nothing can be trusted at any time. Zero Trust Security is about lowering the trust level of the network and considering how to design security principles and deploy appropriate security controls, based on the assumption that the network is compromised and cannot be trusted.

Zero Trust doesn't introduce a completely new security philosophy. It enhances existing security measures by adding more checkpoints and time limits. The previous "defense-in-depth" approach did something similar, but in smaller areas, creating isolated systems that made sharing data difficult while focusing on physical security. Zero Trust makes it possible for organizations to regulate access to systems, networks, and data without giving up control. Therefore, the number of organizations moving to a zero-trust security model (meaning trusting nobody) is growing, so that companies can safeguard data with security controls that restrict access to the data according to a specific policy.

While Zero Trust doesn't offer new technologies, it's gaining popularity due to a government mandate. Executive Order 14028 required U.S. federal agencies to implement Zero Trust to improve information sharing between agencies. This order aimed to balance sharing with security, a long-standing challenge. Previous security models focused on limiting access based on need-to-know, while Zero Trust emphasizes the need to share. However, individual program managers may still be hesitant to share data due to concerns about security.

II. 8 PRINCIPLES OF ZERO TRUST

Zero Trust is a security paradigm that assumes nothing inside or outside a network can be trusted automatically. It requires strict verification and authorization for all access requests, regardless of the user's location or device. Zero Trust security marks a major shift in cybersecurity. It demands a fresh look at security strategies, stricter access control, and constant monitoring. As more businesses move to the cloud, remote work, and mobile devices, the need for a more flexible security approach grows. Zero Trust provides a framework that fits well with today's changing network environments.

Here are the eight core principles of Zero Trust security:

A. Never Trust, Always Verify:
• This fundamental principle emphasizes that no user, device, or application should be trusted implicitly. Every request, regardless of its origin, must be verified before access is granted.

B. Least Privilege:
• Grant users only the minimum necessary permissions to perform their job functions. This principle helps to reduce the potential damage caused by unauthorized access or compromised accounts.

IJISRT24SEP1521 www.ijisrt.com 3336


C. Zero Trust Perimeter:
• Eliminate the traditional network perimeter. Instead, consider every device and user within the network as potentially compromised. This approach helps to prevent lateral movement of threats within the organization.

D. Micro-Segmentation:
• Divide the network into smaller, isolated segments to limit the impact of a security breach. This principle helps to contain threats and prevent them from spreading to critical systems.

E. Continuous Monitoring:
• Constantly monitor user behavior, device health, and network traffic for anomalies. This proactive approach can help to detect and respond to threats before they cause significant damage.

F. Assume Breach:
• Assume that a breach has already occurred and design defenses accordingly. This mindset helps to focus on mitigating the impact of a breach rather than preventing it entirely.

G. Risk-Based Access Control:
• Make access decisions based on the risk associated with each request. This approach helps to prioritize security measures and allocate resources effectively.

H. Centralized Policy Enforcement:
• Enforce consistent security policies across the entire organization. This helps to ensure that all users and devices are subject to the same rules, reducing the risk of inconsistencies and vulnerabilities.

By adopting these principles, organizations can significantly enhance their security posture and protect against emerging threats. Zero Trust is a proactive approach that helps to shift the focus from preventing breaches to mitigating their impact.

III. CORE COMPONENTS OF ZTA

• Identity and Access Management (IAM): A centralized system for managing user identities and granting access to resources. It is a critical component of modern cybersecurity, providing a framework for managing user identities, authenticating their access, and authorizing their privileges within an organization's IT infrastructure. IAM plays a crucial role in Zero Trust security: it ensures that only authorized users with the necessary privileges can access sensitive data and applications. By implementing strong authentication and authorization controls, IAM helps to prevent unauthorized access and mitigate the risk of data breaches. In short, by effectively managing user identities and access privileges, organizations can enhance security, improve efficiency, and comply with industry regulations.

• Endpoint Security: Protects devices (laptops, smartphones, etc.) from threats and ensures they meet security standards. These devices, often referred to as endpoints, are vulnerable to various threats, including malware, viruses, ransomware, and unauthorized access. By ensuring that endpoints are protected and compliant, organizations can reduce the risk of unauthorized access and data breaches. Endpoint security solutions can verify the security posture of a device before it is granted access to network resources and data.

• Network Segmentation: Divides the network into smaller, isolated segments to limit lateral movement of threats. This approach helps to limit the spread of threats and reduce the potential damage caused by security breaches. By dividing the network into smaller segments, organizations can implement a more granular approach to access control and reduce the risk of lateral movement of threats.

• Micro-Segmentation: Further subdivides networks into smaller, more granular segments for enhanced control. This technique helps to reduce the potential impact of security breaches and ensures that only authorized users and devices can access specific resources, even if a breach occurs.

• Data Loss Prevention (DLP): Monitors and prevents unauthorized access to sensitive data. It is a security strategy that helps organizations identify, monitor, and prevent the unauthorized use, disclosure, or loss of sensitive data. DLP solutions can be implemented at the network, endpoint, or application level to detect and block data breaches.

• Application Control: Restricts access to specific applications based on user roles and privileges. By limiting the types of applications that can be run and restricting the use of unauthorized or potentially malicious software, organizations can reduce the risk of malware infections, data breaches, and other security threats, and ensure that only authorized applications can access sensitive information.

• Network Access Control (NAC): Ensures devices meet security requirements before granting network access. It is a security strategy that ensures that only authorized devices meeting specific security requirements can access a network. NAC solutions can be implemented at the network perimeter or at individual endpoints to enforce access control policies. By admitting only authorized, compliant devices, NAC helps to reduce the risk of data breaches and other security threats, and it can be used to implement a more granular approach to access control so that only authorized users and devices can access specific resources.

IV. TWO IMPORTANT FACTORS

A. Users: The Foundation of Zero Trust

Users are the individuals who interact with an organization's network and resources. In a Zero Trust environment, users must be authenticated and authorized before being granted access to any system or data. This involves verifying their identity and ensuring that they have the necessary permissions to perform their job functions.

• Identity and Access Management (IAM): A critical component of Zero Trust is IAM, which provides a framework for managing user identities, authenticating their access, and authorizing their privileges.
• Multi-Factor Authentication (MFA): Requiring users to provide multiple forms of identification, such as a password, a security token, or a biometric scan, can significantly enhance security.
• Role-Based Access Control (RBAC): Assigning users roles based on their job functions and granting them appropriate permissions can help to ensure that only authorized individuals can access sensitive information.

• User Behavior Analysis:
  • Anomaly Detection: Monitor user behavior for unusual patterns that may indicate malicious activity, such as excessive data transfers or unusual login times.
  • Privilege Abuse: Detect instances where users are accessing resources that are outside the scope of their authorized privileges.

• User Education and Training:
  • Security Awareness: Provide users with training on security best practices, such as strong password management, phishing prevention, and recognizing social engineering tactics.
  • Policy Enforcement: Ensure that users understand and comply with the organization's security policies.

B. Policies: The Rules of the Road

Policies define the rules and guidelines that govern access to an organization's network and resources. In a Zero Trust environment, policies must be comprehensive, up-to-date, and enforced consistently.

• Least Privilege: The principle of least privilege dictates that users should be granted only the minimum necessary permissions to perform their job functions. This helps to reduce the risk of unauthorized access and data breaches.
• Separation of Duties: Dividing responsibilities among different users can help to prevent fraud and abuse.
• Data Classification: Classifying data based on its sensitivity level can help organizations implement appropriate security controls.
• Regular Policy Reviews: Policies should be reviewed and updated regularly to ensure that they remain aligned with the organization's changing needs and security requirements.

C. Dynamic Policy Management:
• Contextual Awareness: Adjust policies based on factors such as user location, device type, and network conditions.
• Real-time Updates: Implement mechanisms for updating policies in real time to respond to emerging threats.

D. Policy Enforcement Point (PEP):
• Centralized Enforcement: Deploy a centralized PEP to enforce policies across the entire organization, ensuring consistency and reducing the risk of policy violations.
• Integration with IAM: Integrate the PEP with the organization's IAM system to ensure that policies are applied based on user identities and privileges.

E. Policy as Code:
• Automation: Define and manage policies as code, enabling automated enforcement and updates.
• Version Control: Use version control systems to track changes to policies and ensure that only authorized individuals can modify them.

V. CONCLUSION

ZTA is built on the principle of least privilege, which means that users and devices are only given the permissions they need to perform their tasks. This helps to reduce the attack surface and make it harder for attackers to gain access to sensitive data. ZTA also uses other security controls, such as granular micro-segmentation and multi-factor authentication (MFA), instead of the traditional "network perimeter" that gives broad permissions to all devices and users.

While ZTA could potentially provide better protection for an organization's data and systems, it can be difficult to implement because there's no widely accepted definition of what a fully functional ZTA looks like. However, it has been observed that ZTA can reduce risk impact by an average of $684,000 over four years for small to medium-sized organizations and enterprise-level organizations.

• Availability of Data and Materials: The author states that there are no data and materials to declare.
• Competing Interests: The author states that there is no conflict of interest.
• Funding: The author states that there is no funding available.
• Acknowledgements: NA
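The following is an added worked example, not code from the original article, showing how the principles of Section II (never trust, least privilege, risk-based access, centralized enforcement) and the policy items of Section IV B through E (contextual policy, a PEP integrated with identity, policy as code) fit together in one decision path. The policy layout, the role names, the risk weights and thresholds, and the "home country" set are all assumptions made for the illustration; in a real deployment the POLICIES structure would be a YAML or JSON file under version control.

```python
"""Zero Trust policy decision and enforcement as code.

Added example, not code from the original article. The policy file layout,
the risk weights and thresholds, the role names and the "home" countries
are all assumptions made for this illustration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Literal, Tuple

Decision = Literal["allow", "step_up", "deny"]

# Policy as code: in practice this lives in a version-controlled YAML/JSON
# file so every change is reviewed and tracked (assumed layout).
POLICIES: Dict[str, dict] = {
    "payroll-db": {"roles": {"finance", "hr"}, "managed_device": True, "sensitivity": 3},
    "wiki": {"roles": {"finance", "hr", "engineering"}, "managed_device": False, "sensitivity": 1},
}

HOME_COUNTRIES = {"US", "CA"}   # assumed; requests from elsewhere raise risk


@dataclass(frozen=True)
class AccessRequest:
    user: str
    roles: FrozenSet[str]
    mfa_verified: bool       # identity proven with a second factor
    device_managed: bool     # device enrolled with the organization
    device_patched: bool     # endpoint posture reported by the agent
    country: str
    hour_utc: int            # 0-23
    resource: str


def risk_score(req: AccessRequest, sensitivity: int) -> int:
    """Contextual risk: location, time of day, device posture and data
    sensitivity each add to the score. Weights are assumptions."""
    score = sensitivity
    if req.country not in HOME_COUNTRIES:
        score += 2
    if req.hour_utc < 6 or req.hour_utc > 22:
        score += 1
    if not req.device_patched:
        score += 2
    return score


def decide(req: AccessRequest, policies: Dict[str, dict] = POLICIES) -> Decision:
    """Policy decision point: default deny, every request evaluated afresh."""
    policy = policies.get(req.resource)
    if policy is None:
        return "deny"                    # no policy: nothing is trusted by default
    if not req.mfa_verified:
        return "deny"                    # never trust, always verify
    if not (req.roles & policy["roles"]):
        return "deny"                    # least privilege via RBAC
    if policy["managed_device"] and not req.device_managed:
        return "deny"                    # device posture gate (NAC / endpoint security)
    score = risk_score(req, policy["sensitivity"])
    if score >= 6:
        return "deny"
    if score >= 4:
        return "step_up"                 # risk-based: require a fresh MFA challenge
    return "allow"


class EnforcementPoint:
    """Centralized PEP: gates every resource call on the decision and
    records the outcome so continuous monitoring can consume it."""

    def __init__(self, policies: Dict[str, dict] = POLICIES) -> None:
        self.policies = policies
        self.audit: List[Tuple[str, str, Decision]] = []

    def handle(self, req: AccessRequest) -> Decision:
        decision = decide(req, self.policies)
        self.audit.append((req.user, req.resource, decision))
        return decision


def demo() -> Dict[str, Decision]:
    """Run a constructed set of requests through the PEP."""
    pep = EnforcementPoint()
    base = dict(mfa_verified=True, device_managed=True, device_patched=True,
                country="US", hour_utc=10)
    requests = {
        "alice-payroll": AccessRequest("alice", frozenset({"finance"}), resource="payroll-db", **base),
        "bob-payroll": AccessRequest("bob", frozenset({"engineering"}), resource="payroll-db", **base),
        "alice-abroad": AccessRequest("alice", frozenset({"finance"}), resource="payroll-db",
                                      **{**base, "country": "BR"}),
        "carol-wiki-night": AccessRequest("carol", frozenset({"engineering"}), resource="wiki",
                                          **{**base, "device_managed": False,
                                             "device_patched": False, "hour_utc": 23}),
        "dave-no-mfa": AccessRequest("dave", frozenset({"hr"}), resource="payroll-db",
                                     **{**base, "mfa_verified": False}),
        "eve-unknown": AccessRequest("eve", frozenset({"hr"}), resource="unknown-app", **base),
    }
    return {name: pep.handle(req) for name, req in requests.items()}


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:18s} -> {decision}")
```

The ordering of checks in `decide` is the point: identity, role and device posture are hard gates evaluated before any risk arithmetic, an unknown resource is denied rather than passed through, and the PEP never calls the resource itself without a decision on record. The audit list is what a Section II "Continuous Monitoring" pipeline would consume.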

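Section IV A names three behaviors a user behavior analysis should flag: unusual login times, excessive data transfers, and access outside a user's authorized scope (privilege abuse). The following is an added example, not code from the original article, that runs those three checks over a handful of constructed access-log lines. The log format, the business-hours window, the transfer threshold and the role-to-resource scopes are assumptions for the illustration.

```python
"""User behavior analysis over access-log records.

Added illustration, not code from the original article. The log format,
thresholds and role-to-resource scopes are assumptions for this example.
"""
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample log: timestamp, user, event, resource, bytes transferred.
SAMPLE_LOG = """\
2024-09-02T09:12:04Z alice login vpn 0
2024-09-02T09:15:30Z alice read payroll-db 120000
2024-09-02T03:41:10Z bob login vpn 0
2024-09-02T03:45:00Z bob read source-repo 900000000
2024-09-02T11:02:11Z carol read payroll-db 50000
2024-09-02T11:10:45Z carol read wiki 2000
"""

# Assumed role assignments and the resources each role is authorized for.
USER_ROLES = {"alice": "finance", "bob": "engineering", "carol": "engineering"}
ROLE_SCOPE = {
    "finance": {"vpn", "payroll-db", "wiki"},
    "engineering": {"vpn", "source-repo", "wiki"},
}

BUSINESS_HOURS = range(7, 20)        # 07:00-19:59 UTC, assumed
TRANSFER_LIMIT_BYTES = 500_000_000   # per user per log window, assumed

Record = Tuple[datetime, str, str, str, int]


def parse_log(text: str) -> List[Record]:
    """Parse the space-separated constructed format into typed records."""
    records: List[Record] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, resource, nbytes = line.split()
        records.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                        user, event, resource, int(nbytes)))
    return records


def analyze(text: str) -> Dict[str, List[str]]:
    """Return findings per user: off-hours logins, access outside the
    user's role scope, and cumulative transfers above the limit."""
    findings: Dict[str, List[str]] = defaultdict(list)
    transferred: Dict[str, int] = defaultdict(int)
    for ts, user, event, resource, nbytes in parse_log(text):
        if event == "login" and ts.hour not in BUSINESS_HOURS:
            findings[user].append(f"off-hours login at {ts.isoformat()}")
        scope = ROLE_SCOPE.get(USER_ROLES.get(user, ""), set())
        if resource not in scope:
            findings[user].append(f"out-of-scope access to {resource}")
        transferred[user] += nbytes
    for user, total in transferred.items():
        if total > TRANSFER_LIMIT_BYTES:
            findings[user].append(f"excessive transfer: {total} bytes")
    return dict(findings)


if __name__ == "__main__":
    for user, items in analyze(SAMPLE_LOG).items():
        for item in items:
            print(f"{user}: {item}")
```

Users with no findings are absent from the result, so a clean log yields an empty dictionary. In the sample, the user with an unknown role gets an empty scope and every access is reported as out of scope, which is the fail-closed behavior one wants from a detection that is meant to enforce least privilege.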

