Considering more than 80% of all cyberattacks [1] involve the misuse of credentials (i.e., username and password) on a trusted network, it’s safe to say the days of “trust, but verify” in cybersecurity are coming to a close.
Since the recent Sunburst software supply chain attack in 2021 and the subsequent President’s Executive Order (EO) 14028 on Improving the Nation’s Cybersecurity issued on May 12, 2021, a growing number of organizations and federal institutions have implemented or are in the process of implementing Zero Trust Security and the principle of least privilege.
Zero Trust in Cybersecurity
The main purpose of cybersecurity is to maintain the confidentiality, integrity, and availability (CIA) of data and information. Modern security breaches correspondingly take all shapes and sizes, including a leak of classified documents or personal information (confidentiality), unauthorized access to or manipulation of documents (integrity), or a shutdown or unauthorized deletion of documents (availability).
The traditional “trust, but verify” method, which is slowly becoming obsolete, grants users special permissions once they have verified their identity (typically via credentials) inside a specific network perimeter, such as a company’s intranet.
While this method allows for a certain amount of convenience, in some cases the risks have been proven to outweigh the benefits, and it has brought massive fines and penalties from regulators as well.
How Zero Trust Works
In contrast to the “trust, but verify” method, Zero Trust takes on the motto “never trust, always verify” – coined by Forrester Research analyst and thought-leader John Kindervag – on the assumption that risk is an inherent factor both inside and outside the network.
Based on NIST 800-207 (paraphrased below for readability), the Zero Trust model comprises the following tenets:
Verify Identity: Authenticate and verify the identity of all users and devices trying to access the network or resources.
Least Privilege Access: Grant users and devices the minimum level of access and permissions necessary to perform their responsibilities. Avoid giving broad or unnecessary access, and revoke access immediately when required.
Micro-Segmentation: Segment the network into smaller, isolated zones to contain and mitigate the impact of a security breach. This limits lateral movement of attackers within the network.
Continuous Monitoring: Continuously monitor and analyze user and device behavior, network traffic, and other activities to detect and respond to anomalies or suspicious behavior.
Multi-Factor Authentication (MFA): Require users to provide multiple forms of identification before granting access.
Device Trustworthiness: Prior to granting access, evaluate the security posture and trustworthiness of a device to ensure it meets security standards and is not compromised.
Encryption: Encrypt data both in transit and at rest to protect sensitive information from unauthorized access.
Dynamic Access Policies: Adjust access policies to reflect the current state of the organization, including user roles, device status, and the overall security environment.
Continuous Risk Assessment: Regularly assess and reassess the risk associated with users, devices, and the overall network to adapt security measures to evolving threats.
Zero Trust Network Architecture: Design network architecture with the assumption that threats can come from anywhere, both inside and outside the network. This involves a perimeter-less approach where security is enforced at every level.
These principles collectively work to create a security posture that minimizes the risk of unauthorized access and reduces the potential damage caused by a security breach. The Zero Trust model is proactive and emphasizes continuous monitoring and adaptation to the evolving threat landscape.
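To make the tenets concrete, here is an added example (not from the original article, and not NIST 800-207's own text) of a minimal policy decision function that evaluates every access request against identity verification, MFA, device posture, least-privilege role grants, and a risk score fed by continuous monitoring. The roles, resources, and risk thresholds are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample policy: which (resource, action) pairs each role may use.
# Least privilege: a role lists only what its holders need, nothing broader.
ROLE_GRANTS = {
    "analyst": {("reports", "read")},
    "editor": {("reports", "read"), ("reports", "write")},
}

# Dynamic access policy: riskier actions tolerate less observed session risk.
RISK_LIMIT = {"read": 70, "write": 40, "delete": 20}


@dataclass
class AccessRequest:
    user: str
    role: str
    authenticated: bool      # identity verified against the identity provider
    mfa_passed: bool         # second factor presented for this session
    device_compliant: bool   # endpoint posture check passed (patched, EDR running)
    risk_score: int          # 0-100, produced by continuous monitoring of the session
    resource: str
    action: str


def decide(req: AccessRequest) -> tuple[bool, list[str]]:
    """Evaluate one request against every tenet; deny on any failure.

    Returns (allowed, reasons). Every check runs on every request, so a
    session that looked fine a minute ago is re-verified rather than trusted.
    """
    reasons = []
    if not req.authenticated:
        reasons.append("identity not verified")
    if not req.mfa_passed:
        reasons.append("MFA not satisfied")
    if not req.device_compliant:
        reasons.append("device posture check failed")
    if (req.resource, req.action) not in ROLE_GRANTS.get(req.role, set()):
        reasons.append(f"role '{req.role}' is not granted {req.action} on {req.resource}")
    limit = RISK_LIMIT.get(req.action, 0)   # unknown actions get no risk budget at all
    if req.risk_score >= limit:
        reasons.append(f"risk score {req.risk_score} exceeds limit {limit} for {req.action}")
    return (not reasons, reasons)


if __name__ == "__main__":
    ok = AccessRequest("alice", "editor", True, True, True, 15, "reports", "write")
    bad = AccessRequest("bob", "analyst", True, True, False, 55, "reports", "write")
    print(decide(ok))   # (True, [])
    print(decide(bad))  # denied, with three separate reasons listed
```

The deny reasons are what the continuous-monitoring tenet feeds on: logging every failed check per request gives the security team the signal to spot a compromised account or device early.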
Is Zero Trust Required?
U.S. Federal agencies are required to adhere to an executive order (EO 14028) that mandates implementation of Zero Trust principles as outlined in NIST 800-207. The Office of Management and Budget (OMB) has also issued a zero trust strategy document (M-22-09 Memorandum for the Heads of Executive Departments and Agencies) that requires Federal agencies to hit certain zero-trust goals by the end of Fiscal Year 2024.
At present, there is no Zero Trust directive for the private sector, but companies that handle sensitive information would benefit greatly from the implementation of Zero Trust security.
How To Implement Zero Trust
In general, Zero Trust and the principle of least privilege include the technical enforcement of strict access policies and permissions for all accounts, including programmatic credentials like service accounts. Service accounts and third parties should also be monitored for abnormal behavior and granted limited connection privileges. Additionally, Zero Trust requires data encryption at rest and in transit, secure email, and assessment of device security hygiene prior to granting connection access.
A successful implementation of the Zero Trust framework has been described as one that satisfies the Zero Trust security needs without over-burdening users – now referred to as ‘frictionless’. To achieve this, organizations combine advanced technologies like risk-based multi-factor authentication, endpoint security, and cloud workload technology that verify users and systems with real-time analytics, making access decisions at the moment of request.
Although each organization’s needs are unique, the general phases to implement a mature Zero Trust model include:
Phase 1: Map Current Architecture – Create the necessary lists, diagrams and visualizations to map all of your organization’s resources, access points, risks, and threat vectors.
Phase 2: Classify and Mitigate Risks – Prioritize your transformation to Zero Trust based on risk classification. Wherever possible, segment systems based on existing data classification policies, user roles, risk, sensitivity of information, etc. These segments should be isolated technically or virtually, through cloud-enabled features like containerization.
Phase 3: Optimize for Security & Usability – Expand protections throughout your IT infrastructure and resources, while balancing the needs of the end user, IT, and security teams.
Sample Case: How Inkit Delivers Zero Trust Document Generation
Inkit offers the only frictionless approach to Zero Trust document generation. Here’s how we offer maximum security with minimal disruptions:
- Zero Trust Cloud Infrastructure – Inkit’s cloud-native solution is the only Zero Trust document generation platform that adheres to NIST 800-207. Inkit utilizes industry-standard encryption protocols, perimeter defense, and integrations with leading security tools, like Splunk, RedShift, and more, for maximum coverage across your in-network, hybrid, and third-party systems and devices.
- Continuous Monitoring – With automated detection and notification features, Inkit delivers all the necessary data and meta-data that your security team needs to identify threats and deploy remediation measures as quickly as possible.
- Automated Expiring Documents and Retention Policies – Inkit lets you send documents that automatically expire after a certain amount of time or views. You can also automatically enforce organization-wide retention policies based on the type or classification of documents.
- Secure Document Storage and Access Control – Create digital filing systems with easy-to-configure access control policies that let you set permissions at the folder-level and the resource-level.
- No Document Downloads or Exports – Keep sensitive documents in a secure perimeter with Inkit’s Magic Links and Document Streaming. Send links to documents that cannot be downloaded, screenshotted, or exported, with complete monitoring of access and activity.
- Superior User Experience – For secure document generation, sharing, deletion, and retention, Inkit makes it easy for both users and system admins to perform their daily business tasks while complying with Zero Trust policies. We are also the only DocGen platform compatible with Microsoft Office (Word, PowerPoint, Excel, etc.) as well as HTML-to-PDF documents, all with built-in encryption and access control.
The traditional notion of a secure perimeter is steadily becoming obsolete. Zero Trust acknowledges that threats can originate from anywhere, be it external or internal. By adopting the principles of Zero Trust, your organization can take a more secure approach to the creation, storage, and sharing of sensitive documents.
As we enter 2024, into an era where data breaches and cyber threats continue to escalate, the implementation of Zero Trust in document generation is not merely a best practice; it's a strategic imperative. Zero Trust security and the principle of least privilege add several layers of protection to your most critical information and reduce the impact of a breach if and when one occurs.
For your Zero Trust Document Generation needs, consider Inkit’s full suite of document generation, sharing, deletion, and retention tools. Trusted by organizations and institutions where privacy and security matter most.
[1] Verizon Data Breach Investigations Report (DBIR) 2023