What is Zero Trust?
Zero trust is a newer model of cybersecurity designed to better address changing security requirements for modern organizations. Zero trust frameworks can improve security posture, limit lateral movement throughout the network, and prevent data breaches.
- Zero trust explained
- How does zero trust work?
- How is zero trust different from perimeter-based security?
- What are the core principles of zero trust?
- What are the benefits of zero trust?
- Where do I start with zero trust?
- What are the differences between zero trust and SASE?
- How can HPE help with achieving a zero trust architecture?
Zero trust explained
The complexity of today’s cyberattacks, expansive attack vectors, and constant threats can often paralyze even the nimblest enterprises. Zero trust security helps simplify your approach to security and makes managing your environment easier.
Essentially, the zero trust security model replaces faith in the integrity of secure network perimeters (such as private networks, firewalls, and VPN/VPC) with faith in the individual software systems that manage critical data.
Hewlett Packard Enterprise has recognized that, for customers and partners to be able to deliver a robust and agile zero trust security solution for their most critical data systems, trust must be built into everything they use—from the silicon that runs the software to the network that connects users and devices to the applications and data they need.
How does zero trust work?
To enhance security in modern enterprises where users and devices are remote and threats are bypassing traditional perimeter defenses, it’s critical to have a rigorous security model that performs checks on a continuous basis. Before accessing the network, all devices and users should be identified and authenticated and given the least amount of access required, and then continuously monitored.
How is zero trust different from perimeter-based security?
Unlike traditional security approaches focused primarily on the perimeter, modern zero trust security architectures recognize trust as a vulnerability. They assume no user or device—regardless of how or where they connect—should be trusted by default because the user could be compromised. Identity and device attestation and authentication are required throughout the network. Every component in the network must independently establish its trustworthiness and be authenticated by any other component it interacts with, including existing point security measures.
What are the core principles of zero trust?
- No implicit trust: Always authenticate and authorize based on all available contextual data, such as user identity, location, time of day, device posture, and the application being accessed. Trust is never assumed.
- Least privilege access: Grant users and devices only the permissions necessary to perform their specific tasks, and only as long as they are behaving consistently with their role. This minimizes the risk of unauthorized access and of lateral movement by attackers within the network.
- Assume breach: Design systems under the assumption that a breach has already occurred or could occur at any time. Focus security capabilities on detecting, containing, and minimizing impact.
- Micro-segmentation: Divide the network into smaller, isolated zones to limit access and reduce the attack surface. Even if one zone is compromised, the rest remain secure.
- Continuous monitoring and validation: Monitor device behavior, device status, and access patterns to detect anomalies and enforce policies in real time.
- Device and identity-centric security: Tie security policy to identity and role rather than location (where the user or device is connecting from, e.g., within the network perimeter). This is critical in cloud and hybrid environments and for remote workforces.
HPE Aruba Networking security-first, AI-powered networking activates zero trust principles intrinsically at every point of connection to provide a comprehensive set of capabilities that span visibility, control, and enforcement to address the requirements of a decentralized, IoT-driven network infrastructure.
What are the benefits of zero trust?
Network security is increasingly challenging because of mobility, IoT, and telecommuting environments. Zero trust allows you to increase visibility, control, and enforcement to address the security requirements of a decentralized, IoT-driven network infrastructure.
- Limits exposure to security risks related to vulnerable IoT devices.
- Helps reduce the risk of advanced threats that bypass traditional perimeter security controls.
- Limits damage related to lateral movement by attackers and infected devices.
- Takes a more holistic approach to security regardless of who or what is connecting and from where.
- Enables application of best practices such as micro-segmentation to support least-privilege access.
Where do I start with zero trust?
Zero trust architectures focus on authentication, authorization, and continual risk management. Here’s how to get started:
1. Eliminate network blind spots by discovering and profiling all devices connected to the network.
2. Verify identity before allowing access using 802.1X-based authentication techniques, as well as emerging solutions for IoT devices.
3. Compare endpoint configuration to compliance baselines and remediate as needed.
4. Establish least-privilege access to IT resources by segmenting traffic based on identity-based policies.
5. Continuously monitor the security state of the user and device, and bi-directionally communicate with other elements in the security ecosystem. Establish policies to revoke a user or device’s access rights in cases of compromise or attack.
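The steps above, together with the core principles listed earlier, describe a policy decision point that authorizes each request on contextual data (identity, device posture against a compliance baseline, role entitlement, time of day) and revokes access when another security element reports compromise. The following is an added illustration, not HPE's code; the baseline values, role entitlements, access window, and all sample devices and requests are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import time

# Constructed (assumed) compliance baseline, role entitlements and access window.
BASELINE = {"os_patch_level": 42, "disk_encrypted": True, "edr_running": True}
ROLE_PERMS = {"finance": {"erp", "payroll"}, "engineer": {"git", "ci"},
              "iot-sensor": {"telemetry"}}
BUSINESS_HOURS = (time(7, 0), time(20, 0))

@dataclass
class Device:
    device_id: str
    posture: dict          # attributes reported by the endpoint agent / profiler
    revoked: bool = False  # set by revoke() when a compromise signal arrives

@dataclass
class Request:
    user: str
    role: str
    authenticated: bool    # outcome of identity verification (e.g. 802.1X / IdP)
    device: Device
    app: str
    when: time
    location: str          # context only; "on-prem" never grants access by itself

def posture_compliant(posture: dict) -> bool:
    """Step 3: compare endpoint configuration to the compliance baseline."""
    return (posture.get("os_patch_level", 0) >= BASELINE["os_patch_level"]
            and all(posture.get(k) is True for k in ("disk_encrypted", "edr_running")))

def decide(req: Request) -> tuple[bool, str]:
    """Evaluate every check on every request; nothing is trusted by default."""
    if req.device.revoked:
        return False, "device access revoked after compromise signal"
    if not req.authenticated:
        return False, "identity not verified"
    if not posture_compliant(req.device.posture):
        return False, "endpoint out of compliance; remediate before access"
    if req.app not in ROLE_PERMS.get(req.role, set()):
        return False, f"role {req.role!r} has no entitlement to {req.app!r}"
    # Off-hours access from off-site is denied; being on-prem adds no privilege,
    # it only removes this one time-of-day restriction after all other checks pass.
    off_hours = not (BUSINESS_HOURS[0] <= req.when <= BUSINESS_HOURS[1])
    if off_hours and req.location != "on-prem":
        return False, "off-hours access from off-site requires re-authentication"
    return True, "allow, least-privilege access to " + req.app

def revoke(device: Device, reason: str) -> None:
    """Step 5: revoke a device's rights when the security ecosystem reports compromise."""
    device.revoked = True
```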
What are the differences between zero trust and SASE?
Zero trust and Secure Access Service Edge (SASE, pronounced “sassy”) are two approaches to enhance security as workforces become increasingly remote and dispersed, and organizations’ attack surfaces expand.
SASE defines the components needed to provide optimized, secure access at the edge. It combines comprehensive wide area network (WAN) capabilities including SD-WAN, routing, and WAN optimization with cloud-delivered security services such as SWG, CASB, and ZTNA. A SASE solution must be able to identify sensitive data, plus encrypt and decrypt content with continuous monitoring for risk and trust levels. This approach is particularly useful for organizations with multiple remote and branch offices and highly distributed workforces.
Zero trust is a model and philosophy meant to reduce security risk across the enterprise by eliminating the concept of implicit trust and instead enforcing least-privilege access based on continuously monitored identity-based authentication and authorization. It encompasses not just secure access but also monitoring of cyberthreats to the organization, data governance and compliance requirements, and maintenance of the network environment.
Zero trust and SASE have overlapping principles. Implementing a SASE solution can be one step in an organization’s journey to a complete zero trust security architecture.
How can HPE help with achieving a zero trust architecture?
Project Aurora is HPE’s edge-to-cloud zero trust security architecture to help protect customers from some of today’s most sophisticated malware attacks. Building on HPE’s silicon root of trust, Project Aurora measures everything before it is enabled or released for execution and continuously repeats this measurement during runtime.
Rather than being a point solution, Project Aurora addresses end-to-end security for edge-to-cloud deployments, with new embedded and integrated security solutions starting at the silicon level. It incorporates designed-in security technologies with automated verification and attestation to establish a defense-in-depth approach that begins at the lowest foundational layer—the silicon.
By embedding security across a secure chain of trust from the silicon to the workload, Project Aurora will make it possible for organizations to place greater assurance in their distributed software systems, allowing for more agility and flexibility to bring cost-effective and differentiating solutions to market.
Project Aurora will lay the foundation for delivering more zero trust services across HPE GreenLake and other HPE offerings. Initially, it will be embedded within HPE GreenLake Lighthouse to automatically and continuously verify the integrity of the hardware, firmware, operating systems, platforms, and workloads, including workloads from security vendors. This can help minimize the loss and unauthorized encryption (and corruption) of valuable enterprise data and intellectual property.
In the future, Project Aurora will be embedded within HPE GreenLake cloud services to provide a platform-agnostic way to define, create, and deploy a zero trust architecture distributed from edge to cloud.