Nov 12, 2021
Paul-Arthur Jonville
Zero Trust protects your company's resources and controls access to them. Can you trust everyone and everything that wants access to them? No. Every subject (a user, an application, or a device) must be authenticated and authorized before it reaches the targeted resource, whether that is your data or a device that sends instructions, such as a printer or another IoT device. Not doing so opens the path for attackers to reach your most valuable assets.
However, several trends make this goal harder to achieve. First, Bring Your Own Device (BYOD) is spreading, increasing the number of devices that your company does not own but that need access to your network. Moreover, remote working has grown sharply in recent years, multiplying devices and dematerializing the workplace: people work from different locations, sometimes temporarily, sometimes abroad, and often on unsecured local networks.
Last but not least, companies are increasingly migrating their data to the cloud. This creates a hybrid architecture, split between cloud storage and on-premise systems, that is more complex to manage. As a result, blind spots are left behind and assets are not effectively protected, even when an array of security tools is trying to build a safe space.
Zero Trust was introduced to answer this complex architecture. No one is blindly trusted and given access to your company's assets without being authenticated and authorized first. However, deploying a mature Zero Trust architecture is time-consuming and error-prone:
Zero Trust relies on a set of principles that differ from classic authentication and privilege management architecture;
It implies using multiple technologies that need to be connected in automated workflows by a Security Orchestration, Automation, and Response (SOAR) tool.
A Zero Trust Architecture relies on a set of principles
Zero Trust model differs from older security architectures
Zero Trust combines several ways of securing your company's architecture. It relies on identity governance (users, roles, and systems), which is what allows you to authorize and revoke the users attached to those identities, and their various accesses, according to their positions in your company.
It also relies on network architecture, and specifically on micro-segmentation: the network is divided into small, individually controlled zones, so that reaching one workload does not grant reachability to the rest.
It also uses network monitoring to collect and analyze information and detect suspicious behavior on your network, which then drives response as well as general protective and preventive controls.
To sum up, Zero Trust differs from older security controls, where security is added as a compensating layer on top of a large perimeter. With Zero Trust, your company secures the relevant data from the inside out. Using the technologies cited above, Zero Trust builds security controls where they are needed, inside segmented perimeters.
According to the Zero Trust Architecture, only verified identities with the relevant role can access the applications, systems, networks, and data they are entitled to in order to do their jobs. That trust is verified at every step to ensure employees are who they say they are.
This architecture limits breaches, their risks, and their impact. It cannot replace a cybersecurity architecture, but it helps contain incidents before they metastasize into breaches and become a critical threat to your company, by confining an incident to the compromised identity instead of letting it spread to every identity in your company. In other words, it adds layers of trust in front of the targeted data: user, system, and behavioral trust must all be compromised before the data can be reached. Compromising each layer also increases the attackers' risk of being caught before they achieve their mission.
The Zero Trust Principles
Limit the privileges given to your employees
One of Zero Trust's core principles is least privilege: privilege and access management that grants no more than each task requires. This management has to be deployed without impairing your employees' ability to complete their tasks. Thus, you need to map, employee by employee, their missions, the data and networks those missions require, and the applications needed to complete them, and then scope access to exactly that perimeter.
You cannot trust indefinitely; you always need to verify
Even if privileges and accesses are adequately segmented in your company, you cannot simply trust them from then on. There are many ways for somebody's privileges to end up in the wrong hands at some point (stolen credentials, a compromised device, a hijacked session). Let's repeat: no action or user is trusted by default in a Zero Trust architecture. You need to authenticate and verify every new entry into a system and every request for access to new data.
You always have to monitor users, systems, and networks
To ensure the Zero Trust model you deployed actually works, you need continuous monitoring and evaluation of your users' behavior, your data, and your network flows for suspicious changes. In addition to authentication and privilege management, general Zero Trust monitoring is needed to verify every action taken within your company's infrastructure, such as lateral movement that could reveal an underlying attack.
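The three principles above (least privilege, verify every request, keep monitoring) come together in a per-request policy decision. The following is an added example, not code from the article or from any vendor product: a default-deny decision function that checks identity, MFA, device posture, role entitlement and a risk score from monitoring on every request. The role-to-entitlement map, the device attributes and the 0-100 risk scale are assumptions made for the illustration.

```python
"""Per-request Zero Trust policy decision (added example).

Default deny: a request is allowed only if every check passes, and the
decision is recomputed for each request rather than cached as 'trusted'.
"""
from dataclasses import dataclass

# Hypothetical role -> (resource, action) entitlements; assumed for the example.
ROLE_ENTITLEMENTS = {
    "finance-analyst": {("ledger-db", "read"), ("expense-app", "read"), ("expense-app", "write")},
    "sre": {("prod-k8s", "read"), ("prod-k8s", "write"), ("ledger-db", "read")},
}


@dataclass(frozen=True)
class Subject:
    user: str
    roles: frozenset
    authenticated: bool
    mfa: bool


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool        # enrolled in the company's device management
    disk_encrypted: bool
    edr_healthy: bool    # endpoint agent present and reporting


@dataclass(frozen=True)
class Request:
    subject: Subject
    device: Device
    resource: str
    action: str
    risk_score: int      # 0-100, assumed to come from UEBA/SIEM monitoring


def device_compliant(d: Device) -> bool:
    """Device posture: a BYOD or unhealthy endpoint fails this check."""
    return d.managed and d.disk_encrypted and d.edr_healthy


def entitled(subject: Subject, resource: str, action: str) -> bool:
    """Least privilege: some role of the subject must grant exactly this (resource, action)."""
    return any((resource, action) in ROLE_ENTITLEMENTS.get(r, set()) for r in subject.roles)


def decide(req: Request) -> tuple:
    """Return (decision, reason). Any failed check denies; unknown roles deny."""
    s = req.subject
    if not s.authenticated:
        return ("deny", "unauthenticated subject")
    if not s.mfa:
        return ("deny", "MFA not satisfied")
    if not device_compliant(req.device):
        return ("deny", "device %s is non-compliant" % req.device.device_id)
    if not entitled(s, req.resource, req.action):
        return ("deny", "no role grants %s on %s" % (req.action, req.resource))
    if req.risk_score >= 80:
        return ("deny", "risk score %d too high" % req.risk_score)
    if req.risk_score >= 50 and req.action == "write":
        # Elevated risk from monitoring: re-verify before a sensitive action.
        return ("step-up", "elevated risk: re-authenticate before write")
    return ("allow", "all checks passed")


if __name__ == "__main__":
    alice = Subject("alice", frozenset({"finance-analyst"}), authenticated=True, mfa=True)
    laptop = Device("lt-0042", managed=True, disk_encrypted=True, edr_healthy=True)
    byod = Device("personal-phone", managed=False, disk_encrypted=True, edr_healthy=False)
    for req in (
        Request(alice, laptop, "ledger-db", "read", 10),
        Request(alice, byod, "ledger-db", "read", 10),
        Request(alice, laptop, "prod-k8s", "write", 10),
        Request(alice, laptop, "expense-app", "write", 65),
    ):
        print(req.resource, req.action, "->", decide(req))
```

The order of the checks matters less than the fact that none of them can be skipped: the same user on the same laptop is denied as soon as the request leaves their entitlements, and a risk signal from monitoring can demote an otherwise valid request to a step-up authentication.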
SOAR helps you orchestrate Zero Trust Architecture
A mature Zero Trust Architecture needs a wide variety of tools, and those tools need to be orchestrated and automated by a SOAR.
Even though recent years have seen a tremendous increase in Zero Trust adoption, few organizations leverage orchestration and automation tools. This causes a critical lack of productivity and leaves room for human error. The metaphor used by Dr. Chase Cunningham is striking:
"If you want to dig the Suez Canal you could do it with shovels. It would suck, but you could if you had millions of shovels. But that's dumb, and you will always need more ditch diggers. Wouldn't it make more sense to use power tools and bulldozers and have your tools power the dig?"
Yes, automation and orchestration can critically alleviate the burden on your teams' shoulders.
Zero Trust is not, in itself, a technology. It is an architectural model, and you must leverage different tools to deploy it according to the principles above. Usually this means technologies such as User and Entity Behavior Analytics (UEBA), user onboarding and offboarding management, network monitoring, endpoint protection, SIEM, PKI and certificate management, cloud security, next-generation firewalls, IDS/IPS, etc.
As we have already seen, the variety of tools is not an obstacle per se as long as you can manage them. Properly orchestrating the tools at your disposal helps in two main ways: you get the most out of every tool to strengthen your security posture, and you stay on the edge of innovation.
We already know that automation and orchestration are needed for incident response or to manage information overload. But a SOAR can also be incorporated into broader security maintenance plans, such as Zero Trust architectures!
A SOAR answers the need to orchestrate a technology stack and to streamline and automate repetitive tasks (remember configuring your VLANs by hand? Not so cool), especially when you are getting started on the Zero Trust path. Let's take Identity and Access Management (IAM), for instance.
By automating IAM, you tie provisioning and de-provisioning, and real-time updates to identity information, to the changes detected in the authoritative source systems your company relies on (an HR system, for instance). As a result, it eliminates repetitive manual tasks for IT staff while freeing up valuable time for more complex work.
This is why we're adding SOAR to this stack: to unlock the orchestration and automation possibilities that help your teams manage the overall Zero Trust architecture, and to help them take one more step: remediation.
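What "tying provisioning to the authoritative source" looks like in practice is a reconciliation job: compare the HR roster with the accounts in the identity provider and emit the joiner/mover/leaver actions a playbook would then execute. The block below is an added example written for this article, not code from any SOAR or IAM product; the HR record shape, the department-to-group mapping and the sample roster are all constructed for the illustration.

```python
"""Joiner/mover/leaver reconciliation against an authoritative HR source (added example).

The HR roster is the source of truth; the identity provider (IdP) is made to
match it. The output is a list of actions for a playbook to execute.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class HrRecord:
    user: str
    department: str
    status: str          # "active" or "terminated"


@dataclass(frozen=True)
class IdpAccount:
    user: str
    groups: frozenset
    enabled: bool


# Hypothetical department -> IdP group mapping; assumed for the example.
DEPT_GROUPS = {
    "finance": frozenset({"finance-analyst", "vpn-users"}),
    "platform": frozenset({"sre", "vpn-users", "prod-k8s-admin"}),
}


def reconcile(hr, idp):
    """Return (action, user, detail) tuples that bring the IdP in line with HR."""
    actions = []
    hr_by_user = {r.user: r for r in hr}
    idp_by_user = {a.user: a for a in idp}

    # Leavers and orphans: enabled IdP accounts with no active HR record.
    for acct in idp:
        rec = hr_by_user.get(acct.user)
        if acct.enabled and (rec is None or rec.status != "active"):
            actions.append(("disable", acct.user, "no active HR record"))

    for rec in hr:
        if rec.status != "active":
            continue
        desired = DEPT_GROUPS.get(rec.department, frozenset())
        acct = idp_by_user.get(rec.user)
        if acct is None:
            # Joiner: create the account with exactly the groups its department needs.
            actions.append(("create", rec.user, sorted(desired)))
            continue
        if not acct.enabled:
            actions.append(("enable", rec.user, "active in HR"))
        # Mover: strip groups the new department does not need, add the missing ones.
        for g in sorted(acct.groups - desired):
            actions.append(("remove-group", rec.user, g))
        for g in sorted(desired - acct.groups):
            actions.append(("add-group", rec.user, g))
    return actions


# Constructed sample data: bob moved from platform to finance, carol left,
# dave just joined, and eve exists only in the IdP (an orphan account).
SAMPLE_HR = [
    HrRecord("alice", "finance", "active"),
    HrRecord("bob", "finance", "active"),
    HrRecord("carol", "platform", "terminated"),
    HrRecord("dave", "platform", "active"),
]
SAMPLE_IDP = [
    IdpAccount("alice", frozenset({"finance-analyst", "vpn-users"}), True),
    IdpAccount("bob", frozenset({"sre", "vpn-users", "prod-k8s-admin"}), True),
    IdpAccount("carol", frozenset({"sre", "vpn-users", "prod-k8s-admin"}), True),
    IdpAccount("eve", frozenset({"vpn-users"}), True),
]

if __name__ == "__main__":
    for action in reconcile(SAMPLE_HR, SAMPLE_IDP):
        print(action)
```

Two details are worth copying into a real playbook: accounts that exist in the IdP but not in HR are disabled rather than ignored, since orphan accounts are exactly what an attacker looks for, and a mover loses the groups of the old department in the same run in which they gain the new ones, so entitlements do not accumulate over a career.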
But also to do one more step: automated remediation
Besides orchestrating and automating the interception of Zero Trust violations, a SOAR also helps you remediate them at machine speed. Even if your company has deployed micro-segmentation and continuous control of its data resources, any breach that is not detected fast enough lets attackers move through your systems and cause harm.
Let's go back to IAM. Automating it lets your teams define triggers that automatically launch machine responses to suspicious activity, such as malicious logins or impossible-travel logins (two sign-ins by the same account from places too far apart for the time elapsed). Even for essential components of a Zero Trust Architecture, you can make a substantial difference by powering IAM or even Multi-Factor Authentication (MFA) orchestration and remediation with a SOAR.
Yes, Zero Trust needs to be combined with the more classical SOAR incident response function. Intercepting incidents is not enough; you need to be able to act on each one. By using a SOAR, you are also on the path to lower MTTD and MTTR (mean time to detect and mean time to remediate), reducing the criticality of a given breach, since the longer a breach goes undetected or unremediated, the more it costs.
Plus, a SOAR helps your teams standardize and rapidly scale workflows for detection and remediation. This helps connect the technologies used to enforce Zero Trust within your company as it grows and as employees join and leave. Have a look at our user lifecycle management use case, for instance.
Most of all, even when a Zero Trust Architecture is deployed, it eventually comes down to humans. As long as humans remain your company's weakest link, you need to identify and remediate breaches quickly.
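As an added example of such a trigger, here is an impossible-travel detector run over a few constructed sign-in events, together with the response actions a playbook would chain behind it. This is illustration code written for this article, not a product's detection logic: the IP-to-city table stands in for a geo-IP lookup, the events are invented, and the 900 km/h threshold and the three response actions are assumptions.

```python
"""Impossible-travel detection with an automated response (added example).

Consecutive successful sign-ins by the same user are compared; if covering
the distance between them in the elapsed time would exceed MAX_KMH, the
pair is reported and a playbook decides the remediation.
"""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

# Hypothetical IP -> (city, lat, lon) table standing in for a geo-IP lookup; assumed.
GEO = {
    "203.0.113.10": ("Paris", 48.8566, 2.3522),
    "198.51.100.7": ("Lyon", 45.7640, 4.8357),
    "192.0.2.44": ("Singapore", 1.3521, 103.8198),
}

MAX_KMH = 900.0  # roughly an airliner; anything faster is treated as impossible


@dataclass(frozen=True)
class SignIn:
    ts: int          # epoch seconds
    user: str
    ip: str
    success: bool


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    r = 6371.0
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * r * asin(sqrt(a))


def find_impossible_travel(events):
    """Return (user, from_city, to_city, speed_kmh) for each impossible pair."""
    last = {}        # user -> most recent successful sign-in seen so far
    findings = []
    for e in sorted(events, key=lambda ev: ev.ts):
        if not e.success or e.ip not in GEO:
            continue  # failed attempts and unknown IPs do not count as a location
        prev = last.get(e.user)
        if prev is not None:
            city1, lat1, lon1 = GEO[prev.ip]
            city2, lat2, lon2 = GEO[e.ip]
            km = haversine_km(lat1, lon1, lat2, lon2)
            hours = (e.ts - prev.ts) / 3600.0
            if hours > 0:
                speed = km / hours
            else:
                speed = float("inf") if km > 0 else 0.0  # same second, same place is fine
            if speed > MAX_KMH:
                findings.append((e.user, city1, city2, round(speed)))
        last[e.user] = e
    return findings


def playbook(finding):
    """Response actions a SOAR would orchestrate for one finding (assumed set)."""
    user = finding[0]
    return [
        ("revoke-sessions", user),
        ("require-mfa-reenrollment", user),
        ("open-ticket", "%s: %s -> %s at %d km/h" % finding),
    ]


# Constructed sample events: alice appears in Singapore one hour after Paris;
# bob goes Paris -> Lyon over three hours, with one failed attempt in between.
SAMPLE_EVENTS = [
    SignIn(0, "alice", "203.0.113.10", True),
    SignIn(3600, "alice", "192.0.2.44", True),
    SignIn(0, "bob", "203.0.113.10", True),
    SignIn(100, "bob", "192.0.2.44", False),
    SignIn(10800, "bob", "198.51.100.7", True),
]

if __name__ == "__main__":
    for f in find_impossible_travel(SAMPLE_EVENTS):
        print(f, playbook(f))
```

Note that the failed attempt from Singapore is deliberately not treated as a location for bob: a failed login says where an attacker tried from, not where the user is, and counting it would turn every password-spraying run into an impossible-travel alert against the victim.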