Transforming Cyber Security with Zero Trust Frameworks
Information technology (IT) networks are expanding at unprecedented rates, driven by innovations like hybrid cloud infrastructures and the ever-growing demands of modern businesses. However, as these networks grow, so do the cyber threats that target their vulnerabilities. With data, users, and services now scattered across multiple locations, the traditional security perimeter has all but vanished. This shift has exposed critical gaps in conventional security models, making it clear that relying solely on perimeter-based defences is no longer enough. Zero trust architecture (ZTA) is a security model designed to meet these modern challenges head-on, by treating every connection, user, and device as untrusted until proven otherwise.
This article's content was adapted from the publication A Zero Trust Approach to Security Architecture written by the Canadian Centre for Cyber Security at the Communications Security Establishment.
Zero trust and zero trust architecture
ZTA is a comprehensive security framework designed around the principles of zero trust (ZT). At its core, ZTA operates on a simple yet crucial idea: no entity—whether user, device, or system—should ever be trusted by default. Instead, every request is thoroughly verified, ensuring that security is maintained at every layer, regardless of location or prior access.
With a ZTA, the following apply:
- Every interaction initiated between a user and a device or application is strongly authenticated (as per the Government of Canada's Account Management Configuration Requirements) and authorized. For example, a remote employee attempting to access the financial database could be required to complete multi-factor authentication and role-based verification before access is granted.
- Control of access to resources is made as granular as possible. For example, a developer's access could be limited to specific code repositories and folder permissions needed for their project. In other words, access rights are restricted based on a person's role and specific project needs, preventing unnecessary access.
- Access control decisions are made by dynamically assessing the trust level of each access request. When an employee logs in from an unfamiliar location, for instance, ZTA could flag the attempt and prompt for additional verification. Access could be temporarily limited to less sensitive data until the system confirms a lower risk level.
In a ZT model, communication between users, systems, and devices is constantly verified. Access is controlled by strict, policy-based rules that consider factors like user role, time, location, device, and data sensitivity. Trust determines access—higher trust allows greater access.
A key feature of ZT architecture is its ability to block lateral movement, so if an attacker gains access to one area, they can't easily move to others. This containment is the main goal of ZT. Other advantages, like improved boundary defence and support for policies such as bring your own device, are added benefits.
Zero trust security approach
Adopting ZT strengthens your organization's security, streamlines resources, improves compliance, and boosts overall resilience. Shifting to a ZT approach means you should:
- assume connections to your network infrastructure and resources are always hostile
- assume all network traffic and resource access requests are malicious
- assume attackers will eavesdrop on communication and data flow
- implement thorough real-time logging and monitoring of access requests, system management, configuration changes and network traffic to measure the integrity and security posture of all assets
- authenticate, verify, and authorize each access request with the principle of least privilege, granting only access required by the user to do their work and making that access time bound
- implement adaptive security by making access control decisions using dynamic, context-aware, risk-based policies
- consider that granting access to sensitive resources will increase your risk of cyber threats
- have an incident response and recovery plan in place that will ensure damage control and business continuity
Industry-accepted zero trust frameworks
As organizations shift from traditional security models to ZT, they are encouraged to use trusted frameworks and guidelines. Authorities like the US Cybersecurity and Infrastructure Security Agency (CISA), the US National Institute of Standards and Technology (NIST), and the UK National Cyber Security Centre (NCSC) provide resources to help organizations create ZT frameworks suited to their unique needs and threats.
The Government of Canada (GC) is currently developing its own ZT security framework, designed to align with the pillars established by CISA and NIST. The GC's goals for this shift include:
- maintaining a resilient digital security ecosystem that ensures safe and secure delivery of government services
- offering a seamless, enhanced user experience for authorized users
- providing a secure platform that safeguards systems and data, whether physical or virtual, within the GC network
- delivering end-to-end protection for GC information, applications, devices, networks, hardware, and physical facilities
- enforcing mature security processes, governance structures, and standards
- ensuring the confidentiality, integrity, and availability of IT infrastructure and critical government data
Until the GC publishes its ZT framework, GC organizations are advised to follow established frameworks or guidelines from trusted sources like NIST (Zero Trust Architecture [PDF], particularly the 7 tenets of zero trust), CISA (Zero Trust Maturity Model [PDF]), and NCSC (Zero trust architecture design principles). Choosing the right ZT framework and adhering to well-respected guidance are critical first steps in crafting an effective zero trust strategy.
The 5 pillars of zero trust
- Users: identification and authentication, least privilege access, two-factor authentication
- User devices: identification and verification, management
- Networks: isolation and protection of network devices and infrastructure
- Resource protection: protection of assets, including data, applications and services
- Continuous monitoring: ongoing automated security event management and user behaviour analysis; real-time correlation, threat assessment and response
Practices for implementing a zero trust architecture
- Authenticate all connections: Don't trust local networks by default. Traditional architectures trust any connection inside the perimeter. With ZT, however, every connection must be authenticated. At minimum, the user and device should be authenticated with geolocation, date and time. In situations where security requirements are higher, the number and complexity of authentication factors should be increased.
- Implement ZT policies: ZT policies are crucial but labour intensive. These policies ensure proper security across your network and traffic flow. To start, answer key questions: Who are the users? What do they need access to? From where?
- Establish a trust engine: A trust engine evaluates access requests based on various factors like device security, behavioural patterns, and overall network security. It dynamically grants or denies access, integrating security inputs from all architecture levels.
- Know your assets: Create an inventory of your data, users, devices, and applications. Understanding the value and potential risks of your resources is key to building a ZT architecture.
- Use multi-factor authentication (MFA): MFA requires at least two forms of authentication, like a password and a physical token, to reduce the risk of compromised credentials. Adaptive MFA goes further by using contextual data to assess risk and apply additional factors as needed. It's essential for ZT.
- Apply least privilege with role-based access control (RBAC) and attribute-based access control (ABAC): Use RBAC to map access rights by role and ABAC to grant access based on user and data characteristics, enforcing least privilege.
- Encrypt all traffic: Encrypt all traffic to prevent unauthorized access to sensitive data, ensuring only authenticated users can decrypt and access information.
- Enforce policy-based access: Use risk-based policies to dynamically control access. Apply the principle of least privilege to limit resource access based on identity rather than network location.
- Use privileged access management (PAM) and secure administrative workstations (SAWs): PAM secures admin accounts through temporary "just-in-time" access, with approvals and logging for oversight. SAWs provide dedicated machines for sensitive administrative tasks, adding another layer of protection.
- Monitor and log activity: Continuously track devices and services to identify suspicious activity. Security information and event management systems help by analyzing logs for unusual patterns.
- Manage devices: Assign unique identities to devices, ensure compliance with security standards, and manage access through policies. ZT extends to all devices. Trusted platform modules enhance device security.
- Enforce bring your own device (BYOD) security: ZT provides granular control over BYOD environments, requiring every device to authenticate before accessing organizational resources.
- Use network segmentation: Segment networks to limit lateral movement. Micro-segmentation offers even greater control, isolating individual workloads to protect sensitive data.
- Leverage software-defined perimeters (SDPs): SDPs support ZT principles, offering fine-grained access control and encryption for remote users. They provide secure access to applications without exposing the network, reducing the attack surface.
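The dynamic, context-aware access decisions described above (the trust engine, RBAC with ABAC, adaptive MFA, and policy-based access) can be sketched as a small policy decision function. This is an added illustration, not code from the Canadian Centre for Cyber Security publication; the roles, resources, sensitivity levels and risk signals are constructed for the example.

```python
"""Illustrative zero trust policy engine (added example, not from the source)."""
from dataclasses import dataclass

# Constructed RBAC table: role -> resources it may reach (least privilege).
ROLE_PERMISSIONS = {
    "finance-analyst": {"finance-db"},
    "developer": {"repo-payments", "ci-logs"},
}
# Constructed ABAC attribute: resource -> sensitivity (1 low .. 3 high).
RESOURCE_SENSITIVITY = {"finance-db": 3, "repo-payments": 2, "ci-logs": 1}

@dataclass
class AccessRequest:
    user: str
    role: str
    resource: str
    mfa_completed: bool
    device_compliant: bool   # managed device passed its posture check
    location_familiar: bool  # location previously seen for this user
    hour: int                # local hour of the request, 0-23

def evaluate(req: AccessRequest) -> tuple[str, list[str]]:
    """Return (decision, reasons); decision is DENY, STEP_UP or ALLOW.

    Network origin is never consulted: every request is evaluated the same
    way whether it arrives from the office LAN or a remote connection.
    """
    # Hard requirements: role authorization (RBAC) and a compliant device.
    if req.resource not in ROLE_PERMISSIONS.get(req.role, set()):
        return "DENY", ["role not authorized for resource"]
    if not req.device_compliant:
        return "DENY", ["device failed posture check"]
    # Risk signals raise the required assurance instead of denying outright;
    # STEP_UP means the caller must obtain additional verification first.
    reasons = []
    sensitivity = RESOURCE_SENSITIVITY.get(req.resource, 3)
    if sensitivity >= 2 and not req.mfa_completed:
        reasons.append("sensitive resource requires MFA")
    if not req.location_familiar:
        reasons.append("unfamiliar location")
    if not 7 <= req.hour <= 19:
        reasons.append("outside working hours")
    if reasons:
        return "STEP_UP", reasons
    return "ALLOW", ["all checks passed"]

def audit_record(req: AccessRequest, decision: str, reasons: list[str]) -> dict:
    """Build the log entry every decision emits, so each grant or refusal
    can be traced to a user, device state, resource and reason later."""
    return {"user": req.user, "resource": req.resource, "hour": req.hour,
            "device_compliant": req.device_compliant,
            "decision": decision, "reasons": reasons}
```

Resources an unknown role has no mapping for are denied, and an unknown resource defaults to the highest sensitivity so it is never silently treated as low risk.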
Benefits of a zero trust security framework
- Improves data protection: Traditionally, if an attacker breaches your network perimeter (for example, firewall), they can move laterally to steal sensitive data. ZT reduces this risk by securing individual resources instead of relying solely on perimeter defence. It enforces strict authentication and applies the principle of least privilege, granting users only the access they need.
- Provides greater visibility and improved monitoring: The ZT approach requires organizations to register all devices and enforce strict authentication for resource access. This ensures visibility into who accesses what and why, helping identify necessary security measures for each resource. ZT also mandates continuous monitoring of activities and communications, enabling better detection and timely responses to potential threats.
- Improves incident detection and response: ZT enhances incident response by providing detailed information on suspicious access requests, including the user, device, data, and application involved. When an incident occurs, ZT allows precise tracing back to specific entities and resources.
- Improves access control over cloud: While cloud service providers offer robust native security solutions, protecting organizational assets is a shared responsibility. ZT ensures that all cloud assets are classified and access controls are tailored. This approach verifies that legitimate entities are the only ones connecting to your cloud infrastructure.
- Helps support continuous compliance and facilitates auditing: A ZT architecture helps support continuous compliance with privacy standards and regulations by evaluating and logging every access request. Tracking the user's and application's identities when they request access, as well as the time when and location where the requests are made, allows for a complete audit trail. As a result, minimal effort is required to comply with audits and to uphold governance.
- Secures the remote workforce: The rapid shift to remote work has made traditional perimeter defences, like firewalls, insufficient. Remote and hybrid workers expand the attack surface, creating new entry points for attackers. ZT addresses this by segmenting the network and creating micro-perimeters with strict identification and validation policies, controlling access to secured zones.
Challenges for organizations transitioning to zero trust
Shifting to a ZT model can be challenging, as it requires precise control over access, authentication, and monitoring—capabilities older systems often lack. Success requires a deep understanding of business needs. To start, organizations should:
- identify their most critical data, assets, and applications
- understand who their users are, what they're accessing, and how they're connecting
This helps prioritize and protect key resources during ZT implementation. While traditional security mechanisms will still be necessary during the transition, organizations must integrate more mature security solutions across all technology layers.
Key challenges to expect
- Complex user management: Administrators must define detailed attributes for every user and resource to support trust and access decisions.
- User friction: Multi-factor authentication and more frequent authentication may frustrate users.
- Hardware needs: Devices may require costly hardware tokens, and rolling them out organization-wide can be time consuming.
- Legacy technology: Older firewalls and systems may lack the dynamic capabilities needed for ZT, necessitating phased equipment upgrades.
- Resource constraints: Skilled technical resources for implementing ZT may be scarce, adding to the challenge.
The migration to ZTA can be complicated, especially when some systems are ZT compatible and others are not. CISA's ZT Maturity Model [PDF] offers a roadmap, enabling organizations to transition gradually and incrementally improve their security posture.
A full shift to ZT requires a lasting change in mindset. Leadership, administrators, stakeholders, and users must all support the effort for it to succeed. ZT requires years of effort, ongoing updates, financial investment, and proactive maintenance.
Moving forward with zero trust
ZT is not a "set it and forget it" solution. As your organization grows, your ZT framework must evolve. For example, routine updates of access controls are necessary to ensure critical information is limited to authorized individuals. Staying vigilant is essential to prevent unauthorized access.