The use of this site and the content contained therein is governed by the Terms of Use. When you use this site you acknowledge that you have read the Terms of Use and that you accept and will be bound by the terms hereof and such terms as may be modified from time to time.
All text, graphics, audio, design and other works on the site are the copyrighted works of nasscom unless otherwise indicated. All rights reserved.
Content on the site is for personal use only and may be downloaded provided the material is kept intact and there is no violation of the copyrights, trademarks, and other proprietary rights. Any alteration of the material or use of the material contained in the site for any other purpose is a violation of the copyright of nasscom and / or its affiliates or associates or of its third-party information providers. This material cannot be copied, reproduced, republished, uploaded, posted, transmitted or distributed in any way for non-personal use without obtaining the prior permission from nasscom.
The nasscom Members login is for the reference of only registered nasscom Member Companies.
nasscom reserves the right to modify the terms of use of any service without any liability. nasscom reserves the right to take all measures necessary to prevent access to any service or termination of service if the terms of use are not complied with or are contravened or there is any violation of copyright, trademark or other proprietary right.
From time to time nasscom may supplement these terms of use with additional terms pertaining to specific content (additional terms). Such additional terms are hereby incorporated by reference into these Terms of Use.
Disclaimer
The Company information provided on the nasscom web site is as per data collected by companies. nasscom is not liable on the authenticity of such data.
nasscom has exercised due diligence in checking the correctness and authenticity of the information contained in the site, but nasscom or any of its affiliates or associates or employees shall not be in any way responsible for any loss or damage that may arise to any person from any inadvertent error in the information contained in this site. The information from or through this site is provided "as is" and all warranties express or implied of any kind, regarding any matter pertaining to any service or channel, including without limitation the implied warranties of merchantability, fitness for a particular purpose, and non-infringement are disclaimed. nasscom and its affiliates and associates shall not be liable, at any time, for any failure of performance, error, omission, interruption, deletion, defect, delay in operation or transmission, computer virus, communications line failure, theft or destruction or unauthorised access to, alteration of, or use of information contained on the site. No representations, warranties or guarantees whatsoever are made as to the accuracy, adequacy, reliability, completeness, suitability or applicability of the information to a particular situation.
nasscom or its affiliates or associates or its employees do not provide any judgments or warranty in respect of the authenticity or correctness of the content of other services or sites to which links are provided. A link to another service or site is not an endorsement of any products or services on such site or the site.
The content provided is for information purposes alone and does not substitute for specific advice whether investment, legal, taxation or otherwise. nasscom disclaims all liability for damages caused by use of content on the site.
All responsibility and liability for any damages caused by downloading of any data is disclaimed.
nasscom reserves the right to modify, suspend / cancel, or discontinue any or all sections, or service at any time without notice.
For any grievances under the Information Technology Act 2000, please get in touch with Grievance Officer, Mr. Anirban Mandal at data-query@nasscom.in.
Now more than ever, organizations are increasingly trying to understand the concept of ‘Zero Trust’ and how it can be used to bolster the security of their data and systems. No doubt, a zero-trust strategy can safeguard any type of business, small or large, in this new era of remote work.
So, what exactly is Zero Trust and how does it work? In this article, we’ll explore the concept of zero trust security and more.
1. What is Zero Trust?
Zero Trust is not a product, vendor or technology.
Zero Trust is a security model or framework for protecting data and applications in an organization. It is about a simple concept – “trust no one, always verify”. It means that organizations must not trust anything by default, inside or outside their IT network or infrastructure. They must strictly verify identity and authenticate and authorize users who are closer to their resources.
To implement this model, organizations are essentially required to include verification activities such as auditing, tracking, monitoring, and alerting in every aspect of their IT infrastructure.
Zero Trust is similar to the Principle of Least Privilege, where only those users are given privileged access who require it to perform their job. The only difference in Zero Trust is that organizations are required to track the activities of all the users, including the most privileged ones.
So, don’t trust anyone, not even your most privileged users.
Credit: Pexels
2. How Zero Trust works?
Practically, a Zero Trust model focuses on five key areas:
User
Device
Application
Data
Session
Among the five focus areas, User and Device are the key areas that the Zero Trust ecosystem emphasizes on the most. If we think about how organizations must take cybersecurity, these choices will make a lot of sense. However, due to the increasing use of cloud technologies, there are other areas too that increase an organization’s risk surfaces, and therefore, areas such as Data and Applications have also gained importance in the cloud-first strategy (as listed above).
Hence, rather than addressing security only from an identity standpoint, organizations have broadened their security strategies by addressing Zero Trust from a more controlled access standpoint.
2.1. Zero Trust Architecture
Organizations build a Zero Trust Architecture (ZTA) by blocking unauthorized users from accessing areas of the network, applications, and data.
Zero Trust Architecture – Core Components (Credit: NIST)
There are three approaches that organizations use for creating an effective Zero Trust architecture.
2.1.1. Identity-based
Organizations often take an identity-based approach when building their Zero Trust security architecture. This approach puts the identity of devices, users, or services in focus while drafting policies. For example, the resource access policies of an organization are based on role assigned attributes.
The basic requirement for any user or device to enter an organizational resource is to have access privileges. This access is granted to them only after their identity is verified by a trusted source. Enterprises need to authenticate identity and the health of each device and then decide whether to allow entry to the users or devices on a real-time basis.
2.1.2. Network-based
The nature of the network-based approach requires the ability to divide the network perimeter of corporate resources into sub-sections where each sub-section is secured through a web gateway. While this approach is quite safe yet is not completely risk-free, as anything that manages to enter the network gateway is trusted. Hence, organizations must use robust security measures in this approach to protect each resource.
Organizations must also use network devices such as intelligent switches for improving network efficiency or Software-Defined Networking (SDN) for improving performance, monitoring and overall network management.
2.1.3. Cloud-based
A cloud-based approach uses systems that integrate with any asset and make cloud access more manageable for any organization. It uses software-defined perimeter, identity and access management, and multi-factor authentication to block unwanted events from occurring. Like other approaches, it also divides traditional perimeters into sub-zones. This enables easy monitoring and better access control.
Overall, everything required for a sleep-deprived or overly stressed security team to protect their data and resources is the ‘Zero Trust security model’.
2.2. How to design a Zero Trust Architecture? Few points to consider.
Plan ahead and design an architecture based on the outcomes you define.
When designing, consider securing all areas.
Decide who, what, where, and when to allow access and at what levels. Accordingly, draft access control policies and implement them across environments.
Inspect all traffic that enters or leaves your network and take full control of all activities over all layers.
Use multi-factor authentication (MFA) and short-lived credentials.
Apply the right workflows and regularly create reporting and analytics of compliance.
2.3. Trust Broker and Actionable Metrics
In a Zero Trust architecture, a trust broker plays a crucial part in deciding whether the context, identity, and policy adherence are sufficiently trusted before allowing access to the specified participants. To make this decision, following are the trust metrics on the basis of which security teams operate within an organization:
2.3.1. People Trust Metrics
User Authentication: This involves verifying the authentication status of users and the security level that users need to pass. For example, two-factor or multi-factor authentication provide better security than simple authentication.
User Activity: This involves verifying if the users follow normal working patterns in an organization. For example, are users accessing the devices during normal working hours? Are users accessing the organizational resources from their usual access devices?
2.3.2. Device Trust Metrics
Location Tracking: This involves verifying whether a device is being operated from an expected geographic location, using a safe network.
Device Security: This involves steps that authenticates if the device is used by an authorized person and has anti-virus, anti-malware installed.
2.3.3. Data Trust Metrics
This includes verifying the following:
(a) Who has access to what kind of data?
(b) What is the level of sensitivity of the data?
(c) What security parameters are set on the different data types?
3. Do you need Zero Trust security?
Here are the benefits of implementing a Zero Trust security architecture:
3.1. Reduces risk for organizations
Zero Trust helps organizations to minimize risk in the cloud and improve governance and compliance. It helps them to gain better visibility into all devices and users, detect threats, maintain control across a network. A Zero Trust model helps in defining policies that get updated automatically when risks are identified.
3.2. Turns down the breach possibilities
Data breaches can not only cause financial loss to companies but also can impact a customer’s confidence in them. Both customers and governments are increasingly growing their demands for security and data privacy, and it is on enterprises to meet that requirement in the best possible manner.
To reduce the possibility of breaches, a network using the Zero Trust architecture continuously analyzes the workload. The moment a mismatch is detected, its communication privileges are blocked from the rest of the system. This process continues within the system until the system is improved according to the defined security policies.
3.3. Improves compliance and trust
Zero Trust architectures naturally improves an organization’s appetite for compliance and adherence to the policies. This in turn, helps them gain customer trust. There are many tools provided by trusted vendors offering cyber security services to businesses of all sizes to help make the digital world more secure.
4. Conclusion
You may be having a secure infrastructure and so, may have nothing to be worried about. But what’s the harm in getting it assessed and verified.
Building a Zero Trust security architecture can be an excellent decision for futuristic organizations . With time, Zero Trust will be the only framework in the market when it comes to cybersecurity.
That the contents of third-party articles/blogs published here on the website, and the interpretation of all information in the article/blogs such as data, maps, numbers, opinions etc. displayed in the article/blogs and views or the opinions expressed within the content are solely of the author's; and do not reflect the opinions and beliefs of NASSCOM or its affiliates in any manner. NASSCOM does not take any liability w.r.t. content in any manner and will not be liable in any manner whatsoever for any kind of liability arising out of any act, error or omission. The contents of third-party article/blogs published, are provided solely as convenience; and the presence of these articles/blogs should not, under any circumstances, be considered as an endorsement of the contents by NASSCOM in any manner; and if you chose to access these articles/blogs , you do so at your own risk.
ZNet Technologies Private Limited, incorporated in 2009, is a cloud services provider offering cloud infrastructure and managed services to partners and end customers across the globe with a primary focus on India. We empower 90k+ websites.
I've witnessed first hand the transformative potential of Large Language Models (LLMs) in the business world. Yet, despite significant investments in this technology, many organizations still grapple with a fundamental question: "How can we leverage…
Cybersecurity Mesh is a distributed security architecture that connects various security tools and technologies to create a cohesive defense. It's designed to address the challenges of traditional network security approaches, which often struggle to…
The widespread impact of the CrowdStrike outage has forced businesses to reevaluate their cybersecurity strategies. Luckily, the incident didn't breach any systems, but it revealed the fragility of even the most sophisticated security…
In today's data-driven world, data analytics has emerged as a cornerstone of modern business strategy. The ability to collect, process, and analyze data has transformed how organizations operate, enabling them to make informed decisions, enhance…
THE HIDDEN COST OF DLP INCIDENTS
Financial Fallout, Operational Challenges, and the Way Forward
Data Loss Prevention (DLP) is a critical aspect of modern cybersecurity, designed to detect and prevent potential data breaches. DLP incidents pose…
In today’s digital age, cybersecurity is a critical concern for businesses of all sizes. Having attended a recent cybersecurity event hosted by NASSCOM, I’m eager to share some insights and practical precautions that companies should adopt to…
