What is Zero Trust?
Zero Trust is a security model designed to address the requirements of modern organizations, whose users, devices, and applications no longer sit behind a single network perimeter. Zero Trust frameworks can improve security posture, limit lateral movement across the network, and reduce both the likelihood and the impact of data breaches.
- Zero Trust explained
- How does Zero Trust work?
- How is Zero Trust different from perimeter-based security?
- What are the three main concepts of Zero Trust?
- What are the benefits of Zero Trust?
- Where do I start with Zero Trust?
- What are the differences between Zero Trust and SASE?
- How can HPE help with achieving a Zero Trust architecture?
Zero Trust explained
Zero Trust is a security model in which no device, user, or network segment is inherently trustworthy; each is treated as a potential threat until it has been explicitly verified.
- Security threats can be inside or outside your network.
- Every device and person accessing resources on your network must be authenticated and authorized.
- By default, no person or device is trusted.
How does Zero Trust work?
In modern enterprises, users and devices are remote and threats routinely bypass traditional perimeter defenses, so a rigorous security model must perform its checks continuously rather than once at the edge. Before any access is granted, every device and user should be identified and authenticated, granted only the least access required for its task, and then continuously monitored for as long as the access lasts.
How is Zero Trust different from perimeter-based security?
Unlike traditional security approaches focused primarily on the perimeter, modern Zero Trust Security architectures treat implicit trust itself as a vulnerability. They assume that no user or device, regardless of how or where it connects, should be trusted by default, because either could be compromised. Identity and device attestation and authentication are required throughout the network. Every component in the network must independently establish its trustworthiness and be authenticated by any other component it interacts with, including existing point security measures.
What are the three main concepts of Zero Trust?
- Comprehensive visibility: Active and passive discovery provides full visibility of all users and devices on your network, which can help you implement controls.
- Least privilege access: Defined access control policies grant access to only resources necessary for a user or device to do their job or fulfill their function and segment them from other resources that are not required.
- Continuous monitoring and enforcement: Ongoing monitoring of users and devices and dynamic policy enforcement greatly reduces risks related to threats and malware.
HPE Aruba Networking security-first, AI-powered networking activates Zero Trust principles intrinsically at every point of connection to provide a comprehensive set of capabilities that span visibility, control, and enforcement to address the requirements of a decentralized, IoT-driven network infrastructure.
What are the benefits of Zero Trust?
Network security is increasingly challenging because of mobility, IoT, and telecommuting environments. Zero Trust allows you to increase visibility, control, and enforcement to address the security requirements of a decentralized, IoT-driven network infrastructure.
- Limits exposure to security risks related to vulnerable IoT devices.
- Helps reduce the risk of advanced threats that bypass traditional perimeter security controls.
- Limits damage related to lateral movement by attackers and infected devices.
- Takes a more holistic approach to security regardless of who or what is connecting and from where.
- Enables application of best practices such as micro-segmentation to support least-privilege access.
Where do I start with Zero Trust?
Zero Trust architectures focus on authentication, authorization, and continual risk management. Here’s how to get started:
1. Eliminate network blind spots by discovering and profiling all devices connected to the network.
2. Verify identity before allowing access using 802.1X-based authentication techniques, as well as emerging solutions for IoT devices.
3. Compare endpoint configuration to compliance baselines and remediate as needed.
4. Establish least-privilege access to IT resources by segmenting traffic based on identity-based policies.
5. Continuously monitor the security state of the user and device, and bi-directionally communicate with other elements in the security ecosystem. Establish policies to revoke a user or device’s access rights in cases of compromise or attack.
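The five steps above describe a policy engine: discover and profile the device, authenticate it, check its posture against a baseline, place it in the segment its identity permits, and revoke it when another security element reports a compromise. The Python below is an added example written for this page, not HPE code or any product's logic; the inventory, credential store, baselines, segment policy, and the security event it consumes are all constructed stand-ins for the NAC, identity, and EDR systems a real deployment would integrate with.

```python
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# --- Constructed sample data (hypothetical); stands in for real NAC/IdM/EDR sources ---
INVENTORY = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02", "aa:bb:cc:00:00:03"}  # step 1: discovered and profiled
CREDENTIALS = {"alice": "s3cret-alice", "bob": "s3cret-bob", "cam-01": "cam-psk-01"}  # step 2: identity store
ROLES = {"alice": "employee", "bob": "employee", "cam-01": "iot-camera"}
BASELINE = {                                                                # step 3: compliance baselines per profile
    "laptop": {"disk_encrypted": True, "edr_running": True, "min_patch_level": 202406},
    "ip-camera": {"firmware_signed": True},
}
POLICY = {                                                                  # step 4: identity-based segments
    "employee":   {"segment": "corp",      "resources": {"intranet", "file-share", "printers"}},
    "iot-camera": {"segment": "iot-video", "resources": {"nvr"}},
}


@dataclass
class Device:
    mac: str
    kind: str                      # result of profiling, e.g. "laptop" or "ip-camera"
    posture: Dict[str, object]     # attributes reported by the endpoint agent or profiler


@dataclass
class Session:
    device: Device
    identity: Optional[str] = None # authenticated principal; None if authentication failed
    role: str = "unauthenticated"
    segment: str = "quarantine"    # default-deny: nothing is trusted until verified
    revoked: bool = False
    reasons: List[str] = field(default_factory=list)


def authenticate(identity: str, secret: str) -> bool:
    """Step 2: stands in for the 802.1X / EAP exchange; constant-time compare."""
    expected = CREDENTIALS.get(identity)
    return expected is not None and hmac.compare_digest(expected.encode(), secret.encode())


def check_posture(device: Device) -> List[str]:
    """Step 3: compare reported attributes to the baseline for the device profile."""
    baseline = BASELINE.get(device.kind)
    if baseline is None:
        return ["no baseline for device type"]
    failures = []
    for key, required in baseline.items():
        if key == "min_patch_level":
            if int(device.posture.get("patch_level", 0)) < required:
                failures.append(f"patch_level<{required}")
        elif device.posture.get(key) != required:
            failures.append(f"{key}!={required}")
    return failures


def admit(device: Device, identity: str, secret: str) -> Session:
    """Steps 1-4: anything unknown, unauthenticated or non-compliant stays in
    quarantine; only a compliant, authenticated device gets its role's segment."""
    s = Session(device=device)
    if device.mac not in INVENTORY:                      # step 1: blind spot
        s.reasons.append("device not in inventory")
        return s
    if not authenticate(identity, secret):               # step 2
        s.reasons.append("authentication failed")
        return s
    s.identity, s.role = identity, ROLES.get(identity, "unknown")
    failures = check_posture(device)                     # step 3
    if failures:
        s.reasons.extend(failures)
        return s                                         # remediate, then re-admit
    rule = POLICY.get(s.role)
    if rule is None:
        s.reasons.append(f"no policy for role {s.role}")
        return s
    s.segment = rule["segment"]                          # step 4: least-privilege segment
    return s


def authorize(s: Session, resource: str) -> bool:
    """Per-request decision: a live, segmented session may reach only the
    resources on its role's allow-list; quarantine and revocation deny everything."""
    if s.revoked or s.segment == "quarantine":
        return False
    return resource in POLICY[s.role]["resources"]


def on_security_event(s: Session, event: dict) -> None:
    """Step 5: a high-severity signal from another element (EDR, IDS) about this
    device revokes its access immediately instead of waiting for re-authentication."""
    if event.get("mac") == s.device.mac and event.get("severity") in {"high", "critical"}:
        s.revoked = True
        s.segment = "quarantine"
        s.reasons.append(f"revoked: {event.get('type')}")


if __name__ == "__main__":
    laptop = Device("aa:bb:cc:00:00:01", "laptop",
                    {"disk_encrypted": True, "edr_running": True, "patch_level": 202409})
    s = admit(laptop, "alice", "s3cret-alice")
    print(s.segment, authorize(s, "intranet"), authorize(s, "nvr"))
    on_security_event(s, {"mac": laptop.mac, "type": "edr-malware", "severity": "high"})
    print(s.segment, authorize(s, "intranet"), s.reasons)
```

Two design points matter more than the data model. Access is decided per request against the session's current state, so a revocation takes effect on the next packet-level or API-level check rather than at the next logon, which is what "continuous enforcement" means in practice. And every failure path leaves the device in quarantine rather than on a permissive default segment, so a misconfigured baseline or a missing policy fails closed.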
What are the differences between Zero Trust and SASE?
Zero Trust and Secure Access Service Edge (SASE, pronounced “sassy”) are two approaches to enhance security as workforces become increasingly remote and dispersed and organizations’ attack surfaces expand.
SASE defines the components needed to provide optimized, secure access at the network edge. It combines wide area network (WAN) capabilities, including SD-WAN, routing, and WAN optimization, with cloud-delivered security services such as secure web gateway (SWG), cloud access security broker (CASB), and Zero Trust Network Access (ZTNA). A SASE solution must be able to identify sensitive data and to encrypt and decrypt content, while continuously monitoring risk and trust levels. This approach is particularly useful for organizations with multiple remote and branch offices, Internet of Things (IoT) and edge deployments, and highly distributed workforces.
Zero Trust is a model and philosophy meant to reduce security risk across the enterprise by eliminating the concept of implicit trust and instead enforcing least-privilege access based on continuously monitored identity-based authentication and authorization. It encompasses not just secure access but also monitoring of cyberthreats to the organization, data governance and compliance requirements, and maintenance of the network environment.
Zero Trust and SASE have overlapping principles. Implementing a SASE solution can be one step in an organization’s journey to a complete Zero Trust Security architecture.
How can HPE help with achieving a Zero Trust architecture?
Project Aurora is HPE’s edge-to-cloud Zero Trust Security architecture to help protect customers from some of today’s most sophisticated malware attacks. Building on HPE’s silicon root of trust, Project Aurora measures everything before it is enabled or released for execution and continuously repeats this measurement during runtime.
Rather than being a point solution, Project Aurora addresses end-to-end security for edge-to-cloud deployments, with new embedded and integrated security solutions starting at the silicon level. It incorporates designed-in security technologies with automated verification and attestation to establish a defense-in-depth approach that begins at the lowest foundational layer—the silicon.
By embedding security across a secure chain of trust from the silicon to the workload, Project Aurora will make it possible for organizations to place greater assurance in their distributed software systems, allowing for more agility and flexibility to bring cost-effective and differentiating solutions to market.
Project Aurora will lay the foundation for delivering more zero trust services across HPE GreenLake and other HPE offerings. Initially, it will be embedded within HPE GreenLake Lighthouse to automatically and continuously verify the integrity of the hardware, firmware, operating systems, platforms, and workloads, including workloads from security vendors. This can help minimize the loss and unauthorized encryption (and corruption) of valuable enterprise data and intellectual property.
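The mechanism behind "measures everything before it is enabled or released for execution" is a measured chain of trust: each stage is hashed before it runs, the hash is folded into a register that commits to the whole sequence, and a verifier compares the result against known-good values. The Python below is an added, generic illustration of that pattern and is not Project Aurora's or HPE's implementation; the stage names, component images, and golden values are constructed, and the extend operation follows the TPM PCR convention new = H(old || measurement), which is why a single register value can attest the entire chain.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed boot chain (hypothetical stage names); silicon -> firmware -> ... -> workload
CHAIN = ["firmware", "bootloader", "os-kernel", "platform-agent", "workload"]
ZERO_REGISTER = bytes(32)                     # register state at power-on


def measure(component: bytes) -> bytes:
    """Hash the component image before it is released for execution."""
    return hashlib.sha256(component).digest()


def extend(register: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: new = H(old || measurement). One-way and order-dependent,
    so the final value commits to every stage, not just the last one."""
    return hashlib.sha256(register + measurement).digest()


def golden_values(clean_images: Dict[str, bytes]) -> Dict[str, bytes]:
    """Known-good measurements, normally shipped in a signed vendor manifest."""
    return {stage: measure(clean_images[stage]) for stage in CHAIN}


def expected_register(golden: Dict[str, bytes]) -> bytes:
    """What a verifier expects the register to read after a clean boot."""
    reg = ZERO_REGISTER
    for stage in CHAIN:
        reg = extend(reg, golden[stage])
    return reg


def boot(images: Dict[str, bytes], golden: Dict[str, bytes]) -> Tuple[bytes, List[str]]:
    """Measure-before-execute: a stage is released only if its measurement matches;
    a mismatch halts the chain at that stage. Returns (register, released stages)."""
    reg = ZERO_REGISTER
    released: List[str] = []
    for stage in CHAIN:
        m = measure(images[stage])
        reg = extend(reg, m)                  # record what was actually present
        if m != golden[stage]:
            return reg, released              # stop here; this stage never runs
        released.append(stage)
    return reg, released


def attest(register: bytes, golden: Dict[str, bytes]) -> bool:
    """Remote verifier's check: does the reported register equal the expected one?"""
    return register == expected_register(golden)


def runtime_recheck(images: Dict[str, bytes], golden: Dict[str, bytes],
                    released: List[str]) -> List[str]:
    """Continuous measurement: re-hash stages already running and report any that
    changed after launch (the case boot-time measurement alone cannot catch)."""
    return [stage for stage in released if measure(images[stage]) != golden[stage]]


if __name__ == "__main__":
    clean = {s: f"{s}-v1".encode() for s in CHAIN}   # constructed component images
    golden = golden_values(clean)
    reg, released = boot(clean, golden)
    print(attest(reg, golden), released)
    tampered = dict(clean, **{"os-kernel": b"os-kernel-v1+implant"})
    reg, released = boot(tampered, golden)
    print(attest(reg, golden), released)         # False, chain stopped at bootloader
```

Two properties carry the security argument. First, because extend is one-way and order-dependent, an attacker who modifies a stage cannot choose a later input that restores the expected register value, so a verifier holding only the final value detects the change. Second, runtime re-measurement closes the gap left by boot-time checks: a workload that was clean when released but is modified afterwards shows up on the next recheck, which is the "continuously repeats this measurement during runtime" behaviour the text describes.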
In the future, Project Aurora will be embedded within HPE GreenLake cloud services to provide a platform-agnostic way to define, create, and deploy a zero trust architecture distributed from edge to cloud.