Chef Blogs

What is Zero Trust, and Why Should We Care?

Michelle Sebek Sudeep Charles | Posted on | Chef Cloud Security | Chef Desktop | compliance

Zero trust is a phrase that gets thrown around, misunderstood, and overused by many organizations. The zero-trust security model, sometimes known as perimeterless security, describes an approach to designing and implementing IT systems. Zero trust is a paradigm in which implicit trust is removed from the computing infrastructure. Implicit trust is replaced with explicitly calculated, real-time adaptive trust levels, as Gartner analysts describe it.

The one constant is change: enterprise needs evolve continuously, and IT management challenges keep increasing. One key area of concern for a business organization is security. Failure to comply with policies and regulatory regimes usually has severe repercussions. For example, data breaches on endpoint devices can cause massive downtime, loss of data, or other forms of service disruption and revenue loss if those endpoints are not monitored continuously. As a result, "Zero Trust" is being rapidly adopted by organizations to prevent data breaches and minimize security risks.

What is Zero Trust?

Users cannot be trusted, and neither can the network!
Source: Verizon DBIR Reports 2021

Zero Trust is a security practice that enforces a technological and cultural belief of "never trust, always verify" for people and devices within organizations. It allows IT admins to overcome the challenges of keeping endpoints secure and compliant while giving employees frictionless, secure access to everything they need from anywhere on the network. By continuously monitoring endpoints and verifying every user who accesses an application on the network, Zero Trust replaces traditional manual security management with role-based security management. A rule-based, automated, don't-assume-but-verify approach maintains security and allows customized rules to be applied to different endpoints or users.

Challenges with Traditional Security Practices

The traditional security architecture has its own set of challenges. These challenges can be hard to address in a complex and evolving IT ecosystem and, when they go unnoticed, often cause business service disruption. Some challenges associated with traditional architectures are:

Identities

  • Restrictive on-premises identity providers
  • No SSO between cloud and on-premises apps
  • Minimal visibility into identity risk

Devices

  • Devices are domain-joined and managed with solutions like Group Policy Objects or Configuration Manager
  • Devices are required to be on the network to access data

Infrastructure

  • Permissions are operated manually across environments
  • Hard to manage configurations of VMs and network servers with high workloads

Apps

  • On-premises apps accessed through physical networks or VPN
  • Critical cloud apps are accessible to all or many users with no restrictions

Network

  • Few network security perimeters and a flat, open network
  • Minimal threat protection and static traffic filtering
  • Internal traffic is often not encrypted

Data

  • Access is governed by perimeter control, not data sensitivity
  • Sensitivity labels are applied manually, with inconsistent data classification

How Zero Trust Helps

The Zero Trust concept comes with three guiding principles in addition to "never trust":

  • All resources must be accessed securely from a secure machine, regardless of location.
  • Access control is on a "need to know" basis, correlated to the user's identity, what that user is authorized to access, and the device context.
  • Organizations must inspect and log all traffic to verify users are always doing the right things to maintain security.

Zero Trust Security, The Back Story

In 2010, Forrester Research Inc. coined the now-famous term zero trust. A few years later, Google stated it was implementing the model, and then the rest of the industry began adopting it.

Zero Trust Network Access (ZTNA)

Zero Trust Network Access (ZTNA) is a leading technology that empowers organizations to implement Zero Trust security. ZTNA conceals most infrastructure and services, setting up one-to-one encrypted connections between devices and the resources they need.

How to implement Zero Trust security

At Progress Chef, a top goal is to simplify the complex. Zero trust may sound complex at first glance, but it becomes simple once the DevSecOps model is embraced. Chef Desktop allows organizations to extend Zero Trust from a simple practice to a more meaningful application of security and compliance policies through the Rule Engine. Chef Desktop automates configuration management by codifying infrastructure configurations in policy files. This makes applying and maintaining configuration changes across a large fleet of machines faster and provides visibility into their real-time status. Besides automating configurations, Chef Desktop uses compliance-as-code principles to automate security and compliance checks on endpoints so that issues are detected and remediated.

Through Chef Desktop, your Zero Trust Rules Engine now has significantly more security insights about system hardening status and device compliance to make decisions regarding the accessibility of various resources to different nodes or users. Customizable templates allow flexibility to add and modify configurations to accommodate the unique requirements of specific users, endpoints, or apps. A unified dashboard to track nodes' current status in configuration, health, and compliance makes it easier to track security and configuration management data across the entire IT resource fleet.
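As an added illustration, and not Chef's own code or Chef Desktop's actual Rule Engine interface, the Ruby below shows the kind of decision such a rules engine makes: it combines the three guiding principles above (secure device regardless of location, need-to-know access tied to identity and device context, and logging every decision) with a constructed endpoint compliance report. The report format, resource names, role names, control names, and the 15-minute freshness window are all assumptions.

```ruby
require 'time'
require 'json'

# Constructed sample: a posture/compliance report for one endpoint.
# The shape is hypothetical, not Chef Desktop's real report format.
SAMPLE_REPORT = JSON.parse(<<~JSON)
  {
    "node": "laptop-042",
    "reported_at": "2024-05-01T10:00:00Z",
    "controls": {
      "disk-encryption": "passed",
      "screen-lock": "passed",
      "os-patch-level": "failed"
    }
  }
JSON

# A posture report older than this is treated as unknown posture (assumed window).
MAX_REPORT_AGE = 15 * 60

# Resources with the roles allowed to reach them and the device controls that
# must pass first ("need to know", correlated to identity and device context).
POLICY = {
  "hr-payroll" => { roles: %w[hr-admin],
                    required_controls: %w[disk-encryption screen-lock os-patch-level] },
  "wiki"       => { roles: %w[employee hr-admin],
                    required_controls: %w[disk-encryption] }
}.freeze

# Returns [:allow | :deny, reason]. Default is deny; every check must hold.
def evaluate_access(user:, resource:, report:, now: Time.now.utc)
  rule = POLICY[resource]
  return [:deny, "unknown resource"] unless rule
  return [:deny, "role not authorized"] unless (user[:roles] & rule[:roles]).any?
  age = now - Time.iso8601(report["reported_at"])
  return [:deny, "posture report stale (#{age.to_i}s)"] if age > MAX_REPORT_AGE || age < 0
  failing = rule[:required_controls].reject { |c| report["controls"][c] == "passed" }
  return [:deny, "device failing controls: #{failing.join(', ')}"] unless failing.empty?
  [:allow, "identity and device posture verified"]
end

# Every decision, allowed or denied, is appended to the audit log.
def decide_and_log(user:, resource:, report:, now: Time.now.utc, log: [])
  verdict, reason = evaluate_access(user: user, resource: resource, report: report, now: now)
  log << { at: now.iso8601, user: user[:name], node: report["node"],
           resource: resource, verdict: verdict, reason: reason }
  verdict
end
```

A device that passes the wiki's single control but fails the patch-level control is allowed into the wiki and denied payroll, and the same device is denied everything once its report is older than the freshness window.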

Watch our on-demand webinar and learn how to use DevOps principles and a Zero Trust approach to automate security and detect and resolve security issues quickly. Watch now!