
Zero Trust: Verify Trust at Every Interaction Stage Across Your Network and Systems

Trust no one. Verify everything. When it comes to cybersecurity and protecting your expanding attack surface, that’s more than a catchphrase. It’s the way you should approach access to your network, systems and assets.

Zero trust security does just that. It’s a strategic way to approach your cybersecurity practice — from a position of trust elimination and continuous verification — to ensure controls are in place to verify trust at every stage of an interaction across your network and systems. With traditional on-prem IT systems, this has generally been managed by hardware and other network tools to build an access perimeter, but those practices are no longer enough in a cloud-first or hybrid work environment.

In this zero trust knowledgebase, we take a closer look at what zero trust is, how it works and why it’s a critical component of a mature, best-practice focused cybersecurity strategy.

Here’s what you’ll learn:


Talking to Your Boss and Board About Zero Trust

Take a look at zero trust from a business risk perspective before engaging with key stakeholders.


Zero Trust Frequently Asked Questions

Have questions about zero trust architecture and what to do? Check out this FAQ for some answers.


Basic Tenets of Zero Trust

Explore NIST’s seven core tenets of designing and deploying zero trust architecture for your organization.

Tenable Connect community for Zero Trust

Tenable Connect is a great place to connect with other professionals interested in zero trust.


Zero Trusts Given

Tenable One will help accelerate your zero trust journey. With foundational visibility into all assets across your modern attack surface, vulnerability prioritization and Active Directory (AD) security — all in one exposure management platform — your security team will have what it needs to stop lateral movement and prevent attacks before they happen.

Rethink Your Security With a Zero Trust Approach

The modern business world is constantly evolving. To keep up, your attack surface is evolving along with it. As both become more complex, it’s no longer possible to define modern attack surfaces with a logical perimeter.

So, how do you now effectively control and secure your network, applications and users? The answer is zero trust.

Because of increased use of cloud services, software, applications and new interconnected devices, security teams are finding it ever-more difficult to get their arms around everything that makes up the attack surface. Without that knowledge, most have limited visibility into where they have cyber risk so they can’t make plans to address it.

Zero trust is a strategy that can help your security teams adapt to this complex environment. In this solution overview, learn more about how you can:

  • Identify misconfigurations and vulnerabilities on your network
  • Apply best practice recommendations to address security weaknesses
  • Identify and resolve often-overlooked risks in your Active Directory (AD)
  • Evolve your risk-based vulnerability management practices to support zero trust


Tech Insights

How Tenable Helps Federal Agencies Meet CISA’s Binding Operational Directive 23-01

Federal agencies are required to comply with Binding Operational Directive (BOD) 23-01, a compulsory direction about safeguarding federal information and information systems. Under BOD 23-01, agencies must maintain continuous and comprehensive asset visibility, focusing on asset discovery and vulnerability enumeration. But what exactly does that mean for your agency?

In this piece, learn more about asset discovery and vulnerability enumeration as they relate to BOD 23-01 mandates, including an overview of new requirements and insight into how Tenable can help address them.


The Path to Zero Trust: Is it Time to Rethink What We're Calling a Vulnerability?

Before the pandemic, organizations were making slow moves toward adopting zero trust, and the post-pandemic period has certainly accelerated implementation. Still, some organizations are slow to get on board. However, today’s modern business environments, which now include cloud services, software and applications, coupled with more people working from home than before the pandemic, mean traditional network perimeters just aren’t enough to protect enterprises.

Some organizations are hesitant to move toward zero trust out of fear it’s just too complex to implement, especially for large organizations. But should the benefits of zero trust and the simplicity of the concept outweigh those concerns?

There are some key factors to consider before answering:

  • Is there a solution for zero trust?
  • How can I migrate our existing IT ecosystem to meet zero trust principles?
  • How do I address security concerns?

In this piece, learn more about those three core questions and take a closer look at four factors that can help give you a clearer picture about the benefits of implementing a zero-trust architecture.


Eliminating Attack Paths in Active Directory: A Closer Look at Preventing Privilege Escalations

Attackers love to steal identities and credentials because once they successfully get access to your identity systems, they can make lateral movements throughout your network and escalate privileges, often without you knowing they’re there.

An often overlooked source of this type of access begins in Active Directory (AD), a place where attackers hope you’ve missed unpatched vulnerabilities and are unaware you have misconfigurations or other security issues.

As part of your zero trust security strategy, it’s important to give your Active Directory the attention it deserves. This white paper takes a closer look at how attackers can take advantage of Active Directory.

Read more to learn:

  • Why Active Directory is a crucial part of attack paths
  • How attackers can take advantage of vulnerabilities and escalate privileges
  • How you can detect and eliminate attack paths before attackers exploit them


Frequently Asked Questions about Zero Trust

Are you new to zero trust? Do you have questions about zero trust but not sure where to start? Check out this FAQ:

What is zero trust?

Zero trust, according to NIST, is “an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources.”

Why is it called zero day?

In context of vulnerability assessment and vulnerability management, a vulnerability may be referred to as zero day because the software or application developer or vendor has had zero days to remediate the vulnerability.

Why is zero trust important?

Zero trust is important because the traditional way of protecting enterprises — by building and defending a network perimeter — is no longer enough for your modern attack surface. Zero trust is a proactive cybersecurity approach. It removes implicit trust for your users and assets enabling your organization to apply identity and access protocols for every connection or session.

How does zero trust work?

Zero trust works by assuming there is no implicit trust for any of your assets or users. It removes the traditional perimeter approach that assumes trust could be given for assets and users based on physical or network location or who owns an asset. Instead, zero trust uses continuous authorization and identification for users and devices before users or assets can access your systems or network.

What is zero trust architecture?

According to NIST, zero trust architecture “uses zero trust principles to plan industrial and enterprise infrastructure and workflows.”

Are zero day and zero trust the same?

No. Zero day and zero trust are not the same. Zero day is a term used to describe a vulnerability that has only recently been discovered or disclosed and doesn’t yet have a patch to remediate the security issue. Zero trust is a cybersecurity approach to help protect your organization from zero-day exploits.

What are the main components of zero trust?

Zero trust eliminates implicit trust for access to your systems, data and network. It assumes that anyone (or any device) from anywhere, inside or outside your network, has the potential to be an attacker, so it verifies user identity and access privileges before opening a session. As with least-privilege access, administrators grant users only the minimum access necessary to complete their functions or roles. Zero trust also puts access restrictions on devices, regardless of whether they’re inside or outside the network: you must authorize every device. Many organizations also implement micro-segmentation across networks to limit system-wide access, granting access to only certain parts of the network as needed.

What are the benefits of zero trust?

There are many benefits of zero trust. One of its biggest benefits is that zero trust is more effective for today’s modern attack surface, which now includes a range of devices and services both on-prem or in the cloud. Zero trust doesn’t just help you protect your attack surface, it’s also a way to reduce it. Overall, implementing zero trust architecture should help reduce some of your cyber risk and help you be better prepared to detect and respond to security incidents as they happen.

What are some disadvantages of zero trust?

While the benefits outweigh the disadvantages of zero trust, there are some to consider. One of the most commonly discussed disadvantages is the fear some organizations have that it’s just too complex to implement. While there may be some truth in that, implementation can be made that much harder if your organization is still taking a legacy approach to vulnerability management and remains focused on security defenses that don’t work for most modern attack surfaces, such as maintaining a traditional perimeter-based approach. To implement zero trust, your organization will need to shift left to a more proactive, risk-based strategy for asset and vulnerability management.

What is the CISA Zero Trust Maturity Model?

The CISA Zero Trust Maturity Model is a framework organizations can use to transition to a zero trust architecture. It is made up of five pillars and three capabilities based on zero trust.

The Five Pillars

  1. Identity
  2. Device
  3. Network
  4. Application workload
  5. Data

Capabilities

  1. Traditional
  2. Advanced
  3. Optimal

To learn more about each of these pillars and capabilities, download CISA’s pre-decisional draft of “Zero Trust Maturity Model.”

What is zero trust network access (ZTNA)?

Zero trust network access (ZTNA) is similar to a VPN in that it enables access to systems and services, but it does so in a secure way that takes user and asset identity into consideration before granting access. According to Gartner, zero trust network access “creates an identity- and context-based, logical access boundary around an application or set of applications.”

What are the basic tenets of zero trust?

According to NIST, there are seven basic tenets of zero trust:

  1. All data sources and computing services are resources.
  2. All communication is secure.
  3. Access is granted on a per-session basis.
  4. Access is determined by dynamic policy.
  5. Monitoring and measuring integrity and security posture of all assets.
  6. Dynamic and enforced resource authentication and authorization.
  7. Information collection on current state of assets, network infrastructure and communications and uses.

Take a closer look at these tenets in the “NIST and the Basic Tenets of Zero Trust” section below.

Tenable Connect community: Your go-to resource for zero trust

While the concept of zero trust has been around for a while, some organizations are just beginning their zero trust journeys. If yours is one of them and you have questions about zero trust and implementing zero trust architecture, join the Tenable Connect community. It’s a great place to engage with other professionals interested in learning more about zero trust and how Tenable can help.


Local Scanner in Zero-Trust Model

We are going through an office network reconfiguration that will be based on a zero-trust model using Meraki networking hardware. This has led to some issues with how our Tenable scanner will be able to discover and scan machines in the environment if things are so heavily segmented. Does anyone have experience?


Disadvantages for the Tenable agent?

One of our departments wants to avoid providing us root access for their Linux clients. The idea would be to use the Tenable agent on the client in order to get full scan results. What are the advantages, and especially disadvantages, for the scan results when using the scanning agent?


Tenable and the Path to Zero Trust

Zero trust, a cybersecurity concept first introduced by Forrester in 2010, is emerging as the answer du jour for a wide range of challenges facing today’s digital enterprise. It accommodates the perimeter-busting work-from-home trend necessitated by the COVID-19 pandemic.


Rethink Your Security With Zero Trust

Is your organization implementing zero trust architecture as part of your overall cybersecurity strategy? You’ll need continuous insight into all of your assets and their vulnerabilities, Active Directory (AD) security to find and fix issues before attackers exploit them, and the ability to prioritize remediation based on risk. Tenable One has everything you need — all in a single platform.


NIST and the Basic Tenets of Zero Trust

NIST SP 800-207 helps enterprise security architects better understand zero trust, including a roadmap to help security practitioners implement a zero trust approach to their existing cybersecurity practices and deploy zero trust architecture.

Why is this important? Modern enterprises are increasingly complex. Core operational systems are no longer traditional IT hardware and software that sit safely behind a network perimeter. Today, organizations around the globe work with on-prem networks, systems and assets alongside cloud-based services, applications and software.

Legacy security practices, such as setting up firewalls to keep the bad guys out, are no longer effective. That’s why the industry is moving toward adopting zero trust for all assets and users, no matter where they live.

According to NIST, zero trust security “assumes that an attacker is present in the environment and that an enterprise-owned environment is no different — or no more trustworthy — than any non-enterprise-owned environment.” As such, enterprises can no longer assume implicit trust and must continuously verify to manage and mitigate risks.

NIST’s seven core tenets of designing and deploying a zero trust architecture are:

  1. All data sources and computing services are considered resources.
  2. All communication is secured regardless of network location.
  3. Access to individual enterprise resources is granted on a per-session basis.
  4. Access to resources is determined by dynamic policy — including the observable state of client identity, application/service, and the requesting asset — and may include other behavioral and environmental attributes.
  5. The enterprise monitors and measures the integrity and security posture of all owned and associated assets.
  6. All resource authentication and authorization are dynamic and strictly enforced before access is allowed.
  7. The enterprise collects as much information as possible about the current state of assets, network infrastructure and communications and uses it to improve its security posture.
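
An added illustration (not code from NIST or Tenable) of tenets 3, 4 and 6 as a minimal policy decision function: each request is evaluated per resource from identity and device state, the grant expires with the session, and network location is never an input. The policy table, field names and sample requests are assumptions constructed for this example.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import Optional

# Hypothetical per-resource policy (constructed values, not from NIST SP 800-207).
POLICY = {
    "payroll-db": {"roles": {"finance"}, "mfa": True, "max_patch_age_days": 14, "session_minutes": 15},
    "wiki": {"roles": {"finance", "engineering"}, "mfa": False, "max_patch_age_days": 60, "session_minutes": 60},
}

@dataclass(frozen=True)
class Request:
    user: str
    role: str
    mfa_passed: bool
    device_managed: bool
    device_last_patched: datetime
    resource: str
    source_network: str  # logged only; deliberately never used as a trust signal

@dataclass(frozen=True)
class Decision:
    allow: bool
    reasons: tuple
    expires: Optional[datetime]  # grant covers one resource for one bounded session

def decide(req: Request, now: datetime) -> Decision:
    """Evaluate identity and device state for one resource; default is deny."""
    rule = POLICY.get(req.resource)
    if rule is None:
        return Decision(False, ("no policy for resource",), None)
    reasons = []
    if req.role not in rule["roles"]:
        reasons.append("role not authorized")
    if rule["mfa"] and not req.mfa_passed:
        reasons.append("MFA required")
    if not req.device_managed:
        reasons.append("device not managed")
    if now - req.device_last_patched > timedelta(days=rule["max_patch_age_days"]):
        reasons.append("device patch level too old")
    if reasons:
        return Decision(False, tuple(reasons), None)
    return Decision(True, (), now + timedelta(minutes=rule["session_minutes"]))

def session_valid(decision: Decision, now: datetime) -> bool:
    """A grant must be re-evaluated once its session window has passed."""
    return decision.allow and decision.expires is not None and now < decision.expires

# Constructed sample requests.
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
REMOTE_OK = Request("alice", "finance", True, True, NOW - timedelta(days=3),
                    "payroll-db", "public-wifi")
LAN_STALE = replace(REMOTE_OK, device_last_patched=NOW - timedelta(days=30),
                    source_network="corp-lan")

if __name__ == "__main__":
    for req in (REMOTE_OK, LAN_STALE, replace(LAN_STALE, resource="wiki")):
        d = decide(req, NOW)
        print(req.source_network, req.resource, "ALLOW" if d.allow else "DENY", d.reasons)
```

The compliant device on public Wi-Fi is allowed while the stale device on the corporate LAN is denied for the same resource, and that same stale device is still allowed to the lower-sensitivity wiki because each resource is decided separately.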

Want to explore these tenets in more detail? Download “NIST Special Publication 800-207 Zero Trust Architecture.” It includes:

  • A zero trust network view
  • Components of zero trust architecture
  • Deployment scenarios and use cases
  • Threats related to zero trust architecture
  • Zero trust and existing frameworks
  • Guidance on migrating to a zero trust architecture

Zero Trust Blog Bytes

NSTAC Aces Zero Trust Recommendations for Protecting Government Entities


In mid-2022, the National Security Telecommunications Advisory Committee released a report focusing on zero trust and trusted identity management as a cybersecurity best practice. This blog takes a closer look at that report, why a shift to zero trust is important and the role of zero trust in basic cyber hygiene.


How to Talk to Your Boss About Zero Trust


While a then-Forrester analyst introduced the concept of zero trust back in 2010, many non-information security professionals may just now be taking note. This blog offers key guidance on how to have a zero trust conversation with your boss, how to make it easy to understand and how to roll out implementation within your organization.


How to Talk to the Board About Zero Trust


Zero trust isn’t just a term that’s applicable to cybersecurity professionals. It’s an important way of reducing business risk, so if it hasn’t already, it’s likely to catch your board and executives’ attention. Check out this blog to learn how to connect the dots between the tech and business sides in a way your key stakeholders will understand.


Tenable One
Accelerate Your Zero Trust Journey with Tenable One


Thinking of implementing zero trust architecture for your organization? Consider including Tenable One as part of your zero trust strategy. Tenable One gives you foundational visibility into your attack surface, enabling you to discover and inventory all of your assets, discover their vulnerabilities, misconfigurations or other security issues, help you prioritize which issues matter most to your organization and even make best practice recommendations to address them.

Comprehensive Visibility


Understanding your organization’s assets and their related security weaknesses is a key part of adopting a zero trust approach to cybersecurity. With Tenable One, you get continuous visibility into all of your assets and their vulnerabilities across your entire attack surface: IT, OT, Active Directory (AD), and from code to cloud.


Identity Security

Many breaches start with user identity or credential theft. Once attackers gain access to your identity systems, they can quickly escalate privileges and move laterally across your network, often without you knowing they’re there. With Tenable One, you can discover and fix issues within Active Directory to find and respond to attacks in real time.

Risk Prioritization


While your organization may have insight into some of the many vulnerabilities across your attack surface, you might not be sure which ones you should remediate first. With Tenable One, you get a risk-based approach to vulnerability management so you can identify risks and make trust decisions based on risk scores and asset criticality measures.

See Tenable One in Action

Trust no one. Verify everything. Remove attack paths and secure your organization against cyberattacks.
