Continuing our Zero Trust series, today we look at enforcing the principle of never trusting a connection. Zero Trust is built around limiting access, logging and monitoring your network and its users, and segmenting it to reduce threats or damage should a bad actor be able to gain access.
These form its three core principles: never trust a connection, assume a breach has happened or will happen, and enforce least-privileged access. Our series examines how each of these components interacts with the others.
Our last blog focused on least-privileged access and how limiting a user’s privileges makes your network safer. Today’s blog goes beyond that user’s access and digs into what they are doing while connected.
What is Zero Trust Logging and Monitoring
Monitoring and logging are a critical component of your Zero Trust architecture. Secure remote access ensures that a user is given only the privileges needed, and only at the right time, to perform their role. Once that user has that access, you must also know whether they are actually performing their role and that your endpoints have not changed in a way that leaves them open to threats.
Zero Trust Logging and Monitoring Applied
Logging and monitoring applied to your network means all user activity is logged while accessing the environment. The endpoint’s configuration is also monitored, ensuring inputs or changes have not been made by the user that could indicate a threat or attack.
A mature logging and monitoring implementation will alert you when a user's behavior does not align with their role. While they're connected, the user's actions are logged. You will know what changed, when it changed and why, as it happens. Once the connection has terminated, you also compare the endpoint against your baseline.
Should any behavior performed by the user be deemed out of scope for their role's intended purpose, the connection can be flagged or immediately terminated. In tandem with least-privileged access, this significantly increases your security and awareness.
Most importantly, this happens continually across your environment and is automated. Should a bad actor gain access to your environment and start accessing endpoints, you’ll know when it happened and what they did. You are alerted immediately if a user inputs something that is prohibited or exhibits behaviors that could be seen as a threat. A supervisor can review activity further or the user’s connection can be terminated immediately.
These security automations heighten your awareness and give you the response time you need when an attack could be underway. Together with the forensic evidence continually collected by your logging and monitoring setup, you always know what happened, when it happened and who did it.
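To make the workflow above concrete, here is an added example (not the blog's or any vendor's code) of a toy session monitor: it checks each logged command against the user's role, flags and ends the session on the first out-of-role action, and diffs the endpoint against its baseline once the session is over. The role policy, log lines and baseline hashes are constructed for illustration.

```python
# Added example (not the blog's own code): a toy session monitor that checks each
# logged command against the user's role, ends the session on the first
# out-of-role action, and diffs the endpoint against its baseline afterwards.
# Roles, log lines and baseline hashes below are constructed for illustration.
ROLE_POLICY = {  # hypothetical role policy: commands each role is expected to run
    "db-admin": {"psql", "pg_dump", "systemctl status postgresql"},
    "web-ops": {"ls", "tail", "systemctl restart nginx"},
}

def parse_line(line):
    """Parse a constructed log line: '<ts> <user> <role> <host> <command...>'."""
    ts, user, role, host, cmd = line.split(" ", 4)
    return {"ts": ts, "user": user, "role": role, "host": host, "cmd": cmd}

def in_role(cmd, role):
    """True if cmd is an allowed command (bare or with arguments) for role."""
    allowed = ROLE_POLICY.get(role, set())
    return any(cmd == a or cmd.startswith(a + " ") for a in allowed)

def review_session(lines):
    """Walk the session log in order; return (alerts, termination timestamp).
    The first out-of-role command is alerted on and ends the session."""
    alerts = []
    for rec in map(parse_line, lines):
        if not in_role(rec["cmd"], rec["role"]):
            alerts.append((rec["ts"], rec["user"], rec["cmd"]))
            return alerts, rec["ts"]
    return alerts, None

def baseline_drift(baseline, observed):
    """Compare post-session endpoint state to the baseline; return changed keys."""
    return {k: (baseline.get(k), observed.get(k))
            for k in set(baseline) | set(observed)
            if baseline.get(k) != observed.get(k)}

SESSION_LOG = [  # constructed sample session for user alice (role web-ops)
    "2024-05-01T10:00:01Z alice web-ops web01 ls /var/log/nginx",
    "2024-05-01T10:00:09Z alice web-ops web01 tail -n 50 /var/log/nginx/error.log",
    "2024-05-01T10:00:30Z alice web-ops web01 systemctl restart nginx",
    "2024-05-01T10:01:02Z alice web-ops web01 useradd -m tmpuser",
    "2024-05-01T10:01:10Z alice web-ops web01 ls /root",
]
BASELINE = {"/etc/passwd": "sha256:aaa111", "/etc/ssh/sshd_config": "sha256:bbb222"}
OBSERVED = {"/etc/passwd": "sha256:ccc333", "/etc/ssh/sshd_config": "sha256:bbb222",
            "/etc/sudoers.d/tmpuser": "sha256:ddd444"}

if __name__ == "__main__":
    print(review_session(SESSION_LOG))
    print(baseline_drift(BASELINE, OBSERVED))
```

The session is cut at the first out-of-role command, so the trailing `ls /root` line is never reached, and the post-session diff surfaces the two files the session changed.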
The First Two Principles Combined
With the two principles we've discussed in this series acting in unison, you significantly increase your security and reduce threats. By implementing secure, least-privileged access, you permit only as much access as is needed to perform the user's role, only when they need it, and always verify their connection.
With logging and monitoring, you continue to follow that user’s journey, monitoring their connection and the endpoint in real time, logging all actions taken by the user, and implementing automations to alert you if suspicious activity is detected. When a user’s connection ends, the device they connected to is also verified against your baselines.
In the final entry of the Zero Trust series, we’ll look at how assuming a breach has or will happen affects what your network should look like and how it ties into the other two principles.