Zero-trust security describes a set of principles for enforcing strict access controls on sensitive systems. Every user, app, service, or device, whether it sits inside or outside the corporate network, must verify its identity and be explicitly authorized before each access; nothing is treated as trusted simply because of where it connects from. Its overall goal is to strengthen the security of private networks while safeguarding the data contained within.
How does zero-trust security work?
Zero trust contrasts with the long-standing "castle and moat" approach to network security, where tight controls at the perimeter give way to far looser ones once a user is inside. Most of the effort goes into making initial access difficult for bad actors (while making trustworthy users jump through more hoops as a result), after which authenticated and authorized users are assumed to be legitimate. The zero-trust mindset recognizes that someone who successfully impersonates a trusted user (or a trusted user gone rogue) can cause real damage once inside that castle, so every request is verified regardless of where it originates.
Zero-trust security also makes more sense in a multi-cloud landscape, where there are many decentralized access points to manage instead of a single point of entry. These include user accounts and endpoints such as phones, tablets, computers, and virtual environments. Organizations can no longer assume that addressing external-facing weaknesses is adequate while infrastructure complexity and attack surfaces keep growing. There's no well-defined network edge like there once was.
Even so, the concept of zero-trust security is relatively new. Forrester Research analyst John Kindervag coined the term in 2010, and the primary principles of zero trust weren't formalized until roughly 2018, although the underlying idea dates back to the Jericho Forum in 2004. In many ways, security researchers and organizations themselves are actively rewriting aging guidelines (and habits) from years past.
What are the principles of zero-trust security?
We know the inspiration behind zero trust, but how does that look in practice? Here are some key tenets of zero-trust security and why they matter.
Least privilege
Users should have access only to the resources they need and are authorized to view, and the same applies to network and system access. Limiting the scope of each identity's access reduces how much sensitive information, or how many infrastructure weaknesses, a single compromised or careless account can expose. This requires granular permission handling through measures such as role-based access control (RBAC), with access denied by default whenever no explicit grant exists.
Mobile device management (MDM)
User devices are endpoints for sensitive systems, so controlling how they're used and which systems they're accessing, or can access, is critical. All devices must be kept patched and configured to minimize data exposure in the event of loss or theft, and a device's compliance state should feed into access decisions rather than being checked once at enrollment. When a device is no longer in use, it should be wiped and decommissioned as a precaution.
Microsegmentation
Organizations should consider splitting larger security perimeters into smaller, more manageable zones. Just as microservices architectures use decoupled services to streamline maintenance and development, security teams can granularly control permissions and authorization for each designated zone. An individual might have access to one or many zones, but must be authenticated and authorized again each time they cross from one to another.
Multi-factor authentication (MFA)
MFA requires clients to present multiple independent forms of verification to authenticate, for example a password combined with a one-time code or a hardware security key. Simply entering a password isn't enough, as a zero-trust strategy recognizes how often passwords are compromised. Note that challenge question responses are another "something you know" factor and add little beyond a password, while phishing-resistant factors such as hardware keys offer the strongest protection. Two-factor authentication (2FA) is the special case of MFA with exactly two factors.
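To make the one-time-code factor concrete, here is an added example (written for this page, not code from the original post or from HAProxy) of verifying a time-based one-time code on the server side per RFC 6238, which is HOTP from RFC 4226 computed over a 30-second time step. The secret, sample codes and timestamps are the published RFC 6238 SHA-1 test vectors; the clock-skew window and the replay protection are assumptions about how a practitioner would deploy such a verifier, not something the page prescribes.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a zero-padded decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)


def secret_from_base32(encoded: str) -> bytes:
    """Authenticator apps are provisioned with a base32 secret (otpauth:// URI);
    re-add the padding that many provisioning tools strip."""
    cleaned = encoded.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


class TotpVerifier:
    """Server-side verifier with a small clock-skew window and replay protection.

    A code is accepted at most once: the time-step counter of the last accepted
    code is remembered and anything at or below it is rejected, so a code
    captured by a phishing page cannot be replayed within the skew window.
    (Assumed design for this example; persist last_counter per user in practice.)
    """

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, skew: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.skew = skew
        self.last_counter = -1

    def verify(self, submitted: str, at: Optional[int] = None) -> bool:
        if at is None:
            at = int(time.time())
        submitted = submitted.strip().replace(" ", "")
        if len(submitted) != self.digits or not submitted.isdigit():
            return False
        base = at // self.step
        matched = None
        # Check every counter in the window without short-circuiting, so the
        # comparison time does not reveal which step (if any) matched.
        for counter in range(base - self.skew, base + self.skew + 1):
            if counter < 0:
                continue
            if hmac.compare_digest(hotp(self.secret, counter, self.digits), submitted):
                matched = counter
        if matched is None or matched <= self.last_counter:
            return False  # wrong code, or a replay of an already-used step
        self.last_counter = matched
        return True


# RFC 6238 Appendix B test secret (ASCII "12345678901234567890").
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    v = TotpVerifier(RFC_SECRET)
    print(totp(RFC_SECRET, 59))        # 287082 (last 6 digits of RFC vector 94287082)
    print(v.verify("287082", at=59))   # True
    print(v.verify("287082", at=59))   # False: replay of the same step
    print(v.verify("287082", at=89))   # False: step 1 already consumed, even though it is inside the skew window
```

The replay check is the part most home-grown verifiers omit: with a one-step skew window a stolen code stays valid for up to 90 seconds, which is plenty for a real-time phishing relay, so the server must refuse to accept the same time step twice.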
Lateral movement prevention
Organizations should minimize or prevent malicious actors from moving across the network after gaining an initial foothold. Left unchecked or undetected, this lateral movement lets an attacker who compromised one low-value host or account reach systems that were never meant to be accessible from there, uncovering and exploiting infrastructure vulnerabilities along the way.
A microsegmentation strategy can help here. If we imagine a wanted motorist traveling across a city (the network), setting up checkpoints at the borders of each neighborhood (each network segment) gives you many chances to discover and stop that criminal actor, and leaves a record of every checkpoint they passed.
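The least privilege, MDM, microsegmentation and lateral-movement tenets above all come down to the same checkpoint: every request that crosses a segment boundary is evaluated afresh against the caller's verified identity, device state and an explicit grant, and is denied otherwise. Below is an added example of such a checkpoint in Python, written for this page rather than taken from HAProxy or any product it describes. The zones, roles, principals and the sequence of hops are constructed for illustration; the audit trail and the exact order of checks are design assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed policy: each role is granted explicit (zone, action) pairs.
# Anything not listed is denied, which is what least privilege means in practice.
ROLE_GRANTS: Dict[str, Set[Tuple[str, str]]] = {
    "support":  {("app-zone", "read")},
    "deployer": {("app-zone", "deploy"), ("db-zone", "read")},
    "dba":      {("db-zone", "read"), ("db-zone", "write")},
}


@dataclass
class Principal:
    identity: str              # e.g. the subject of an mTLS client certificate
    roles: Set[str]
    mfa_verified: bool         # MFA completed for this session
    device_compliant: bool     # posture reported by MDM: patched, encrypted, not lost


@dataclass
class Request:
    principal: Principal
    source_zone: str
    target_zone: str
    action: str


@dataclass
class Decision:
    allowed: bool
    reason: str


@dataclass
class Checkpoint:
    """Evaluates every request that crosses a zone boundary and keeps an audit trail."""
    audit_log: List[str] = field(default_factory=list)

    def decide(self, req: Request) -> Decision:
        decision = self._evaluate(req)
        self.audit_log.append(
            f"{req.principal.identity} {req.source_zone}->{req.target_zone} {req.action}: "
            f"{'ALLOW' if decision.allowed else 'DENY'} ({decision.reason})"
        )
        return decision

    @staticmethod
    def _evaluate(req: Request) -> Decision:
        p = req.principal
        # Note what is *not* here: no "source_zone is internal, so allow" rule.
        # Being inside the network grants nothing; every hop is re-checked.
        if not p.identity:
            return Decision(False, "unauthenticated")
        if not p.mfa_verified:
            return Decision(False, "mfa required")
        if not p.device_compliant:
            return Decision(False, "device not compliant")
        granted = set().union(*(ROLE_GRANTS.get(r, set()) for r in p.roles))
        if (req.target_zone, req.action) not in granted:
            return Decision(False, f"no grant for {req.action} on {req.target_zone}")
        return Decision(True, "explicit grant")


def trace(checkpoint: Checkpoint, principal: Principal,
          hops: List[Tuple[str, str, str]]) -> List[bool]:
    """Run a sequence of (source_zone, target_zone, action) hops and return each verdict."""
    return [checkpoint.decide(Request(principal, s, t, a)).allowed for s, t, a in hops]


if __name__ == "__main__":
    # Constructed scenario: a support engineer's session is stolen. The first hop
    # (what the role legitimately does) succeeds; the attempt to pivot into the
    # database zone is stopped at the boundary instead of being waved through.
    stolen = Principal("support-alice", {"support"}, mfa_verified=True, device_compliant=True)
    cp = Checkpoint()
    print(trace(cp, stolen, [
        ("user-zone", "app-zone", "read"),
        ("app-zone", "db-zone", "read"),
    ]))                                # [True, False]
    for line in cp.audit_log:
        print(line)
```

The audit log is as important as the verdict: in the castle-and-moat model the second hop would never have been inspected, so there would be nothing for a detection team to alert on. Here the denied pivot from app-zone to db-zone is exactly the signal that a support account is behaving like an attacker.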
Does HAProxy support a zero-trust security approach?
Yes! HAProxy products support a number of features that help make zero-trust security possible for organizations. From IP-based access lists and WAF to mTLS certificate automation, HAProxy gives you the tools to strengthen infrastructure security.
To learn more about zero-trust in HAProxy, check out our blogs on Zero-Trust mTLS Automation with HAProxy and SPIFFE/SPIRE or Rate limiting based on AWS VPC ID.