Ever since mobile devices started connecting to company applications via the internet, there has been an increasing need to implement zero trust security. If you can’t trust the device, network, or connection, zero trust seems like an excellent idea. However, over the past few years, there’s been a lot of confusion as to what it really means.
When did zero trust start? John Kindervag published a paper about the zero trust concept back in 2010. He discussed how this type of security model works. Basically, the zero trust concept means enterprises should not inherently trust any attempt to connect to an application or system. Every attempt must be verified first before any level of user access is granted.
The concept is very simple. You need to assume that all attempts are hostile. This may seem obvious, but this particular concept is antithetical to the cybersecurity model of most organizations. Since the early 1990s, firms have been building a network architecture with a secure perimeter enforced through endpoint-based controls, relying on approved IP addresses, ports, and protocols to authenticate data, applications, and users, which are then allowed to communicate within the network.
On the other hand, zero trust network security treats all traffic, within or outside the perimeter, as hostile. Unless a workload has been authorized, it is considered untrusted and is blocked from any form of communication. Identity-based rules lead to stronger security that travels with the workload regardless of where it communicates – in a hybrid environment, public cloud, container, or on-premises network architecture. Since the protection is environment agnostic, services and applications remain secured even when they communicate across network environments, needing no policy updates or architectural changes.
An important aspect of zero trust security is least privilege access, which removes the trust that users automatically receive when they are inside the conventional network. With zero trust security, least privilege access is applied before granting access to connections, devices, and services, and also governs where and when access is allowed, so that the attack surface is reduced while defenders get a narrower scope to concentrate on.
Today’s networks are extremely hostile. They host applications and data that are critical to businesses, which makes them the perfect target for cyberattacks by hackers who want to hold hostage, destroy, or steal confidential data such as intellectual property, personally identifiable information, and financial data for personal gain.
Although there’s no perfect network security, and data breaches cannot be eliminated entirely, zero trust can significantly reduce the attack surface and restrict the blast radius (the severity and impact) of a cyberattack, which decreases the cost and time of responding to, and cleaning up after, a data breach.
The idea behind a zero trust model is to consider everything, inside or outside the network perimeter, as unauthorized without proper verification. This concept is getting a lot of attention from companies that are struggling to stop data breaches using traditional methods.
Companies that would like to use this model must be prepared to jettison methods that are based on the embedded ideas of trusted insiders and a safe corporate network.
Zero trust was a term that first popped up back in 2010. It referred to a security model in which any device and anyone that tries to connect to any network asset is considered untrustworthy. The model uses device and user credentials, instead of network location, as the basis for granting or denying access to the network.
A zero trust model is crucial in stopping attackers from moving about undetected within a network and looking for targets once they have infiltrated the perimeter. Various data breaches took place because traditional security controls and data leak prevention tools were not able to identify malicious activity performed by external actors who used stolen credentials to move freely. The issue lies in the method used by companies, which implicitly trusts traffic and users on the internal network while treating only external users as untrusted entities.
There are other issues aside from threat actors. A growing mobile workforce and the increasing use of cloud solutions to host services and applications have made it more difficult for many companies to establish and enforce a network perimeter. The old method of gating access to internal resources behind a heavily protected perimeter is no longer effective because enterprises have become so scattered and can be accessed in so many different ways. With zero trust security, everything is considered untrusted.
Implementing Zero Trust
It can be challenging to implement zero trust. One of the pioneers in this area is Google. It spent six years transitioning from VPN and privileged network access to a zero trust network environment. The company also had to restructure and redefine job classifications and roles, create a new master inventory service to monitor devices, gain better visibility over its applications, and then overhaul its user access and authentication control policies.
When you embark on your journey towards zero trust, you have to remember that nothing gets access to internal resources until it is verified as trusted. The trust that is assigned cannot depend on whether the user is trying to access a company application from inside or outside the network perimeter. Access should be based on what you know about the user, what you know about the device, and what it’s trying to access. It should focus on authenticating users securely, identifying their roles and access privileges, and being able to detect abnormal device and user behaviour.
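To make the access rule described above (and the user-plus-device-credentials model from the 2010 definition) concrete, here is an added toy policy decision point. It is example code written for this page, not Google’s or any vendor’s implementation; the users, device IDs, roles, and resources are constructed, and the deliberate point is that `source_network` never influences the decision.

```python
"""Toy zero trust policy decision point (constructed example)."""
from dataclasses import dataclass
from typing import Dict, Set, Tuple


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool   # present in the master inventory
    patched: bool   # passes the posture check


@dataclass(frozen=True)
class Request:
    user: str
    mfa_verified: bool    # user strongly authenticated
    device_id: str
    resource: str
    action: str
    source_network: str   # "corp" or "internet"; intentionally ignored below


# Constructed least-privilege role table: each role gets only what it needs.
ROLE_ENTITLEMENTS: Dict[str, Set[Tuple[str, str]]] = {
    "engineer": {("build-server", "read"), ("build-server", "deploy")},
    "finance": {("ledger-app", "read"), ("ledger-app", "write")},
}
USER_ROLES: Dict[str, str] = {"alice": "engineer", "bob": "finance"}
DEVICE_INVENTORY: Dict[str, Device] = {
    "d-1001": Device("d-1001", managed=True, patched=True),
    "d-2002": Device("d-2002", managed=True, patched=False),
}


def evaluate(req: Request) -> Tuple[bool, str]:
    """Return (allowed, reason). Every request starts untrusted and must
    pass each check: user identity, device identity and posture, role."""
    if not req.mfa_verified:
        return False, "user not strongly authenticated"
    device = DEVICE_INVENTORY.get(req.device_id)
    if device is None or not device.managed:
        return False, "device not in inventory"
    if not device.patched:
        return False, "device fails posture check"
    role = USER_ROLES.get(req.user)
    if role is None:
        return False, "unknown user"
    if (req.resource, req.action) not in ROLE_ENTITLEMENTS[role]:
        return False, f"role {role} not entitled to {req.action} on {req.resource}"
    return True, "allowed"
```

A real deployment would back the inventory and role tables with an identity provider and device management service and would log every denial for the detection team; the check order here is the same one the text lists.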