The idea behind a zero trust model is to treat everything, inside or outside the network perimeter, as unauthorized until it has been properly verified. The concept is getting a lot of attention from companies that are struggling to stop data breaches with traditional methods.
Companies that want to adopt this model must be prepared to jettison methods built on the ingrained assumptions of trusted insiders and a safe corporate network.
Zero trust is a term that first appeared in 2010. It referred to a security model in which any device and any person that tries to connect to a network asset is treated as untrusted. The model uses device and user credentials, instead of network location, as the basis for granting or denying access to the network.
A zero trust model is crucial for stopping attackers who have already breached the perimeter from moving about the network undetected in search of targets. Various data breaches occurred because traditional security controls and data leak prevention tools could not identify malicious activity by external actors who used stolen credentials to move freely. The underlying issue is the approach many companies take: traffic and users on the internal network are trusted implicitly, while only external users are considered untrusted.
There are other issues aside from threat actors. A growing mobile workforce and the increasing use of cloud solutions to host services and applications have made it harder for many companies to establish and enforce a network perimeter. The old method of gating access to internal resources behind a heavily protected perimeter is no longer effective, because enterprises have become so distributed and can be accessed in so many different ways. With zero trust security, everything is considered untrusted.
Implementing Zero Trust
Implementing zero trust can be challenging. One of the pioneers in this area is Google. It spent six years transitioning from VPN and privileged network access to a zero trust network environment. The company also had to restructure and redefine job classifications and roles, create a new master inventory service to monitor devices, gain better visibility into its applications, and then overhaul its user access and authentication control policies.
When you embark on your journey towards zero trust, remember that nothing gets access to internal resources until it has been verified as trusted. The trust that is assigned cannot depend on whether the user is trying to access a company application from inside or outside the network perimeter. Access should be based on what you know about the user, what you know about the device, and what it is trying to access. The focus should be on authenticating users securely, identifying their roles and their access privileges, and being able to identify abnormal device and user behaviour.
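The access decision described above, as an added example that is not code from this article or from Google's implementation: a minimal policy decision function that grants access only on verified user identity, a known compliant device, the user's role for the requested resource, and the absence of abnormal behaviour. The resource names, roles, field names and the two sample requests are constructed for the demonstration; the source IP is recorded but never used to decide.

```python
# Added illustrative example of a zero-trust policy decision point (constructed,
# not from the article or any vendor product). Network location is ignored:
# an internal address earns no trust and an external one costs none.
from dataclasses import dataclass

# Constructed sample mapping: which roles may reach which internal resources.
RESOURCE_ROLES = {
    "hr-portal": {"hr", "admin"},
    "source-repo": {"engineer", "admin"},
    "billing-db": {"finance", "admin"},
}

@dataclass
class AccessRequest:
    user: str
    roles: set
    mfa_verified: bool          # strong user authentication completed
    device_id: str
    device_in_inventory: bool   # device is known to the inventory service
    device_compliant: bool      # patched, disk encrypted, managed, etc.
    anomaly_score: float        # 0.0 (normal) .. 1.0 (highly abnormal behaviour)
    source_ip: str              # logged only; deliberately not a trust signal
    resource: str

def decide(req: AccessRequest, anomaly_threshold: float = 0.7) -> tuple:
    """Return (allowed, reason). Every check is about user, device, role and
    behaviour; none of them looks at req.source_ip."""
    if not req.mfa_verified:
        return False, "user not strongly authenticated"
    if not req.device_in_inventory:
        return False, "device not in inventory"
    if not req.device_compliant:
        return False, "device fails compliance checks"
    allowed_roles = RESOURCE_ROLES.get(req.resource)
    if allowed_roles is None:
        return False, "unknown resource"
    if not (req.roles & allowed_roles):
        return False, "role not permitted for resource"
    if req.anomaly_score >= anomaly_threshold:
        return False, "abnormal user/device behaviour"
    return True, "verified user, device and role"

# Constructed requests: same user and resource, one from an internal address with
# an unknown device, one from an external address with a verified device.
INTERNAL_UNVERIFIED = AccessRequest("alice", {"engineer"}, True, "lap-01", False, True,
                                    0.1, "10.0.5.23", "source-repo")
EXTERNAL_VERIFIED = AccessRequest("alice", {"engineer"}, True, "lap-02", True, True,
                                  0.1, "203.0.113.9", "source-repo")

if __name__ == "__main__":
    for r in (INTERNAL_UNVERIFIED, EXTERNAL_VERIFIED):
        print(r.source_ip, r.resource, decide(r))
```

The internal request is denied and the external one allowed, which is the inversion of the perimeter model the article describes.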