Ever since mobile devices started accessing company applications over the internet, there has been an increasing need to implement zero trust security. If you can’t trust the device, the network, or the connection, zero trust seems like an excellent idea. However, over the past few years there has been a lot of confusion about what it really means.
When did zero trust start? John Kindervag published a paper about the zero trust concept back in 2010, in which he described how this type of security model works. Basically, the zero trust concept means enterprises should not inherently trust any attempt to connect to an application or system. Every attempt must be verified first, before any level of user access is granted.
The concept is very simple: you assume that every access attempt is hostile. This may seem obvious, but it is the opposite of the cybersecurity model most organizations have relied on. Since the early 1990s, firms have built network architectures around a secure perimeter, using endpoint-based controls that depend on approved IP addresses, ports and protocols to authenticate users, applications and data, which are then trusted to communicate freely within the network.
On the other hand, zero trust network security treats all traffic, inside or outside the perimeter, as hostile. Unless a workload has been explicitly authorized, it is considered untrusted and is blocked from any form of communication. Identity-based rules produce stronger security that travels with the workload regardless of where it communicates, whether in a hybrid environment, a public cloud, a container, or an on-premises network. Because the protection is environment agnostic, services and applications remain secured even when they communicate across network environments, with no policy updates or architectural changes required.
An important aspect of zero trust security is least privilege access, which removes the trust users automatically received simply by being inside the conventional network. With zero trust security, least privilege is applied before access is granted, taking into account the connection, the device, the service, and the where and when of the request, so that the attack surface is reduced and defenders can concentrate on a narrower scope.
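To make the contrast between the perimeter model and the identity-based, least-privilege model concrete, here is an added example (not from the original article or any product) of a default-deny policy evaluator: the perimeter check trusts anything from an "inside" IP range, while the zero trust check ignores location and allows a request only when a verified identity, the resource, the action, the device posture and the time window all match a rule. All identities, IP ranges and service names are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Everything below is constructed for illustration; identities, ranges and
# service names are hypothetical and not taken from any real deployment.

@dataclass(frozen=True)
class Rule:
    subject: str                  # verified workload identity, never an IP address
    resource: str                 # the service or data being accessed
    action: str                   # least-privilege verb ("read", not blanket access)
    require_managed_device: bool = True
    allowed_hours_utc: tuple = (0, 24)   # the "when": start inclusive, end exclusive

@dataclass(frozen=True)
class Request:
    subject: Optional[str]        # None models a connection with no verified identity
    resource: str
    action: str
    source_ip: str
    managed_device: bool
    at: datetime                  # assumed to be in UTC

PERIMETER = ip_network("10.0.0.0/8")   # hypothetical "inside the network" range

def perimeter_decision(req: Request) -> bool:
    """Conventional model: location decides, so anything inside the perimeter is trusted."""
    return ip_address(req.source_ip) in PERIMETER

def zero_trust_decision(req: Request, rules: List[Rule]) -> bool:
    """Default deny. Allow only when a rule matches identity, resource, action,
    device posture and time window. The source IP is never consulted, so the
    same answer is produced on-premises, in a container or in the public cloud."""
    if req.subject is None:
        return False
    for r in rules:
        if (r.subject, r.resource, r.action) != (req.subject, req.resource, req.action):
            continue
        if r.require_managed_device and not req.managed_device:
            continue
        start, end = r.allowed_hours_utc
        if not start <= req.at.hour < end:
            continue
        return True
    return False

# One narrowly scoped rule: the payments API may only read the ledger, from a managed
# device, during business hours (UTC). Nothing else is permitted.
RULES = [Rule("spiffe://example.invalid/payments-api", "ledger-db", "read",
              require_managed_device=True, allowed_hours_utc=(8, 18))]
```

Run the two decision functions side by side on the same request: an unidentified connection from the "trusted" 10/8 range passes the perimeter check but fails zero trust, while the authorized workload connecting from a public cloud address fails the perimeter check but passes zero trust.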
Today’s networks are extremely hostile environments. They host applications and data that are critical to businesses, which makes them the perfect target for cyberattacks by hackers who want to steal, destroy, or hold hostage confidential data such as intellectual property, personally identifiable information, and financial data for personal gain.
Although there is no perfect network security and data breaches cannot be eliminated entirely, zero trust can significantly reduce the attack surface and restrict the blast radius (the severity and impact) of a cyberattack, which decreases the time and cost of responding to, and cleaning up after, a data breach.