Zero Trust security means exactly what it sounds like – you should trust nothing. It is the next wave of security being adopted by IT professionals looking for new, more modern methods to secure networks, systems, clouds, data and applications. Zero Trust is grounded on the concept that organizations should not automatically trust anything inside or outside their security perimeters and should validate everyone and everything trying to gain access. But with so much at risk and a continuous rise in data breaches – up 33% over the last year[i] – many businesses still rely on traditional security practices.
The Zero Trust model breaks with the legacy security practice of organizations defending their network perimeter with thicker walls and wider moats while assuming everything inside their network was not a threat. In large part, hackers, once they gain access inside a corporate firewall, have been able to move through internal systems without resistance. This is because companies no longer have corporate data centers serving a contained network of systems; instead they typically have some applications on-premises and some in the cloud, with users – employees, partners, customers – accessing applications from a range of devices and multiple locations.
Understanding that existing approaches do not solve these challenges, CISOs and IT organizations are seeking something better. In many cases, the Zero Trust model is that answer.
The Technologies of Zero Trust
Zero Trust principles rely on existing technologies and governance processes in order to secure enterprise IT environments. In particular, Zero Trust supports a micro-segmentation strategy and more granular perimeter policy controls based on identity (i.e., users), locations and other data to determine whether to trust a user, server or application seeking access to a particular part of the enterprise.
It all comes down to understanding the enterprise user. An enterprise should be able to verify that the user is who they say they are, where they are coming from (i.e., the device), and whether that device is a supported and secure endpoint. Additionally, the user has a set of granular policies that indicate what minimum components can be accessed to do his/her job.
To accomplish this, Zero Trust leverages existing security technologies such as identity and access management (IAM), multi-factor authentication (MFA) orchestration, permissions management, scoring, encryption and analytics. It also includes a primary governance policy of giving users the least amount of access they need to execute a specific task.
Zero Trust is becoming more trusted
Despite its slow uptake among security professionals, Zero Trust is gaining momentum. Major hyperscalers such as Amazon, Google and Microsoft, and networking and telecommunications giants such as Cisco and Verizon, have announced Zero Trust architectures for their cloud and networking platforms.[ii]
Beyond the largest hyperscalers, a number of enterprise IT organizations are already implementing different components of Zero Trust, including IAM, multifactor authentication and some level of policy controls. They are also increasingly implementing micro-segmentation strategies to look at east-west traffic within their environment. In fact, according to a Cybersecurity Insiders and Zscaler’s Zero Trust adoption survey, “78% of security IT teams are looking to embrace a Zero Trust model in the near future.”[iii]
That being said, executing a Zero Trust strategy is not just about implementing these individual technologies. It’s also about using these capabilities to enforce the idea that no one and nothing can have access until they have proven they are trusted users.
Zero Trust requires protecting a greater attack area
The distributed nature of today’s digital world requires security organizations to think beyond the perimeter of their corporate network. As more data creation and consumption happens at the edge, outside the boundaries of the corporate security perimeter, new edge security measures need to be put in place. Companies need to be able to gain visibility into the users, devices and systems that may be trying to access corporate data and applications. Policy-based controls are required that consistently monitor and respond to both legitimate and illegitimate access requests, and reports and alerts need to be generated in real time to support a proactive threat detection and response strategy.
Some of the best practices of a Zero Trust policy include:
- Verifying all users with multifactor authentication. This addresses the idea of validating the identity of every user (privileged user, end-user, customers, partners) using multiple factors.
- Device verification that includes ensuring that any device used to access internal resources meets an organization’s security requirements.
- Limiting access through “least privileged access” policies to better control what users are able to get into. For example, governance policies can be established that limit user access based on the task they are doing.
- Monitoring and reviewing all user activity across the network. This will help identify any suspicious activity in real time.
- Adopting attribute-based controls to authorize access to resources across the whole security stack – from cloud and on-prem applications, to APIs, to data and infrastructure.
- Segmenting access by network, devices, and apps into more controllable segments to mitigate and contain breaches and minimize their impact.
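The best practices above combine naturally into a single deny-by-default decision: a request is allowed only if identity (MFA), device posture, least privilege (role and action) and segmentation checks all pass, and every decision is recorded for review. The following Python policy decision function is an added example and is not code from the original article; the resource names, roles and segments it uses are constructed for illustration.

```python
"""Deny-by-default access decision combining Zero Trust checks.

Added example, not from the original article. Resources, roles and
segments below are constructed sample values.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class AccessRequest:
    user: str
    roles: FrozenSet[str]
    mfa_verified: bool        # identity confirmed with a second factor
    device_compliant: bool    # endpoint passed the organization's posture check
    source_segment: str       # network/application segment the request originates from
    resource: str
    action: str


@dataclass(frozen=True)
class ResourcePolicy:
    allowed_roles: FrozenSet[str]
    allowed_actions: FrozenSet[str]
    allowed_segments: FrozenSet[str]


# Constructed sample policy table (hypothetical resources and segments).
POLICIES: Dict[str, ResourcePolicy] = {
    "payroll-db": ResourcePolicy(
        allowed_roles=frozenset({"payroll-admin"}),
        allowed_actions=frozenset({"read", "write"}),
        allowed_segments=frozenset({"seg-finance"}),
    ),
    "wiki": ResourcePolicy(
        allowed_roles=frozenset({"employee", "payroll-admin"}),
        allowed_actions=frozenset({"read"}),
        allowed_segments=frozenset({"seg-corp", "seg-finance"}),
    ),
}

# In-memory audit trail; a real deployment would ship this to a SIEM.
AUDIT_LOG: List[str] = []


def evaluate(req: AccessRequest,
             policies: Dict[str, ResourcePolicy] = POLICIES) -> Tuple[bool, Tuple[str, ...]]:
    """Return (allowed, reasons). Every check must pass; anything unknown is denied."""
    reasons: List[str] = []
    policy = policies.get(req.resource)

    # Resource not covered by any policy: no implicit trust.
    if policy is None:
        reasons.append("unknown resource")
    # Identity: every user must have completed MFA.
    if not req.mfa_verified:
        reasons.append("mfa not verified")
    # Device posture: only compliant endpoints may reach internal resources.
    if not req.device_compliant:
        reasons.append("device not compliant")
    if policy is not None:
        # Least privilege: role must be permitted for this resource and action.
        if not (req.roles & policy.allowed_roles):
            reasons.append("role not permitted for resource")
        if req.action not in policy.allowed_actions:
            reasons.append(f"action {req.action!r} not permitted")
        # Segmentation: request must come from an approved segment.
        if req.source_segment not in policy.allowed_segments:
            reasons.append(f"segment {req.source_segment!r} not permitted")

    allowed = not reasons
    # Monitoring: record every decision, allowed or denied, for review.
    AUDIT_LOG.append(
        f"user={req.user} resource={req.resource} action={req.action} "
        f"allowed={allowed} reasons={';'.join(reasons) or '-'}"
    )
    return allowed, tuple(reasons)


def audit_entries() -> List[str]:
    """Return a copy of the recorded decisions."""
    return list(AUDIT_LOG)


if __name__ == "__main__":
    req = AccessRequest("alice", frozenset({"payroll-admin"}), True, True,
                        "seg-finance", "payroll-db", "read")
    print(evaluate(req))
    for line in audit_entries():
        print(line)
```

Because the function collects every failing check rather than stopping at the first, a denied request's reasons tell an analyst exactly which control fired, which is what the real-time monitoring practice above needs.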
Optimizing Zero Trust architectures at the edge
Zero Trust architectures do not require data center security experts to tear up and replace the existing network or implement expensive new software solutions. Additional segments and access policies based on users, applications and data types can be implemented incrementally, allowing security measures to be scaled up over time. Organizations should begin at the edge, imposing strict policies on users and devices to ensure that unauthorized users aren’t able to access the network.
By leveraging Zero Trust principles, enterprises can significantly strengthen their perimeter defense to combat critical vulnerabilities posed at the digital edge. Despite the security concerns raised by new users and devices, implementing Zero Trust to protect edge computing frameworks can help organizations guard against both known and unknown threats. It’s also a security architecture that can grow along with an edge network, continually expanding to protect infrastructure from unauthorized access.
For more information, read the Distributed Security Blueprint
[i] Risk Based Security, “Q3 2019 Data Breach QuickView Report,” November 2019.
[ii] Amazon, Google, Microsoft, Cisco and Verizon Zero Trust architectures.
[iii] Cybersecurity Insiders and Zscaler, “2019 Zero Trust Adoption Report,” 2019.