Zero trust is a new security model initially developed in 2010 by John Kindervag of Forrester Research. The zero trust model, as its name suggests, assumes that any connection, endpoint, or user is a threat, and the network needs to defend against all threats, both internal and external.
While this may sound a bit paranoid, it is exactly what organizations need in a world where IT is highly distributed, with systems deployed in the cloud and at the edge, millions of IoT devices, and many employees working from home or via mobile devices. The old idea of the “network perimeter” is dying and is being replaced with the idea of the zero trust network.
In practice, here is how the zero-trust security model works in an organization’s network:
- Zero trust employs least-privilege access to ensure users can only access resources on a limited basis.
- Zero trust verifies and authorizes each connection and ensures the interaction meets all requirements set by organizational security policies.
- It authenticates and authorizes each device, connection, and network flow according to dynamic policies, using context from many data sources.
These best practices for security ensure that if any user or device accesses a network resource in an anomalous or unauthorized manner — they will be blocked, and security will be immediately notified. This process creates watertight protection against even the most sophisticated threats, even if they are already inside the network.
Why Is Zero Trust Gaining Popularity?
The demand for products supporting zero trust is continuously growing. The global zero trust market is likely to double in five years, projected to reach over $50 billion in 2026. The main factors driving this market are the frequency of targeted cyber attacks, new data protection regulations, and information security standards.
Many organizations are adopting a centralized approach to identity and access management (IAM), a key component of a zero-trust architecture. Companies are increasingly implementing IAM technologies and control mechanisms like multi-factor authentication (MFA) and single sign-on (SSO).
Another trend leading to the adoption of zero trust started with the pandemic—many organizations switched to zero trust network access (ZTNA) instead of relying on virtual private networks (VPNs).
Zero trust security can help organizations defend against sophisticated attackers and modernize their cybersecurity infrastructure. It also improves user access to cloud applications. Zero trust approaches incorporate advanced security technologies focusing on data protection, integrating with existing identity management and endpoint protection systems.
Zero Trust Architecture Principles
The modern network is a highly dynamic and complex environment with no defined perimeter to protect. Remote work and bring your own device (BYOD) paradigms allow employees and third parties to connect to the network sporadically to gain access to resources. The supply chain includes many partners and vendors that can integrate with the network to provide service.
A user can be a human employee or a partner API that connects as needed to the network, which can see numerous connections from diverse locations and devices worldwide. As a result, there is no defined perimeter, and it can be difficult to distinguish between legitimate connections and malicious intrusions.
Additional endpoint threats the modern network faces include accidental data leaks and unintentional download of malicious software (malware) by legitimate users, and data theft by insider threats or malicious intruders. Phishing schemes have become common as cybercriminals realize they can penetrate networks by manipulating employees of all ranks.
Unlike traditional security paradigms that defend the inside of a network against external threats, the zero-trust security model protects against both internal and external threats. By assuming what’s inside the network is untrustworthy, the model can apply protections that prevent cyber criminals from exploiting endpoints to breach the network.
Zero trust principles
The zero trust model treats all connections and devices are untrustworthy to block threats while allowing access. The architecture helps protect resources while adhering to the National Institute of Standards and Technology (NIST) zero trust tenets. Here are the core principles:
- Resources—the architecture considers all computing services and data sources as resources.
- Communication—it secures all communication regardless of the network location, working under the assumption that all networks are hostile and untrustworthy.
- Sessions—the zero trust architecture grants access to each enterprise resource on a per-session basis.
- Policies—it uses a dynamic policy to enforce access to resources. The policy includes the observable state of identity, application, device, and network and might include behavioral attributes.
- Monitoring—the enterprise must monitor assets to ensure all remain in a secure state.
- Dynamic—resource authentication and authorization is always dynamic and enforced strictly before allowing access.
- Data—enterprises must collect sufficient information about the current state of communications and network infrastructure, using this data to continuously improve the enterprise’s security posture.
Zero Trust Technologies
Zero trust is not just an idea – it is also a set of technologies built to help organizations implement its principles. The following are the most important technologies that can help an organization implement zero trust.
Secure Access Service Edge (SASE)
SASE is a cloud architecture model that consolidates network and Security as a Service functions into one cloud service. It enables organizations to unify all network and security tools into one management console, providing a simple networking and security tool that is independent of the location of employees and resources.
Zero Trust Network Access (ZTNA)
ZTNA is a remote access security solution that implements specific privileges for applications. It grants access according to granular policies when responding to remote workers’ requests for company assets. The solution evaluates each request individually, considering the context and authentication details such as role-based access control (RBAC) policies, IP address, location, time constraints, and role or user group.
ZTNA is highly beneficial when deployed as part of a SASE solution that unifies the network security stack with network optimization features such as software-defined WAN (SD-WAN). Implementing SASE enables organizations to replace a traditional perimeter-based approach with a zero trust security model.
Next-generation Firewall (NGFW)
An NGFW is a third-generation firewall technology you can implement in software or hardware. This technology enforces security policies at the port, protocol, and application levels to detect and block sophisticated attacks. Here are common NGFW features:
- Integrated intrusion prevention systems (IPSes).
- Application awareness.
- Identity awareness through user and group control.
- Using external intelligence sources.
- Bridged and routed modes.
Most NGFW products integrate at least three basic functions: enterprise firewall capabilities, application control, and an IPS. NGFWs provide additional context to the firewall’s decision-making process. The technology enables the firewall to understand web application traffic details as it passes through and block suspicious traffic.
Identity and Access Management
Identity and access management (IAM) is a framework that utilizes business processes, policies, and technology to facilitate the management of digital or electronic identities. It enables IT staff to control user access to information.
Common IAM capabilities include single sign-on (SSO), two-factor authentication (2FA), multifactor authentication (MFA), and privileged access management. These technologies help securely store identity and profile data and apply data governance functions to control data sharing.
Microsegmentation helps split a network into logical and secure units using policies to determine access to data and applications. You can apply network micro-segmentation to cloud environments as well as data centers.
Organizations can harden their security by splitting the network into smaller parts and limiting traffic types allowed to laterally traverse through the network. It also enables security teams to determine how applications share data within a system, the direction for sharing it, and the required security and authentication measures.
How Zero Trust Will Change Security
A modern workplace does not require all employees to work from the same location. Remote work has enabled companies to employ geographically dispersed individuals and collaborate with partners in different countries. Physical proximity is no longer a factor in security planning.
Zero trust makes the user’s physical location irrelevant. It ensures continuous verification regardless of the location or network, improving the organization’s security by universally restricting access.
Reducing Friction with Security Teams
Development teams often view security teams as a hindrance because they bar the use of some tools or add security steps to work processes. Zero trust reduces this friction by eliminating security restrictions and verifying each user when accessing an application remotely. Employees can use their devices without going through a firewall or VPN.
As a result, DevOps teams trust the security team and cooperate more readily.
Fulfilling an Organization’s Security Needs
Zero trust helps maintain visibility over all the network’s endpoints, allowing security teams to verify endpoints before granting access. Higher visibility allows teams to prevent cyberattacks proactively.
Initially, most companies relied on VPNs when transitioning to a remote work model. However, VPNs cannot always accommodate all the traffic from a large remote workforce. The future will likely see hybrid work models become the norm, with zero trust as the only viable option for maintaining security in the long term.
Featured Image Credit: Photo by Cottonbro; Pexels; Thank you!