Zero Trust security concept is a model and framework developed by former Forrester analyst John Kindervag in 2010. Since then, the Zero Trust model is widely adopted, with leading researchers at Gartner, Microsoft, and Google all developing and implementing their variations of Zero Trust frameworks while keeping the core concept intact.
With the number of cyberattacks rapidly growing in numbers and sophistication, organizations need an IT security framework that mitigates the risks of bad actors penetrating their perimeter. The Zero Trust framework equips them with a proactive approach toward protecting corporate data.
Number of Cyberattacks Grows Globally
The core concept of the Zero Trust framework, as its name suggests, is the introduction of a model in which organizations implement a least-privilege approach, not trusting users behind their corporate firewalls in the same way they do not trust third-party connections. The Zero Trust method naturally addresses the problem with the growing number and types of insider threats organizations need to deal with across complex and distributed IT environments.
Basics of the Zero Trust Framework
The Zero Trust model does not rely on a single technology to protect organizations' data. The framework incorporates different technologies and best security practices to deliver a centralized view about who, how, and why is accessing apps and data. Furthermore, the Zero Trust model is deeply interested in whether an application or a user has explicit permission to access the digital resource in question.
In short, the Zero Trust framework introduces a mindset of "never trust, always verify" as opposed to classic IT security models, which are based on a "trust but verify" philosophy. A growing number of organizations adopt the Zero Trust approach's core principles without realizing that they follow the model. The primary security principles include:
- Least-privilege Access: Limits user access to allow access to information a user needs to perform his immediate job tasks. Limits application permissions to avoid the spread of malware once it has penetrated a system
- Micro-segmentation: Segments the corporate network into components with different access credentials and user access rights; this prevents bad actors from easily penetrate other networked segments once they have access to one component of the network
- Data Usage Controls: Prevents users from performing specific actions with data to which they have legitimate access; this may include restricting email actions, copying of files, or any other action related to working with data
In contrast to traditional security models, the Zero Trust framework is also protecting the perimeter but focuses on preventing threats from spreading across and within the network by creating granular micro-segmentation. Thus, the Zero Trust model can effectively protect granular perimeters based on where data resides, the user requesting access to that data, and the kind of data being accessed.
In other words, the Zero Trust model wants to know who is accessing specific data from where and why and whether the actor has specific credentials for initiating and performing such action.
Why CISOs Should Embrace Zero Trust
The classic IT security model works well for protecting the perimeter from known threats or threat patterns across a relatively tightly bound IT ecosystem. Both networks and threats are getting increasingly complex, with environments including cloud-based components, remote workplaces, and Wi-Fi mobile devices. Therefore, one should expand the definition for a perimeter far beyond what is reasonable to call a corporate network perimeter.
Instead, the Zero Trust model focuses on users and the data they access, with users being both human beings and applications that connect to corporate digital assets and systems.
Below is a diagram by the Identity Defined Security Alliance (IDSA), which describes how a Zero Trust architecture works in identity verification where both human and machine users are part of the process.
Identity Defined Security Reference Architecture
Vendors such as Google and Microsoft and researchers like Gartner and Forrester use a similar model to protect corporate networks from all sides and insider threats.
As networks evolve and a typical corporate network involves hundreds of endpoints, servers and applications, many of those resources are mobile. In the cloud, Chief Information Security Officers can no longer stick to the traditional concept of securing the perimeter by defining lists of trusted users and apps.
The Zero Trust model offers better security by not trusting anyone by default, mitigating the risks associated with insider threats and bad actors originating from outside the perimeter.
Moreover, by building a granular network, the Zero Trust model contains a possible data breach within the penetrated segment and prevents the bad actor from accessing data and resources from other parts of the network.
Organizations Suspect Cyberattacks Are Getting More Successful
The Zero Trust model does not trust a single technology for protecting organizations' data. The overall model binds into a working unified framework, different security methods, tools, and approaches to achieve the ultimate goal of not allowing unauthorized access to data and exfiltration of sensitive information.
It is of increasing importance in an environment where data breaches are becoming a norm and in which nearly half of the IT security decision-makers believe their global network was compromised at least once a year.
How to Deploy the Zero Trust Model
Many organizations, especially small and mid-sized enterprises, do not realize that they have already adopted and actively operate one or more components of a Zero Trust framework. Requiring two-factor authentication (2FA) is one of the many components of a Zero Trust approach. The same is true for applying a comprehensive Bring-Your-Own-Device (BYOD) policy or adoption of tools for data loss prevention (DLP tools).
Implementing a Zero Trust model is about adopting a security-conscious mindset and encouraging cybersecurity awareness while always verifying access and login requests.
A working Zero Trust strategy requires an organization to pay attention to the following areas:
- Data: Data protection is the most fundamental security layer in Zero Trust. When data is protected under a Zero Trust strategy, attackers have limited access to sensitive data once inside the perimeter and before the in-house systems can detect abnormal behavior and data access requests
- Networks: By segmenting the network, a Zero Trust model limits an attacker's ability to get access to more than one network segment of the network before being detected
- People: Insider threats are a growing security concern, while a Zero Trust strategy keeps a close eye on all user activities, permissions, and login credentials
- Workloads and Devices: By not trusting any software or device by default, a Zero Trust model largely eliminates another threat vector by limiting the chance of malicious application or infected device from spreading malware inside the perimeter
- Visibility: An organization should equip its IT security team with all the tools to have a complete view of all operations and connections across the entire corporate network. The security team should have access to analytical tools for dissecting any incident while the pressure is growing for adopting machine-learning algorithms to fight unknown threats
- Automation: No organization can afford to maintain a Zero Trust model by manually monitoring the entire network and responding to incidents manually. Automation and orchestration are integral parts of a working Zero Trust implementation
Organizations can select among many available technologies and software tools to address the specific challenges they face in any of the above-listed areas. Nonetheless, one of the critical components of a working Zero Trust framework and strategy is building the required security mindset across both employees and managers.
Organizations can quickly fall into the trap of focusing all their efforts on securing their perimeter while leaving the inside of the network unprotected and allowing both malicious insiders and outside attackers to access business-critical resources and sensitive data.
A Zero Trust strategy can offer a feasible framework for mitigating the full spectrum of cybersecurity risks by introducing a proactive model of verifying every attempt to access data and systems by any user, application, or device.