Security in most organizations is focused on keeping intruders out. Cyberattacks have become much more precise in their methods, and we can no longer explicitly trust our own people – those on the inside.
In an article published by CSO Online, contributing writer Kary Pratt described Zero Trust this way:
“The Zero Trust model of information security basically kicks to the curb the old castle-and-moat mentality that had organizations focused on defending their perimeters while assuming everything already inside didn’t pose a threat and therefore was cleared for access.”
Pratt further emphasized the flaws of “trust” by pointing out that some of the most damaging data breaches happened because once the attackers were given access to “enter the castle,” they could explore internal systems with little resistance.
An example of the flawed concept of only needing to protect the perimeter is the case of Edward Snowden. As an NSA subcontractor, he was allowed past strong exterior layers of security. Once he had access to the network, there were no further authentication measures preventing Snowden from downloading top-secret information.
If the NSA had implemented a Zero Trust security framework, Snowden would have been met with authentication procedures within the internal network, preventing him from taking sensitive materials.
What is Zero Trust?
The term “Zero Trust” is attributed to a security analyst at Forrester Research. Zero Trust is relatively simple in concept: don’t trust anyone. It doesn’t matter what title they hold or what rights they have been granted; verify everyone and everything attempting to connect to your systems, regardless of how insignificant that system may be.
Jon Favreau’s character, Happy, in Iron Man 3 tried to enforce a physical model of Zero Trust by requiring all personnel to wear a security badge. Walking through the halls of Stark Industries, he would say, “Badge…badge…badge”, identifying anyone not openly wearing their required credentials. In a Zero Trust environment, anyone without a badge would have been stopped from roaming the halls or even removed from the premises. That is a very simple, non-technical description of Zero Trust.
The CTO of Enterprise and Advanced Projects Group at Akamai Technologies, Charlie Gero, said,
“The strategy around Zero Trust boils down to don’t trust anyone. We’re talking about, ‘Let’s cut off all access until the network knows who you are. Don’t allow access to IP addresses, machines, etc. until you know who that user is and whether they’re authorized.’”
An underlying principle of Zero Trust is a governance policy giving users the least amount of access they need to accomplish a specific task. Before someone can gain access to any part of your infrastructure, you have to know who they are, which endpoint they are coming from, the security level and status of that endpoint, and what they are trying to access. No exceptions.
Zero Trust is the Knights Who Say “Ni!” No one passes without a shrubbery.
Security for a Connected World
It is essential to understand that Zero Trust Network Access is not solely to protect against hackers’ malicious threats. In a highly connected cloud environment, networks and devices are entwined in a complex web of collecting and sharing data.
There are multiple entry points to our networks and countless endpoints shared in an ever-expanding world-wide internet. Implementing Zero Trust Network Access is critical. Authentication and authorization must be enforced at every entry point of our networks to ensure visitors, welcomed or not, are screened and validated before any request is granted.
New ways of thinking and strict constraints need to be built around and within our networks. No system exists in isolation. Companies today have some applications on-premises and some in the cloud, with employees, partners, and customers accessing data from a range of applications and devices from multiple locations. Gone are the days of isolated corporate data centers serving a contained network of systems.
Chase Cunningham, a principal analyst at Forrester, said,
“We essentially trust way too much. That’s why the internet took off – because everyone could share everything all the time. But it’s also a key fail point: If you trust everything, then you don’t have a chance of changing anything security-wise.”
Cunningham thinks of Zero Trust as organizations taking back control of the battlefield.
Zero Trust is not making a system trusted. It is about eliminating trust. Zero Trust is not a technology; it is a mindset. A new way of thinking.
Implementing a Zero Trust Network Access model involves a great deal of technology and consistent management to give the right people access to the correct information. There are network security providers that can help create and maintain Zero Trust security practices.
For example, Exium provides a modern 5G standards-based, cloud-based security technology referred to as Intelligent Cybersecurity Mesh™ made to deliver complete protection across all connected devices at all places. Exium’s Zero Trust Network Access stops attacks from untrusted or suspicious networks with a high-powered software-defined perimeter model.
According to a Data Breach Study by the Ponemon Institute, the average cost of a data breach is $3.62 million. That was in 2017. Forbes expects spending on cybersecurity products and services to reach $128 billion in 2020.
No company is expected to implement a complete Zero Trust security solution overnight. Identify one area of your network, even just one system, and build from there. Take the approach of shutting everyone out. Then, start creating authentication criteria to allow access. The process will be slow at first, but once policies and practices take hold, your Zero Trust Network Access model will quickly take shape.
When allowing access, less is more. Limiting access strengthens your security.
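The deny-by-default approach above, combined with the four facts the article says must be known before access is granted (who the user is, which endpoint they come from, that endpoint's security status, and what they are trying to access), can be sketched as a single decision function. This is an added illustration, not code from any vendor or product named here; the users, devices, resources and posture fields are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed least-privilege grants: (user, resource) -> allowed actions.
# Anything not listed here is denied.
GRANTS = {
    ("alice", "payroll-db"): {"read"},
    ("bob", "build-server"): {"read", "deploy"},
}

# Constructed device inventory with posture status (hypothetical fields).
DEVICES = {
    "laptop-017": {"owner": "alice", "patched": True, "disk_encrypted": True},
    "laptop-042": {"owner": "bob", "patched": False, "disk_encrypted": True},
}

@dataclass(frozen=True)
class Request:
    user: Optional[str]       # verified identity; None if authentication failed
    device_id: Optional[str]  # endpoint the request comes from
    resource: str             # what is being accessed
    action: str               # what the user wants to do with it
    # Deliberately no "source network" field: being inside the perimeter
    # earns no trust in this model.

def decide(req: Request) -> Tuple[bool, str]:
    """Return (allowed, reason). Every path except an explicit grant denies."""
    if not req.user:
        return False, "unauthenticated user"
    device = DEVICES.get(req.device_id)
    if device is None:
        return False, "unknown endpoint"
    if device["owner"] != req.user:
        return False, "endpoint not registered to user"
    if not (device["patched"] and device["disk_encrypted"]):
        return False, "endpoint fails posture check"
    if req.action not in GRANTS.get((req.user, req.resource), set()):
        return False, "no grant for this resource and action"
    return True, "explicit grant"

if __name__ == "__main__":
    for r in (
        Request("alice", "laptop-017", "payroll-db", "read"),
        Request("alice", "laptop-017", "payroll-db", "write"),
        Request("bob", "laptop-042", "build-server", "deploy"),
    ):
        print(r, "->", decide(r))
```

Starting with an empty grants table shuts everyone out; each entry added afterwards is one reviewed exception, which is the incremental rollout described above.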
A significant challenge in moving to Zero Trust is helping staff to think in a new way. Bill Mann, Senior Vice President of Products and Chief Product Officer at Centrify, explains,
“Most organizational IT experts have been trained, unfortunately, to implicitly trust their environments. Everybody has been [taught] to think that the firewall is keeping the bad guys out. People need to adjust their mindset and understand that the bad actors are already in their environment.”
Zero Trust is an ongoing effort. The security measures we are accustomed to haven’t kept pace with the digital transformation our economy has made over the past several years. Technology has made incredible advances while our security practices have remained, for the most part, unchanged.
We have to transform the way we view security. If we want ubiquitous security, we have to start thinking about it differently. We need to be more predictive in our security strategies. We need to respond rather than react to our changing world.