For decades, the IT industry relied on perimeter security to safeguard critical digital assets. Firewalls and other network-based tools monitored and validated network access. However, the shift towards digital transformation and hybrid cloud infrastructure has made these traditional security methods inadequate. Clearly, the perimeter no longer exists.

Then the pandemic turned the gradual digital transition into a sudden scramble. This left many companies struggling to secure vast networks of remote employees accessing systems. Also, we’ve seen an explosion of apps, APIs and IoT devices all clamoring to connect to networks. And from a security standpoint, the disappearance of the perimeter represents unprecedented challenges.

Back in 2009, Forrester analyst John Kindervag saw this change coming fast, and he coined the term zero trust. It centers on the belief that trust is a vulnerability, and security must be designed with the strategy, “Never trust, always verify.”

How has zero trust changed the course of cybersecurity? Let’s find out.

Operation Aurora

Operation Aurora was a series of cyberattacks carried out by advanced persistent threats (APTs) allegedly linked to China. Made public in a Google blog post in 2010, these attacks took place from mid-2009 to late 2009.

Several well-known organizations, such as Adobe Systems, Akamai Technologies, Juniper Networks and Rackspace, confirmed that these attacks had targeted them. Other companies such as Yahoo, Symantec, Northrop Grumman, Morgan Stanley and Dow Chemical also reported that they had suffered from malicious actions.

In response to these attacks, Google created BeyondCorp — which became the company’s implementation of the zero trust model. In a 2014 newsletter, BeyondCorp stated:

“With the advent of a mobile workforce, the surge in the variety of devices used by this workforce and the growing use of cloud-based services, additional attack vectors have emerged that are stretching the traditional paradigm to the point of redundancy… One should assume that an internal network is as fraught with danger as the public Internet and build enterprise applications based upon this assumption.”

Zero trust quickly evolves

From 2014 forward, the concept of zero trust quickly evolved. In its true sense, zero trust can be considered a framework, an architecture or even a philosophy. For example, in 2018, Forrester developed seven core pillars of zero trust. However, the firm has since moved away from that stance. They more recently offered this definition of zero trust:

“Zero Trust is an information security model that denies access to applications and data by default. Threat prevention is achieved by only granting access to networks and workloads utilizing policy informed by continuous, contextual, risk-based verification across users and their associated devices. Zero Trust advocates these three core principles: All entities are untrusted by default; least privilege access is enforced; and comprehensive security monitoring is implemented.”

In response to requirements like these, the security industry has developed tools such as identity and access management (IAM) built along with least privilege access. This means that only the minimum necessary rights should be assigned to any user (or software) requesting access to a resource. Additionally, privilege should be in effect for the shortest duration necessary.

Meanwhile, comprehensive security monitoring is accomplished by solutions such as Security Information and Event Management (SIEM). As cybersecurity threats become more advanced and persistent, it requires increasing amounts of effort by security analysts to sift through countless incidents. By leveraging threat intelligence, SIEM makes it easier to remediate threats faster with high-fidelity alerts.

Too many security concerns, so little time

A patchwork of disjointed security solutions makes the current security landscape more complicated. This leads to increased manual tasks for security teams and a lack of context to effectively minimize the attack surface. With rising data breaches and heightened global regulations, protecting networks has become increasingly challenging.

Data access has become a critical requirement for modern organizations, necessitating a robust security infrastructure. Zero trust aims to address this need. The goal is to offer dynamic and ongoing protection for all users, devices and assets. Unlike perimeter security, zero trust requires constant verification to be fully effective, enforcing security for every transaction, connection and user.

Implementing a zero trust framework provides a comprehensive view of an organization’s security posture. Furthermore, it helps security teams proactively manage threats. With consistent security policies and rapid threat response, zero trust offers a more secure and efficient solution to modern data access needs.

Further benefits of zero trust

Beyond the core security benefits, IT teams quickly recognized other advantages to zero trust models. The corollary benefits of zero trust include:

  • Enhanced network performance from a reduction in traffic on subnets
  • Improved ability to address network errors
  • More simplified logging and monitoring process due to heightened granularity
  • Shorter breach detection times.

Facing today’s threat reality

The modern cyber threat terrain is more treacherous than ever. The diversity and volume of attacks continue to increase, and multiple incidents per victim are quickly becoming the norm. We want a world where we can connect from any place, anytime. But this implies that attacks can come from any place, anytime as well. As a result, zero trust is quickly becoming the de facto security strategy.

In January 2022, the Executive Office of the President released an announcement about government-wide zero trust goals:

“In the current threat environment, the Federal Government can no longer depend on conventional perimeter-based defenses to protect critical systems and data,” the memo states. The White House stresses that incremental improvements will not provide the necessary security. Instead, the Federal Government seeks to make bold changes and significant investments to “defend the vital institutions that underpin the American way of life.”

The Pentagon plans to implement a zero trust architecture across its entire enterprise by 2027, according to Department of Defense Chief Information Officer John Sherman. “What we’re aiming for is by 2027 to have zero trust deployed across the majority of our enterprise systems in the Department of Defense in five years,” said Sherman.

Because zero trust implementation is not simple, the U.S. Government has set an ambitious goal. However, with current and growing adversary capabilities, there may be no other choice.

More from Zero Trust

Zero trust data security: It’s time to make the shift

4 min read - How do you secure something that no longer exists? With the rapid expansion of hybrid-remote work, IoT, APIs and applications, any notion of a network perimeter has effectively been eliminated. Plus, any risk inherent to your tech stack components becomes your risk whether you like it or not. Organizations of all sizes are increasingly vulnerable to breaches as their attack surfaces continue to grow and become more difficult — if not impossible — to define. Add geopolitical and economic instability…

SOAR, SIEM, SASE and zero trust: How they all fit together

4 min read - Cybersecurity in today’s climate is not a linear process. Organizations can’t simply implement a single tool or strategy to be protected from all threats and challenges. Instead, they must implement the right strategies and technologies for the organization’s specific needs and level of accepted risks. However, once the dive into today’s best practices and strategies begins, it’s easy to quickly become overwhelmed with SOAR, SIEM, SASE and Zero Trust —  especially since they almost all start with the letter S.…

Contain breaches and gain visibility with microsegmentation

4 min read - Organizations must grapple with challenges from various market forces. Digital transformation, cloud adoption, hybrid work environments and geopolitical and economic challenges all have a part to play. These forces have especially manifested in more significant security threats to expanding IT attack surfaces. Breach containment is essential, and zero trust security principles can be applied to curtail attacks across IT environments, minimizing business disruption proactively. Microsegmentation has emerged as a viable solution through its continuous visualization of workload and device communications…

Why zero trust works when everything else doesn’t

3 min read - The zero trust security model is proving to be one of the most effective cybersecurity approaches ever conceived. Zero trust — also called zero trust architecture (ZTA), zero trust network architecture (ZTNA) and perimeter-less security — takes a "default deny" security posture. All people and devices must prove explicit permission to use each network resource each time they use that resource. Using microsegmentation and least privileged access principles, zero trust not only prevents breaches but also stymies lateral movement should…