The remote work era makes the zero trust model critical for most businesses. The time has come to use it. But first, let’s understand what it really is and why the hybrid and remote work trend makes it all but mandatory.
What Is Zero Trust?
Zero trust is not a product or a service, but an idea or a strategy. Instead of relying on a perimeter (for example, a firewall), every user, device and app must be verified for every instance of access.
Other ideas connected with this idea include strong user identity, machine identification, network segmentation, policy compliance and others.
A student at the U.K.’s University of Stirling named Stephen Paul Marsh coined “zero trust” in his doctoral thesis in 1994. Later, the concept was briefly called de-perimeterization and perimeterless network architecture. In the end, the phrase zero trust became the most widely accepted term. Industry guidelines like Forrester eXtended, Gartner’s CARTA and NIST SP 800-207 further refined ideas and definitions around it.
Why Remote and Hybrid Work Demands Zero Trust
When the pandemic began, employees started working from home in their millions. It didn’t take long for threat actors to realize that the best way to break in was to enter through remote workers’ virtual private network (VPN) connections.
Each work-from-home employee, hybrid worker and digital nomad represents an expansion of the attack surface and new openings for attackers. An organization might be looking at dozens, hundreds or thousands of such employees. So, the attack surface becomes too large for older security models.
How to Think About Zero Trust
Zero trust replaces an outdated idea. That idea? The assumption that everything ‘inside’ is trustworthy by default and that only outsiders pose threats. First, the solution was firewalls to create a perimeter. Then, VPN enabled remote employees to ‘tunnel’ into the perimeter.
This perimeter-centric view is outdated for many reasons. The rise of arbitrary mobile and wearable devices, cloud computing and the Internet of Things trend have eroded it. Now, above all, the hybrid and remote work trend have, too. It also accepts that threats often start inside the walls. Plus, cyberattacks are becoming more high-tech all the time. (There’s still a place for firewalls in zero trust networks — just not for perimeter security.)
At a high level, zero trust best practices start with several elements. They are the identification of critical assets, the establishment of strong identity systems for users, devices and apps and the use of micro segmentation. First, you need to create micro-perimeters on the networks and restricted access zones inside data centers and cloud environments. These control which people, devices and applications have permitted access to each segment, zone and resource. Beyond access restrictions, the hunt for intrusions and malware takes place thorough ongoing encrypted traffic inspection and analysis.
Process or Policy?
The zero trust methodology enforces what used to exist in policies. In the past, company policies might say that only employees should access company resources. These employees had to use approved devices and apps. Policies might also call for employees to avoid rummaging through data beyond their purview.
Policies are great. The trouble is that this only guarantees security to the extent that people follow those policies.
Zero trust puts all-day, everyday enforcement of those policies into practice. The right people access the right resources using the right devices and applications. After all, only they have permission to do so. The default is every person, device and app is blocked from accessing every part of the network and everything on those parts until the person, device and app are all authorized.
Attackers are stymied at every turn in a zero trust network. If they can trick or work around user authentication, their device will be denied access. It narrows employee behavior. If one staff member decides to use an insecure app, that app won’t be allowed, even if they’re an authorized user on an authorized device.
The zero trust network architecture also helps with compliance auditing. It allows for improved visibility into user activity, device access and location, credential privileges, application states and other key factors. It also provides more data on which specific network resources have and have not been breached. Both of these are important for success.
Outsourced or In-House?
A zero trust network architecture represents a pretty radical departure from perimeter security. The decision over which parts to outsource and which to keep in-house depends on whether staff has experience with the elements of zero trust. It also depends on how well you’ve staffed in general.
It’s reasonable to outsource many parts of the transition. Then, after learning more, bring some parts in-house, depending on what makes sense for your needs. But even if you’re inclined to keep security work in-house, you might want to consider outsourcing to help with the transition.
The Human Element
Express the move to zero trust as part of the wider conversation about the new workplace. As we continue to adapt to remote and hybrid work, employees should be included as partners in this transition. Zero trust security is part of that.
Zero trust will impact all employees in multiple ways, including inconvenience in their workday and a learning curve up front. That’s why it’s super important to express the benefits, the link to hybrid and remote work and the impracticality of sticking with yesterday’s perimeter security mindset.
For many organizations — especially those fully embracing remote and hybrid work — zero trust is no longer an option. It’s time to trust it.