The zero trust security model is proving to be one of the most effective cybersecurity approaches ever conceived.
Zero trust — also called zero trust architecture (ZTA), zero trust network architecture (ZTNA) and perimeter-less security — takes a “default deny” security posture. All people and devices must prove explicit permission to use each network resource each time they use that resource.
Using microsegmentation and least privileged access principles, zero trust not only prevents breaches but also stymies lateral movement should a breach occur. In the modern digital frontier, this approach has become invaluable.
Zero trust succeeds when nothing else does
Perimeter protection defined most previous security models. The idea was that a company firewall would protect computers and services from outside interference. But combined with physical security, plus VPNs for “tunneling” remote, traveling or other outside-the-perimeter access, perimeter security has been steadily weakening.
Now, this type of security is nearly obsolete. Mobile computing, insider threats, remote work, the Internet of Things, cloud computing, sophisticated malware and just about every other major trend in business networking and global cybersecurity have obliterated the perimeter as an effective defense.
Instead of relying on a perimeter, zero trust uses continuous monitoring, validation and repeated authentication of users and devices. Zero trust works so well because every networked resource has its own multidimensional security requirements. For example, if a malicious hacker sits down at an authorized logged-in machine with authorized software installed, the attacker themselves shouldn’t be authorized.
In another case, an attacker might download usernames and passwords from the dark web. Those won’t work if they’re attempting a login using unauthorized systems, software or other telltale metadata such as location.
Even in an extreme example, where an attacker establishes user, system, software and contextual authentication — as might be the case with a malicious insider — they’ll be limited by permissions to specific narrow access.
How zero trust principles compliment zero trust technologies
Zero trust is an abstract security model based on four broad principles:
- Verify every person and device each time it attempts to access network resources. This is governed by policies, which should consider factors such as location, IP address and operating system.
- Assume a “default deny” posture. This model denies every person, device or application automatic access based on any criteria except authentication.
- Microsegment networks into small zones, each of which requires full authentication to access.
- Real-time, continuous monitoring for breaches and anomalous behavior.
Zero trust itself is not a technology, but it does require the following categories of technology products or services:
- Identity and Access Management (IAM)
- Strong encryption
- Network microsegmentation technologies in the categories of agent-based, network-based or native cloud controls
- Next-Generation Firewall (NGFW)
- Secure Access Service Edge (SASE).
Zero trust security depends on designing the architecture, deploying the technologies and applying the practices in alignment with zero trust principles.
How and why zero trust implementation is lagging
The overwhelming majority of security professionals believe implementing zero trust is a major priority. But actually, very few organizations have fully embraced it or even begun the transition. One survey found that three-quarters of organizations say zero trust is critically important, but only 14% have implemented a zero trust strategy.
Why is that?
The same survey found that a “lack of clarity” or organizational understanding is the main barrier to adopting zero trust. About 94% of organizations say that they face those challenges.
Another major barrier is simply the time and energy it takes to make such a large transition. Achieving zero trust can take two or three years to implement and mature.
The common sticking point is clarity — clarity about what zero trust is exactly and clarity about how to go about implementing it.
Why zero trust should be a higher priority
Years ago, zero trust tended to be categorized as “an interesting idea that everybody should embrace someday.”
In the last two or three years, that view escalated. “Yeah, we really should get going on a major zero trust initiative” quickly became a more common refrain.
Today, the playing field is vastly different. So many organizations are likely to use zero trust over the next few years that malicious attention may be concentrated among the laggards. The pressure to adopt zero trust is higher than ever.
A boost came in the form of an executive order by President Joe Biden. The order will soon require all federal agencies to embrace zero trust security. Several organizations, including the Office of Management and Budget (OMB), the Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST), responded to the president’s order with detailed guidance. The OMB gave federal departments and agencies until 2024 to implement zero trust.
This huge federal initiative is rapidly growing the knowledge base, expertise and product focus in the industry around zero trust, which can serve as a catalyst for organizations of all types to embrace the zero trust approach.
Beware, though. “Zero trust” has become a meaningless marketing phrase in some circles. Because it’s so powerful, companies are advertising their individual products as zero trust tools.
Remember that “zero trust” is a methodology and an architecture, not a product. Zero trust begins with developing a roadmap: a step-by-step plan for educating all stakeholders about the need for zero trust security, starting small and scaling up.