The zero trust model is going mainstream, and for good reason. The rise in advanced attacks, plus IT trends that include the move to hybrid cloud and remote work, demand more exacting and granular defenses.

Zero trust ensures verification and authorization for every device, every application and every user gaining access to every resource. This is a complete departure from the old model, where implicit trust was the norm and networks were protected by firewalls, VPNs and web gateways. After all, in the past it was safe enough to assume anyone or anything inside the firewall could be trusted.

What Is Zero Trust?

The concept was formally modeled and named in 2010 by Forrester Research principal analyst John Kindervag. (More detailed definitions are available in industry guidelines such as Forrester eXtended, Gartner’s CARTA and NIST 800-207.) But the idea has become mainstream in security circles in the past year. That’s because the sudden rush to remote work in 2020 exposed the flaws of the implicit trust model. It became clear that hijacking a remote worker was the key to entering the firewall via employee VPNs.

Zero trust has bonus benefits, too. It helps with compliance auditing and offers better insight into networks. It also bolsters the project of microsegmentation — closing off different parts of the network to prevent an intruder from gaining access to everything.

One of the biggest challenges to adopting this model can be summed up in one word: legacy. Older authentication protocols, tools, apps and other resources may be more difficult to integrate into a zero trust system. And that’s why the movement is driving a new push to replace legacy systems.

Discover zero trust

New Thinking With Today’s Tools

Zero trust isn’t a product. It’s a mindset and a holistic approach that relies on new kinds of governance.

Developers dragoon existing tech and planned changes (such as transitions to hybrid cloud environments) into service to implement zero trust. It takes advantage of well-known tech like identity and access management, endpoint solutions, identity protection tools and multi-factor authentication.

At its core, the zero trust mindset sees what authorization really means. Which is to say, an authorized user accessing an app they have permission to access over an authorized channel from an authorized device is the only scenario that maxes out safety. If any part of this is off the grid, access should not be granted.

We need a cultural pivot — a paradigm shift in how we think about digital defense. A zero trust model is dynamic and constantly changing. After your system verifies the user and device and assures minimum access, it’s vital to monitor, learn and adapt. That means zero trust is a growing, adaptable process.

Trust No One

The zero trust paradigm shift calls for thinking in a new way. In terms of authentication, everything is a resource. Employees, user devices, data sources, services and more — they all have the same status: the system doesn’t let them in by default.

Instead of a set-it-and-forget-it method, resource authentication is dynamic and applied each time a new request for access comes in. The key that unlocks the power of zero trust is real-time visibility into user IDs, device behavior, device credential privileges, device location, app update status and other attributes.

In addition, the zero trust mindset reduces the role of the perimeter. You can secure communication, for example, in the same way whether it’s coming from an unknown outside source or from inside the organization’s internal communications platform. Thinking a different way about everything sounds like a big change, but it’s a matter of using today’s tools in a different way — and keeping your data safer by doing so.

More from Zero Trust

Overheard at RSA Conference 2024: Top trends cybersecurity experts are talking about

4 min read - At a brunch roundtable, one of the many informal events held during the RSA Conference 2024 (RSAC), the conversation turned to the most popular trends and themes at this year’s events. There was no disagreement in what people presenting sessions or companies on the Expo show floor were talking about: RSAC 2024 is all about artificial intelligence (or as one CISO said, “It’s not RSAC; it’s RSAI”). The chatter around AI shouldn’t have been a surprise to anyone who attended…

Does your security program suffer from piecemeal detection and response?

4 min read - Piecemeal Detection and Response (PDR) can manifest in various ways. The most common symptoms of PDR include: Multiple security information and event management (SIEM) tools (e.g., one on-premise and one in the cloud) Spending too much time or energy on integrating detection systems An underperforming security orchestration, automation and response (SOAR) system Only capable of taking automated responses on the endpoint Anomaly detection in silos (e.g., network separate from identity) If any of these symptoms resonate with your organization, it's…

Zero trust data security: It’s time to make the shift

4 min read - How do you secure something that no longer exists? With the rapid expansion of hybrid-remote work, IoT, APIs and applications, any notion of a network perimeter has effectively been eliminated. Plus, any risk inherent to your tech stack components becomes your risk whether you like it or not. Organizations of all sizes are increasingly vulnerable to breaches as their attack surfaces continue to grow and become more difficult — if not impossible — to define. Add geopolitical and economic instability…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today