Zero Trust: Follow a Model, Not a Tool

September 20, 2021
| |
3 min read

The zero trust model is going mainstream, and for good reason. The rise in advanced attacks, plus IT trends that include the move to hybrid cloud and remote work, demand more exacting and granular defenses.

Zero trust ensures verification and authorization for every device, every application and every user gaining access to every resource. This is a complete departure from the old model, where implicit trust was the norm and networks were protected by firewalls, VPNs and web gateways. After all, in the past it was safe enough to assume anyone or anything inside the firewall could be trusted.

What Is Zero Trust?

The concept was formally modeled and named in 2010 by Forrester Research principal analyst John Kindervag. (More detailed definitions are available in industry guidelines such as Forrester eXtended, Gartner’s CARTA and NIST 800-207.) But the idea has become mainstream in security circles in the past year. That’s because the sudden rush to remote work in 2020 exposed the flaws of the implicit trust model. It became clear that hijacking a remote worker was the key to entering the firewall via employee VPNs.

Zero trust has bonus benefits, too. It helps with compliance auditing and offers better insight into networks. It also bolsters the project of microsegmentation — closing off different parts of the network to prevent an intruder from gaining access to everything.

One of the biggest challenges to adopting this model can be summed up in one word: legacy. Older authentication protocols, tools, apps and other resources may be more difficult to integrate into a zero trust system. And that’s why the movement is driving a new push to replace legacy systems.

Discover zero trust

New Thinking With Today’s Tools

Zero trust isn’t a product. It’s a mindset and a holistic approach that relies on new kinds of governance.

Developers dragoon existing tech and planned changes (such as transitions to hybrid cloud environments) into service to implement zero trust. It takes advantage of well-known tech like identity and access management, endpoint solutions, identity protection tools and multi-factor authentication.

At its core, the zero trust mindset sees what authorization really means. Which is to say, an authorized user accessing an app they have permission to access over an authorized channel from an authorized device is the only scenario that maxes out safety. If any part of this is off the grid, access should not be granted.

We need a cultural pivot — a paradigm shift in how we think about digital defense. A zero trust model is dynamic and constantly changing. After your system verifies the user and device and assures minimum access, it’s vital to monitor, learn and adapt. That means zero trust is a growing, adaptable process.

Trust No One

The zero trust paradigm shift calls for thinking in a new way. In terms of authentication, everything is a resource. Employees, user devices, data sources, services and more — they all have the same status: the system doesn’t let them in by default.

Instead of a set-it-and-forget-it method, resource authentication is dynamic and applied each time a new request for access comes in. The key that unlocks the power of zero trust is real-time visibility into user IDs, device behavior, device credential privileges, device location, app update status and other attributes.

In addition, the zero trust mindset reduces the role of the perimeter. You can secure communication, for example, in the same way whether it’s coming from an unknown outside source or from inside the organization’s internal communications platform. Thinking a different way about everything sounds like a big change, but it’s a matter of using today’s tools in a different way — and keeping your data safer by doing so.

Mike Elgan

I write a popular weekly column for Computerworld, contribute news analysis pieces for Fast Company, and also write special features, columns and think piece...
read more