As we go further into the technological age, cybersecurity has become an integral part of the discussion in every boardroom, data centre, office, and just about any place where digital assets reside. One of the latest (and perhaps the most effective as well) strategies to be added to the IT security arsenal of cyber experts is Zero Trust.
What is Zero Trust?
Zero Trust is a security framework that requires all users and devices trying to access the enterprise’s resources to undergo strict identification, authentication, authorisation, and continuous validation, regardless of whether they are within or outside the network perimeter.
It goes against the traditional IT security mindset that assumes trustworthiness of anyone inside the network because Zero Trust assumes that there is no conventional network edge. It also presupposes that everything is hostile by default. Hence, authentication of user and/or device is essential not just at the perimeter but throughout the network.
In its Market Guide for Zero Trust Network Access (ZTNA), research firm Gartner states that, “Removing network location as a position of advantage eliminates excessive implicit trust, replacing it with explicit identity-based trust.” Or to put it more succinctly, Zero Trust operates on the principle—never trust, always verify.
The Evolution of Zero Trust
The fundamental concept that ‘nothing can be trusted’ was initially raised in 1994 by Stephen Paul Marsh in his doctoral thesis on computer security. Then in 2003, the Jericho Forum explored the challenges with setting boundaries for IT systems, further solidifying the validity of Zero Trust. Google was one of the first organisations to actually implement a de-parameterised framework based on this newly-introduced principle in 2009, calling it BeyondCorp.
However, security enthusiasts only took serious notice of the Zero Trust model—as well as the term—in 2010 when analyst John Kindervag (then a principal security analyst at Forrester Research) created the outline for Zero Trust architecture. He actively engaged with IT communities about this new model of trust and explained how this approach to IT security can be the answer to the seemingly unstoppable rise of data breaches.
Mainstream adoption of Zero Trust still took years, although more companies are now transitioning to this cybersecurity model. In fact, 45% of EMEA organisations have a defined Zero Trust initiative, and the global Zero Trust security market is anticipated to hit US$52 billion by 2026.
Core Principles Behind Zero Trust Security
Zero Trust adopts a holistic approach that embraces several key concepts in network security. These include:
-
Least privilege access.
The concept of least-privilege access emphasises the need for providing a user with only the information or resources that he/she needs. Doing so limits the user’s unnecessary exposure and access to the various parts of the network that are sensitive. Least privilege is implemented using strict management of user permissions. -
Continuous user validation.
Just because a user or machine has been given authorisation for a time doesn’t mean that access is unlimited. Users already in the network are continuously re-validated, and logins and connections are automatically timed-out after a certain period. -
Device access control.
Limits on device access is another core value of this security approach. Zero Trust-based technologies are designed to continuously monitor the network to see how many devices or machines are accessing the system, and whether all these are duly authorised. In today’s highly-mobile work environment, device access control helps limit the company’s attack surface. -
Multi-Factor Authentication (MFA).
MFA, a fundamental component of many security strategies, is also found in the Zero Trust framework. This entails requiring the user to present more than one piece of evidence as proof of their identity. A common implementation of MFA often utilised upon logging in to social media sites or mobile banking apps is two-factor authentication (2FA). In addition to entering a password, the user must also enter a code sent to their trusted device. -
Microsegmentation.
Zero Trust systems utilise microsegmentation where the network is partitioned into smaller zones—up to the individual workload level, and access to each zone requires a separate authorisation. Microsegmentation limits the area that a hacker can potentially wreak damage to if security is breached, and allows companies to exercise granular control over their data and applications. -
Lateral Movement Prevention.
In IT security, lateral movement is a strategy that a threat actor uses where, after compromising one endpoint, it then moves on to other applications and hosts in the network. A Zero Trust system however, is micro-segmented and requires continuous validation, thus preventing unauthorised movement within the network.
Why Use Zero Trust?
The principal tenet on which Zero Trust is based on—assume that everything is hostile by default, may seem extreme to some. But considering the rapid transformation of the business landscape, a Zero Trust-based architecture may well be the right cybersecurity solution at this time. Here are three top reasons why enterprises need Zero Trust:
-
Perimeter Security No Longer Suffices for the Evolving Organisation. Digital technologies are a staple in every enterprise, changing the way businesses operate and employees work. This makes the traditional perimeter security that we’ve always relied on, woefully inadequate and ineffective. Zero Trust however, reinforces security for this environment because it promotes a micro-level approach to user and device access authentication at every point in the network.
-
Cloud Adoption is at Its Peak, but the Internet is an Unsecured Network. Enterprises are becoming highly reliant on the cloud. From data and digital assets to applications and workloads, practically everything is moving to the cloud. Users are gaining access to corporate resources through the internet—an unsecured network that is rife with security threats just waiting for the right time to strike. Zero Trust’s never trust, always verify approach works perfectly in ensuring that only authorised users are granted access to resources, whether these are in data centres or the cloud.
-
Cyberattacks Continue to be on the Rise. Despite the widespread awareness of the importance of cybersecurity, data breaches are not letting up. While IT solutions are constantly evolving with more advanced security technologies, cyber criminals are simply a step ahead most of the time. An IT security framework based on Zero Trust principles can help businesses choose solutions and applications that could prove to be effective against cyber attacks.
Get Started with Zero Trust
It’s never too late to reduce the cyber security risks in your company, and Zero Trust could just be the way to do it. The move to this security model can be challenging though, and you might need some help along the way. To learn more about how to build a Zero Trust organisation, consult with a security consultant and IT managed services provider today.