A Primer on Zero Trust
The security industry, particularly the cybersecurity sector, has been buzzing about Zero Trust. Popularized in 2010 by Forrester Research analyst John Kindervag, the term Zero Trust revolves around the idea that an organization should not automatically trust anything or anyone connected to its systems — whether inside or outside its network perimeter. By not granting implicit trust to anything, and by deploying strong identity and access management controls, the thinking is that organizations can ensure that only authorized devices, applications and people access their networks and data.
Over the years, the tech community has been slow to implement Zero Trust initiatives, often due to cost or overconfidence in existing security infrastructure. However, the increase in massive cyberattacks that impact organizations and expose the sensitive data of millions of individuals has accelerated the shift to a Zero Trust model — so much so that the U.S. government has mandated that all federal agencies adopt a Zero Trust architecture strategy by the end of fiscal year 2024.
The Disappearing Perimeter
In the past, network security teams assumed that if the perimeter was secure, all assets/people/systems within the perimeter were also secure and could be trusted. This type of perimeter security approach depends on a firewall to protect corporate systems and data.
This approach likewise assumes that any assets/people/systems outside the perimeter — typically the public network, i.e., the internet — are not secure and therefore should not be trusted.
However, this traditional approach is no longer effective in today's connected world. The “network” perimeter has been blurred by remote work styles spread across different locations, using multiple devices both in the cloud and on-premises — not to mention the introduction of the Internet of Things (IoT) and other weak points that enlarge the attack surface. As such, the idea of a trusted network no longer exists, making Zero Trust a better security approach.
A New-ish Paradigm — Zero Trust
The History of Zero Trust
Stephen Paul Marsh first used the term "zero trust" in 1994 as part of his doctoral thesis on computational security strategy at the University of Stirling in Scotland. However, it was Kindervag who really put the term on the map in 2010, when he proposed the idea that an organization should not implicitly trust anything inside or outside its perimeters.
Then in 2011, Google announced that it had developed a new approach to enterprise access management called BeyondCorp, an implementation of the Zero Trust security paradigm that enabled every Google employee “to work from untrusted networks without the use of a VPN.” As a result of this initiative, more organizations began adopting the Zero Trust model.
In 2019, Gartner released a report stating that the "Zero Trust network access [ZTNA] replaces traditional technologies, which require organizations to extend excessive trust to employees and partners to connect and collaborate."
At that time, the research firm advised that organizations should implement pilot ZTNA projects for employee and partner applications. In the past few years, with the proliferation of cloud and mobile technologies, more organizations have adopted the Zero Trust model, bringing it into the mainstream.
What is Zero Trust and Why is it So Critical?
Zero Trust is an approach to cybersecurity that requires organizations to authenticate, verify and frequently validate all users, devices and assets inside or outside their networks before granting them access to tools and data inside those networks.
Previously, organizations implemented a "verify, then trust" security model, meaning that anyone with the proper user credentials could access whatever data, applications and devices they wanted to access. However, this model increased organizational exposure to ransomware, cyberattacks, data breaches and malware.
The Zero Trust security model has been designed from the outset to prevent data breaches by requiring even authorized users, devices and assets to prove they have the proper authorization before accessing organizations' networks and sensitive corporate data. As a result, Zero Trust gives enterprises stronger protection against the massive number of cyberattacks and data breaches affecting businesses as well as government agencies.
Zeroing in on Zero Trust
The Zero Trust framework depends on robust authentication and authorization before any person, device or asset is allowed to access an enterprise's network and data, no matter if they are inside or outside the company's network perimeter.
With Zero Trust, an organization has to monitor and validate user and device access, and establish controls, before those users and devices are granted access to its networks and data. Doing so lets the organization minimize the attack surface of its networks.
A Zero Trust approach gives users and devices least-privilege access, meaning they can access only the devices, systems and applications they need to perform their jobs or complete specific tasks. This minimizes the amount of sensitive information any one user or device can reach.
In addition, with a Zero Trust approach, best practices for data encryption are deployed and robust user policies for email are implemented. Organizations are increasingly incorporating biometrics and multi-factor authentication into their security paradigms to ensure that apps and endpoints are connected and secured appropriately.
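As an added illustration that is not part of the original post, the following policy-decision code contrasts the perimeter model described earlier with the checks just listed (verified identity, MFA, device posture, least privilege and frequent re-validation); the subnet, role map, session-age limit and sample requests are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

CORP_NET = ip_network("10.0.0.0/8")       # constructed: the "inside" subnet
ROLE_PERMISSIONS = {                       # constructed least-privilege map
    "engineer": {"git", "ci"},
    "finance": {"payroll"},
}
MAX_SESSION_AGE = timedelta(minutes=15)    # how often access is re-validated

@dataclass
class AccessRequest:
    user: str
    role: str
    resource: str
    source_ip: str
    mfa_verified: bool
    device_compliant: bool
    authenticated_at: datetime

def perimeter_decision(req: AccessRequest) -> bool:
    """Legacy model: being inside the firewall is all that is checked."""
    return ip_address(req.source_ip) in CORP_NET

def zero_trust_decision(req: AccessRequest, now: datetime) -> tuple[bool, str]:
    """Every request is checked on MFA, device, freshness and role; the network is ignored."""
    if not req.mfa_verified:
        return False, "mfa_required"
    if not req.device_compliant:
        return False, "device_not_compliant"
    if now - req.authenticated_at > MAX_SESSION_AGE:
        return False, "reauthentication_required"
    if req.resource not in ROLE_PERMISSIONS.get(req.role, set()):
        return False, "not_least_privilege"
    return True, "allowed"

def sample_decisions() -> dict[str, tuple[bool, bool]]:
    """Constructed scenarios -> (perimeter allows?, zero trust allows?)."""
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    fresh, stale = now - timedelta(minutes=5), now - timedelta(hours=3)
    cases = {
        # stolen password used from an office desk: the subnet alone is trusted
        "insider_no_mfa": AccessRequest("alice", "engineer", "git", "10.1.2.3", False, True, fresh),
        # remote engineer with MFA on a managed laptop: no VPN needed
        "remote_verified": AccessRequest("alice", "engineer", "git", "203.0.113.9", True, True, fresh),
        # verified user reaching a resource outside their role
        "over_privileged": AccessRequest("alice", "engineer", "payroll", "10.1.2.3", True, True, fresh),
        # long-lived session must prove itself again
        "stale_session": AccessRequest("bob", "finance", "payroll", "10.5.5.5", True, True, stale),
    }
    return {n: (perimeter_decision(r), zero_trust_decision(r, now)[0]) for n, r in cases.items()}
```

Only the second scenario is allowed under Zero Trust, while the perimeter model admits the three internal requests regardless of MFA, role or session age.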
Zero Trust is gaining acceptance among enterprises as a way to protect against serious cyber threats. Given the current threat landscape, organizations of all sizes should consider making Zero Trust a core component of their cybersecurity strategy. Those that continue to depend on perimeter security run the risk of inviting more frequent and more advanced cyberattacks into their networks.
Want to learn more about how to build a comprehensive security strategy? HID and Microsoft teamed up to give you the knowledge you need in this white paper, High Assurance Authentication That Empowers User Experiences.
Stephen Allen is a senior product manager for HID IAMS' Authentication portfolio and a cybersecurity professional who wants to challenge the way you think about digital security. He uses his 18+ years of industry experience to help customers, channel and OEM integration partners successfully solve business challenges by delivering solutions, not just technology. Prior to HID, Stephen worked for companies such as Thales, delivering cloud encryption and key management solutions to cloud providers such as AWS and Google as well as numerous well-known telco companies and governments globally.