The concept of Zero Trust has been around for many years, dating back to the early 2000s with the Jericho Forum. The focus during this time was mainly around de-perimeterization and repositioning critical security controls closer to the asset.
Since then many other organizations have come forward to define a path for adopting a Zero Trust Security Model. Forrester coined the term Zero Trust back in 2009, Google released their own publication in 2014, Gartner released publications coined CARTA in 2017 and NIST (800-207) released a draft standard in 2019 for building a Zero Trust Architecture.
Many people ask the question, "why has it taken Zero Trust so long to be put into practice, and why now?"
The reality of Zero Trust
The answer is technology. More specifically, cloud adoption, mobility (remote workers) and digital transformation.
When you combine cloud, mobility and digital transformation, you create the perfect storm that completely breaks the legacy security architecture of a perimeter-based security model. Cloud has pushed the data, the users and the devices outside of the trusted corporate network. If organizations don’t respond with the appropriate security measures, this introduces additional vulnerabilities into the environment.
Zero Trust is centered around securing the company’s assets and preventing a breach. The mission of Zero Trust, “never trust, always verify,” is at the center of this new architecture. Many organizations have approached Zero Trust as a network architecture, while others have led the charge with identity, and neither’s wrong — just incomplete.
Zero Trust is not a single product or concept, but a series of concepts and many products working together across various pillars (user, data, devices, network, application, automation) to deliver a unified architecture coined Zero Trust.
Our view on Zero Trust
We agree that Zero Trust is a security framework that is defined by an architecture or set of architectures. This architecture is made up of various technical attributes that provide organizations a faster way to incorporate key concepts of Zero Trust in the highest risk areas.
Standards organizations (such as NIST) are publishing architectural blueprints centered around building out these Zero Trust Architectures. We are positioned to align closely to these standards and support a more practical implementation of Zero Trust that is comprised of short agile workstreams versus the longer, more complex workstreams.
Zero Trust maturity curve
Not every organization will be prepared to instantly move from a legacy security architecture to a fully mature and optimized Zero Trust Architecture. We've laid out a logical path to provide our customers with a blueprint for how an organization can mature its architecture over time.
Many organizations start with enterprise segmentation in the data center to address lateral movement, with a plan in place to evolve the architecture over time to address the more contextual components of Zero Trust.
Customer benefits of Zero Trust
There are many benefits for organizations that are considering adopting a Zero Trust security model. Below are three critical customer benefits that can be realized from implementing a Zero Trust Architecture compared to a legacy security architecture.
Reduced attack surface
Corporate initiatives like cloud adoption and remote work quickly expand the company’s attack surface. Zero Trust can help to eliminate the exposure that a flat network presents.
The idea of having a security perimeter does not go away with the adoption of Zero Trust. Zero Trust focuses more on defining micro-perimeters closer to the data through micro-segmentation. These are much smaller, explicitly defined segments that eliminate the broad lateral movement that exists in many legacy architectures today.
There are technical solutions that will make company assets invisible to users if they are not authorized. Users will only see what they have access to based on a need to know basis. Attackers can’t attack what they can’t see, putting them at a disadvantage.
Continuous risk assessment
The legacy approach lacks a way to dynamically assess the security risk of users, devices and services. Zero Trust continuously assesses the risk level of the user, device or service requesting access. This provides a more effective way to respond to changes in risk that may occur post-authentication.
Legacy solutions grant access without a technical control in place to assess the security posture of that resource post-authentication. Organizations can now specify what level of risk is acceptable and how a session should be handled if it falls below an agreed-upon risk threshold. This is done continuously in Zero Trust to ensure that access is immediately shut down if a resource falls below what the organization deems an acceptable risk level.
Least privileged access
Zero Trust mandates a “never trust, always verify” approach in addition to enforcing a least privilege access model. This is true for requests that originate inside and outside the corporate network. As the number and the nature of breaches increase, organizations must evaluate how access is granted.
Access must be restricted on a need-to-know basis. Employees in a specific department, such as accounting, will need access to backend accounting software, but all other users should be restricted. This reduces the impact of a breach, because there is a much smaller blast radius when a negative cybersecurity event does occur.
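The two benefits just described, continuous risk assessment of an authenticated session and need-to-know access per department, can be shown together in a small policy decision point. The following is an added example written for this page, not code from the article or from any product it describes. The resource catalogue, the department names, the posture signals, the risk weights and the threshold value of 50 are all constructed assumptions for illustration.

```python
"""Added example (not part of the original article): a minimal Zero Trust policy
decision point that (1) only exposes resources on a need-to-know basis and
(2) keeps re-scoring an authenticated session, revoking it when risk exceeds
the organization's agreed threshold. All names and weights are constructed."""
from dataclasses import dataclass

# Constructed catalogue: each resource lists the departments that need it.
RESOURCE_ACL = {
    "accounting-erp": {"accounting"},
    "hr-portal": {"hr"},
    "wiki": {"accounting", "hr", "engineering"},
}

# Assumed organization-agreed maximum acceptable risk score for a live session.
RISK_THRESHOLD = 50


@dataclass
class Session:
    user: str
    department: str
    resource: str
    risk: int = 0
    active: bool = False  # False until the request passes both checks


def risk_score(signals: dict) -> int:
    """Map user/device posture signals to a risk score (weights are constructed)."""
    score = 0
    if not signals.get("disk_encrypted", True):
        score += 30
    if not signals.get("edr_running", True):
        score += 40
    if signals.get("impossible_travel", False):
        score += 60
    if not signals.get("mfa_verified", False):
        score += 25
    return score


def visible_resources(department: str) -> list:
    """Need-to-know: a user only sees resources their department is entitled to."""
    return sorted(r for r, depts in RESOURCE_ACL.items() if department in depts)


def authorize(user: str, department: str, resource: str, signals: dict) -> Session:
    """Initial decision: need-to-know first, then posture at time of request."""
    session = Session(user, department, resource)
    if department not in RESOURCE_ACL.get(resource, set()):
        return session  # not entitled: resource stays invisible, session inactive
    session.risk = risk_score(signals)
    session.active = session.risk <= RISK_THRESHOLD
    return session


def reevaluate(session: Session, signals: dict) -> Session:
    """Continuous assessment: re-score an already-authenticated session and
    revoke it immediately if the posture drops below the acceptable level."""
    if not session.active:
        return session  # a revoked session stays revoked until re-authentication
    session.risk = risk_score(signals)
    if session.risk > RISK_THRESHOLD:
        session.active = False
    return session


def run_session(user: str, department: str, resource: str, signal_stream: list) -> list:
    """Authorize on the first posture sample, re-evaluate on every later one,
    and return the (risk, active) trail so the revocation point is visible."""
    first, *rest = signal_stream
    session = authorize(user, department, resource, first)
    trail = [(session.risk, session.active)]
    for signals in rest:
        reevaluate(session, signals)
        trail.append((session.risk, session.active))
    return trail


# Constructed posture stream: healthy device, then EDR stops, then an
# impossible-travel signal appears, then the device looks healthy again.
HEALTHY = {"disk_encrypted": True, "edr_running": True,
           "mfa_verified": True, "impossible_travel": False}
SAMPLE_STREAM = [
    HEALTHY,
    {**HEALTHY, "edr_running": False},
    {**HEALTHY, "edr_running": False, "impossible_travel": True},
    HEALTHY,
]

if __name__ == "__main__":
    print("accounting sees:", visible_resources("accounting"))
    print("hr -> accounting-erp:", authorize("bob", "hr", "accounting-erp", HEALTHY).active)
    for risk, active in run_session("alice", "accounting", "accounting-erp", SAMPLE_STREAM):
        print(f"risk={risk:3d} active={active}")
```

The trail printed for the sample stream shows the session surviving a single degraded signal (risk 40, still within the threshold), being revoked as soon as the combined score exceeds 50, and staying revoked even after the device reports healthy again; re-authentication, not a better posture sample, is what restores access.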
As we said, not all organizations will be prepared to move away from a legacy security architecture, and security leaders can’t solve these cybersecurity challenges alone. We can provide resources to work with organizations on the strategic and tactical elements of Zero Trust with confidence.
Learn more about Zero Trust and steps that can be taken to start your Zero Trust journey with the next article in this series, 5 Steps to Building a Zero Trust Security Model.