Zero trust security: What it is, why it matters
For two decades, companies have slowly reduced their reliance on perimeter security. In 2003, a group of leaders from government agencies and technology companies—later dubbed the Jericho Forum—searched for ways to better secure their networks at a time when companies were using more Internet infrastructure and laptops were becoming more common.
This trend toward so-called de-perimeterization became even more pronounced when smartphones and tablets took off a few years later. (Apple released the first iPhone in 2007.)
In reaction, security leaders formulated security measures that did not rely on securing the perimeter, but focused on treating each device, user, and data store as an asset that had to be monitored, secured, and maintained. And in 2010, then Forrester Research analyst John Kindervag, who is now field chief technology officer at Palo Alto Networks, came up with a name for the approach: zero trust.
"Rooted in the principle of 'never trust, always verify,' zero trust is designed to prevent lateral movement. No matter which technology or vendor you use to deploy zero trust, the strategy remains the same."
Here's what your team needs to know about zero trust, and why it is critical with your new remote workforce.
What's driving zero trust
Because companies had to change their processes and technologies to adopt zero trust, the concept did not take off—not until this year, that is. Forced to move employees to working from home because of the coronavirus pandemic, companies are searching for ways to secure their now-distributed workforce and have embraced the zero-trust concept.
The perimeter is unlikely to come back. Almost three-quarters of companies expect to shift 5% or more of their workforce to permanent remote work, according to business intelligence firm Gartner.
"Zero trust was developed long before remote work became a thing. It just so happens that a post-COVID-19 world fits perfectly into a zero-trust strategy."
Understand what it is, and what it's not
Yet, with every vendor claiming that its product delivers zero trust, companies have to develop an operational understanding of the approach and how it can best be implemented in their business, said Kieran Norton, infrastructure solutions leader at consultancy Deloitte.
Zero trust is not a technology, Norton said.
"At the end of the day, it is an approach and a framework, and I think that confuses a lot of people, because there is so much noise in the market about zero-trust products at the moment. We know from our research that has caused a lot of confusion, and clients have indicated concern about chaos in the market, and it makes it hard for them to figure out where to start."
Deloitte looks at zero trust as a framework that includes technology and processes to secure five different types of assets: users, workloads, data, network, and devices. Tying it all together are telemetry and analytics to give the company visibility, and automation and orchestration to make operations both manageable and maintainable.
Palo Alto Networks' Kindervag breaks down the zero-trust model into four basic design principles. Security leaders should:
- Focus on defining the outcomes for the business, so measures can enable business operations, not block them.
- Design from the inside out and figure out what business assets need protecting.
- Determine who or what needs access by establishing roles to limit permissions and the ability to impact assets.
- Monitor everything, by inspecting and logging all traffic across the network and cloud environments.
Many of these principles are not new. They hark back to many of the same requirements that applied to networks in a perimeter-based security model, said Deloitte's Norton.
"In reality, it is an iteration in the defense-in-depth concepts, which is from the late '90s. For a long time, the thought was that the more walls around the castle, the safer the castle is. That model is really no longer applicable in a lot of ways."
As network boundaries have disappeared, users have gone entirely remote and mobile, and third-party organizations have gained increasing access to systems and workloads, the defense-in-depth concepts no longer worked as well.
It's a new approach
What is different is the application of those principles. Rather than focus on a single network, zero trust essentially reduces the perimeter to be effective around every user, device, and asset.
Rik Turner, a principal analyst for cybersecurity at market researcher Omdia, breaks down cybersecurity measures into three different types: edge security, core security, and data security. While edge security sounds like perimeter security, in reality the edge is anywhere a company puts a gatekeeper, such as identity checks, device tokens, or malware scanning.
"The concept of the edge is increasingly notional, but there have to be checkpoints to keep the bad guys out and the good guys in. Once we have kept the bad guys out and the good guys in, we need to enable them to do things—that is core security."
Core security includes identity and access management (IAM) for assets, behavioral monitoring, and anomaly detection. When both core security and edge security fail, the company has to rely on data security to prevent bad actors from accessing sensitive business data.
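To make the four design principles and the edge/core split concrete, here is a small per-request policy check written for this article as an added example; it is not code from Deloitte, Palo Alto Networks, Omdia or any vendor. The role table, the device-posture signals (`session_verified`, `device_managed`, `disk_encrypted`) and the sample requests are all constructed assumptions. The edge checks re-verify identity and device posture on every request, the core check grants only the actions a role has been given on a named asset (deny by default, which is the "inside-out" and least-privilege principle), and every decision, allowed or denied, is written to an audit log ("monitor everything").

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed role table (an assumption for this example). Inside-out design:
# enumerate the assets to protect first, then the narrowest actions each role needs.
ROLE_PERMISSIONS: Dict[str, Dict[str, Set[str]]] = {
    "analyst": {"sales-db": {"read"}},
    "dba": {"sales-db": {"read", "write"}},
    "reporter": {"kpi-dashboard": {"read"}},
}


@dataclass
class Request:
    """One access attempt, carrying the signals the edge checkpoint collected."""
    user: str
    role: str
    asset: str
    action: str
    session_verified: bool  # identity re-verified for this request (hypothetical signal)
    device_managed: bool    # posture reported by a management agent (hypothetical signal)
    disk_encrypted: bool    # posture reported by a management agent (hypothetical signal)


@dataclass
class AuditLog:
    """'Monitor everything': every decision, allowed or denied, is recorded."""
    entries: List[dict] = field(default_factory=list)

    def record(self, req: Request, allowed: bool, reason: str) -> None:
        self.entries.append({
            "user": req.user, "asset": req.asset, "action": req.action,
            "allowed": allowed, "reason": reason,
        })


def evaluate(req: Request, log: AuditLog) -> Tuple[bool, str]:
    """Deny by default and re-run every check per request; the network the
    request arrived from is never treated as evidence of trust."""
    # Edge check 1: the identity behind this request has been verified.
    if not req.session_verified:
        allowed, reason = False, "identity not verified for this request"
    # Edge check 2: the device meets the posture requirements.
    elif not (req.device_managed and req.disk_encrypted):
        allowed, reason = False, "device posture check failed"
    else:
        # Core check: the role grants only the listed actions on the listed assets.
        permitted = ROLE_PERMISSIONS.get(req.role, {}).get(req.asset, set())
        if req.action in permitted:
            allowed, reason = True, "identity, device and role checks passed"
        else:
            allowed, reason = False, f"role '{req.role}' may not {req.action} {req.asset}"
    log.record(req, allowed, reason)  # logged whether allowed or denied
    return allowed, reason


def run_demo() -> Tuple[List[Tuple[str, bool]], AuditLog]:
    """Evaluate a handful of constructed requests; return the decisions and the log."""
    log = AuditLog()
    requests = [
        Request("alice", "analyst", "sales-db", "read", True, True, True),     # allowed
        Request("alice", "analyst", "sales-db", "write", True, True, True),    # role lacks write
        Request("bob", "dba", "sales-db", "write", True, False, True),         # unmanaged device
        Request("bob", "dba", "sales-db", "write", False, True, True),         # identity not verified
        Request("carol", "reporter", "kpi-dashboard", "read", True, True, True),  # allowed
        Request("mallory", "guest", "sales-db", "read", True, True, True),     # unknown role
    ]
    decisions = [(r.user, evaluate(r, log)[0]) for r in requests]
    return decisions, log


if __name__ == "__main__":
    decisions, log = run_demo()
    for entry in log.entries:
        print(entry)
```

The point of the structure is that a valid identity alone is not enough: the DBA with write rights is still refused when the device posture fails or the session has not been re-verified, and an unknown role gets nothing because the table only lists what is explicitly granted. The audit log is what the telemetry and analytics layer Deloitte describes would consume.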
Why it matters, and why now
In the end, zero trust is about recognizing the changing realities of how people work online—increasingly using a variety of devices and from a diversity of locations. This means the approach to security has to change as well, said Chase Cunningham, vice president and principal analyst at Forrester Research, a business intelligence firm.
"Every organization that I have talked to, somewhere along the way, some leader has decided that what we have done has failed, it is opening up to more compromises and not less, and so we need to change our approach."
Zero trust is the right approach to try right now, he said.