As cybersecurity attacks accelerate and tactics become more complex, modern organizations need a new security model that protects people, devices, apps, and data wherever they are located. In the coming years, the traditional VPN will be replaced by Zero Trust, a smarter, safer approach to network security. Zero Trust offers a security model that aligns with the current IT landscape, where the separation between insider and outsider is generally irrelevant.
Explaining the ‘Zero Trust’ Model for Security
First introduced in 2010 by analyst firm Forrester, in collaboration with the National Institute of Standards and Technology (NIST), Zero Trust is a model where all assets in an IT operating environment are considered untrusted by default until network traffic and application or service behavior are validated and approved. Unlike traditional network security systems, the Zero Trust model assumes every individual, both internal and external, is a potential threat until they are verified. Zero Trust networking software uses authentication methods similar to those of risk-based authentication software but is intended specifically for network access control.
The Zero Trust approach for cloud scenarios and deployments uses network and application layer microsegmentation to move the perimeter in as close as possible to privileged apps and protected surface areas. Essentially, inside a Zero Trust model, any attempted communications are evaluated and compared against established policies to determine whether actions should be permitted.
To qualify for inclusion in the Zero Trust Networking category, a product must use adaptive authentication to continuously verify user permissions, allow for network segmentation to simplify and broaden policy enforcement, and monitor traffic and user behavior for future inspection and analysis.
Zero Trust Principles
Today, almost all mid-sized to large enterprises have moved some of their data and workloads into the cloud for better efficiency. Regardless of where the request originates or what resource it accesses, Zero Trust teaches us to “never trust, always verify”. Every access request is fully authenticated, authorized, and encrypted before access is granted. Rich intelligence and analytics are used to detect and respond to anomalies in real time, according to the “Zero Trust Maturity Model” released by Microsoft.
The Zero Trust principles listed in the paper are:
Assumption of breach
Minimize blast radius for breaches and prevent lateral movement by segmenting access by network, user, devices, and app awareness. Verify that all sessions are encrypted end to end. Use analytics to get visibility, drive threat detection, and improve defenses.
Always authenticate and authorize based on all available data points, including user identity, location, device health, service or workload, data classification, and anomalies.
Principle of least privilege
Limit user access with just-in-time and just-enough-access (JIT/JEA), risk-based adaptive policies, and data protection to help secure both data and productivity.
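An added example (not from the original article or the Microsoft paper) of a default-deny access decision that combines the principles above: every signal is checked on each request, unencrypted sessions are rejected, and access requires an unexpired just-in-time grant scoped to one resource and action. The field names, anomaly thresholds, and sample grant are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Request:  # the data points the principles list (hypothetical field names)
    user: str
    mfa_passed: bool
    device_healthy: bool
    session_encrypted: bool
    resource: str
    action: str
    data_class: str       # "public" | "internal" | "restricted"
    anomaly_score: float  # 0.0 (normal) .. 1.0 (highly anomalous)

@dataclass(frozen=True)
class Grant:  # just-in-time (expires) and just-enough (one resource, named actions)
    user: str
    resource: str
    actions: frozenset
    expires: datetime

# Constructed thresholds: the more sensitive the data, the less anomaly is tolerated.
MAX_ANOMALY = {"public": 0.8, "internal": 0.5, "restricted": 0.2}

def decide(req, grants, now):
    """Return (allowed, reason). Default deny: every check must pass."""
    if not req.session_encrypted:
        return False, "session not encrypted"
    if not req.mfa_passed:
        return False, "identity not verified"
    if not req.device_healthy:
        return False, "device unhealthy"
    limit = MAX_ANOMALY.get(req.data_class)  # unknown classification -> deny
    if limit is None or req.anomaly_score > limit:
        return False, "risk too high for data classification"
    expired = False
    for g in grants:
        if (g.user, g.resource) == (req.user, req.resource) and req.action in g.actions:
            if now < g.expires:
                return True, "granted"
            expired = True  # keep looking: another grant may still be valid
    return False, ("grant expired" if expired else "no grant")

# Constructed sample data: one read-only grant that lasts an hour.
NOW = datetime(2020, 1, 15, 12, 0, tzinfo=timezone.utc)
GRANTS = [Grant("alice", "payroll-db", frozenset({"read"}), NOW + timedelta(hours=1))]
BASE = Request("alice", True, True, True, "payroll-db", "read", "restricted", 0.1)
```
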
Zero Trust – Not Another Technology Buzzword
Most specialists agree that data security in 2020 must be tied to Zero Trust models.
The 2018 IDG Security Priorities Survey revealed that “Zero Trust and blockchain technologies are the top two researched security solutions, and also where there is the most future spending opportunity.”
A 2019 Cybersecurity Insiders survey noted: “When asked about their plans for adopting zero trust strategies, 78% of IT security teams are looking to embrace Zero Trust network access in the future. Nineteen percent are actively implementing Zero Trust, and 15% already have Zero Trust in place. When asked about the benefits of Zero Trust, two-thirds of IT security professionals (66%) say they are most excited about Zero Trust’s ability to deliver least privilege access to protect private apps. This is followed by apps no longer being exposed to unauthorized users or the Internet (55%), and access to private apps no longer requiring network access (44%).”
In December 2019, a request for information indicated that NASA is looking to implement a Zero Trust architecture as the agency looks to reconfigure its NASA Integrated Communications Services (NICS) contract. “The NICS 2.0 contract will continue NASA’s communications transformation through the deployment of network technologies enabling Zero Trust solution deployments and advanced network automation and segmentation to improve security and reduce operational cost,” the agency stated.
After going dormant for years, the Zero Trust model has returned to the spotlight with recent analyst endorsements, vendor hype, and success stories from early adopters. The latest contribution to the Zero Trust model comes from the Identity Defined Security Alliance (IDSA), an industry alliance of over two dozen identity and security vendors that augmented the definition of Zero Trust to align with identity-centric security principles. The traditional VPN security model (perimeter-based network defense) is becoming obsolete, and companies need to move with agility and speed to adapt to changing market conditions.