What is Zero Trust?
Zero trust is a cybersecurity framework that requires strict identity verification for every person and device trying to access resources on a private network, regardless of whether they are sitting within or outside of the network perimeter.
The zero trust model operates under the principle of “never trust, always verify.” This means that no users or machines are inherently trusted by default. Instead, access is granted on a per-session basis after authorization, and access is continually re-evaluated while that session is active to ensure compliance with security policies.
Some key principles of zero trust include:
- Least privilege access – Users are only granted access to the specific resources they need to do their jobs and nothing more.
- Strict access controls – Access to resources is granted on a per-session basis after explicit authentication and authorization. Access is continually re-validated while sessions are active.
- Inspection of all traffic – All network traffic is inspected and logged, whether it comes from internal or external sources.
- Granular segmentation – The network is segmented into small zones that allow easier monitoring of internal traffic between segments. Access between zones must be explicitly allowed through microperimeters.
- Assume breach – Security is designed under the assumption that breaches will occur. Damage is limited by restricting lateral movement across segmented zones.
Why is Zero Trust Important?
Traditional network security operates on the assumption that everything within the network can be trusted, while everything outside cannot. The perimeter is hardened, but once inside, lateral movement is easy.
This approach is ineffective given today’s IT environments:
- More devices and connections – There are more endpoints, IoT devices, cloud apps and remote workers connecting to networks from outside the perimeter.
- Mobile workforce – Employees work from multiple offices, homes and coffee shops, no longer just the corporate HQ.
- Cloud adoption – Apps and infrastructure now live in public clouds outside the network perimeter.
- Increased attacks – Phishing, malware and exploits are increasingly sophisticated and evade perimeter defenses.
Zero trust assumes that threats are both outside and inside the network. By eliminating implicit trust, zero trust security limits the damage from compromised users or devices. Granular segmentation and microperimeters also restrict lateral movement across networks.
How Does Zero Trust Work?
Zero trust encompasses a range of technologies and security controls:
Identity and Access Management
- Strong authentication – Users provide additional credential(s) beyond usernames and passwords, such as one-time codes, biometrics or public key certificates.
- Centralized authentication – User identities are stored in a directory and verified independently of the target resource.
- Single sign-on (SSO) – Users log in once to access multiple applications and resources.
- Multi-factor authentication (MFA) – Users provide two or more credentials for verification, such as biometrics plus a one-time code.
- Just-in-time (JIT) access – Temporary credentials are dynamically issued on a per-session basis and revoked immediately after.
Network Security
- Software-defined perimeters (SDP) – Resources are “cloaked” and access is granted dynamically based on identity.
- Microsegmentation – Granular network segmentation isolates resources and restricts lateral movement.
- Inline traffic inspection – All traffic is inspected by firewalls, even from trusted zones or users.
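The segmentation, traffic-inspection and assume-breach principles listed under "What is Zero Trust?", together with the microsegmentation and inline-inspection bullets just above, can be expressed as one deny-by-default policy evaluator. The Python below is an added example written for this article, not code from the original page or from any product; the zone address ranges, allow rules and flow records are constructed for illustration.

```python
"""Deny-by-default microperimeter policy evaluated over sample flow records.

Added example (not from the original article). Zones, rules and flows are
constructed placeholders; a real deployment would take them from the
segmentation platform and the firewall/flow logs.
"""
from dataclasses import dataclass
import ipaddress

# Constructed zones: each microperimeter is an address range.
ZONES = {
    "user-endpoints": ipaddress.ip_network("10.10.0.0/16"),
    "app-tier": ipaddress.ip_network("10.20.0.0/24"),
    "db-tier": ipaddress.ip_network("10.30.0.0/24"),
    "mgmt": ipaddress.ip_network("10.99.0.0/24"),
}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


# Explicit allow list between zones (constructed). A flow that matches none of
# these is denied, including flows between two hosts inside the same zone.
ALLOW_RULES = [
    Rule("user-endpoints", "app-tier", 443),  # users reach the web front end
    Rule("app-tier", "db-tier", 5432),        # only the app tier talks to the database
    Rule("mgmt", "db-tier", 22),              # admins reach the database from mgmt only
]


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the defined zones is 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def evaluate(flow: Flow) -> tuple:
    """Return (decision, reason). Deny unless an explicit rule matches."""
    src, dst = zone_of(flow.src_ip), zone_of(flow.dst_ip)
    if "unknown" in (src, dst):
        return "deny", f"unclassified address ({src} -> {dst})"
    for r in ALLOW_RULES:
        if (r.src_zone, r.dst_zone, r.dst_port, r.proto) == (src, dst, flow.dst_port, flow.proto):
            return "allow", f"rule {src}->{dst}:{flow.proto}/{flow.dst_port}"
    return "deny", f"no rule for {src}->{dst}:{flow.proto}/{flow.dst_port}"


def inspect_all(flows):
    """Log every flow, allowed or denied: the denied east-west flows are the
    lateral-movement attempts a SOC needs to see."""
    log = []
    for f in flows:
        decision, reason = evaluate(f)
        log.append(f"{decision.upper():<5} {f.src_ip}->{f.dst_ip}:{f.dst_port}/{f.proto}  {reason}")
    return log


def denied(flows):
    """The flows the microperimeters would block."""
    return [f for f in flows if evaluate(f)[0] == "deny"]


# Constructed sample traffic, including what a compromised endpoint would attempt.
SAMPLE_FLOWS = [
    Flow("10.10.4.7", "10.20.0.15", 443),    # normal user -> app
    Flow("10.20.0.15", "10.30.0.5", 5432),   # app -> database
    Flow("10.10.4.7", "10.30.0.5", 5432),    # compromised endpoint -> database directly
    Flow("10.10.4.7", "10.10.9.2", 445),     # endpoint -> endpoint (SMB), same zone
    Flow("10.99.0.3", "10.30.0.5", 22),      # admin -> database from mgmt
    Flow("10.30.0.5", "198.51.100.9", 443),  # database -> unclassified external address
]

if __name__ == "__main__":
    for line in inspect_all(SAMPLE_FLOWS):
        print(line)
```

Running the module prints one log line per flow: the three legitimate paths are allowed, and the direct endpoint-to-database, endpoint-to-endpoint and outbound-to-unclassified flows are denied and still logged, which is what "inspect all traffic" buys a defender once implicit trust inside the perimeter is removed.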
Analytics and Intelligence
- Behavioral analytics – Analyze patterns of user behavior to spot anomalies and potential attacks.
- Context-aware access – Make authorization decisions based on factors like user role, device security posture, location and content being accessed.
- Continuous diagnostics and mitigation (CDM) – Continuously monitor endpoints and networks to identify vulnerabilities and misconfigurations.
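The per-session, continuously re-evaluated access described at the top of the article, the just-in-time access bullet under Identity and Access Management, and the context-aware access bullet above all meet in a policy decision point. The Python below is an added example, not code from the original article or from any identity product; the roles, resources, risk weights and MFA tiers are constructed placeholders chosen to make the decisions visible.

```python
"""Per-session, context-aware access with just-in-time expiry and re-evaluation.

Added example (not from the original article). Policy tables, risk weights
and the sample user contexts are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed least-privilege policy: entitled roles, minimum MFA strength and
# the highest acceptable risk score for each resource.
RESOURCE_POLICY = {
    "hr-payroll": {"roles": {"hr"}, "min_mfa": "phishing-resistant", "max_risk": 30},
    "wiki": {"roles": {"hr", "engineer"}, "min_mfa": "otp", "max_risk": 60},
    "prod-db": {"roles": {"dba"}, "min_mfa": "phishing-resistant", "max_risk": 20},
}
MFA_RANK = {"none": 0, "otp": 1, "phishing-resistant": 2}


@dataclass(frozen=True)
class Context:
    """Signals the policy engine sees at request time and on every re-check."""
    user: str
    role: str
    mfa: str             # strongest factor completed in this session
    device_managed: bool
    disk_encrypted: bool
    os_patched: bool
    country: str
    home_country: str


def risk_score(ctx: Context) -> int:
    """Additive risk from device posture and location (weights are illustrative)."""
    score = 0
    if not ctx.device_managed:
        score += 40
    if not ctx.disk_encrypted:
        score += 20
    if not ctx.os_patched:
        score += 15
    if ctx.country != ctx.home_country:
        score += 25
    return score


def decide(ctx: Context, resource: str) -> tuple:
    """Policy decision: deny by default, then least privilege, risk, MFA strength."""
    policy = RESOURCE_POLICY.get(resource)
    if policy is None:
        return "deny", "unknown resource"
    if ctx.role not in policy["roles"]:
        return "deny", "role not entitled"
    score = risk_score(ctx)
    if score > policy["max_risk"]:
        return "deny", f"risk {score} exceeds {policy['max_risk']}"
    if MFA_RANK[ctx.mfa] < MFA_RANK[policy["min_mfa"]]:
        return "step-up", f"requires {policy['min_mfa']} MFA"
    return "allow", f"risk {score}"


@dataclass
class Session:
    """A just-in-time grant: scoped to one resource, short-lived, revocable."""
    user: str
    resource: str
    expires_at: datetime
    revoked_reason: Optional[str] = None

    def active(self, now: datetime) -> bool:
        return self.revoked_reason is None and now < self.expires_at


def open_session(ctx: Context, resource: str, now: datetime, ttl=timedelta(minutes=30)):
    """Issue a session only on 'allow'; returns (session_or_None, decision, reason)."""
    decision, reason = decide(ctx, resource)
    if decision != "allow":
        return None, decision, reason
    return Session(ctx.user, resource, now + ttl), decision, reason


def reevaluate(session: Session, ctx: Context, now: datetime) -> bool:
    """Run on a timer or when a signal changes; revokes the grant if the context fails."""
    if not session.active(now):
        return False
    decision, reason = decide(ctx, session.resource)
    if decision != "allow":
        session.revoked_reason = reason
        return False
    return True


def session_lifecycle(start_ctx, later_ctx, resource, minutes_later, ttl_minutes=30):
    """Open a session at a fixed reference time, re-check it later with the new
    context, and return (open_decision, still_active, revoked_reason)."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    session, decision, reason = open_session(start_ctx, resource, t0, timedelta(minutes=ttl_minutes))
    if session is None:
        return decision, False, reason
    still = reevaluate(session, later_ctx, t0 + timedelta(minutes=minutes_later))
    return decision, still, session.revoked_reason


if __name__ == "__main__":
    alice = Context("alice", "hr", "phishing-resistant", True, True, True, "DE", "DE")
    # Ten minutes in, the endpoint agent reports the laptop has left management.
    unmanaged = Context("alice", "hr", "phishing-resistant", False, True, True, "DE", "DE")
    print(session_lifecycle(alice, unmanaged, "hr-payroll", 10))
```

The ordering inside `decide` is deliberate: an unknown resource or an unentitled role is refused before any posture signal is consulted, a risk score above the resource's ceiling is a hard deny rather than a prompt for more MFA, and only a user who is entitled and low-risk but authenticated too weakly is asked to step up. `reevaluate` applies the same function mid-session, which is the "continually re-validated" part of the model; a session that merely reaches its TTL expires without a revocation reason.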
What are the Benefits of Zero Trust?
Zero trust offers significant advantages over traditional network security:
- Minimizes attack surface – Limits exposure by only granting least privilege access.
- Prevents lateral movement – Stops attackers from moving horizontally across networks by isolating systems and users.
- Stops compromised users – Limits damage from compromised user credentials via MFA and contextual controls.
- Centralized visibility and control – Consolidates security monitoring and policy control.
- Supports cloud adoption – Applies the same security controls everywhere, irrespective of location.
- Compliance benefits – Improves auditability and may support regulatory compliance requirements.
According to Forrester, zero trust provides a 52% reduction in security breaches and a 27% reduction in breach impact.
Challenges with Zero Trust Adoption
While promising, zero trust also presents some challenges:
- Complexity – Significant architecture changes are required to adopt zero trust, especially for legacy environments.
- User experience – Additional authentication steps may negatively impact user experience and productivity. Adaptive authentication rules can help minimize this impact.
- Legacy systems – Integrating mainframes, proprietary protocols, IoT devices and custom apps can be difficult.
- Cultural shift – Mindset change is needed as teams must adapt to new ways of controlling access.
- Holistic view – Zero trust requires coordination between IAM, network, data, application, cloud, security and infrastructure teams.
Is Zero Trust Right For Your Organization?
Zero trust is an evolving security model that offers enhanced protection for modern IT environments. Consider zero trust if your organization:
- Has increased adoption of cloud services and remote workers.
- Suffers from repeated malware infections or frequent breaches.
- Wants to improve security visibility across distributed environments.
- Needs to comply with regulations requiring strict access controls and microsegmentation.
A phased approach is recommended, as completely revamping legacy security architectures is unrealistic. Focus first on use cases like remote access or development environments.
Zero trust should be adopted as a journey, not a destination. The model will continue to evolve as new technologies emerge. But organizations can realize concrete benefits today by embracing its guiding principles of least privilege access, continuous verification, and architectural segmentation.
Conclusion
Zero trust is a modern security framework to protect dispersed IT resources and remote workers. It minimizes risk by:
- Removing implicit trust and continuously validating all user access
- Applying strict least privilege controls and multi-factor authentication
- Segmenting networks, limiting lateral movement, and inspecting all traffic
- Providing centralized visibility across distributed environments
While complex, zero trust offers significant advantages over traditional network security. Organizations should start evaluating business cases and consider adoption in a phased, risk-based manner. With resources increasingly located beyond the corporate perimeter, zero trust offers a robust model to improve data security.