The Zero Trust model has been gaining popularity among organizations in recent years. According to 2019 data, 78% of information security teams had implemented this model or at least were planning to make the move. Here, we break down the Zero Trust concept to see what makes it attractive for business.
The perimeter is no more
Perimeter security, a common term in corporate infrastructure protection, encapsulates the use of thorough checks for any and all attempts to connect to corporate resources from outside that infrastructure. Essentially, it establishes a border between the corporate network and the rest of the world. Inside the perimeter — inside the corporate network — however, becomes a trusted zone in which users, devices, and applications enjoy a certain freedom.
Perimeter security worked — as long as the trusted zone was limited to the local access network and stationary devices connected to it. But the “perimeter” concept blurred as the number of mobile gadgets and cloud services in use by employees grew. These days, at least a portion of corporate resources is located outside of the office or even abroad. Trying to hide them behind even the tallest of walls is impractical at best. Penetrating the trusted zone and moving around unhindered has become much easier.
Back in 2010, Forrester Research Principal Analyst John Kindervag put forward the concept of Zero Trust as an alternative to perimeter security. He proposed giving up the external-versus-internal distinction and focusing instead on resources. Zero Trust is, in essence, an absence of trust zones of any kind. In this model, users, devices and applications are subject to checks every time they request access to a corporate resource.
Zero Trust in practice
There is no single approach to deploying a security system based on Zero Trust. Despite this, one can identify several core principles that can help build a system like that.
Protect surface instead of attack surface
The Zero Trust concept typically involves a “protect surface,” which includes everything the organization must protect from unauthorized access: confidential data, infrastructure components, and so on. The protect surface is significantly smaller than the attack surface, which includes all potentially vulnerable infrastructure assets, processes, and actors. It is thus easier to ensure the protect surface is secure than to reduce the attack surface to zero.
Unlike the classic approach, which provides for external perimeter protection, the Zero Trust model breaks down corporate infrastructure and other resources into small nodes, which can consist of as few as one device or application. The result is lots of microscopic perimeters, each with its own security policies and access permissions, allowing flexibility in managing access and enabling companies to block the uncontrollable spread of a threat within the network.
Each user is granted only the privileges required to perform their own tasks. Thus, an individual user account being hacked compromises only part of the infrastructure.
The Zero Trust doctrine says one must treat any attempt at gaining access to corporate information as a potential threat until it’s proven otherwise. So, for each session, every user, device, and application must pass the authentication procedure and prove that it has the right to access the data at hand.
For a Zero Trust implementation to be effective, the IT team must have the ability to control every work device and application. Essential, too, is recording and analyzing information about every event on endpoints and other infrastructure components.
Benefits of Zero Trust
In addition to eliminating the need to protect the perimeter, which gets increasingly blurry as the business grows increasingly mobile, Zero Trust solves some other problems. In particular, with every process actor being checked and rechecked continuously, companies can more easily adapt to change, for example by removing departing employees’ access privileges or adjusting the privileges of those whose responsibilities have changed.
Challenges in implementing Zero Trust
Transition to Zero Trust can prove lengthy and fraught with difficulty for some organizations. If your employees use both office equipment and personal devices for work, then all equipment must be inventoried; corporate policies need to be set up on devices required for work; and others need to be blocked from accessing corporate resources. For large companies with branches in multiple cities and countries, the process will take some time.
Not all systems are equally well adapted to a Zero Trust transition. If your company has a complex infrastructure, for example, it may include obsolete devices or software that cannot support current security standards. Replacing these systems will take time and money.
Your employees, including members of your IT and infosec teams, may not be ready for the change of framework. After all, they are the ones who will become responsible for access control and management of your infrastructure.
That means in many cases companies may need a gradual Zero Trust transition plan. For example, Google needed seven years to build the BeyondCorp framework based on Zero Trust. Implementation time may be substantially shorter for less-branched corporate organizations, but you shouldn’t expect to squeeze the process into a couple of weeks — or even months.
Modern approaches to solving the Zero Trust problem
Although the trailblazers had to spend a lot of time and resources building their own Zero Trust–compliant networks, gaining an understanding of how nodes on the protect surface should interact with the trust system took much longer.
The most widely recognized architecture at present is ZTNA (Zero Trust Network Access). Its base components are a controller tasked with managing access policies on the levels of users, devices and applications, and a service gateway, which applies policies to connected devices and provides controlled access to corporate resources.
ZTNA helps reduce the attack surface significantly; only authorized users, devices, and applications are granted access to nodes on the protect surface.
Thus, large companies can already employ a combination of traditional methods of protecting users and applications within the network perimeter, and Zero Trust principles for remote users and to protect resources located in public or private clouds.
In 2019, the Gartner research company proposed a universal framework named SASE (Secure Access Service Edge). SASE is a new suite of technologies, with SD-WAN, SWG, CASB, ZTNA, and FWaaS as its core components. It enables the identification of confidential data and malware, as well as traffic decryption with continuous monitoring of user and device connections to cloud services. Zero Trust is the core of this new framework.
Zero Trust, security of the future
Thus, transition from traditional perimeter security to ensuring a protect surface under the Zero Trust framework, albeit assuming the use of available technology, may still be a less-than-simple or quick project, both in engineering terms and in terms of changing employee mindset. However, it will ensure that the company benefits from lower infosec expenses as well as a reduced number of incidents and their associated damage.
Established cybersecurity vendors such as Kaspersky have begun a gradual transformation of traditional protection tools for use in a cloud environment. The Zero Trust concept is becoming the core of new services, ensuring connectivity between valuable corporate resources and users, regardless of their location.
New cloud technology is following the long path from the adaptation and rethinking of use cases to practically corporate standards. Zero Trust is a vivid example of this kind of transition. We will soon witness the emergence of enterprise cloud systems that offer significantly shortened implementation times and retain the required levels of security and usability.