What is Zero Trust?
Zero Trust - A Model for Effective Security
The evolution of work has made traditional forms of network security inadequate for today’s world. The COVID-19 pandemic accelerated the trend of remote work, but even before then, companies realized the benefits of eschewing the 9-5 office model. Employees get work done not only in the office, but on their own devices, whether at a home office or on a mobile device. Companies don’t necessarily install all the applications their employees need on every computer, but instead buy licenses and let people log in from wherever they are. The future of work is now, and with it comes a new standard for security models: zero trust security.
Zero trust is a security model that maximizes security and minimizes risk through a simple maxim: trust no one, verify everything. Security used to be based on network security alone. You had a network protected by various perimeter defenses — passwords, firewalls, intrusion detection and prevention systems, and so forth. If someone got past those defenses, whether with legitimate credentials or not, the network implicitly trusted them once they were inside the perimeter.
What zero trust security is
In contrast to that implicit trust of anyone inside the network, a zero trust security model trusts no one and requires continuous monitoring and verification of every user and device, whether within the network perimeter or not. This is especially important in the era of the cloud and remote working, when users access resources from a wide variety of endpoints.
Once a user or device is verified, a zero trust architecture provides only the minimal access required for a user to perform the tasks they need to do, limiting their ability to access other applications, data or resources within the network. This also ensures that if a device is compromised, the damage is contained to the resources available to that device. Access privileges must also be delivered without friction and in real time, which requires real-time visibility into each user’s credentials and attributes.
What Zero Trust is NOT
Zero trust is not a goal that, once achieved, exists in perpetuity. Nor is it a single solution or product. Strong, comprehensive identity access management is the first, foundational step of building any zero trust framework, but it’s not the only piece of the puzzle. Zero trust is an ongoing methodology.
Identity Access Management to Context-based Access Policies
Once you have an identity access management system in place that allows for single sign-on, whether on-premises or remote, a zero trust model needs context-based access policies. That context includes not only the identity of the user, but which application they are attempting to access, what device they are using, their geolocation, and other factors.
Depending on the context, the policy could allow seamless access, or require multifactor authentication (MFA) based on one of the aforementioned details. For example, if a known user attempts to access a resource they normally have access to from a new geolocation, that could trigger MFA. Access is also limited and controlled through the identity access management system, both by the roles assigned within the system and by removing access when the user leaves the organization.
Adaptive Risk Assessment
Finally, with those policies in place, a true zero trust architecture needs continuous monitoring that triggers the multifactor verification request described in the previous example. Any change in those factors automatically triggers the measures needed to verify the attempt, never treating one piece of information (the user, the device, etc.) as enough to trust the access. This adaptive risk assessment allows an organization to set rules around the riskiness of each access or authentication attempt, providing contextually appropriate security measures while also simplifying authentication for the end user.
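The context-based policy and adaptive risk assessment described in the two sections above can be sketched as a single decision function that is evaluated on every access attempt. This is an added example, not code from any product; the user records, risk weights, thresholds, and the decision to deny outright at a high score are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed sample data: apps granted per role, and per-user known context.
ROLE_APPS = {"finance": {"ledger"}, "engineer": {"git", "ci"}}
USERS = {
    "alice": {"role": "finance", "active": True,
              "devices": {"laptop-01"}, "geos": {"US"}},
    "bob": {"role": "engineer", "active": False,  # has left the organization
            "devices": {"laptop-07"}, "geos": {"DE"}},
}
# Assumed weights and thresholds; a real deployment tunes these per resource.
RISK = {"new_device": 40, "new_geo": 30}
MFA_AT, DENY_AT = 30, 70


@dataclass
class Request:
    user: str
    app: str
    device: str
    geo: str
    mfa_passed: bool = False


def decide(req):
    """Return (decision, reasons) for one access attempt."""
    user = USERS.get(req.user)
    # Identity first: unknown or departed users get nothing.
    if user is None or not user["active"]:
        return "deny", ["no active identity"]
    # Least privilege: the role must grant this specific application.
    if req.app not in ROLE_APPS.get(user["role"], set()):
        return "deny", ["role does not grant app"]
    # Context: every factor that differs from the known baseline adds risk.
    reasons = []
    if req.device not in user["devices"]:
        reasons.append("new_device")
    if req.geo not in user["geos"]:
        reasons.append("new_geo")
    score = sum(RISK[r] for r in reasons)
    if score >= DENY_AT:
        return "deny", reasons
    if score >= MFA_AT and not req.mfa_passed:
        return "mfa", reasons  # step-up verification before access
    return "allow", reasons
```

Calling decide() again for each request, rather than once at login, is what makes the check continuous: the same user moving to a new geolocation mid-session gets "mfa" on the next request.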
Zero trust security is the new standard.
In an increasingly interconnected world of remote work and multiple devices, where a growing number of applications and resources are finding a home in the cloud, zero trust is on its way to becoming the default security stance.