The zero trust model is a security approach employed by IT that necessitates tight identification and device verification, whatever the user's location. The model assumes that all users, devices and packets are already compromised, regardless of whether they're inside or outside of the firewall.
Zero trust requires strict security controls on user access, as well as security controls on device access. Zero trust systems must monitor all the different devices that are trying to access their networks and ensure that every device is authenticated. This cuts down on the network attack surface even further.
By limiting which parties have privileged access to each segment of a network, or each machine in a secure organization, hackers have fewer opportunities to gain access to secure content.
A key value of zero trust security is multifactor authentication (MFA), a security mechanism that requires an additional method of authentication in real time from independent categories of credentials to verify the identity of a digital user for a login or other transaction. Multifactor authentication combines two or more credentials, such as what the user knows (password), what the user has (security token) or who the user is (biometric verification).
Perimeter vs. zero trust
In the past, information security was governed by a perimeter-based network security model. This model assumed that any user inside the boundary of the corporate network was "trusted" and any user outside this network perimeter was not trusted.
For nearly 20 years this idea of trust functioned as the justification for deciding which applications or resources people could access.
However, as time went on, perimeter security became less effective because of a number of factors, including the growth of cloud computing, increased use of mobile technology and changes in the way people worked.
Then, a new way of looking at security emerged that didn't favor "trusted insider" and "untrusted outsider." Rather, the new model assumed all users were untrusted and the ability to access the network or other resources was based on who -- not where -- the user is. This model became known as zero trust.
The zero trust approach can be traced back to the Jericho Forum, an international group founded in January 2004. The goal of the group was to establish a security framework to handle the effect of cloud computing as well as define the idea of deperimeterization – a term Paul Simmonds coined, which is a strategy to protect a company's data on multiple levels by using encryption and dynamic data-level authentication.
Forrester and zero trust
In 2010, John Kindervag, an analyst at Forrester Research, coined the term "zero trust," which centered around the idea that an organization shouldn't trust anything inside or outside its perimeters. Rather, a company must verify everything that tries to connect to its network before it grants access.
Zero trust questioned the security model of a firewall creating a perimeter between a trusted internal network and an external network that was not trusted. This security strategy falls apart if a hacker compromises the perimeter, or a malicious insider attempts to steal a company's sensitive data. As such, security professionals have to verify and secure all resources, limit and strictly enforce access control, and inspect and log all network traffic.
The Forrester zero trust security framework revolves around the idea that security professionals must do away with the concepts of a trusted network (generally an internal network) and an untrusted network (external networks). In the zero trust model, all network traffic is untrusted no matter its origin.
Cloud, mobility and zero trust
The three main tenets of the original zero trust model are:
- Companies must provide secure access to their networks, no matter the location.
- Organizations must control access so that users can only access the resources they need. In addition, businesses must prevent users from accessing this information if their roles change or they leave their companies.
- Organizations must inspect and log traffic to ensure users are doing the right things.
However, the three main zero trust tenets had to evolve as the use of mobile devices increased dramatically, more organizations implemented software as a service, and cloud storage offerings, and cyberattacks became more sophisticated.
As the use of cloud services and mobile technology grew, companies couldn't count on perimeter-based tools to protect their sensitive corporate data. Consequently, they turned from securing the perimeter to securing the user.
In 2014, Google rolled out BeyondCorp, the search giant's implementation of the zero trust security model that shifted access controls from the network perimeter to individual users and devices.
At first, BeyondCorp was an internal Google initiative that allowed every employee to work from untrusted networks without having to use a VPN. Then Google opened up BeyondCorp to enable the employees, contractors and other users of non-Google companies to work more securely from any untrusted location without having to log into traditional VPNs.
A 2019 Google blog lists the three main principles of BeyondCorp as:
- Connecting from a particular network does not determine which service you can access.
- Access to services is granted based on what the infrastructure knows about you and your device.
- All access to services must be authenticated, authorized and encrypted for every request (not just the initial access).
The BeyondCorp strategy is based on the concept that perimeter security and a protected intranet isn't adequate any longer. The main reason many organizations adopt this model is to eliminate the need for a VPN, while still allowing employees to securely work from any untrusted network.
Zero Trust eXtended Ecosystem
Taking this into consideration, in 2018, Forrester analyst Chase Cunningham launched the Zero Trust eXtended (ZTX) Ecosystem. In addition to network segmentation, ZTX establishes seven categories that offer a complete approach to security.
The main category of the ZTX model is data. ZTX advocates developing data classification schemes and implementing technologies to encrypt data in transit as well as data at rest.
Four categories of the ZTX model deal with the agents that operate in IT environments, particularly people. However, the ZTX model also stresses how important it is for organizations to look at networks, devices and workloads. Because users have become so critical to security, companies must be sure to examine the networks and devices they're using and the data they're accessing.
The remaining two categories of ZTX are visibility and analytics, and then automation and orchestration. ZTX recommends that organizations implement technologies and processes to monitor and manage the underlying networks, people, data, workloads and devices. The goal is to give enterprises better insight into the activity within their networks as well as make it as fast and as easy as possible for them to take action on those insights.
The future of zero trust
Even though enterprises are dealing with distributed workforces and disappearing perimeters, they likely won't realize the full potential of comprehensive zero trust platforms for some time.
Still, companies today need to prioritize zero trust initiatives and start their journeys with providers that can deliver the controls that can best improve their security postures.
To remove inherent risk from the business, organizations will likely first implement user access and networking tools. For example, many companies are deploying least privilege tools to create secure zones in data centers as well as in the cloud to isolate and protect workloads.
Combined with zero trust tools -- such as multifactor authentication and remote browser isolation -- organizations that implement zero trust tools that handle access to their networks and the internet will likely be ahead of their competitors.