Zero trust (ZT) is an architectural approach and goal for network security that assumes that every transaction, entity, and identity is untrusted until trust is established and maintained over time. ZT strategies contrast with the legacy view that a network is secure unless security systems identify a breach.
Over the last decade or so, enterprises have become increasingly digitised. They now include cloud architecture, incorporate more remote work, and have added as-a-service solutions among other transformative changes. Security teams have scaled network security accordingly, often strengthening safeguards by segmenting the network into smaller zones.
This strategy, unfortunately, created more opportunities for attackers. When attackers access a user’s login information, they can move laterally across the network, spreading ransomware and adding privileges as they go.
Multi-factor authentication (MFA) improved credential strength, but added only one extra layer of authentication. Once in, hackers still have continuous access until they log out or the system logs them out.
New ways of working, including bring-your-own-device (BYOD), remote work and cloud architecture added a new set of vulnerabilities. But even new, stronger cybersecurity protections with heightened visibility end at the edge of the enterprise network and are blind beyond that point.
The ZT approach to cybersecurity turns the old paradigm upside down. Cybersecurity is no longer defined by network segments or within an enterprise network boundary. Trust is not granted based on whether a connection or asset is owned by an enterprise or an individual. It is also not granted based on physical or network location – internet or local area network.
Instead, ZT focuses on resources, users, and assets individually, no matter who owns them and where they are located. Authentication is individually performed for an enterprise resource before a user is granted access.
The ultimate goal is to get to zero trust of any network element until it is verified.
The short answer to zero trust certification and standards is that there aren’t any. The National Institute of Standards and Technology (NIST), founded in 1901 and now part of the U.S. Department of Commerce, provides technology, measurement, and standards information for the U.S. Its goal is to increase technology competitiveness.
NIST creates standards for communications, technology, and cybersecurity practices. The group has not yet created standards or certification for zero trust, but it has created a Special Publication (SP) discussing ZT’s architecture goals.
The paper’s abstract describes zero trust this way: “Zero trust is a term for an evolving set of cybersecurity paradigms that move defences from static, network-based perimeters to focus on users, assets, and resources.” The document goes on to describe the zero-trust approach in depth.
There is some confusion in the cybersecurity world about what ZT is. Some vendors are taking advantage of the confusion to sell products tagged as ZT products. For the uninformed, this can lead to the misunderstanding that ZT is product-based.
ZT is not about particular products, although new and legacy products can be building blocks for ZT architecture. ZT is a revolutionary approach to cybersecurity. It stands firmly in the reality of how organisations and workers connect and work together today.
Moving toward zero trust
If an enterprise is building its infrastructure from scratch, it is possible, and perhaps simpler, to identify essential workflows and components and build purely ZT architecture. As the business and infrastructure change, the growth can continue to adhere to ZT principles over the long term.
In practice, most ZT implementations will be a process. Organisations will remain in some balance of ZT and perimeter-based security over time, gradually implementing modernisation initiatives.
Fully establishing ZT architecture is likely to take several years and encompass a number of discreet projects before reaching the ultimate goal of zero trust. However, there is never an “arrival” at ZT. It is about continuing to implement and enforce the ZT strategy over time, taking into account future business and infrastructure changes.
Developing a plan in advance of taking action can break the process down into smaller pieces and demonstrate success over time. Starting with a thorough catalog of subjects, business processes, traffic flows and dependency maps prepares you to address targeted subjects, assets, and business processes.
ZT architecture is a goal and an approach that takes time and attention to implement. It is not a one-time installation you can deploy and go on to the next. It is a philosophy of cybersecurity that is supported by four primary principles. A particular principle may rely on a particular security technique such as MFA for identity, but the technique used over time can change.
There are three basic functions that underlie the ZT approach.
ZT must be progressively implemented and continuously enforced. It is not a complete replacement or a one-time deployment that is then in place for the life of the network. It is a multi-year and multi-project incremental process that involves multiple aspects of the network, and it will need constant assessment as work habits, technology, and threats change.
How your organisation implements the ZT approach depends on your operation. Your highest-value assets are a good place to start.
The ZT journey includes four components: