The modern IT environment requires a modern security approach that evolves from the limitations of firewalls. Zero-trust security, a concept first introduced in 2010, is being thrust into the spotlight to address this challenge. Analysts warn IT professionals should understand exactly what zero trust is -- and isn't -- so they can make the best use of it in the enterprise.
The zero-trust framework operates on the assumption that all devices and users, even those within the network perimeter, are already compromised. A common misconception about zero trust is that it is a technology, while it is actually a technical model that uses capabilities like multifactor authentication, identity and access management, microsegmentation, software-defined perimeter and file system permissions. To sum it up: "In a zero-trust environment, the infrastructure will, on a very granular level, allow conversations to happen if they're supposed to happen and block everything else," said John Burke, CIO and principal analyst at Nemertes Research. "If A wants to talk to B, there is a very granular trust database that says A can talk to B using HTTPS and anything else will fail."
Benefits of a zero-trust security model
The traditional firewall and perimeter-based security approach does not offer strong enough protection against today's identity and credential-based attacks, whereas zero-trust networking has the following advantages:
- protects company data;
- boosts the ability to do compliance auditing;
- lowers breach risk and detection time;
- improves visibility into network traffic; and
- increases control in a cloud environment.
Enterprises also disperse their data across multiple applications, locations and cloud services, making a traditional firewall obsolete because there are so many channels through which cybercriminals can gain access.
Zero-trust security directly addresses the need for speed in the modern data center because it doesn't require all the maintenance and regression testing that goes into a firewall environment, Burke said. The zero-trust model also offers an attractive alternative to increasingly complex firewall environments. As network environments grow, security admins must expand firewall rules and filters accordingly, which is time-consuming and can be error-prone.
Zero-trust guiding principle: Trust no one
Burke likened zero-trust security to mitigation efforts that combat the spread of COVID-19 in the sense that all individuals should be regarded as potential sources of transmission, regardless of how they appear. "Just because someone does not show symptoms doesn't mean they are free from the virus. They could still be spreading it or could become infected the next day," he said. The same goes for network security. "Just because I admitted an individual onto the network doesn't mean they cannot become a source of ransomware the next day."
Chase CunninghamVice president and principal analyst, Forrester
The concept of zero trust is best understood as "not trusting things in your infrastructure that shouldn't have excessive trust," said Chase Cunningham, vice president and principal analyst at Forrester. "Your employees are a possible avenue of compromise, so you must treat them like another piece of infrastructure."
Implementing zero-trust security
Adopting a zero-trust security model is not an overnight process. "Younger companies with advanced architectures and less legacy equipment have an advantage since they are already utilizing new technology and are up to speed on new technology," said Pete Lindstrom, vice president of security research with IDC's IT Executive Program.
Legacy infrastructure is an obstacle companies face when trying to shift to a zero-trust approach. A common yet misguided course of action is to conduct a massive overhaul of security infrastructure.
"Companies often make the mistake of trying to boil the ocean and go way too broad in scope," Cunningham said. "They should focus in on granular things they can achieve one at a time, like enabling multifactor authentication, remote access control and disabling file shares."
Zero-trust security vendors
Since zero-trust security is a hot buzzword, businesses should be wary in terms of how they evaluate potential vendors since many like to pitch their products as zero trust when they really aren't.
"Rule No. 1: Companies should make sure the vendor is using zero trust [in its own network] so they are buying something from someone who understand their pains," Cunningham said.
All three analysts agreed the zero-trust security umbrella will only grow larger. New capabilities are popping up from the zero-trust framework, such as data loss prevention, user behavior analytics, cloud access security brokers and security gateways. "All of these capabilities at least complement zero trust," Lindstrom said.
Zero-trust security is ready now
With the COVID-19 pandemic ushering in an indefinite work-from-home culture, zero-trust security has the ideal opportunity to become standard security practice. With the right understanding and approach toward their vendor options, companies can update their infrastructure to include this more comprehensive protection, even if only starting on a granular basis. As IDC's Lindstrom stressed: "Zero-trust security is a journey, not a destination."