The main principle behind the zero-trust framework is never trust, always verify. This is a different approach from the traditional security architecture, which is based on the concept of trust, but verify. The latter incorrectly assumes that anything within a network can be considered trustworthy. Many security leaders are phasing out the traditional approach in favor of a zero-trust framework.
Initially developed by Forrester Research in 2010, the zero-trust model has been adopted by many organizations to better protect their users and data. Google implemented a corporate-wide zero-trust network architecture and has shared its experience under the umbrella of BeyondCorp.
So, what does zero trust mean for those involved in the design and development of software applications and services? Infosec professionals know that most users and components of a modern IT infrastructure exist outside the traditional walled garden and are not directly controllable. Zero trust acknowledges this by moving the responsibility for security away from the network perimeter and to the application as the application itself has the ability to validate and set policy on it. Developers cannot just rely on a simple API token that acts as both authentication and authorization. They must be able to completely understand how to secure each and every stage of an interaction with an application within the context of the requester.
A zero-trust framework requires developers to evaluate the full context of a session to determine its overall risk. Developers need to know the identity of the user, the state of the device the request originated from, the app being used and the sensitivity of data the request is trying to access -- even if everything resides inside the network perimeter. Developers need to ensure their code then implements the approved security policy to allow, block or restrict access or manage the data. This may require additional authentication, such as multifactor authentication, limiting functionality or applying compliance controls -- in other words, a whitelist-only approach to granting access.
To ensure an application effectively implements authentication and authorization, as well as strong data and communication encryption, it must be subjected to continuous static and dynamic application security testing. Security teams should also conduct fuzzing and penetration testing to find and remove any vulnerabilities introduced in the development lifecycle.
The zero-trust framework also requires not trusting the open source and third-party plugins required to create a modern application. It is vital developers know what components are used and how to track and implement updates and fixes. This is best done using a software composition analysis tool, such as Black Duck or WhiteHat Sentinel. The entire software supply chain, composed of delivery systems, channels and processes that eventually deploy code into a staging or production environment, should be monitored.
Developers must build security into their design and code base from the start. This is the best way to make the transition from implicit trust to explicit verification and strong identity and access management. This is why so many organizations are progressing from DevOps to DevSecOps, where security is present during every stage of the software delivery lifecycle. An application built within a zero-trust framework can protect access to sensitive data even when perimeter controls, such as firewalls, intrusion prevention systems and data loss prevention tools, fail to provide sufficient security due to misconfiguration or environmental drift.
Note that a zero-trust framework does not remove the need to continuously scan for new vulnerabilities that appear after deployment to ensure back-end systems and everything in between is properly secured and working. But it does enable seamless and flexible access to applications, systems and data -- whether resources are on premises, in cloud-hosted servers or managed by third-party SaaS apps -- while maintaining security for both users and the resources they need.