Zero trust isn't an easy concept to understand. Moving from a traditional security architecture that assumes trust for devices, individuals and locations toward a model that instead trusts nothing until it is verified requires new tools, methodologies and a different way of thinking.
Legacy network security designs were perimeter-based, castle-and-moat philosophies. Everything outside the perimeter was considered hostile until proven otherwise. Network security tools -- among them firewalls, intrusion prevention systems, VPN access and other security services -- were deployed to fortify internet and extranet edges of corporate networks. Once on the inside, network-connected devices, users and communications were largely considered "trusted."
Many in the industry realized this was not the most secure approach, but only recently have tools emerged that enforce the assumption that all network devices, users and locations are untrusted until they are verified.
Another factor driving the movement toward zero-trust strategies is public cloud usage. As applications, data and services began migrating to public clouds, security administrators quickly realized that network flows were no longer passing directly through the corporate network. Thus, edge security tools became far less effective.
The ability to create virtualized protective barriers around critical resources -- both on premises and in the cloud -- eliminates flaws found in previous perimeter security models.
Zero-trust use cases: The benefits
From a cost-benefit analysis perspective, zero-trust use cases offer several security advantages that are otherwise difficult or impossible to achieve.
Uniform security, regardless of device, user or location. Zero trust removes inherent bias stemming from device type, user status or location the device/user is connecting from. This flattens the security playing field, requiring full enforcement of security mechanisms across the entire corporate infrastructure.
Increased security visibility. Zero trust provides unprecedented visibility by centralizing security logging and management, as well as automating the discovery of devices, applications and end users. This helps create a uniform security policy, no matter where applications, data and services reside.
Regain security control of cloud services. Zero trust can be deployed anywhere it's needed. This not only includes users and devices that connect from or into privately owned and operated networks, but also public cloud services.
Myths about zero trust
Because zero trust is such a popular buzzword in 2020, myths are floating around that, in most cases, are being spawned by misleading marketing material. Two stand out, and the first is the claim that any infrastructure can easily adopt a zero-trust model. The unfortunate truth about deploying zero trust is that it's far more achievable with modern network hardware and applications. Legacy systems and applications cannot always be retrofitted to support zero trust.
In addition, several popular open and proprietary peer-to-peer (P2P) or mesh protocols, such as Zigbee or Z-Wave, are not conducive to zero trust. Thus, it's possible that major P2P or mesh deployments would have to be reworked to adhere to the zero-trust model.
The second myth is that zero trust will not restrict daily workflows or hold the organization back if it pivots toward new business goals. If zero trust is not carefully designed and deployed with flexibility in mind, the security model can quickly become an administrative nightmare when major changes are required. In this scenario, zero trust has the potential to be more trouble than it's worth.
Zero-trust use cases for the enterprise
For those who see zero trust as a good fit for their infrastructure, learning how to correctly build and manage a zero-trust network will likely be a top priority. One of the best ways to understand how to build a zero-trust network of your own is to look at zero-trust use cases. Here are three examples where zero trust can significantly bolster a company's security posture.
Secure third parties working inside the corporate network. Most enterprises support employees on the corporate network. However, it's inevitable that other users, such as third-party business partners, will also work from within your corporate network. These situations spotlight the true reason why location-based security tools are woefully overrated and why security should be uniform across the board.
Protect remote workers accessing public cloud resources. Managing the security of remote employees has been a major concern in 2020 in the wake of the COVID-19 pandemic. Security administrators are finding their edge security products provide no benefit to remote workers who use the internet to connect directly to public cloud resources. While it is possible to force remote workers through the corporate network to use VPN or virtual desktop infrastructure technologies, these options often prove inefficient and burdensome. Zero trust becomes a great alternative because it does not require users to connect to the corporate network before accessing cloud services.
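To make the contrast between the castle-and-moat model and zero trust concrete, here is an added Python example (not from the original article) that evaluates the same constructed access requests under both models; the network range, user names, resource names and posture flags are constructed sample values, not real policy data.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample values (not from any real deployment): the address range a
# castle-and-moat design treats as "inside", and a per-resource authorization table.
CORPORATE_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]
AUTHORIZED_USERS = {"crm": {"alice", "bob"}, "hr-payroll": {"alice"}}

@dataclass(frozen=True)
class AccessRequest:
    user: str
    source_ip: str
    resource: str
    identity_verified: bool  # e.g. MFA completed and the session token still valid
    device_healthy: bool     # e.g. posture check (patched, disk encrypted) passed

def perimeter_allows(req: AccessRequest) -> bool:
    """Legacy model: a request is trusted simply because it comes from inside."""
    addr = ipaddress.ip_address(req.source_ip)
    return any(addr in net for net in CORPORATE_NETWORKS)

def zero_trust_allows(req: AccessRequest) -> bool:
    """Zero trust: identity, device posture and per-resource authorization are
    checked on every request; the source network is deliberately not an input."""
    return (req.identity_verified
            and req.device_healthy
            and req.user in AUTHORIZED_USERS.get(req.resource, set()))

def compare_models(requests):
    """Return (request, perimeter decision, zero-trust decision) per request."""
    return [(r, perimeter_allows(r), zero_trust_allows(r)) for r in requests]

# Constructed scenarios mirroring the article's use cases.
SAMPLE_REQUESTS = [
    # Third party plugged into the corporate LAN, never verified.
    AccessRequest("contractor", "10.20.30.40", "hr-payroll", False, False),
    # Remote employee on a home connection, verified and on a healthy device.
    AccessRequest("alice", "203.0.113.7", "crm", True, True),
    # Employee in the office, but on a device that failed its posture check.
    AccessRequest("bob", "10.1.2.3", "crm", True, False),
    # Verified employee in the office asking for a resource not granted to them.
    AccessRequest("bob", "10.1.2.3", "hr-payroll", True, True),
]

if __name__ == "__main__":
    for req, perim, zt in compare_models(SAMPLE_REQUESTS):
        print(f"{req.user:>10} -> {req.resource:<10} perimeter={perim!s:<5} zero_trust={zt}")
```

The first scenario is the third-party case above (trusted by location alone), the second is the remote worker who never touches the corporate network yet is still granted access once identity and device posture check out.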
IoT security and visibility. For businesses with IoT ambitions, security is a major issue because many embedded IoT devices are not considered secure out of the box. Instead, security mechanisms are often wrapped around IoT deployments.
Zero trust offers two key security benefits for IoT deployments. First, zero trust helps to build and maintain a dynamically learned inventory of devices that includes IoT sensors. Knowing where IoT devices reside at any given time is an important consideration of any IoT project.
Second, zero trust can automate the security health monitoring of autonomous IoT devices. In many cases, it's impossible to install agent-based security, such as endpoint detection and response, onto IoT sensors. Zero trust can be used as an alternative to strictly limit who these devices can communicate with in the event of a compromise, thus reducing the overall vulnerability of IoT deployments.