The concept of zero trust security was first defined in 2010 by Forrester analysts, and it is becoming increasingly relevant for organizations. The Covid-19 pandemic has rendered traditional network perimeters obsolete, so eliminating or reducing trust in the network environment and connected devices is critical for organizations that must defend against proliferating security threats in today’s business landscape.
Modern developments like mobile computing, remote work, and SaaS mean traditional perimeter security is insufficient. Zero trust addresses the complex security requirements that strain organizations’ perimeter-based security measures.
What is Zero Trust Security?
Zero trust security means no user, device, or network traffic is trusted by default, whether it originates inside or outside an organization’s network. Appropriate controls must reduce the risk of unauthorized access to an acceptable level, and the model mandates defense-in-depth mechanisms.
Implementing zero trust replaces the traditional “trust but verify” model, under which devices connected to an internal network were assumed to be mostly authorized. The new approach is “never trust, always verify”: every device must pass identity and security policy checks to access corporate resources, and access is limited to the minimum required.
Key Elements and Benefits
A zero trust architecture typically combines the following controls:
- Unified endpoint management for all devices, company-owned or BYOD
- Single sign-on for seamless user authentication across systems
- Multi-factor authentication using various factors beyond passwords
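As an added illustration (not code from the original article or from any product), the sketch below shows how a per-request decision can combine these controls with “never trust, always verify” and least privilege. The role names, resource names, field names and sample requests are constructed assumptions.

```python
from dataclasses import dataclass

# Hypothetical least-privilege grants: role -> exact (resource, action) pairs.
GRANTS = {
    "payroll-clerk": {("payroll-db", "read")},
    "payroll-admin": {("payroll-db", "read"), ("payroll-db", "write")},
}

@dataclass(frozen=True)
class Request:
    user: str
    role: str
    sso_session_valid: bool  # identity asserted by the single sign-on provider
    mfa_passed: bool         # additional factor verified for this session
    device_enrolled: bool    # device known to endpoint management (company-owned or BYOD)
    device_compliant: bool   # device currently meets the security policy
    source_network: str      # kept for logging only; never used to grant access
    resource: str
    action: str

def decide(req: Request) -> tuple[bool, str]:
    """Evaluate each request from scratch; anything not explicitly allowed is denied."""
    if not req.sso_session_valid:
        return False, "identity not verified"
    if not req.mfa_passed:
        return False, "MFA required"
    if not req.device_enrolled:
        return False, "device not enrolled"
    if not req.device_compliant:
        return False, "device fails security policy"
    if (req.resource, req.action) not in GRANTS.get(req.role, set()):
        return False, "not granted to role"
    return True, "allowed"

# Constructed sample requests.
BASE = dict(user="alice", role="payroll-clerk", sso_session_valid=True,
            mfa_passed=True, device_enrolled=True, device_compliant=True,
            source_network="home", resource="payroll-db", action="read")
SAMPLES = {
    "remote_ok": Request(**BASE),
    # On the corporate LAN but unmanaged: network location earns no trust.
    "internal_unmanaged": Request(**{**BASE, "source_network": "corporate-lan",
                                     "device_enrolled": False}),
    # Verified user and device, but the action exceeds the role's grants.
    "excess_privilege": Request(**{**BASE, "action": "write"}),
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(name, decide(req))
```

The decision never reads source_network, so a request from the internal network is checked exactly like one from a home network.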
Adopting a zero trust approach delivers several benefits:
- Dynamic securing of user/device connections to resources/applications
- Facilitating secure access across hybrid, multi-cloud environments
- Reducing insider threats and attacks within the organization’s network
- Improving compliance visibility and control over access activities
Implementing Zero Trust
Organizations should create a phased zero trust strategy, considering how to approach it and who will lead the effort. The dedicated zero trust team should include members from key areas: applications, data security, network security, infrastructure, and identity and access management.
Key implementation steps include:
- Assess the environment to understand existing controls and data flows
- Review emerging zero trust enabling technologies
- Launch foundational zero trust initiatives based on capability gaps
- Define operational security changes to avoid gaps as practices evolve
- Deploy, measure, assess, and iterate for continuous improvement
Cost concerns exist, but a gradual, phased approach can help. Start with identity and other critical controls. Organizations can progressively mature towards a comprehensive zero trust architecture.
The Post-Covid Imperative
The relevance of zero trust has increased post-Covid. IT environments are becoming more decentralized and distributed. Remote work is common, with more people accessing corporate and cloud resources over home networks using personal devices.
Guidance like NIST’s SP 800-207 is driving adoption. Organizations face rising compliance requirements to implement reasonable security practices. Although zero trust is a framework rather than a single product, cybersecurity vendors are adapting their offerings to support zero trust approaches.
In a rapidly digitizing post-Covid world, users, devices, and application workloads move beyond corporate network boundaries. The traditional perimeter enforcement model is no longer suitable. Zero trust is the most relevant security model for current requirements. It aligns with the need to treat everything as potentially compromised until identity and access are verified.
Organizations should embrace zero trust principles. This enables workers to securely access cloud and on-premises services. Assess existing toolsets to fill gaps in zero trust support and retire tools that don’t support a zero trust transition. By doing so, organizations can better meet evolving cybersecurity needs in an increasingly digital, distributed, mobile, and cloud-driven world.