What is Zero Trust?
Note: This is part one of a five-part series on the origins and tenets of Zero Trust.
Most IT security professionals are familiar with the concept of Zero Trust, but many have difficulty communicating that concept to decision-makers and stakeholders. The most basic explanation of Zero Trust is right there in the name: trust nothing. Authenticate, authorize, and continuously validate all users, devices, and other resources.
It sounds like a great idea that would be met with enthusiasm by companies of all sizes. Unfortunately, this is where things start to get murky for many IT teams. Non-IT employees think that you already have security, and they don’t want to be bothered with more logins or security measures. Decision-makers wonder how much this will cost, how the implementation will disrupt the business, and what the return on investment will be. Some people simply do not trust Zero Trust.
Origins of Zero Trust
IT leaders around the world began formally exploring deperimeterization in 2004. A group called the Jericho Forum was created to help the world adopt tools like encryption and advanced authentication methods to safely reduce the boundaries between an organization and the outside world. The business benefits of this approach include more efficient collaboration, greater agility, and lower business costs.
Today you can see the success of these efforts in bring-your-own-device (BYOD) environments, software-as-a-service (SaaS) adoption, and internet of things (IoT) deployments. Secure digital transformation is not possible with a perimeter-based approach.
This doesn’t mean that traditional perimeter defenses such as the firewall were eliminated. Companies everywhere use firewalls to secure and manage on-premises and multi-cloud deployments. Wide area networks, including SD-WAN and CloudGen WAN, wouldn’t be possible without firewalls. Operational technology (OT) and industrial control systems would not be secure without the purpose-built firewalls that protect them and connect them to a controlling device. Zero Trust implementations may change the firewall’s job, but they do not replace the device.
Explaining Zero Trust
It’s important to realize that there is no single product that you can deploy to create a complete Zero Trust environment. Zero Trust is a philosophy, and it begins as a paradigm shift away from traditional perimeter-based security to a more trust-based model. This means that IT teams should assume that vulnerabilities and threats stem from trust relationships. Every attempt to access company resources is a potential threat that has to be eliminated by multiple layers of security. These layers of security enforce the principle of least privilege. Authorized users have access only to what they need. This reduces the potential reach of privilege misuse by that user’s account credentials.
It’s an unfortunate reality that some stakeholders will resist Zero Trust initiatives simply because they misunderstand the ‘trust’ part. People want to be trusted by employers and colleagues, and companies want to be trusted by customers and business partners. Sometimes you may need to address the context. Every time someone uses a key on a lock or a password on a device, it’s because trust has to be established before access is granted. The paradigm shift to a trust-based network is to make their work easier, not harder.
The National Institute of Standards and Technology formally defines Zero Trust in NIST Special Publication 800-207:
Zero trust (ZT) is the term for an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources. ... Zero trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location or based on asset ownership ... Zero trust focuses on protecting resources, not network segments, as the network location is no longer seen as the prime component to the security posture of the resource.
That document should be considered required reading for anyone who wants to create a Zero Trust environment. The same goes for the Zero Trust guidance document published by the U.S. National Security Agency. Both will help you explain and communicate the value of Zero Trust.
In the next post in this series, we’ll take a look at how Zero Trust principles have made things easier for companies and employees around the world. You can read all posts in the series here.