What Is Zero Trust Security?
Zero trust security is a relatively new principle in the IT security domain. With a zero trust approach, strict verification is required for every user or device within a private or enterprise network, regardless of whether the user or device is present inside or outside the network.
In other words, the network or system continually authenticates users and devices because nothing is trusted by default.
Why Zero Trust?
The primary reasons for the movement to zero trust include the growing number of digital devices deployed in the private network and the increase in attack vectors due to a massive surge in data generated by new technologies. Digital data has become a prominent asset for businesses, and attackers want to breach systems to steal that data.
The attack surface has increased with the expansion of data across different types of environments. In addition to on-premises data centers, businesses are leveraging public and private clouds — and multi-cloud, hybrid environments that incorporate each approach — to deploy applications and host data. As a result, users reach different data through different interfaces. And as the policies that must be deployed at these many points in the environment grow more complex, the security perimeter becomes vulnerable.
Foundation of Zero Trust
Creation of the zero trust principle has been credited to John Kindervag, who used the term in 2010 as an analyst for Forrester Research. Among the first companies to deploy the zero trust concept in their network infrastructures were Google, Coca Cola, and WestJet Airlines.
Late in 2019, Google announced the integration of zero trust rules within its Google Cloud infrastructure in a microservices-based implementation named BeyondProd. Google’s success has prompted many other companies to investigate the zero trust concept.
The zero trust model of IT security does not involve a specific set of tools and frameworks for hardening internal or external access. Instead, it amalgamates various technologies to create a more trusted and secure infrastructure ecosystem than is possible using traditional methods.
Moving On from a Traditional Approach
Traditionally, IT security was based on a “castle-and-moat” strategy, which focused on a robust firewall mechanism built to govern access from outside the network. Internal users were free to access any resources without hassle.
This model was once followed by the majority of enterprises and private networks worldwide. But it was easy for external as well as internal attackers to exploit, because once the firewall was breached, nothing stopped an attacker from reaching internal resources and causing considerable damage.
Zero trust introduces a more secure infrastructure that is based on the following rules:
- By default, any user or digital system inside or outside of the infrastructure is considered to be an attacker. Nothing and no one will be trusted.
- Access is granted on a least-privilege basis: a user or system receives only the access to infrastructure resources needed to perform a specific task.
- Zero trust leverages micro-segmentation, in which the network is divided into segregated security zones. Users or devices are granted access to specific zones and restricted from others based on attributes such as location or organizational role. An internal user thus gains limited access within the enterprise network without visibility into other parts of it; without additional authorization granted by an administrator, no user can see beyond their own dedicated zone.
- Multi-factor authentication (MFA) is used heavily in networks based on the zero trust principle. MFA checks multiple proofs of a user’s identity before granting access to the resources assigned to them. One such proof is a one-time password (OTP), an authentication method in which the user must manually enter a code sent to their mobile phone to gain access to the application. This is one of the strongest authentication mechanisms and is in use by many applications today.
Adoption of Zero Trust
Adopting zero trust in infrastructure involves applying the “cradle-to-the-grave” approach, in which all access to data by users or devices is monitored, whether access requests originated internally or externally.
For this to happen, a granular monitoring system should be integrated into the network infrastructure. This monitoring element tracks users and devices while they use network resources and generates analytical information. If suspicious activity is detected, the monitoring system raises an alarm for a probable breach.
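The rules listed above (default deny, least privilege, zone access by role, mandatory MFA) and the monitoring described here can be combined into one policy decision point. The following is an added example written for this article, not code from any zero trust product; the policy table, device inventory, user names and denial threshold are all constructed for illustration.

```python
from dataclasses import dataclass, field
from collections import defaultdict

# Hypothetical policy: role -> zone -> allowed actions. Anything not
# listed here is denied, so there is no implicit trust to inherit.
POLICY = {
    "finance-analyst": {"finance": {"read"}},
    "db-admin": {"finance": {"read", "write"}, "hr": {"read"}},
}
KNOWN_DEVICES = {"laptop-7f3a", "laptop-91c0"}  # constructed device inventory

@dataclass
class Request:
    user: str
    role: str
    device_id: str
    mfa_verified: bool
    inside_network: bool  # carried for logging only; location grants nothing
    zone: str
    action: str

@dataclass
class Monitor:
    """Records every decision and flags users who pile up denials."""
    log: list = field(default_factory=list)
    denials: dict = field(default_factory=lambda: defaultdict(int))
    threshold: int = 3  # constructed alarm threshold

    def record(self, req, allowed, reason):
        self.log.append((req.user, req.inside_network, req.zone,
                         req.action, allowed, reason))
        if not allowed:
            self.denials[req.user] += 1
        return self.denials[req.user] >= self.threshold  # True = raise alarm

def _decide(req, monitor, allowed, reason):
    alarm = monitor.record(req, allowed, reason)
    return allowed, reason, alarm

def evaluate(req: Request, monitor: Monitor):
    """Return (allowed, reason, alarm). Checks run in order; first failure denies."""
    if not req.mfa_verified:
        return _decide(req, monitor, False, "mfa required")
    if req.device_id not in KNOWN_DEVICES:
        return _decide(req, monitor, False, "unknown device")
    allowed_actions = POLICY.get(req.role, {}).get(req.zone, set())
    if req.action not in allowed_actions:
        return _decide(req, monitor, False, "no grant for zone/action")
    return _decide(req, monitor, True, "explicit grant")
```

Note that a request from inside the network with MFA missing is denied exactly like an external one, and an analyst reaching for a zone outside their role is denied and counted toward the alarm threshold.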