Zero Trust is a strategic concept used by security leaders to ensure their organizations remain secure as they adapt to changing conditions and requirements in the market. It encourages security teams to rely less on the safety of a network perimeter and more on secure processes and technologies which can be applied directly to corporate resources, irrespective of where they’re located and who needs to access them.
O’Reilly Media’s Zero Trust Networks, has perhaps the most succinct description of the principles underlying the Zero Trust approach:
The network is always assumed to be hostile.
External and internal threats exist on the network at all times.
Network locality is not sufficient for deciding trust in a network.
Every device, user and network flow is authenticated and authorized.
Policies must be dynamic and calculated from as many sources of data as possible.
The strategy is gaining popularity as more organizations take on digital transformation initiatives which are largely incompatible with a perimeter based security model.
Where did Zero Trust originate?
Before Zero Trust had a name, the concept of de-perimeterization was promoted as early as 2004 by the Jericho Forum. This working group of Chief Information Security Officers ultimately compiled the Jericho Forum Commandments which defined “areas and principles to be observed when planning for a de-perimeterized future.”
In the fall of 2010, the term Zero Trust was first introduced by Forrester Research Analyst John Kindervag in a series of reports, beginning with “No More Chewy Centers: Introducing The Zero Trust Model Of Information Security.” A series of three reports were published describing the concept, architecture and case studies for Zero Trust along with a primary directive:
“In Zero Trust, all network traffic is untrusted. Thus, security professionals must verify and secure all resources, limit and strictly enforce access control, and inspect and log all network traffic”
From a practical standpoint, this means that all forms of implied trust and resulting entitlements are no longer valid. Instead, organizations must rely on explicit assessments of trust which are dynamic, rooted in as many sources of data as possible before deciding whether a user should be granted access to a resource or should be allowed to perform a transaction.
Today, Zero Trust has taken on a life of its own. Multiple analyst firms regularly provide guidance on the concept, organizations like Google have published case studies on their experience transitioning to Zero Trust, and solution providers each have their own take. All parties, however, agree that the world has changed, and our approach to security must change with it.
Why is Implicit Trust Based on a Network Perimeter Insufficient?
Cloud adoption, remote users, BYOD and other trends are increasingly creating scenarios where routing traffic through a corporate perimeter (e.g. firewall, VPN) is only necessary to establish that an access request originated from a “secure” IP address.
This process, known as backhauling, reinforces the myth that perimeter based security was effective in the first place. The countless ways bad actors breach corporate networks are well understood, as is the lateral movement they take through those networks to steal data and disrupt business. Granting trust of any kind to a user who was somehow able to gain access to a network weakens an organization’s security posture in four ways:
Ignores compromised devices: Symantec's 2019 Internet Security Threat Report found that “one in 36 devices used in organizations were classed as high risk. This included devices that were rooted or jailbroken, along with devices that had a high degree of certainty that malware had been installed.” Legitimate users on compromised devices can incidentally expose sensitive resources to bad actors through their own access to the corporate network.
Ignores changes in context: IP addresses help establish that a user is requesting access from a “trusted network.” But relying on this data point alone results in insufficient protection of corporate resources, as doing so ignores other sources of risk based on the type of user (department, seniority, privilege), the context of the request (time of day, device, geo-location), as well as the risk of the resource (finance app. vs. holiday calendar) requested.
Creates a facade of security: The myth of safety behind the firewall is a dangerous one. Without the assumption that the network has already been breached, common security best practices can be delayed or ignored because “no one will access this resource externally, and in any case it’s behind the firewall.”
How does Zero Trust Improve Security?
The weaknesses of an implied or discreet perimeter based approach outlined above quickly disappear when a Zero Trust approach is taken. Compromised credentials and devices, as well as changes in context are each addressed by capabilities which should underpin any Zero Trust strategy. And when the assumption of safety behind a firewall is removed, resource owners and security teams tend to evaluate the security and risk profile of each resource quite carefully and on a regular basis to ensure sufficient protection.
Figure 2: Zero Trust shrinks network perimeters to microperimeters, which apply security measures to each class of resource based on risk.
Zero Trust ensures the right questions get asked based on the risk profile of the user, device and the resource to which they’re requesting access:
Is this user legitimate?
Was this user identified in a manner that is acceptable to the task being performed?
Is their device healthy enough for the task they are performing?
Is this user who they say they are?
Should this user have access under any circumstance?
Should this user have access given their current circumstances?
Is this session still driven by the real user?
Does the amount of trust in the user identity match the level of risk associated with this transaction?
Has the request been verified?
During Data Access
Did the user provide consent for access, and to whom?
What transactions (READ, MODIFY, DELETE) did they consent to?
Should this data be encrypted?
The Role of Intelligence in Zero Trust
Mature Zero Trust deployments go beyond removing trust in the network. They also remove the notion of binary trust (I trust you, or I don’t), and negate the idea of trust for a predetermined period of time. O’Reilly’s fifth Zero Trust principle states that “Policies must be dynamic and calculated from as many sources of data as possible,” a concept which mandates what is commonly known as the use of risk signals, or intelligence.
Zero Trust architectures assess digital risk using a variety of signals and enforce access control decisions based on the output of those signals. The variable level of confidence provided by those signals can lead a user down a number of adaptive access paths which can include:
Allow access after reauthentication
Allow access after step up authentication
Allow access, but with certain constraints
The removal of binary trust has the added benefit of improved user experience, as adaptive access paths make it increasingly likely they’ll be able to access the resources they need with less friction overall. And the evaluation of trust at the point of each access request, as well as the continuous observation of session behavior ensures that trust is never long lived, nor is it binary, improving security in scenarios where a session or valid account may have been hijacked by a bad actor.
What other Benefits does Zero Trust Provide?
The opportunities presented by replacing network trust with Zero Trust are numerous. First, organizations are free to take advantage of the full spectrum of deployment options for infrastructure, applications and data without the need to “backhaul” traffic through their network. Increased business agility can be gained by leveraging on premises data centers, private clouds, public clouds and everything in between depending on what is most appropriate for that particular resource, not what works best for security. Cost savings from optimizing hosting and management fees by resource, as well as decreased licensing outlays for VPN and other perimeter based tools can also be realized. Improved workforce productivity is another benefit seen by those moving to Zero Trust, through the standardization of access control across all resources no matter where the user needs access from and what device they happen to be using. Finally, compliance “micro-segments” can be set up to ensure everything hosted within that segment has the controls required by each compliance regime applied in a standard fashion.
What are Key Capabilities Required to Architect Zero Trust Security?
The capabilities framework below was constructed with input from industry analysts, customers, thought leaders and partners to guide conversations around Zero Trust and help organizations mature their approaches to security.
Six categories of controls are critical to architecting Zero Trust security. Together, they provide a defense in depth approach to securing corporate resources no matter where they’re deployed and who needs access to them.
Strong Identification & Authentication: Verifying and authenticating user identity from the moment of registration to each request for access is critical to improving security. These capabilities ensure that all users (privileged and not) and all resources are protected no matter where they’re deployed.
Network Security: Preventing lateral movement between segments is often the most effective way to minimize the impact of a breach. These capabilities ensure that breaches are contained with access terminated as soon as malicious behavior is detected or a risk threshold is exceeded.
Data Security: Whether its sensitive IP or user data covered by one of the many privacy regimes popping up around the globe, data security has become paramount for many organizations. These capabilities ensure that data is encrypted where it needs to be, and that users are always in control of their data.
One item to note in the diagram above is the perceived lack of a strong binding between a user and data which they own. In Zero Trust, ownership of data is paramount and access to this data should not be granted unless consent has been explicitly provided. Additionally, access to a user’s data must based on digital trust which is constantly reevaluated based on context, as well as digital risk which exists as a variable level of confidence. Both of these evaluations are ephemeral, and only exist within the context of an individual request, which complies with O’Reilly’s fourth and fifth principles:
#4 Every device, user and network flow is authenticated and authorized.
#5 Policies must be dynamic and calculated from as many sources of data as possible.
Where Should I Start My Zero Trust Journey?
Chase Cunningham, Principal Analyst at Forrester recently wrote about a question he gets asked at least weekly, and in some cases almost daily:
“Where do we start for Zero Trust?”
His response? “Fix your IAM and user side of the equation.” Unsurprisingly, starting and/or improving identity and access management programs is where many organizations begin their Zero Trust journey. The low hanging fruit most commonly taken advantage of by bad actors is a complete lack of, or misconfigured authentication and authorization controls. Just a few weeks ago this vulnerability was highlighted yet again with a breach of 885M title insurance records which could have been accessed by anyone with no authentication required.
Clearly, strong identification and authentication make the most sense as a starting point to ensure that all access is authenticated access. But identity and access management technologies also represent the control plane for Zero Trust architectures. Starting with a strategic deployment of global, adaptive authentication and using this capability as the policy administration and decision point for which all risk signals and policy decision points integrate is how many are architecting their Zero Trust environments today.
Are there any Zero Trust Case Studies?
Similar to other approaches to enterprise security, there is no finish line when it comes to Zero Trust. And putting the pieces in place to adopt just the first principle (the network is always assumed to be hostile) can take an organization years to accomplish. Luckily, there are some examples of organizations who have already spent years shifting away from the perimeter based model toward Zero Trust security.
Google’s BeyondCorp implementation of the concept isn’t just the most well known example, it’s also the best documented. To receive feedback on their implementation and support others in their move to Zero Trust, they’ve published a series of six papers which “describe the story of BeyondCorp at Google, from concept through implementation.” Others, like Netflix, are telling their stories of preparing for an open perimeter in webinars and speaking engagements at industry conferences.
There are many reasons why organizations choose to adopt a Zero Trust security strategy, but commonly it starts with digital business initiatives which require applications and data to be accessed by those outside the corporate perimeter. To learn more about Zero Trust and Digital Transformation, read the white paper: Thinking Outside the Perimeter.