Enterprises are accelerating digital transformation initiatives in response to the rapidly evolving business landscape and a remote or hybrid workforce. Greater productivity is among the core benefits of these initiatives. But to realize these efficiency gains—and the additional advantages of a digital-first culture—you need to provide your workforce with access to every application and tool they need to do their jobs. And that’s often easier said than done.
Security leaders are faced with the new challenge of securing their organizations when very few users are on the corporate network. They need to give their employees the anytime and anywhere access they need to be productive, but not at the cost of security. Striking the right balance hinges on having confidence that the people requesting access are who they say they are and that they’re granted access to only those resources and sensitive data they’re authorized to use.
An identity-centric Zero Trust approach to security provides this assurance. With Zero Trust, you depend less on static network perimeters and more on the identity and dynamic risk of each user, as well as the secure processes and technologies that can be applied directly to corporate resources, irrespective of where they’re located.
O’Reilly Media’s Zero Trust Networks provides a succinct description of the five principles underlying a Zero Trust strategy as follows:
These security tenets underscore the realities of security in a digital-first world. Identity makes it possible to ensure security without sacrificing user experience or introducing unnecessary friction. Using the Zero Trust model, you can put identity at the center of your security strategy and release your reliance on traditional (and potentially risky) network perimeter approaches.
Read on to learn:
Before Zero Trust had a name, the concept of de-perimeterization was promoted as early as 2004 by the Jericho Forum. This working group of Chief Information Security Officers ultimately compiled the Jericho Forum Commandments which defined “areas and principles to be observed when planning for a de-perimeterized future.”
In the fall of 2010, the term Zero Trust was first introduced by Forrester Research analyst John Kindervag in a series of reports, beginning with “No More Chewy Centers: Introducing The Zero Trust Model Of Information Security.” The three reports in the series described the concept, architecture and case studies for Zero Trust, along with a primary directive to “verify and secure all resources, limit and strictly enforce access control, and inspect and log all network traffic.”
“In Zero Trust, all network traffic is untrusted. Thus, security professionals must verify and secure all resources, limit and strictly enforce access control, and inspect and log all network traffic.”
—John Kindervag, “No More Chewy Centers: Introducing The Zero Trust Model Of Information Security,” Sept. 17, 2010
From a practical standpoint, this means that all forms of implied trust and resulting entitlements are no longer valid. Instead, organizations must rely on explicit assessments of trust which are dynamic and rooted in as many sources of data as possible before deciding whether a user should be granted access to a resource or allowed to perform a transaction.
In the years since the concept was introduced, Zero Trust has taken on a life of its own. And today, it’s more relevant than ever. While consensus is often difficult to achieve in many areas of our lives, we can all agree that the world has changed. It stands to reason then that our approach to security must change with it.
In 2020, enterprises saw their offices go vacant as employees shifted to working remotely in response to the global COVID-19 pandemic. Security leaders had to quickly evaluate if their identity and access management (IAM) systems could handle remote employees accessing corporate resources while outside of the network perimeter.
Previous default options like a virtual private network (VPN) quickly proved insufficient for many. A VPN only establishes that the connecting device holds credentials for the tunnel and then places it on the internal network; it provides no assurance that the person requesting access is who they say they are, or that they are authorized to use the specific resource requested. In addition, VPN concentrators weren’t built for the scale that companies suddenly required.
In response, enterprises fast tracked digital transformation initiatives. But adapting to changing business requirements and an increasingly remote workforce is more than a short-term fix—it’s a long-term strategy as many organizations are maintaining the option for remote work whether fully or as part of a hybrid workplace post-COVID.
A Zero Trust strategy can help you support the new normal and secure remote access for your employees and other workforce users. By shifting reliance away from trusting the corporate network to always verifying a user’s identity before granting access, Zero Trust helps ensure that only the right users gain access to the right resources for the right reasons.
When it was first introduced more than 10 years ago, Zero Trust was based on the realization that the notions of a trusted internal network or trusted users were no longer relevant or reliable. The security model it set out to fix was broken then and remains broken now: Zero Trust asserts that an enterprise should place zero trust in the user’s network location as an indicator of security. In fact, assuming trust in this way can have disastrous results, as evidenced by the number of breaches dominating news headlines.
Just because a user is behind a firewall doesn’t mean that user can be trusted. Whether the user entering any domain is an employee, a customer, a partner or anyone else—and regardless of the network they’re using—their identity must be verifiable beyond the traditional perimeter. Zero Trust effectively shifts the security “perimeter” to the identity of the individual user and beyond to the backend components such as microservices and/or serverless functions.
Company-wide work-from-home initiatives, cloud adoption, BYOD and other trends are creating situations where routing traffic through a corporate perimeter (e.g., a firewall or VPN) is only necessary to establish that an access request originated from a “secure” IP address.
This process, known as backhauling, reinforces the myth that perimeter-based security was effective in the first place. The countless ways bad actors breach corporate networks are well understood, as is the lateral movement they take through those networks to steal data and disrupt business. Granting trust of any kind to a user who has gained access to a network weakens your security posture and introduces risk in the following ways:
For years now, the annual Verizon Data Breach Investigations Report (DBIR) has warned of the risks of stolen credentials, and the 2021 edition is no exception: it once again shows the connection between credentials and data breaches. One in four breaches in 2020 involved stolen credentials, proving yet again that when the correct credentials are the only key needed to unlock access to the corporate network, that network is far from secure.
Symantec's 2019 Internet Security Threat Report found that “one in 36 devices used in organizations were classed as high risk. This included devices that were rooted or jailbroken, along with devices that had a high degree of certainty that malware had been installed.” Legitimate users on compromised devices can incidentally expose sensitive resources to bad actors through their own access to the corporate network.
IP addresses help establish that a user is requesting access from a “trusted network.” But relying on this data point alone isn't enough, since 30% of breaches involve internal actors who are already on that network. There are other, more reliable indicators of risk, including the type of user (department, seniority, privilege), the context of the request (time of day, device, geolocation) and the sensitivity of the resource requested (a finance application vs. the holiday calendar).
The belief that there’s safety behind the firewall is a dangerous one. Without the assumption that the network has already been breached, common security best practices can be delayed or ignored. It’s all too easy to assume a resource behind the firewall can’t be accessed externally, but countless successful data breaches prove this isn’t the case at all.
The philosophy of Zero Trust networks is that you should trust no one and verify everyone. To put this into practice, the following five-part framework is suggested.
Customers access your applications from public Wi-Fi in coffee shops and airports. Your employees and partners must be able to do the same, using whatever public and private networks are available wherever they happen to be. Digital transformation also requires applications and services in a variety of public and private clouds to interact with your business applications. Consequently, the network a request arrives from can no longer be used to distinguish insiders from outsiders. Every user, device and application is subject to the same rules, regardless of network locality. This means that even critical, high-risk applications have to be reachable from the open Internet, and therefore protected as if they were. After all, today’s corporate network IS the Internet.
Intelligent, strong authentication is the backbone of a Zero Trust security architecture. Multi-factor authentication, which requires a user to present “factors” from at least two of three different categories to prove their identity (something they KNOW, like a password; something they HAVE, like a phone or hardware key; and something they ARE, like a fingerprint), is the de facto standard. Different user activities should require different levels of authentication based on risk. Reading email might only require a password, while issuing a paycheck might require a password plus proof of possession of a registered device, such as approval of a push notification sent to a mobile phone.
Sometimes valid users can be tricked into doing work on compromised devices. If the computer or phone the user is working on is compromised, critical enterprise data and passwords will also be compromised, even if the user has been strongly authenticated. Device identification and certificate issuance can be used to check whether the user is working on an enrolled, validated device. Note that a device certificate proves only that the device was enrolled; establishing that it has not been tampered with additionally requires posture checks or hardware-backed attestation, such as keys held in a TPM.
Even if a valid user is on a registered, validated device, they might be missing a critical security patch. They might have been conned into installing a malicious browser plugin or be using an imposter application. Any of these cases could allow an attacker into a critical system. Methods of application validation vary widely. Some, like checking the OS version, can be accomplished through device management. Others, like confirming that the application redeeming an OAuth authorization code is the same client instance that requested it, require newer and tougher standards such as Proof Key for Code Exchange (PKCE, RFC 7636) and sender-constrained tokens. Token Binding was the original proposal for the latter; in current practice, mutual-TLS-bound access tokens (RFC 8705) and DPoP (RFC 9449) fill that role, since mainstream browser support for Token Binding was withdrawn.
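The PKCE exchange referred to above, written out as an added example (this is not code from the page or from any vendor's product). A public client generates a code_verifier, sends its S256 code_challenge with the authorization request, and must present the verifier when it redeems the code; an attacker who intercepts only the code cannot complete the exchange. The in-memory AuthorizationServer class, its issue_code and redeem_code methods and the demo function are this example's own names, and the server is reduced to the PKCE check plus single-use codes.

```python
"""PKCE (RFC 7636) end to end: a public client proves at the token endpoint
that it is the same client instance that started the authorization request.

Added example; AuthorizationServer, issue_code, redeem_code and demo are
names invented for this illustration.
"""
import base64
import hashlib
import secrets


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_verifier(nbytes: int = 32) -> str:
    """code_verifier: high-entropy random string of 43..128 unreserved chars.
    32 random bytes encode to exactly 43 characters."""
    return b64url(secrets.token_bytes(nbytes))


def make_challenge(verifier: str) -> str:
    """code_challenge for method S256 = BASE64URL(SHA256(ASCII(verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Minimal in-memory authorization server: remembers the challenge that
    accompanied each authorization code and checks the verifier on redemption."""

    def __init__(self) -> None:
        self._pending = {}  # code -> (code_challenge, method)

    def issue_code(self, code_challenge: str, method: str) -> str:
        # /authorize: refuse requests without PKCE or with the weak "plain" method.
        if method != "S256" or not code_challenge:
            raise ValueError("S256 code_challenge required")
        code = b64url(secrets.token_bytes(16))
        self._pending[code] = (code_challenge, method)
        return code

    def redeem_code(self, code: str, code_verifier: str) -> bool:
        # /token: the code is consumed whether or not the verifier matches,
        # so a stolen code cannot be retried with further guesses.
        entry = self._pending.pop(code, None)
        if entry is None:
            return False
        challenge, _ = entry
        if not 43 <= len(code_verifier) <= 128:
            return False
        # Constant-time comparison of the recomputed challenge with the stored one.
        return secrets.compare_digest(make_challenge(code_verifier), challenge)


def demo() -> tuple:
    """Legitimate client, then an attacker who intercepted only the code.
    Returns (legit_ok, attacker_ok, replay_ok) = (True, False, False)."""
    server = AuthorizationServer()

    # Attacker scenario: the code leaks (e.g. via a malicious app registered
    # for the same redirect URI) but the verifier never left the real client.
    verifier = make_verifier()
    code = server.issue_code(make_challenge(verifier), "S256")
    attacker_ok = server.redeem_code(code, make_verifier())   # wrong verifier
    replay_ok = server.redeem_code(code, verifier)            # code already spent

    # Normal flow on a fresh code.
    verifier2 = make_verifier()
    code2 = server.issue_code(make_challenge(verifier2), "S256")
    legit_ok = server.redeem_code(code2, verifier2)
    return legit_ok, attacker_ok, replay_ok
```

The server refuses the "plain" method outright: with "plain", the challenge equals the verifier, so anyone who observed the authorization request could redeem the code. The test vector in RFC 7636 Appendix B (verifier dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk, challenge E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM) can be used to confirm make_challenge against a real authorization server.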
Finally, the transaction itself must be authorized. A central authorization engine must judge whether this user is allowed to perform this transaction. The default answer should always be “no,” unless there is enough information to make a decision. This may involve static rules like “only employees can send corporate email” and a heuristic rule like “only users with a risk score below 65 can view the corporate directory.” A risk-scoring system employs a number of weighted variables like behavioral biometrics, continuous authentication, location, time and comparison against patterns of past attackers to determine how likely it is that the current transaction is malicious.
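The step-up behaviour described for strong authentication (a password for email, a password plus a possessed device for a paycheck) and the authorization engine described here (default deny, static rules, a risk ceiling computed from weighted signals) are the same decision pipeline. The following added example, which is not the page's or any vendor's code, puts both in one small policy decision point. The signal names, the weights in risk_score and the per-action thresholds in POLICY are assumptions chosen to mirror the text's examples, including the "risk score below 65" rule for the corporate directory.

```python
"""Risk-adaptive authorization: a policy decision point that defaults to deny,
applies static rules (who may do what), enforces a per-action risk ceiling and
asks for step-up authentication when a required factor category is missing.

Added example. Signals, Rule, POLICY, risk_score and decide are names invented
for this illustration; the weights and thresholds are illustrative, not a
recommendation.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Signals:
    """Context gathered for one request (constructed for the example)."""
    user_type: str          # "employee" | "contractor" | "customer"
    factors: frozenset      # factor categories proven this session: know / have / are
    managed_device: bool    # device enrolled and passing posture checks
    known_location: bool    # matches the user's usual geolocation or network
    off_hours: bool         # outside the user's normal working window
    recent_failures: int    # failed logins in the last hour


def risk_score(s: Signals) -> int:
    """Weighted sum of risk indicators, clamped to 0..100."""
    score = 0
    if not s.managed_device:
        score += 30
    if not s.known_location:
        score += 25
    if s.off_hours:
        score += 10
    score += min(s.recent_failures, 5) * 8
    return min(score, 100)


@dataclass(frozen=True)
class Rule:
    allowed_user_types: frozenset
    required_factors: frozenset
    max_risk: int           # request is denied when risk_score >= max_risk


# Static policy. Any action not listed here is denied: the default answer is "no".
POLICY = {
    "read_email":           Rule(frozenset({"employee", "contractor"}), frozenset({"know"}), 80),
    "view_directory":       Rule(frozenset({"employee"}), frozenset({"know"}), 65),
    "send_corporate_email": Rule(frozenset({"employee"}), frozenset({"know"}), 65),
    "issue_paycheck":       Rule(frozenset({"employee"}), frozenset({"know", "have"}), 40),
}


def decide(action: str, s: Signals) -> tuple:
    """Return (decision, reason); decision is "allow", "deny" or "step_up"."""
    rule = POLICY.get(action)
    if rule is None:
        return "deny", f"no policy for action {action!r}"
    if s.user_type not in rule.allowed_user_types:
        return "deny", f"{s.user_type} may not {action}"
    score = risk_score(s)
    if score >= rule.max_risk:
        # Hard ceiling: above it, presenting more factors does not rescue the request.
        return "deny", f"risk {score} >= ceiling {rule.max_risk}"
    missing = rule.required_factors - s.factors
    if missing:
        # Authenticated enough for the session, not for this transaction.
        return "step_up", "present factor: " + ", ".join(sorted(missing))
    return "allow", f"risk {score} below ceiling {rule.max_risk}"
```

The order of checks matters: the engine evaluates the static rule first (cheap and deterministic), then the risk ceiling, and only then asks for step-up, so a request that is already over the ceiling is refused rather than prompting the user for a second factor that would not change the outcome. A production engine would re-score after a successful step-up, since a freshly proven possession factor is itself a signal.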
The weaknesses of an implied or discrete perimeter-based approach quickly disappear when a Zero Trust approach is taken. Compromised credentials and devices, as well as changes in context are each addressed by capabilities which must underpin any Zero Trust strategy. Furthermore, when the assumption of safety behind a firewall is removed, resource owners and security teams tend to evaluate the security and risk profile of each resource much more carefully and frequently to ensure sufficient protection.
Zero Trust ensures the right questions get asked based on the risk profile of the user, device and the resource to which they’re requesting access.
Organizations stand to gain more than just improved security by replacing network trust with a Zero Trust strategy.
Zero Trust helps you realize greater workforce productivity by standardizing access controls across all corporate resources as more and more employees shift to working outside of the network. When you’re taking into account the risk profile of the employee, device and resource accessed, rather than determining only if the employee is on the corporate network, you can feel more confident opening up access to remote employees and in doing so, empower them with the resources to do their jobs efficiently.
Adopting a Zero Trust approach gives you the ability to leverage new technologies and take advantage of the full spectrum of deployment options for infrastructure, applications and data, without the need to backhaul traffic through your network. With Zero Trust, you can choose from on-premises data centers, private clouds, public clouds and everything in between, depending on what is most appropriate for the particular resource. You can save costs by optimizing hosting and management fees and by reducing licensing outlays for VPNs and other perimeter-based tools. Finally, compliance “micro-segments” can be set up to ensure that everything hosted within a segment has the controls required by each compliance regime, applied in a standard fashion.
Zero Trust removes the notion of binary trust (I trust you or I don’t) and negates the idea of trust granted for a predetermined period of time. Instead, Zero Trust architectures assess digital risk using a variety of signals and enforce access control decisions based on the output of those signals. By adapting access requirements to the risk presented by each request, Zero Trust minimizes friction for low-risk access and actions, resulting in a better user experience.
The capabilities framework below was constructed with input from industry analysts, customers, thought leaders and partners to guide conversations around Zero Trust and help organizations mature their security approaches.
This framework identifies six categories of controls that are critical to architecting Zero Trust security. Together, they provide a defense in depth approach to securing corporate resources no matter where they’re deployed and who needs access to them.
In reviewing the above diagram, the astute reader may perceive the lack of a strong bond between a user and data which they own. In Zero Trust, ownership of data is paramount, and access to this data should not be granted unless consent has been explicitly provided. Additionally, access to a user’s data must be based on digital trust which is constantly reevaluated based on context, as well as digital risk which provides a variable level of confidence. Both of these evaluations are ephemeral, and only exist within the context of an individual request, which complies with O’Reilly’s fourth principle (every device, user and network flow is authenticated and authorized) and fifth principle (policies must be dynamic and calculated from as many sources of data as possible).
Bad actors search for the most opportunistic ways to profit from malicious activities. By intelligently verifying users and devices, limiting lateral movement and enforcing least privilege at each point of access, Zero Trust minimizes the impact of insider attacks as well as those executed with compromised credentials. A Zero Trust architecture essentially makes attacks prohibitively expensive by reducing the value of each stolen credential. It also reduces the efficacy of phishing attacks because second factors must also be compromised for these attacks to succeed. That protection is only as strong as the factor, however: one-time codes and push approvals can be relayed by a real-time phishing proxy, whereas origin-bound authenticators such as FIDO2/WebAuthn security keys cannot be replayed against a lookalike site.
In addition to supporting access policy enforcement with increased granularity, log data produced at each point of access can help to shorten SOC response times, which can significantly minimize the impact of a breach. Zero Trust also prevents a facade of security from taking hold in an organization, with the false comfort of having a firewall in place causing a lack of proper security investment and rigor. For example, many API development teams don’t test the security of APIs that can be accessed only from inside a firewall. But this practice can leave APIs and the sensitive data they expose vulnerable to threats. Arguably, if the rigorous authentication and authorization policies required to execute Zero Trust existed in every enterprise, many threats and attacks could be mitigated.
A while back, Chase Cunningham, Principal Analyst at Forrester, reported that he got asked almost daily where an organization should start when implementing Zero Trust. His response? “Fix your IAM and user side of the equation.”
This response isn’t surprising. For many organizations, Zero Trust starts with implementing an identity and access management (IAM) program or improving the one they have. In fact, a lack of, or misconfiguration of, authentication and authorization controls is often the low-hanging fruit that presents both the biggest bang for the buck and the biggest risk. This vulnerability was evident in the 2019 breach at First American Financial Corp., where 885 million title insurance records were essentially accessible to anyone with a web browser.
Clearly, strong identification and authentication are needed to ensure that all access is authenticated access. By starting with the strategic deployment of global, adaptive authentication, enterprises can use this capability as the policy administration and decision point with which all risk signals and policy enforcement points integrate, creating a solid foundation for a Zero Trust architecture.
In enterprise security, there is no finish line. The same is true when it comes to Zero Trust. Putting the pieces in place to adopt the first principle alone (the network is always assumed to be hostile) can take years to accomplish. Even so, some organizations are already realizing the benefits of Zero Trust security.
In modernizing their sprawling authentication systems, Gates Corporation found that using an identity-centric approach was necessary to ensure their growing mobile workforce had secure access to the resources they needed. By adopting a central authentication authority, Gates was able to give their employees secure and seamless access to resources, no matter where they resided.
Enterprises are doubling down on and accelerating Zero Trust initiatives to ensure their organizations remain secure and can support a remote workforce. You can take the first step toward identity-centric security by transforming your organization’s approach to workforce identity.
Learn more about how workforce identity can help you strengthen security, improve productivity and increase agility.
Which Attack Surfaces does Zero Trust Address?
Digital transformation has dramatically increased the number of possible attack surfaces an enterprise has, from employees working from home alongside IoT-connected devices to M&A activity with companies that don’t take cybersecurity seriously. The Zero Trust approach addresses attacks connected to credential stuffing, flaws in APIs, flaws in public clouds, data breaches by association and other attack surfaces.

Can Zero Trust be used for Network Segmentation and Microsegmentation?
A Zero Trust approach encompasses tools that may already exist in organizations or can be added, including those related to network segmentation and/or microsegmentation. For example, because IoT devices are common hacking targets, organizations can put IoT devices on their own network segment.

Is Automation Part of Zero Trust?
Automation can be built into Zero Trust efforts across on-prem and cloud environments. Security automation streamlines processes and helps security teams manage complex ecosystems, technologies and vendor solutions.

What are some Zero Trust Use Cases?
The Zero Trust use cases are unlimited, because inherent trust no longer exists. Here are a few examples. Even within an office environment with network perimeters, workers must still authenticate themselves. Companies with vendors and contractors can use multi-factor authentication and access controls to enforce least-privilege policies.

Is Zero Trust Better than a VPN?
The Zero Trust model is based on verifying everyone, including workers using a virtual private network (VPN). Companies that want to keep proprietary information and sensitive communications secure cannot rely solely on a VPN, and will benefit from taking the more holistic Zero Trust approach to protecting data.