Enterprises are accelerating digital transformation initiatives in response to the rapidly evolving business landscape and a remote or hybrid workforce. Greater productivity is among the core benefits of these initiatives. But to realize these efficiency gains—and the additional advantages of a digital-first culture—you need to provide your workforce with access to every application and tool they need to do their jobs. And that’s often easier said than done.
Security leaders are faced with the new challenge of securing their organizations when very few users are on the corporate network. They need to give their employees the anytime and anywhere access they need to be productive, but not at the cost of security. Striking the right balance hinges on having confidence that the people requesting access are who they say they are and that they’re granted access to only those resources and sensitive data they’re authorized to use.
An identity-centric Zero Trust approach to security provides this assurance. With Zero Trust, you depend less on static network perimeters and more on the identity and dynamic risk of each user, as well as the secure processes and technologies that can be applied directly to corporate resources, irrespective of where they’re located.
What is Zero Trust Security?
O’Reilly Media’s Zero Trust Networks provides a succinct description of the five principles underlying a Zero Trust strategy as follows:
The network is always assumed to be hostile.
External and internal threats exist on the network at all times.
Network locality is not sufficient for deciding trust in a network.
Every device, user and network flow is authenticated and authorized.
Policies must be dynamic and calculated from as many sources of data as possible.
These security tenets underscore the realities of security in a digital-first world. Identity makes it possible to ensure security without sacrificing user experience or introducing unnecessary friction. Using the Zero Trust model, you can put identity at the center of your security strategy and release your reliance on traditional (and potentially risky) network perimeter approaches.
Read on to learn:
What Zero Trust is and how to implement it to secure corporate resources
How you can take the first steps toward an identity-centric Zero Trust model
Where Did Zero Trust Originate?
Before Zero Trust had a name, the concept of de-perimeterization was promoted as early as 2004 by the Jericho Forum. This working group of Chief Information Security Officers ultimately compiled the Jericho Forum Commandments, which defined “areas and principles to be observed when planning for a de-perimeterized future.”
In the fall of 2010, the term Zero Trust was first introduced by Forrester Research Analyst John Kindervag in a series of reports, beginning with “No More Chewy Centers: Introducing The Zero Trust Model Of Information Security.” A series of three reports was published describing the concept, architecture and case studies for Zero Trust, along with a primary directive to “verify and secure all resources, limit and strictly enforce access control, and inspect and log all network traffic.”
“In Zero Trust, all network traffic is untrusted. Thus, security professionals must verify and secure all resources, limit and strictly enforce access control, and inspect and log all network traffic.”
—John Kindervag, “No More Chewy Centers: Introducing The Zero Trust Model Of Information Security,” Sept. 17, 2010
From a practical standpoint, this means that all forms of implied trust and resulting entitlements are no longer valid. Instead, organizations must rely on explicit assessments of trust which are dynamic and rooted in as many sources of data as possible before deciding whether a user should be granted access to a resource or allowed to perform a transaction.
In the years since the concept was introduced, Zero Trust has taken on a life of its own. And today, it’s more relevant than ever. While consensus is often difficult to achieve in many areas of our lives, we can all agree that the world has changed. It stands to reason then that our approach to security must change with it.
Why Is Zero Trust Important?
In 2020, enterprises saw their offices go vacant as employees shifted to working remotely in response to the global COVID-19 pandemic. Security leaders had to quickly evaluate if their identity and access management (IAM) systems could handle remote employees accessing corporate resources while outside of the network perimeter.
Previous default options like using a virtual private network (VPN) quickly proved insufficient for many. VPNs can’t provide the assurance that the employee requesting access is who they say they are and that they are authorized to use the requested resource. In addition, they weren’t built for the scale that companies require.
In response, enterprises fast-tracked digital transformation initiatives. But adapting to changing business requirements and an increasingly remote workforce is more than a short-term fix—it’s a long-term strategy, as many organizations are keeping the option of remote work, either fully or as part of a hybrid workplace, post-COVID.
A Zero Trust strategy can help you support the new normal and secure remote access for your employees and other workforce users. By shifting reliance away from trusting the corporate network to always verifying a user’s identity before granting access, Zero Trust helps ensure that only the right users gain access to the right resources for the right reasons.
What is the Goal of Zero Trust?
When it was first introduced more than 10 years ago, Zero Trust was based on the realization that the notions of a trusted internal network or trusted users were no longer relevant or reliable. Striving to fix a security model that was broken then and now, Zero Trust asserts that an enterprise should have zero trust in the user’s network as an indicator of security. In fact, assuming trust in this way can have disastrous results as evidenced by the number of breaches dominating news headlines.
Just because a user is behind a firewall doesn’t mean that user can be trusted. Whether the user entering any domain is an employee, a customer, a partner or anyone else—and regardless of the network they’re using—their identity must be verifiable beyond the traditional perimeter. Zero Trust effectively shifts the security “perimeter” to the identity of the individual user and beyond to the backend components such as microservices and/or serverless functions.
Why Is Implicit Trust Based on a Network Perimeter Insufficient?
Company-wide work-from-home initiatives, cloud adoption, BYOD and other trends are creating situations where routing traffic through a corporate perimeter (e.g., a firewall or VPN) serves only to establish that an access request originated from a “secure” IP address.
This process, known as backhauling, reinforces the myth that perimeter-based security was effective in the first place. The countless ways bad actors breach corporate networks are well understood, as is the lateral movement they take through those networks to steal data and disrupt business. Granting trust of any kind to a user who has gained access to a network weakens your security posture and introduces risk in the following ways:
Trusted Access Relies on Credentials That Can Be Stolen
For years now, the annual Verizon Data Breach Investigations Report (DBIR) has warned of the risks of stolen credentials—and this year is no exception. The 2021 DBIR once again reveals the connection between credentials and data breaches. One in four breaches in 2020 involved stolen credentials, proving yet again that when the correct credentials are the only key one needs to unlock access to the corporate network, that network is far from secure.
Trusted Access Extends to Compromised Devices
Symantec's 2019 Internet Security Threat Report found that “one in 36 devices used in organizations were classed as high risk. This included devices that were rooted or jailbroken, along with devices that had a high degree of certainty that malware had been installed.” Legitimate users on compromised devices can incidentally expose sensitive resources to bad actors through their own access to the corporate network.
Trusted Access Ignores Changes in Context
IP addresses help establish that a user is requesting access from a “trusted network.” But relying on this data point alone isn't enough, since 30% of breaches involve internal actors. There are other, more reliable indicators of risk, including the type of user (department, seniority, privilege), the context of the request (time of day, device, geo-location), and the risk of the resource requested (a finance app vs. a holiday calendar).
Trusted Access Creates a Facade of Security
The belief that there’s safety behind the firewall is a dangerous one. Without the assumption that the network has already been breached, common security best practices can be delayed or ignored. It’s all too easy to assume a resource behind the firewall can’t be accessed externally, but countless successful data breaches prove this isn’t the case at all.
What Are the Five Pillars of Zero Trust?
The philosophy of Zero Trust networks is that you should trust no one and verify everyone. To put this into practice, the following five-part framework is suggested.
1. Validating the Network is No Longer Enough
Customers are able to access your applications from public wi-fi in coffee shops and airports. Your employees and partners must also be able to do the same, using the public and private networks available wherever they might be. Digital transformation also requires applications and services in a variety of public and private clouds to interact with your business applications. Consequently, network validation can no longer be used to distinguish insider from outsider access. Every user, device and application is subject to the same rules, regardless of network locality. This means that even critical high-risk applications have to be exposed to the open Internet. After all, today’s corporate network IS the Internet.
2. Authenticate the User
Intelligent, strong authentication is the backbone of a Zero Trust security architecture. The use of multi-factor authentication that requires a user to present “factors” from three different categories to prove their identity—something they KNOW (like a password), something they HAVE (like a phone), and something they ARE (like a fingerprint)—is the de facto standard. Different user activities should require different levels of authentication based on risk. Reading email might only require a password, while issuing a paycheck might require a password and proof of identity via a push notification sent to a mobile device.
3. Authenticate and Validate the Device
Sometimes valid users can be tricked into doing work on compromised devices. If the computer or phone that the user is working on is compromised, critical enterprise data and passwords will also be compromised, even if the user has been strongly authenticated. Device identification and certificate issuance can be leveraged to check whether the user is working on validated hardware that hasn’t been tampered with.
4. Authenticate the Application
Even if a valid user is on a registered, validated device, they might be missing a critical security patch. They might have been conned into installing a malicious browser plugin or be using an imposter application. Any of these cases could allow an attacker into a critical system. Methods of application validation vary widely. Some validation methods—like checking the OS version—can be accomplished through device management. Others—like validating an OAuth client registration—require newer and tougher security standards like Proof Key for Code Exchange (PKCE) and Token Binding.
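To make the PKCE point concrete, here is an added example (not code from the original page or from any vendor) of the RFC 7636 S256 flow on both sides: the client derives a one-way challenge from a random verifier, and a stand-in authorization server (a hypothetical in-memory class) refuses to redeem an authorization code unless the caller proves possession of the verifier, so an intercepted code alone is worthless.

```python
import base64
import hashlib
import secrets


def b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """Random verifier; 32 bytes encode to 43 chars, the RFC minimum."""
    return b64url(secrets.token_bytes(nbytes))


def code_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Hypothetical stand-in: binds each code to the client and challenge
    presented at /authorize and checks the verifier at /token."""

    def __init__(self) -> None:
        self._codes: dict = {}

    def authorize(self, client_id: str, code_challenge: str, method: str = "S256") -> str:
        if method != "S256":          # refuse the weaker 'plain' method
            raise ValueError("only S256 is accepted")
        code = secrets.token_urlsafe(16)
        self._codes[code] = (client_id, code_challenge)
        return code

    def token(self, client_id: str, code: str, code_verifier: str):
        entry = self._codes.pop(code, None)      # codes are single-use
        if entry is None:
            return None                          # unknown or replayed code
        bound_client, bound_challenge = entry
        if bound_client != client_id:
            return None
        if not 43 <= len(code_verifier) <= 128:  # RFC 7636 length bounds
            return None
        expected = code_challenge_s256(code_verifier)
        if not secrets.compare_digest(expected, bound_challenge):
            return None                          # caller never held the verifier
        return "access-token-" + secrets.token_hex(8)


def pkce_flow(server: AuthorizationServer, client_id: str = "demo-client"):
    """Complete round trip as a legitimate client would perform it."""
    verifier = make_code_verifier()
    code = server.authorize(client_id, code_challenge_s256(verifier))
    return server.token(client_id, code, verifier)
```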
5. Authorize the Transaction
Finally, the transaction itself must be authorized. A central authorization engine must judge whether this user is allowed to perform this transaction. The default answer should always be “no,” unless there is enough information to make a decision. This may involve static rules like “only employees can send corporate email” and a heuristic rule like “only users with a risk score below 65 can view the corporate directory.” A risk-scoring system employs a number of weighted variables like behavioral biometrics, continuous authentication, location, time and comparison against patterns of past attackers to determine how likely it is that the current transaction is malicious.
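The step-up rule in pillar 2 and the default-deny authorization engine described here, as one added example (not code from the original page): a small policy decision point with a weighted risk score built from context signals, static rules such as “only employees can send corporate email,” a heuristic ceiling such as “risk score below 65 to view the directory,” and a step-up outcome when the factor categories presented are insufficient. The rules, weights and thresholds are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed signal weights; a real engine would tune these from observed attack patterns.
RISK_WEIGHTS = {
    "new_geolocation": 25,
    "outside_business_hours": 10,
    "unmanaged_device": 30,
    "behavior_anomaly": 35,   # e.g. session behavior no longer matches the user's baseline
}


def risk_score(signals: frozenset) -> int:
    """Sum of the weights of the signals present, capped at 100."""
    return min(100, sum(RISK_WEIGHTS[s] for s in signals))


@dataclass(frozen=True)
class Transaction:
    user_type: str           # "employee", "contractor", "customer", ...
    factors: frozenset       # categories presented this session: "know", "have", "are"
    signals: frozenset       # context signals observed for this request
    resource: str
    action: str


# Static rules (who) plus a risk ceiling and the factor categories each transaction needs.
POLICY = {
    ("corporate-email", "send"): {"who": {"employee"}, "max_risk": 50, "factors": {"know"}},
    ("directory", "view"): {"who": {"employee", "contractor"}, "max_risk": 65, "factors": {"know"}},
    ("payroll", "issue"): {"who": {"employee"}, "max_risk": 30, "factors": {"know", "have"}},
}


def decide(tx: Transaction) -> tuple:
    """Return (outcome, reason); outcome is 'allow', 'deny' or 'step_up'."""
    rule = POLICY.get((tx.resource, tx.action))
    if rule is None:
        return "deny", "no policy covers this transaction"   # the default answer is "no"
    if tx.user_type not in rule["who"]:
        return "deny", f"{tx.user_type} is not permitted to {tx.action} {tx.resource}"
    score = risk_score(tx.signals)
    if score >= rule["max_risk"]:
        return "deny", f"risk score {score} is not below {rule['max_risk']}"
    missing = rule["factors"] - tx.factors
    if missing:
        # Authenticated, but not strongly enough for this transaction: ask for more.
        return "step_up", "present " + ",".join(sorted(missing))
    return "allow", f"risk score {score}"
```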
How Does Zero Trust Improve Security?
The weaknesses of an implied or discrete perimeter-based approach quickly disappear when a Zero Trust approach is taken. Compromised credentials and devices, as well as changes in context, are each addressed by capabilities that must underpin any Zero Trust strategy. Furthermore, when the assumption of safety behind a firewall is removed, resource owners and security teams tend to evaluate the security and risk profile of each resource much more carefully and frequently to ensure sufficient protection.
Zero Trust ensures the right questions get asked based on the risk profile of the user, device and the resource to which they’re requesting access.
Is this user legitimate?
Was this user identified in a manner that is acceptable to the task being performed?
Is their device healthy enough for the task they are performing?
Is this user who they say they are?
Should this user have access under any circumstance?
Should this user have access given their current circumstances?
Is this session still driven by the real user?
Does the amount of trust in the user identity match the level of risk associated with this transaction?
Has the request been verified?
During Data Access
Did the user provide consent for access, and to whom?
What transactions (READ, MODIFY, DELETE) did they consent to?
Should this data be encrypted?
What Are the Benefits of Zero Trust?
Organizations stand to gain more than just improved security by replacing network trust with a Zero Trust strategy.
Improve Workforce Productivity
Zero Trust helps you realize greater workforce productivity by standardizing access controls across all corporate resources as more and more employees shift to working outside of the network. When you’re taking into account the risk profile of the employee, device and resource accessed, rather than determining only if the employee is on the corporate network, you can feel more confident opening up access to remote employees and in doing so, empower them with the resources to do their jobs efficiently.
Enable Business Agility
Adopting a Zero Trust approach gives you the ability to leverage new technologies and take advantage of the full spectrum of deployment options for infrastructure, applications and data—without the need to backhaul traffic through your network. With Zero Trust, you can choose from on-premises data centers, private clouds, public clouds and everything in between, depending on what is most appropriate for the particular resource. You can save costs by optimizing hosting and management fees and reducing licensing outlays for VPN and other perimeter-based tools. Finally, compliance “micro-segments” can be set up to ensure everything hosted within that segment has the controls required by each compliance regime and that they’re applied in a standard fashion.
Improved User Experience
Zero Trust removes the notion of binary trust (I trust you or I don’t) and negates the idea of trust for a predetermined period of time. Instead, Zero Trust architectures assess digital risk using a variety of signals and enforce access control decisions based on the output of those signals. By adapting access requirements to the level of risk involved, Zero Trust minimizes friction for low-risk access and actions, resulting in a better user experience.
What Are Key Capabilities Required to Architect Zero Trust Security?
The capabilities framework below was constructed with input from industry analysts, customers, thought leaders and partners to guide conversations around Zero Trust and help organizations mature their security approaches.
This framework identifies six categories of controls that are critical to architecting Zero Trust security. Together, they provide a defense in depth approach to securing corporate resources no matter where they’re deployed and who needs access to them.
Strong Identification & Authentication: Verifying and authenticating user identity from the moment of registration to each request for access is critical to improving security. These capabilities ensure that all users (privileged and not) and all resources are protected no matter where they’re deployed.
Network Security: Preventing lateral movement between segments is often the most effective way to minimize the impact of a breach. These capabilities ensure that breaches are contained with access terminated as soon as malicious behavior is detected or a risk threshold is exceeded.
Data Security: Whether it’s sensitive IP or user data covered by one of the many privacy regimes popping up around the globe, data security has become paramount for many organizations. These capabilities ensure that data is encrypted where it needs to be, and that users are always in control of their data.
In reviewing the above diagram, the astute reader may perceive the lack of a strong bond between a user and data which they own. In Zero Trust, ownership of data is paramount, and access to this data should not be granted unless consent has been explicitly provided. Additionally, access to a user’s data must be based on digital trust which is constantly reevaluated based on context, as well as digital risk which provides a variable level of confidence. Both of these evaluations are ephemeral, and only exist within the context of an individual request, which complies with O’Reilly’s fourth principle (every device, user and network flow is authenticated and authorized) and fifth principle (policies must be dynamic and calculated from as many sources of data as possible).
How Does Zero Trust Protect a Network Against Common Attacks?
Bad actors search for the most opportunistic ways to profit from malicious activities. By intelligently verifying users and devices, limiting lateral movement and enforcing least privilege at each point of access, Zero Trust minimizes the impact of insider attacks as well as those executed with compromised credentials. A Zero Trust architecture essentially makes attacks prohibitively expensive by reducing the value of each stolen credential. It also reduces the efficacy of phishing attacks because second factors must also be compromised for these attacks to succeed.
In addition to supporting access policy enforcement with increased granularity, log data produced at each point of access can help to shorten SOC response times, which can significantly minimize the impact of a breach. Zero Trust also prevents a facade of security from taking hold in an organization, with the false comfort of having a firewall in place causing a lack of proper security investment and rigor. For example, many API development teams don’t test the security of APIs that can be accessed only from inside a firewall. But this practice can leave APIs and the sensitive data they expose vulnerable to threats. Arguably, if the rigorous authentication and authorization policies required to execute Zero Trust existed in every enterprise, many threats and attacks could be mitigated.
How to Implement Zero Trust
A while back, Chase Cunningham, Principal Analyst at Forrester, reported that he got asked almost daily where an organization should start when implementing Zero Trust. His response? “Fix your IAM and user side of the equation.”
This response isn’t surprising. For many organizations, Zero Trust starts with implementing an identity and access management (IAM) program or improving the one they have. In fact, a lack of—or misconfiguration of—authentication and authorization controls is often the low-hanging fruit that presents both the biggest bang for the buck and the biggest risk. This vulnerability was evident in the 2019 breach against First American Financial Corp., where 885 million title insurance records were essentially accessible to anyone with a web browser.
Clearly, strong identification and authentication are needed to ensure that all access is authenticated access. By starting with strategic deployment of global, adaptive authentication, enterprises can use this capability as the policy administration and decision point with which all risk signals and policy enforcement points integrate, creating a solid foundation for a Zero Trust architecture.
Are There Any Zero Trust Case Studies?
In enterprise security, there is no finish line. The same is true when it comes to Zero Trust. Putting the pieces in place to adopt the first principle alone (the network is always assumed to be hostile) can take years to accomplish. Even so, some organizations are already realizing the benefits of Zero Trust security.
For example, Netflix identified that the network perimeter wasn’t enough to meet their needs to provide secure access to corporate resources for employees and partners. The streaming service has embarked on their Zero Trust journey by adopting identity-defined microperimeters for users, devices and applications to give corporate users secure access from anywhere.
In modernizing their sprawling authentication systems, Gates Corporation found that using an identity-centric approach was necessary to ensure their growing mobile workforce had secure access to the resources they needed. By adopting a central authentication authority, Gates was able to give their employees secure and seamless access to resources, no matter where they resided.
Ready to Start Your Zero Trust Journey?
Enterprises are doubling down and accelerating Zero Trust initiatives to ensure their organizations remain secure and can support a remote workforce. You can take the first step toward adopting identity-centric security by transforming your organization’s approach to workforce identity.
Learn more about how workforce identity can help you strengthen security, improve productivity and increase agility.