Zero Trust: The security model you should (not?) implement now
Do you trust us? Or do we trust you? Zero Trust means never trust, but always verify. This is probably only of limited use as a life philosophy, but it could look different in IT. Let’s take a look.
Behind the concept of Zero Trust security
Zero Trust is a security model. It does a great job securing IT infrastructures and data for digital transformation. This security is absolutely essential if an organization wants to survive in our modern world.
The Zero Trust model was developed in 2010 as an effective response to the growing pressure to better protect enterprise systems and data. Leaks and attacks are becoming more sophisticated and their impact more extensive. It’s a development that every CISO and IT executive is – or should be – concerned about.
The concept has been the talk of IT security circles for some time now, and the hype is not slowing down. The debate over what Zero Trust means for a modern enterprise and how to implement it is one of the most frequently discussed topics of all.
Even though things have become a bit clearer over time, there is still a lot of confusion: Why Zero Trust? How to implement Zero Trust? What are the Zero Trust benefits for an organization?
The power lies in balance
Zero Trust is about not trusting something just because it is within your network boundaries. The traditional approach is that of a city in the Middle Ages: you build a huge wall around it and make a few guarded holes in it (the city gates). Once inside, you can move around freely.
Zero Trust turns this view around and says every time you would like to do certain things, you have to get re-verified. Even inside the city walls.
The idea behind this is not to get rid of the old-fashioned firewall, but to increase security within the network. It’s about the balance between the inside and the outside. “Bring balance to the Force, not leave it in darkness,” as Jedi Master Obi-Wan Kenobi said. It’s about making authorization and access decisions based on what you know about the users and the devices (!) that operate within the network.
The core principles of Zero Trust security model
The Zero Trust approach is holistic and relies on several principles and technologies.
Continuous monitoring and validation
According to the security philosophy of the Zero Trust model, potential attackers exist both inside and outside the enterprise network, so no users or devices should be automatically trusted, but instead, require continuous validation.
Least Privilege Access
Users and computers should only receive as much access as they really need. No more. And of course, no less. This is where Obi-Wan Kenobi’s advice often runs into difficulties when applied in practice. In order to implement the least privilege principle, careful management of user permissions is necessary, and maintaining the balance is costly. Technologies such as VPN, for example, are poorly suited to least privilege approaches to authorization.
Device access control
We’ve already touched on this: the digital identities that access infrastructures and data are no longer just users. The Zero Trust model requires tight controls on device access and has to ensure that every server, application, and “thing” on the Internet of Things has been authorized and has not been compromised. In this way, the Zero Trust approach helps to prevent leaks and significantly reduces the network’s attack surface.
Microsegmentation
This refers to the division of security perimeters into small zones, so that access is granted separately for individual parts of the network. A user or device that has access to one of these zones cannot access any of the other zones without separate authorization.
Multi-factor authentication
Multi-factor authentication is considered a core principle of the Zero Trust security model and means that more than one proof is required to authenticate a user. Entering a password alone is not enough to gain access.
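The principles above come together at a single point: a policy decision that is made for every request, with nothing assumed from the fact that the request originates inside the network. The following is an added example (not code from the original article) of such a per-request decision point in Python. It denies by default and requires every check to pass: an authenticated subject, a compliant device (device access control), MFA for sensitive actions, and a role that grants exactly that action in exactly that zone (least privilege and microsegmentation). All users, devices, roles and zone names are constructed sample data, not from any real deployment.

```python
"""Per-request access decision in the spirit of the Zero Trust principles.
Added example; every user, device, role and zone below is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool         # enrolled in the organisation's device management
    os_patched: bool      # current security patches applied
    disk_encrypted: bool


@dataclass(frozen=True)
class Subject:
    user: str
    roles: frozenset
    mfa_verified: bool    # a second factor was presented for this session


@dataclass(frozen=True)
class Request:
    subject: Subject
    device: Device
    zone: str             # the microsegment that holds the resource
    action: str           # "read" or "write"


# Least privilege: each role is granted only the (zone, action) pairs it needs.
ROLE_GRANTS = {
    "developer": {("dev-zone", "read"), ("dev-zone", "write"), ("ci-zone", "read")},
    "dba": {("db-zone", "read"), ("db-zone", "write")},
    "auditor": {("db-zone", "read"), ("dev-zone", "read")},
}

# Actions that must be backed by MFA regardless of role (constructed policy).
MFA_REQUIRED_ACTIONS = {"write"}


def device_compliant(device):
    """Device access control: only a managed, patched, encrypted device is trusted."""
    return device.managed and device.os_patched and device.disk_encrypted


def decide(request):
    """Return (allowed, reasons). Deny by default: every check runs on every request,
    and the reasons list explains a denial for logging and review."""
    reasons = []
    if not request.subject.user:
        reasons.append("unauthenticated subject")
    if not device_compliant(request.device):
        reasons.append(f"device {request.device.device_id} is not compliant")
    if request.action in MFA_REQUIRED_ACTIONS and not request.subject.mfa_verified:
        reasons.append(f"{request.action} requires multi-factor authentication")
    needed = (request.zone, request.action)
    if not any(needed in ROLE_GRANTS.get(role, set()) for role in request.subject.roles):
        reasons.append(f"no role grants {request.action} on {request.zone}")
    return (not reasons, reasons)


if __name__ == "__main__":
    laptop = Device("lap-7", managed=True, os_patched=True, disk_encrypted=True)
    byod = Device("phone-3", managed=False, os_patched=True, disk_encrypted=False)
    alice = Subject("alice", frozenset({"developer"}), mfa_verified=True)
    alice_no_mfa = Subject("alice", frozenset({"developer"}), mfa_verified=False)
    for req in (
        Request(alice, laptop, "dev-zone", "write"),   # allowed
        Request(alice_no_mfa, laptop, "dev-zone", "write"),  # MFA missing
        Request(alice, laptop, "db-zone", "read"),     # other segment, no grant
        Request(alice, byod, "dev-zone", "read"),      # non-compliant device
    ):
        allowed, reasons = decide(req)
        print(f"{req.subject.user}@{req.device.device_id} {req.action} {req.zone}: "
              f"{'ALLOW' if allowed else 'DENY ' + '; '.join(reasons)}")
```

Note that the device check is evaluated even for a user who is fully authenticated and authorized; a compromised or unmanaged device fails the request on its own, which is the point of treating devices as first-class identities.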
How to implement the Zero Trust model in your organization
It’s not always clear where to start. Some look at the concept and might think, “Well, we’re already doing half of that,” if they’re already using a reverse proxy, for example.
Others, in turn, see Zero Trust as a huge task and succumb to the impression that they have to implement everything at once. Of course, this is not the case. Zero Trust is a journey, and like any journey, it consists of small steps. The first “quick wins” are surprisingly quick and easy to achieve. Cue multi-factor authentication, for example.
Every organization has its own challenges, so there is no magic checklist that will ensure a smooth implementation of Zero Trust. However, according to experts, many organizations already fulfill parts of Zero Trust. Developing a Zero Trust infrastructure is not just about implementing the individual technologies; more importantly, it’s about enforcing the idea that nothing and no one will be granted access until it has been proven that they can be trusted. Again and again.
Is the Zero Trust Security model right for you?
Well, it’s definitely recommended for any company that works with the cloud in any way, because then its resources aren’t within its own boundaries anyway – there simply are no boundaries. Not only cloud-first companies but also small businesses should consider a Zero Trust implementation, since they don’t have data centers of their own.
The Zero Trust model represents a significant departure from traditional approaches that follow the principle of “check once, trust afterwards.” It requires organizations to continuously verify that a user and their device still have the correct permissions and attributes (this is where the identity management tool comes in).
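The difference between “check once, trust afterwards” and continuous verification is easiest to see in what an access token is allowed to stand for. Below is an added example (not from the original article) that contrasts the two: both models issue the same signed, short-lived token, but the perimeter-style check trusts it until it expires, while the Zero Trust check additionally recomputes a fingerprint of the device’s current attributes and refuses the token as soon as the device drifts out of the state it was issued for. The signing key, user, device identifier and device attributes are constructed placeholders; a real deployment would take the current device state from its device-management or identity platform.

```python
"""Continuous verification versus "check once, trust afterwards".
Added example; the key, user, device and attribute values are constructed."""
import hashlib
import hmac
import json

SECRET = b"constructed-demo-key"   # placeholder; never hard-code a real signing key
TOKEN_TTL = 300                     # seconds a token may be used at all


def posture_fingerprint(device_state):
    """Stable hash over the device attributes the access decision depends on."""
    canonical = json.dumps(device_state, sort_keys=True).encode()
    return hashlib.sha256(canonical).hexdigest()


def issue(user, device_id, device_state, now):
    """Issue a token bound to the user, the device and the device's posture at issue time."""
    payload = {"user": user, "device": device_id,
               "posture": posture_fingerprint(device_state), "iat": now}
    body = json.dumps(payload, sort_keys=True)
    tag = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + tag


def _parse(token):
    """Return the payload if the signature is valid, else None."""
    body, _, tag = token.rpartition(".")
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(body)


def check_once(token, now):
    """Perimeter model: a validly signed, unexpired token is trusted for its whole lifetime,
    whatever happened to the device in the meantime."""
    payload = _parse(token)
    return payload is not None and now - payload["iat"] <= TOKEN_TTL


def verify_every_request(token, current_device_state, now):
    """Zero Trust model: signature and expiry are checked as above, and the device's
    *current* posture must still match the posture the token was issued for."""
    payload = _parse(token)
    if payload is None or now - payload["iat"] > TOKEN_TTL:
        return False
    return hmac.compare_digest(payload["posture"],
                               posture_fingerprint(current_device_state))


if __name__ == "__main__":
    healthy = {"disk_encrypted": True, "os_patched": True}
    token = issue("alice", "lap-7", healthy, now=1000)
    drifted = dict(healthy, disk_encrypted=False)   # encryption switched off mid-session
    print("t=1100, device unchanged :", check_once(token, 1100),
          verify_every_request(token, healthy, 1100))
    print("t=1100, device drifted   :", check_once(token, 1100),
          verify_every_request(token, drifted, 1100))
    print("t=1400, token expired    :", check_once(token, 1400),
          verify_every_request(token, healthy, 1400))
```

The second line of output is the one that matters: the perimeter check still says `True` while the Zero Trust check says `False`, because trust was tied to evidence that has since changed rather than to the fact that a check once succeeded. Short token lifetimes limit the damage in both models, but only re-evaluation on each request catches the change before the token expires.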
In summary, Zero Trust requires ongoing effort and there are some Zero Trust challenges to be faced along the way. As a result, organizations have not been able to fully implement it, says Kieran Norton, principal partner in Deloitte’s Cyber Risk Services Practice. But that doesn’t mean you shouldn’t try it, especially for digital long-term survival.