In the complex scenario of cyber security, threats and vulnerabilities are constantly evolving. For this reason, the “zero trust” strategy is emerging as a guiding light in an increasingly digital world. When we look at everyday life, we notice that the idea of granting access only to those who really need it, something as common as using ID badges, finds surprising parallels with the zero trust philosophy.
This revolutionary security model is based on the principle of “never trust and always verify”. It has taken the world by storm over the last three years, offering a fundamentally new approach to securing networks and applications. In this article, we will explore the essence of zero trust, from its inspiration in multiple access credentials to its evolution as a response to emerging IT trends. We will look at how zero trust is redefining the way organizations approach cyber security, and why it has become an essential guide if you are looking to protect your assets in a connected and ever-changing world.
Understand the Zero Trust model
All over the world, many people wear badges.
They are used to identify people at control points such as gates and turnstiles. Usually these people need only one badge, which serves for practically all the control points that exist in a work environment.
But there are places where you can find people with three or even more badges hanging around their necks. For example, at airports and hospitals you’ll see people with various badges. Each one gives employees access to the areas they need to visit. At airports, these are the service desks, the boarding area, the baggage area and the runway. In hospitals, nursing wards, operating rooms, pharmacies and so on. So without all the badges, it’s impossible to work properly in an airport or a hospital.
This control model is very similar to zero trust, a security strategy that has been adopted worldwide for years. Its use aims to reduce the problems of unauthorized access and use of networks and applications. It’s an approach based on the principle of “never trust and always verify”. For example, if we think of a network, zero trust restricts users’ access to only the resources they need. The resources that users don’t need stay out of their reach.
The principle is never to trust: always check
Zero trust is based on the concept that there are no implicit, legacy or assigned permissions for anything. On the contrary, there is a defined control, in varying degrees of complexity, for each instance of access granted to the user. In other words, each user needs permissions to enter the network, access a directory, run an application, access a table or view data. In short, for absolutely everything.
Do you remember when, years ago, all you had to do was turn on your computer or terminal and everything was at your fingertips? Unfortunately, the passage of time and the endless accumulation of incidents showed that the security of the system had to be guaranteed by giving accredited users access only to the resources they really needed.
Zero trust responds to new IT trends
We can consider zero trust as a response to new trends in the use of corporate networks. Today these networks need to cater for remote users and BYOD (bring your own device) policies, and they also need to integrate cloud-based assets, which sit outside the boundaries of the company’s proprietary network. The method thus focuses on protecting resources rather than network segments. This is because network protection is no longer seen as the main component of security.
Although the popularization of zero trust is fairly recent, the concept is more than a decade old. It was described by analyst John Kindervag, from Forrester Research, in a study called “Build Security Into Your Network’s DNA: The Zero Trust Network Architecture”, which the consultancy published on November 5, 2010. Over the next 12 years, the adoption of zero trust network architecture was restricted to clients of Forrester and the major cybersecurity technology suppliers. However, these large suppliers were also Forrester’s clients. Part of the explanation for this delay, according to John Kindervag himself, was that the three key documents on the subject were proprietary to the consultancy. In other words, they had not been published to the information technology community.
The end of the network perimeter
Despite these restrictions, the concept was gaining ground among IT and security professionals until, in 2020, after two years of research, NIST, the US National Institute of Standards and Technology, published a document called “Zero Trust Architecture”, defining and detailing the subject. This document officially buried the concept of a static “perimeter” that existed for networks. It then focused security issues on users, assets and resources.
This breakdown published by NIST showed that a zero trust architecture uses “zero trust” principles to plan infrastructure and workflows. This assumes, according to the study, that there is no implicit trust granted for user assets or accounts – whether based solely on their physical or network location, or on the ownership of assets (business or personal). Because of these principles, the authentication and authorization functions (for subjects and devices) become isolated and specific to each one. In addition, they are executed before a session is established for the use of any corporate resource.
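To make those principles concrete, here is a small access decision written for this article as an added example; it is not code from NIST or from any product. The users, devices, resources and grants are constructed, and the function names are hypothetical.

```python
from dataclasses import dataclass

# Constructed sample policy: explicit grants only, keyed by (subject, resource).
GRANTS = {
    ("alice", "hr-db/payroll"): {"read"},
    ("alice", "wiki"): {"read", "write"},
    ("bob", "wiki"): {"read"},
}

@dataclass(frozen=True)
class Request:
    subject: str
    subject_authenticated: bool  # outcome of the user's authentication
    device_id: str
    device_authenticated: bool   # outcome of the device's authentication
    source_network: str          # recorded for audit, never a reason to allow
    corporate_owned: bool        # recorded for audit, never a reason to allow
    resource: str
    action: str

def decide(req, grants=GRANTS):
    """Default deny: return (allowed, reason) for one resource and action."""
    if not req.subject_authenticated:
        return False, "subject not authenticated"
    if not req.device_authenticated:
        return False, "device not authenticated"
    if req.action not in grants.get((req.subject, req.resource), set()):
        return False, "no explicit grant"
    return True, "explicit grant"

def open_session(req, grants=GRANTS):
    """Create a session only after the decision, scoped to one resource."""
    allowed, reason = decide(req, grants)
    if not allowed:
        raise PermissionError(reason)
    return {"subject": req.subject, "device": req.device_id,
            "resource": req.resource, "actions": {req.action}}

def session_permits(session, resource, action):
    """A session for one resource carries no rights to any other resource."""
    return session["resource"] == resource and action in session["actions"]
```

Note that `source_network` and `corporate_owned` are never read by `decide`: a request from the office LAN on a company laptop is refused exactly like any other when no explicit grant exists.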
A trend on the road to cloud migration
Today, the adoption of zero trust has gained a lot of ground, especially among professionals who manage cloud resources. According to research published at the end of 2022 by Zscaler, more than 90% of them have already started migrating to this architecture. In addition, 68% of IT leaders consider it impossible to operate securely in the cloud using legacy network security infrastructures. They therefore feel that zero trust network access has clear advantages over traditional firewalls and VPNs in protecting remote access to applications.
Experts point out that, despite being an effective solution, zero trust is a journey and not a destination. Organizations that decide to adopt it need to see it as an enabler of digital transformation and a driver of business results. They also need to invest in education to dispel fear, uncertainty and doubt about what zero trust means and its impact on business. Finally, they need to accept it and use it as a competitive advantage for their business.
Do you already use the Zero Trust model in your daily life? What do you think is still missing for its adoption to be extended to companies in Brazil and around the world?
See you next time!