As technology evolves, security systems need to evolve too. Older IT security systems relied on the castle-and-moat model. In this model, everything outside the moat is deemed unsafe and must authenticate to reach the system, while everything inside the castle is considered safe. The trouble with this approach is that once an attacker breaks through the defenses, they have access to all the data inside the "castle."
The risks of this model grow when cloud access is added: data is no longer in one place, so the number of potential points of entry increases. Zero-trust security architecture aims to mitigate some of the risks posed by other security models, such as castle-and-moat. So what is zero-trust security? And how can organizations implement it?
‘Zero trust’ is a term used to describe digital-security strategy where access controls are strictly maintained through verification. In other words, a system that uses zero-trust architecture is designed so that anyone or anything attempting to access any point will first need to be properly verified. Until the network is able to reliably identify the user or device, all access is completely restricted — even for users and services operating within the security perimeter.
The concept of zero trust was originally created in 2010 by John Kindervag, who was, at the time, Vice President and Principal Analyst at Forrester Research. He drew on the principle "never trust, always verify" in the creation of zero-trust architecture.
Returning to the castle-and-moat analogy: rather than trusting that those within the castle are good actors, a security system based on zero trust requires users to re-verify their identity regularly. In this case, even if someone did break through the initial defenses, they would not be granted unfettered access to the rest of the network.
Zero trust is also built on the idea that users should only be granted access to information they need. By prioritizing sensitive data with additional safeguards, it is more difficult for those who do breach the basic defenses to gain access to more important information.
Essentially, zero trust boils down to the need to secure the inside of a system alongside its outer defenses.
A zero-trust system first defines a "protect surface," and then segments this surface with defenses known as microperimeters. Microperimeters are created with segmentation gateways, which monitor who is coming in and out of each section and stop potential bad actors from entering.
To move between these perimeters, users are expected to provide verification each time. What is especially useful about a protect surface is that it isn't tied to a specific location. This allows the data to be protected whether it is being accessed on site or remotely.
In more practical terms, zero-trust architecture draws on a variety of technologies to create a more secure environment. For instance, multi-factor authentication (having users verify their identity on a separate device) is one way to increase security. Strict control over physical devices, increased encryption, timed sessions, and data classification are some of the other ways zero trust can be built into a security policy.
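To make the segmentation-gateway idea concrete, here is an added example (not code from the original article) of the decision a gateway makes on every crossing of a microperimeter: it re-checks identity, session age, device control and data classification from scratch, so being inside one segment grants nothing in the next. The segment names, roles and 15-minute session limit are constructed sample values.

```python
import time
from dataclasses import dataclass

# Constructed protect surface: each segment carries a data classification and the
# roles entitled to reach it (least privilege). Values are sample data, not real.
SEGMENTS = {
    "hr-records":  {"classification": "sensitive", "roles": {"hr"}},
    "public-wiki": {"classification": "internal",  "roles": {"hr", "engineering", "contractor"}},
}

# Timed sessions: anything older than this must re-verify (assumed 15 minutes).
SESSION_MAX_AGE_S = 15 * 60


@dataclass
class Crossing:
    """One attempt to enter a segment. Nothing here is inherited from a prior segment."""
    user: str
    roles: set
    mfa_verified: bool      # identity confirmed through a second factor this session
    device_managed: bool    # strict control over the physical device
    session_started: float  # epoch seconds when the session was last verified
    segment: str
    now: float


def gateway_decision(c: Crossing):
    """Return (allowed, reason). Every rule is evaluated on every crossing."""
    seg = SEGMENTS.get(c.segment)
    if seg is None:
        return False, "unknown segment"
    if not c.mfa_verified:
        return False, "identity not verified by MFA"
    if c.now - c.session_started > SESSION_MAX_AGE_S:
        return False, "session expired; re-verify"
    # Sensitive data carries the additional safeguard of a managed device.
    if seg["classification"] == "sensitive" and not c.device_managed:
        return False, "sensitive segment requires a managed device"
    if not (c.roles & seg["roles"]):
        return False, "role not entitled to this segment"
    return True, "allowed"


def decide(user, roles, mfa, managed, session_age_s, segment):
    """Convenience wrapper: build a crossing 'session_age_s' seconds after verification."""
    now = time.time()
    c = Crossing(user, set(roles), mfa, managed, now - session_age_s, segment, now)
    allowed, reason = gateway_decision(c)
    print(f"{user} -> {segment}: {'ALLOW' if allowed else 'DENY'} ({reason})")  # gateway log
    return allowed, reason
```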
A robust zero-trust system draws on many pillars of security at once.
It is naturally easier to implement zero-trust security into a new system, but that doesn’t mean zero trust can’t be implemented in existing security systems as well — though it should be noted that some systems work better with zero-trust architecture than others.
It starts with changing the mindset of what security is: rather than viewing it simply as a way to keep outsiders out, a zero-trust security mindset treats everyone as a potential threat until verified otherwise. With this in mind, organizations can add individual technologies, such as multi-factor authentication, to augment pre-existing security features, rather than being forced to tear the entire system down and start from scratch.
Whether you're set to rebuild or simply remodel your security system, implementing zero-trust architecture might seem complex, expensive, or unnecessary. But increased security brings significant benefits beyond better-protected data.
For example, using zero-trust architecture can actually increase business agility. Rather than slowing your entire operation down when a breach occurs, the microperimeters set up in a zero-trust model mean only a small portion of your network needs to be shut down in the event of an emergency.
Zero trust also provides better organization to your cloud network, making processes more navigable and data easier to find.
Finally, the expense of a data breach is on the rise, with the average yearly cost to businesses reaching $3.92 million in 2019. Implementing a zero-trust security model might seem expensive, but reducing the number of system breaches can save your company time and money in the long run.