The buzz around Zero Trust is picking up pace as companies shift to a remote working model. The inadequacy of traditional security models has put the spotlight on neoteric security conceptions like Software Defined Perimeter, which operationalise the Zero Trust model. But before we go about implementing a Zero Trust Model in enterprises, it is important to understand what Zero Trust Security encompasses.
With the rapid progression of digital transformation processes, and the advent of modern computing, network security has become an indispensable aspect of system design. Pioneers of traditional security technologies would never have estimated the strides that computing systems have made in the past 3 decades. The advent of the cloud has made almost every digital enterprise asset a potential threat, and there is a need to highlight and solve the inherent flaws associated with traditional security systems. This is why a Zero Trust approach to security has become important.
The Shift to the Cloud
Traditionally, the first function of the Internet was to connect systems and processes. Given a proper route and an IP address, a wide range of systems could be connected. Thus, a system of open trust was established, with authentication being a secondary priority, handled higher in the stack.
As hackers started coming into the picture and abusing the system of open trust, zones of implicit trust were created inside the network using VPNs. For remote workforces, VPNs extended the trust to remote employees by extending the network. This was again intercepted and exploited by attackers, and so were the services that moved into Demilitarised Zones when external access was required.
With the advent of the cloud, the propensity of hackers to exploit the unprecedented implicit trust within traditional systems has become all the more pronounced. With a growth in remote employees, users may be located virtually anywhere in the world. The traditional model is inadequate in facing up to these challenges.
The History of Zero Trust:
A Zero Trust model inherently distrusted all devices and users, irrespective of whether the asset was inside or outside the network. Given that traditional perimeters were rapidly evolving and giving way to increasing cloud based models that operated outside conventional perimeters, a discrimination between inside and outside could no longer be made. Simultaneously, Google sought to implement a Zero trust Architecture called BeyondCorp, in 2009.
With rapid adoption of the cloud and the increasingly mobile nature of workforces, the conversation around Zero Trust Security evolved and gained ground, with the Cloud Security Alliance developing the Software Defined Perimeter in 2014 to operationalise a Zero trust Security Model.
With increasing coverage from leading research like Gartner, Zero trust Security Models have gained ground because of their viability and the security risks and challenges they address.
What is Zero Trust Security?
In order to ensure that enterprises extend access of their critical applications to the right employees, without compromising on security, a Zero Trust Approach removes the system of implicit trust prevalent in the system. Zero Trust no longer discriminates between ‘inside’ and ‘outside’ the network, instead requiring all users and devices to be authenticated before being granted access.
The Zero Trust Approach doesn’t assume a user or device to be trustworthy by default. Instead, it relies on a system of validating the user by assessing the trust associated with the user and authenticating his identity and the context of his access request.
The Need to Know Model
A Zero trust Model uses microsegmentation to ensure least privilege access and a minimal attack surface. This means that in a zero trust model, workloads are isolated from one another, and secure data zones are created, giving security teams greater control over lateral communication within the network. The Zero Trust Model segments applications natively, and thus allows the user to access only what he is allowed to access. They aren’t allowed to see or access anything else. Even in the case of attempted lateral movement attacks, hackers won’t be able to exploit the network.
Tunnelling its way to better security
The Zero Trust Approach is relevant because it moves security from a network centric approach to a more application-centric and identity-centric approach. This is done by employing application specific tunnelling.
Given that Zero Trust Access is about specific roles and access to applications on the basis of the roles assigned, the security infrastructure is defined by end to end encrypted application specific tunnels. By doing this, ZTNA solutions ensure that employees are connected to the apps and services that they need to access. The need to know model not only ensures better security, but also allows a better, granular level control over who accesses what. The Zero Trust Model reinforces that trust needs to be earned. It needs to be established by authenticating the credentials of the user, while also validating the context, as to why access is being sought.
Zero Trust as a Corporate VPN Replacement
In the light of an increase in remote workforces, and an increasing adoption of digital transformation processes, security becomes critical. Traditional solutions are often being found to be inadequate in dealing with security challenges associated with the increase in employees working from home.
In this scenario, Zero Trust solutions are often found to be flexible, and provide an enhanced level of security without compromising on the user experience. Many enterprises have recognised the fallacies associated with traditional solutions, and have chosen to shift to a more neoteric model of security, and primarily, Zero Trust Solutions.