In the last year, the business world – particularly the tech industry – has seen a paradigm shift to remote work. While this transition has held some challenges for management, most teams have adjusted to this new model quite nicely. For security teams, the new norm has transformed access control to the point where the traditional perimeter-based model is no longer feasible as a defense-in-depth strategy.
Network deperimeterization is not a new concept. In 2005, the Jericho Forum, a group of forward-thinking public and private researchers, argued that traditional network defenses failed to keep pace with the evolution of modern IT, which is characterized by online collaboration between organizations, outsourcing, and digital commerce. They explained that future trust models would have to quickly evaluate not only the individual, but also their device, location, and organization. Further, there were novel “transitive trust” relationships, and myriad context-specific events, that must be analyzed on the fly.
Successful cyberattacks have validated their concerns. In 2010, Google discovered Operation Aurora, where nation-state hackers used a zero-day vulnerability to gain access to Google computers. In 2011, a phishing attack against RSA led to the compromise of millions of SecurID tokens, hardware that was used for two-factor authentication (2FA). It became crystal clear that hackers could exploit trust relationships, even at the most security-conscious companies. And over the past decade, the size, scope, and severity of data breaches have only increased, with over a billion user accounts stolen in one attack alone.
What is Zero Trust?
Before we define Zero Trust, let’s consider what it is not. Zero Trust is not a new defense-in-depth model; neither is it a product. Zero Trust – which has been on nearly everyone’s mind lately – is an ongoing process.
In a Zero Trust network, every new connection is scrutinized in at least three ways:
- The device must be authenticated and authorized
- The user must be authenticated and authorized
- The access decision is risk-based
Before approval, both the device and the user/role must be on the access list. The final decision still depends on the sensitivity of the particular dataset being requested. In the world of espionage, this is analogous to the difference between having a secret clearance and having a “need-to-know”.
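To make the three checks concrete, here is an added example (not VGS's code, and not the code of any product mentioned in this post) of a policy decision function that evaluates one connection in that order: device first, then user and need-to-know, then a risk score measured against a budget that shrinks as the dataset's sensitivity rises. The data classes, the risk weights and the per-sensitivity risk budgets are assumptions chosen for illustration, not a standard.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import FrozenSet, NamedTuple


class Sensitivity(IntEnum):
    """Classification of the dataset being requested."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    SECRET = 3


# Hypothetical risk budget per sensitivity level: the more sensitive the data,
# the less contextual risk the policy tolerates. SECRET tolerates none.
RISK_BUDGET = {
    Sensitivity.PUBLIC: 5,
    Sensitivity.INTERNAL: 3,
    Sensitivity.CONFIDENTIAL: 1,
    Sensitivity.SECRET: 0,
}


@dataclass(frozen=True)
class Device:
    device_id: str
    authenticated: bool  # device identity proven (e.g. a client certificate)
    managed: bool        # present on the organization's device access list
    compliant: bool      # posture check passed (patched, disk encrypted, ...)


@dataclass(frozen=True)
class User:
    user_id: str
    authenticated: bool
    mfa: bool                  # second factor presented in this session
    roles: FrozenSet[str]


@dataclass(frozen=True)
class Resource:
    name: str
    sensitivity: Sensitivity
    need_to_know: FrozenSet[str]  # roles cleared for this dataset; empty = any role


@dataclass(frozen=True)
class Context:
    new_location: bool = False       # first time seen from this network/geo
    impossible_travel: bool = False  # geography inconsistent with last session


class Decision(NamedTuple):
    allowed: bool
    reason: str


def risk_score(device: Device, user: User, ctx: Context) -> int:
    """Additive risk score; the weights are illustrative assumptions."""
    score = 0
    if not device.compliant:
        score += 2
    if not user.mfa:
        score += 2
    if ctx.new_location:
        score += 1
    if ctx.impossible_travel:
        score += 3
    return score


def decide(device: Device, user: User, resource: Resource, ctx: Context) -> Decision:
    """Evaluate one connection: device, then user, then risk against sensitivity."""
    # 1. The device must be authenticated and authorized.
    if not device.authenticated:
        return Decision(False, "device not authenticated")
    if not device.managed:
        return Decision(False, "device not on access list")

    # 2. The user must be authenticated and authorized (clearance + need-to-know).
    if not user.authenticated:
        return Decision(False, "user not authenticated")
    if resource.need_to_know and not (user.roles & resource.need_to_know):
        return Decision(False, f"no need-to-know for {resource.name}")

    # 3. Risk-based decision: the budget shrinks as data sensitivity rises.
    score = risk_score(device, user, ctx)
    budget = RISK_BUDGET[resource.sensitivity]
    if score > budget:
        return Decision(False, f"risk {score} exceeds budget {budget} for {resource.sensitivity.name}")
    return Decision(True, f"allowed (risk {score} <= {budget})")


if __name__ == "__main__":
    # Constructed sample identities for a quick run.
    laptop = Device("lt-0042", authenticated=True, managed=True, compliant=True)
    alice = User("alice", authenticated=True, mfa=True, roles=frozenset({"finance"}))
    ledger = Resource("ledger", Sensitivity.CONFIDENTIAL, frozenset({"finance"}))
    print(decide(laptop, alice, ledger, Context()))
    print(decide(laptop, alice, ledger, Context(impossible_travel=True)))
```

The ordering matters: a request from an unmanaged device is refused before the user's credentials are even considered, and a user who is fully authenticated but outside the dataset's need-to-know list is refused regardless of how low the contextual risk is. Only once both identities pass does the sensitivity of the data decide how much anomaly the policy will tolerate.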
Advantages of Zero Trust
There are numerous benefits in adopting a Zero Trust model. Here are just a few:
- Strong authentication requirements significantly reduce the value of credential theft.
- Every connection is evaluated, which makes it much more difficult for an attacker to move laterally through a network (even when breached).
- Zero Trust raises the bar on overall ecosystem hygiene, so that well-known, easy-to-exploit vulnerabilities are a rarer occurrence.
- Zero Trust forces hackers to engage in more targeted attacks, which are more time-consuming and expensive to pull off.
Organizations Need Zero Trust in 2021
It is a sad fact that too many companies do not begin to change their defense strategies until after they suffer a data breach. Prior to the COVID-19 pandemic, only about 20% of cloud-native companies had begun to implement Zero Trust. Now that the paradigm shift has begun, many companies are eagerly seeking models that can better address current information security challenges, and Zero Trust is leading the way.
As you move toward a Zero Trust implementation, VGS is here to help. The first thing is to recognize that Rome was not built in a day, and neither will be your Zero Trust network. In future blog posts, we will dive into the technical details of three specific challenges relating to Zero Trust. For most cloud-native companies, these are:
- Managing user identity and access
- Securing applications
- Securing infrastructure
See you soon!