For decades, the IT industry relied on perimeter security to safeguard critical digital assets. Firewalls and other network-based tools monitored and validated network access. However, the shift towards digital transformation and hybrid cloud infrastructure has made these traditional security methods inadequate. Clearly, the perimeter no longer exists.
Then the pandemic turned the gradual digital transition into a sudden scramble. This left many companies struggling to secure vast networks of remote employees accessing systems. Also, we’ve seen an explosion of apps, APIs and IoT devices all clamoring to connect to networks. And from a security standpoint, the disappearance of the perimeter represents unprecedented challenges.
Back in 2009, Forrester analyst John Kindervag saw this change coming fast, and he coined the term zero trust. It centers on the belief that trust is a vulnerability, and security must be designed with the strategy, “Never trust, always verify.”
How has zero trust changed the course of cybersecurity? Let’s find out.
Operation Aurora
Operation Aurora was a series of cyberattacks carried out by advanced persistent threats (APTs) allegedly linked to China. Made public in a Google blog post in 2010, these attacks took place from mid-2009 to late 2009.
Several well-known organizations, such as Adobe Systems, Akamai Technologies, Juniper Networks and Rackspace, confirmed that these attacks had targeted them. Other companies such as Yahoo, Symantec, Northrop Grumman, Morgan Stanley and Dow Chemical also reported that they had suffered from malicious actions.
In response to these attacks, Google created BeyondCorp — which became the company’s implementation of the zero trust model. In a 2014 newsletter, BeyondCorp stated:
“With the advent of a mobile workforce, the surge in the variety of devices used by this workforce and the growing use of cloud-based services, additional attack vectors have emerged that are stretching the traditional paradigm to the point of redundancy… One should assume that an internal network is as fraught with danger as the public Internet and build enterprise applications based upon this assumption.”
Zero trust quickly evolves
From 2014 forward, the concept of zero trust quickly evolved. In its true sense, zero trust can be considered a framework, an architecture or even a philosophy. For example, in 2018, Forrester developed seven core pillars of zero trust. However, the firm has since moved away from that stance. They more recently offered this definition of zero trust:
“Zero Trust is an information security model that denies access to applications and data by default. Threat prevention is achieved by only granting access to networks and workloads utilizing policy informed by continuous, contextual, risk-based verification across users and their associated devices. Zero Trust advocates these three core principles: All entities are untrusted by default; least privilege access is enforced; and comprehensive security monitoring is implemented.”
In response to requirements like these, the security industry has developed tools such as identity and access management (IAM) built along with least privilege access. This means that only the minimum necessary rights should be assigned to any user (or software) requesting access to a resource. Additionally, privilege should be in effect for the shortest duration necessary.
Meanwhile, comprehensive security monitoring is accomplished by solutions such as Security Information and Event Management (SIEM). As cybersecurity threats become more advanced and persistent, it requires increasing amounts of effort by security analysts to sift through countless incidents. By leveraging threat intelligence, SIEM makes it easier to remediate threats faster with high-fidelity alerts.
Too many security concerns, so little time
A patchwork of disjointed security solutions makes the current security landscape more complicated. This leads to increased manual tasks for security teams and a lack of context to effectively minimize the attack surface. With rising data breaches and heightened global regulations, protecting networks has become increasingly challenging.
Data access has become a critical requirement for modern organizations, necessitating a robust security infrastructure. Zero trust aims to address this need. The goal is to offer dynamic and ongoing protection for all users, devices and assets. Unlike perimeter security, zero trust requires constant verification to be fully effective, enforcing security for every transaction, connection and user.
Implementing a zero trust framework provides a comprehensive view of an organization’s security posture. Furthermore, it helps security teams proactively manage threats. With consistent security policies and rapid threat response, zero trust offers a more secure and efficient solution to modern data access needs.
Further benefits of zero trust
Beyond the core security benefits, IT teams quickly recognized other advantages to zero trust models. The corollary benefits of zero trust include:
- Enhanced network performance from a reduction in traffic on subnets
- Improved ability to address network errors
- More simplified logging and monitoring process due to heightened granularity
- Shorter breach detection times.
Facing today’s threat reality
The modern cyber threat terrain is more treacherous than ever. The diversity and volume of attacks continue to increase, and multiple incidents per victim are quickly becoming the norm. We want a world where we can connect from any place, anytime. But this implies that attacks can come from any place, anytime as well. As a result, zero trust is quickly becoming the de facto security strategy.
In January 2022, the Executive Office of the President released an announcement about government-wide zero trust goals:
“In the current threat environment, the Federal Government can no longer depend on conventional perimeter-based defenses to protect critical systems and data,” the memo states. The White House stresses that incremental improvements will not provide the necessary security. Instead, the Federal Government seeks to make bold changes and significant investments to “defend the vital institutions that underpin the American way of life.”
The Pentagon plans to implement a zero trust architecture across its entire enterprise by 2027, according to Department of Defense Chief Information Officer John Sherman. “What we’re aiming for is by 2027 to have zero trust deployed across the majority of our enterprise systems in the Department of Defense in five years,” said Sherman.
Because zero trust implementation is not simple, the U.S. Government has set an ambitious goal. However, with current and growing adversary capabilities, there may be no other choice.
Freelance Technology Writer