However, a crucial obstacle to widely adopting this security model is widespread uncertainty about what exactly "Zero Trust" means. There is a lot of confusion about the definition out there. For example, a customer told me that he thought he knew what Zero Trust was, but now that everyone is talking about it and describing everything as Zero Trust, he understands it less.
As is the case with IT in general, Zero Trust "is not just technology"; it is about process and mindset as well (again: People, Process, Technology, or PPT). CIOs, CISOs, and other corporate executives are increasingly implementing Zero Trust because:
As you may know, though, the rise of mobile devices, cloud applications, and the remote workforce has thoroughly undermined those assumptions. Organizations can no longer physically control every device their employees use. And even if they could, a device is no longer just a device; it is a tunnel from the internal network to anywhere, including public cloud apps.
Once an attacker gets through those perimeter defenses, whether by remote intrusion or physical infiltration, the old security model instantly grants them a great deal of trust and freedom of movement. Security should never be as stupid as "outside bad, inside good."
Zero Trust is a security mindset centered on the idea that organizations should not automatically trust anything inside or outside their perimeter and must instead verify anything and everything trying to connect before granting access.
Instead of trusting particular devices or connections from specific places, Zero Trust requires that the person behind the request (the device's user or the data owner) prove they should be granted that access. Typically that means signing in to a corporate account with biometrics or a hardware security key. Requiring these factors in addition to a simple username and password makes it much harder for attackers to impersonate users.
And even once someone is in, access is granted on a need-to-know or need-to-access basis (least privilege, enforced through conditional access). So, if you don't work with source code as part of your job, your corporate account shouldn't have access to the R&D domain.
The best analogy for Zero Trust in our daily lives is airport security (even though most of us haven't traveled much during COVID-19). When we need to travel to another country, we need to:
When you arrive at the airport, as far as the "system" is concerned, you are unauthenticated, unauthorized, and therefore untrusted for anything beyond the public areas. Then you perform an initial identification when you check in; this validates your identity and purpose. Next, you check your baggage, which goes through its own security screening (analogous to having your laptop or desktop validated before it is allowed on the network).
This elevation of trust permits access to the boarding lounge, which can be considered a trusted zone; while you are in this zone, you can use certain "services" without further authentication. For certain transactions, however, you are required to show your boarding pass again.
Afterward, when you board the plane, you are rechecked as you enter a zone requiring specific authorization. At any point within the trusted zones, you can be directed to re-authenticate. Some zones are not accessible to the average traveler at all (VIP lounges, staff areas, air-side areas, etc.). In a corporate environment, these would equate to management zones, database zones, and so on.
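To make the "verify before granting access", need-to-know and re-authentication ideas from the preceding paragraphs (the corporate-account description and the airport analogy) concrete, here is a small policy decision function. It is an added illustration, not code from the original post: the resource names (`wiki`, `source_code`, `prod_db`), the group names, the factor names and the time windows are all made up for the example, and the sample requests are constructed. Every request starts out untrusted and has to pass identity, device posture, entitlement and session-freshness checks, with a default deny for anything the policy does not know about.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed policy table (hypothetical resource and group names, not from the post):
# which groups may reach a resource, whether a phishing-resistant factor is
# required, and how old the last interactive sign-in may be, in minutes.
RESOURCE_POLICY: Dict[str, dict] = {
    "wiki":        {"groups": [],      "strong_factor": False, "max_auth_age": 480},
    "source_code": {"groups": ["rnd"], "strong_factor": True,  "max_auth_age": 60},
    "prod_db":     {"groups": ["dba"], "strong_factor": True,  "max_auth_age": 15},
}

# Factors that count as strong for step-up (biometrics or a hardware key, as in the post).
STRONG_FACTORS = {"hardware_key", "biometric"}


@dataclass
class AccessRequest:
    user: str
    groups: List[str]        # group memberships from the directory
    auth_methods: List[str]  # factors presented in the current session
    auth_age_minutes: int    # minutes since the last interactive sign-in
    device_managed: bool     # device is enrolled in management
    device_compliant: bool   # device passed its posture checks
    resource: str            # what the user is trying to reach


def evaluate(req: AccessRequest) -> Tuple[str, List[str]]:
    """Return a decision ("allow", "deny" or "step_up") plus the reasons.

    Every request starts out untrusted; trust is accumulated check by check.
    """
    policy = RESOURCE_POLICY.get(req.resource)
    if policy is None:
        # Default deny: a resource with no policy is never reachable.
        return "deny", [f"no policy for resource {req.resource!r}"]

    # 1. Identity: nothing is trusted until someone has authenticated.
    if not req.auth_methods:
        return "deny", ["no authenticated identity"]

    reasons: List[str] = []

    # 2. Device posture (checking the "baggage" in the airport analogy).
    if not (req.device_managed and req.device_compliant):
        reasons.append("device is unmanaged or non-compliant")

    # 3. Need-to-know: the user's job must actually require this resource.
    if policy["groups"] and not set(policy["groups"]) & set(req.groups):
        reasons.append(f"user is not in any of {policy['groups']}")

    if reasons:
        return "deny", reasons

    # 4. Step-up: sensitive resources require a phishing-resistant factor,
    #    not just a username and password.
    if policy["strong_factor"] and not STRONG_FACTORS & set(req.auth_methods):
        return "step_up", ["resource requires a hardware key or biometric factor"]

    # 5. Re-authentication: even inside a "trusted zone" the session ages out,
    #    like being asked to show your boarding pass again.
    if req.auth_age_minutes > policy["max_auth_age"]:
        return "step_up", [
            f"last sign-in {req.auth_age_minutes} min ago exceeds "
            f"the {policy['max_auth_age']} min window for {req.resource}"
        ]

    return "allow", ["identity, device, entitlement and session checks passed"]


# Constructed sample requests (not real accounts or systems).
RND_ENGINEER = AccessRequest("alice", ["rnd"], ["password", "hardware_key"], 10, True, True, "source_code")
MARKETING_USER = AccessRequest("bob", ["marketing"], ["password", "hardware_key"], 10, True, True, "source_code")
PASSWORD_ONLY = AccessRequest("alice", ["rnd"], ["password"], 10, True, True, "source_code")
STALE_SESSION = AccessRequest("alice", ["rnd"], ["password", "hardware_key"], 120, True, True, "source_code")
UNMANAGED = AccessRequest("alice", ["rnd"], ["password", "hardware_key"], 10, False, True, "source_code")

if __name__ == "__main__":
    for req in (RND_ENGINEER, MARKETING_USER, PASSWORD_ONLY, STALE_SESSION, UNMANAGED):
        decision, why = evaluate(req)
        print(f"{req.user:>6} -> {req.resource:<12} {decision:<8} {'; '.join(why)}")
```

The ordering matters: posture and entitlement failures are hard denies, because no amount of extra authentication should let a non-compliant device or a user outside the R&D group into source code, whereas a missing strong factor or a stale session only asks for step-up, which is the "show your boarding pass again" moment rather than being turned away at the door.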
For me, it is a mindset, a set of concepts, or, to be more extreme, a philosophy. The abstract nature of Zero Trust has its benefits. Designing from concepts and principles rather than particular products gives flexibility and potentially longevity, which specific software tools and products don't.
Beyond agreeing on what the phrase means, the biggest obstacle to Zero Trust's proliferation is that most infrastructure currently in use was designed under the old "moat-and-castle" security model. There is no simple way to retrofit those environments for Zero Trust, since the two approaches are so fundamentally different.
You still have to implement the fundamentals: device and software inventory, network segmentation, and access controls. As an industry, we also need more integrity in how we communicate about Zero Trust, especially given the attacks and real threats that organizations are facing.
I am not saying Zero Trust is a security panacea (there is none, obviously). Most importantly, even the most secure environment today is not 100% Zero Trust, let alone the environments of most organizations. It is still easy enough for an attacker to target the pieces of a victim's infrastructure that haven't yet been rebuilt with Zero Trust concepts in mind.
Cybersecurity hasn't kept pace with this digital transformation and modernized environment. At the very least, we have to transform how we manage security. First, think about ubiquitous security. Second, aim to be predictive, which requires thinking about security differently.
Successful implementation of ZTA should involve the CISO, the CIO, and others in the executive tier to prioritize what moves to this model first and which pieces of their environment can wait.