It is only a recent phenomenon that threats are recognized from sources within the organization. In the past, threats were always something “external”, and firewalls protected the organization from the outside. That approach, to no one’s surprise, is now redundant.
With hybrid and remote working picking up pace, the sources for risks are location independent. They can emerge from anywhere, and hence the concept of “zero trust” is gaining wide popularity amongst security products.
It is useful as a shorthand way of describing an approach where implicit trust is removed from all computing infrastructure. Instead, trust levels are explicitly and continuously calculated and adapted to allow just-in-time, just-enough access to enterprise resources.
Zero trust is a way of thinking, not a specific technology or architecture. It’s really about zero implicit trust, as that’s what we want to get rid of. A complete zero trust security posture may never be fully achieved, but specific initiatives can be undertaken today.
It is important that organizations looking to implement zero trust start with network-related security projects. Why start with the network?
TCP/IP network connectivity was built in a time when trust could be assumed. It was built to connect people and organizations, not to authenticate. Network addresses are weak identifiers at best. Zero trust networking initiatives use identity as the foundation for new perimeters.
Zero trust network access (ZTNA)
In the past, when users left the “trusted” enterprise network, VPNs were used to extend the enterprise network to them. If attackers could steal a user’s credentials, they could easily gain access to the enterprise network.
Zero trust network access abstracts and centralizes access mechanisms so that security engineers and staff can be responsible for them. It grants appropriate access based on the identity of the humans and their devices, plus other context such as time and date, geo-location, historical usage patterns and device posture. The result is a more secure and resilient environment, with improved flexibility and better monitoring.
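To make the access decision described above concrete, here is an added example (not from the article, its author, or any ZTNA product) of a minimal policy evaluator: every grant is per resource, conditioned on identity plus device posture, MFA, geo-location and time, and expires after a short window (just-in-time, just-enough access). Anything not explicitly allowed is denied. The resource names, group names, countries and the two sample requests are constructed for the illustration.

```python
"""Added example: a toy ZTNA policy evaluator (hypothetical, not a product's code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class AccessRequest:
    """Everything the access broker knows about one access attempt."""
    user: str
    groups: FrozenSet[str]        # identity, as asserted by the identity provider
    mfa_passed: bool              # strong authentication, not just a password
    device_managed: bool          # device identity / posture signals
    device_patched: bool
    country: str                  # geo-location of the client
    when: datetime                # time of the request (UTC)


@dataclass(frozen=True)
class ResourcePolicy:
    """Who may reach one application, under which context, and for how long."""
    allowed_groups: FrozenSet[str]
    allowed_countries: FrozenSet[str]
    business_hours_only: bool
    grant_minutes: int            # just-in-time: the grant expires; it is not a network tunnel


@dataclass(frozen=True)
class Decision:
    resource: str
    allowed: bool
    reasons: tuple                # why access was denied (empty when allowed)
    expires_at: Optional[datetime] = None


# Constructed policies for three hypothetical internal applications.
POLICIES: Dict[str, ResourcePolicy] = {
    "hr-portal": ResourcePolicy(frozenset({"hr"}), frozenset({"US", "GB"}), True, 60),
    "git": ResourcePolicy(frozenset({"engineering"}), frozenset({"US", "GB", "DE"}), False, 480),
    "payroll-db-admin": ResourcePolicy(frozenset({"dba"}), frozenset({"US"}), True, 15),
}


def evaluate(req: AccessRequest, resource: str,
             policies: Dict[str, ResourcePolicy] = POLICIES) -> Decision:
    """Decide one (identity, context, resource) triple. Default deny."""
    policy = policies.get(resource)
    if policy is None:
        return Decision(resource, False, ("no policy defines this resource",))
    reasons: List[str] = []
    if not (req.groups & policy.allowed_groups):
        reasons.append("identity not entitled to resource")
    if not req.mfa_passed:
        reasons.append("MFA not completed")
    if not (req.device_managed and req.device_patched):
        reasons.append("device posture check failed")
    if req.country not in policy.allowed_countries:
        reasons.append(f"geo-location {req.country} not allowed")
    if policy.business_hours_only and not 8 <= req.when.hour < 18:
        reasons.append("outside business hours")
    if reasons:
        return Decision(resource, False, tuple(reasons))
    return Decision(resource, True, (),
                    req.when + timedelta(minutes=policy.grant_minutes))


def entitled_resources(req: AccessRequest,
                       policies: Dict[str, ResourcePolicy] = POLICIES) -> List[str]:
    """Just-enough access: the only resources this request may reach right now."""
    return sorted(r for r in policies if evaluate(req, r, policies).allowed)


# Constructed sample requests: an HR user on a managed, patched laptop, and the
# same user's credentials presented without MFA from an unmanaged device abroad.
NOON = datetime(2024, 3, 4, 12, 0, tzinfo=timezone.utc)
ALICE_OFFICE = AccessRequest("alice", frozenset({"hr"}), True, True, True, "US", NOON)
ALICE_STOLEN = AccessRequest("alice", frozenset({"hr"}), False, False, False, "XX", NOON)

if __name__ == "__main__":
    for req in (ALICE_OFFICE, ALICE_STOLEN):
        d = evaluate(req, "hr-portal")
        print(req.country, d.allowed, d.reasons, d.expires_at)
    print(entitled_resources(ALICE_OFFICE))
```

The contrast with the VPN model in the previous paragraph is in the second request: the credentials are valid, yet the device posture, MFA and geo-location context fail, so nothing is granted, and even the successful request reaches exactly one application for one hour rather than the whole network.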
The shift to a largely remote workforce during the COVID-19 pandemic has created intense interest in ZTNA, with media headlines proclaiming ‘The VPN is dead.’
Although VPN replacement is a common driver for its adoption, ZTNA typically augments, rather than replaces, a VPN. By allowing users access to what they need, and by shifting to cloud-based ZTNA offerings, you can avoid overloading your VPN infrastructure.
Longer term, this zero trust network access security posture can continue to be used when people return to the office.
Identity-based segmentation, also known as micro or zero trust segmentation, is an effective way to limit the ability of attackers to move laterally in a network once they have gotten in.
Identity-based segmentation reduces excessive implicit trust by allowing organizations to shift individual workloads to a “default deny” rather than an “implicit allow” model. It uses dynamic rules that assess workload and application identity as part of determining whether to allow network communications.
When starting an identity-based segmentation strategy, start with a small collection of your most critical applications and servers for the initial implementation and expand from there.
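The “default deny” model with rules keyed on workload identity, as an added example (not the article's own material and not any segmentation product's code): rules select workloads by labels such as application, environment and tier rather than by IP address, and a flow is permitted only when a rule explicitly matches it. The workload names, labels, ports and sample flows are constructed for this illustration, scoped, as the paragraph above suggests, to one critical application.

```python
"""Added example: identity-based (micro) segmentation as a default-deny rule set
keyed on workload labels, not addresses. Hypothetical data and code."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

Selector = Tuple[Tuple[str, str], ...]   # sorted (label, value) pairs


@dataclass
class Workload:
    name: str
    ip: str                       # incidental: never consulted by a rule
    labels: Dict[str, str]        # the workload's identity (app, env, tier)


@dataclass(frozen=True)
class Rule:
    """Allow src -> dst on one port/protocol. Selectors are label subsets."""
    src: Selector
    dst: Selector
    port: int
    proto: str = "tcp"


def selector(**labels: str) -> Selector:
    return tuple(sorted(labels.items()))


def matches(sel: Selector, labels: Dict[str, str]) -> bool:
    """A selector matches when every one of its labels is present with that value."""
    return all(labels.get(k) == v for k, v in sel)


def is_allowed(src: Workload, dst: Workload, port: int,
               rules: List[Rule], proto: str = "tcp") -> bool:
    """Default deny: a flow passes only if some rule explicitly matches it."""
    return any(matches(r.src, src.labels) and matches(r.dst, dst.labels)
               and r.port == port and r.proto == proto for r in rules)


# Constructed rule set for one critical application ("shop" in prod):
# web tier may reach app tier on 8080, app tier may reach db tier on 5432.
RULES: List[Rule] = [
    Rule(selector(app="shop", env="prod", tier="web"),
         selector(app="shop", env="prod", tier="app"), 8080),
    Rule(selector(app="shop", env="prod", tier="app"),
         selector(app="shop", env="prod", tier="db"), 5432),
]

# Constructed workload inventory.
WORKLOADS: Dict[str, Workload] = {
    "web-1": Workload("web-1", "10.0.1.10", {"app": "shop", "env": "prod", "tier": "web"}),
    "app-1": Workload("app-1", "10.0.2.10", {"app": "shop", "env": "prod", "tier": "app"}),
    "db-1": Workload("db-1", "10.0.3.10", {"app": "shop", "env": "prod", "tier": "db"}),
    "db-staging": Workload("db-staging", "10.0.3.20",
                           {"app": "shop", "env": "staging", "tier": "db"}),
}


def simulate(flows: Iterable[Tuple[str, str, int]],
             workloads: Dict[str, Workload] = WORKLOADS,
             rules: List[Rule] = RULES) -> Dict[str, bool]:
    """Evaluate (src, dst, port) triples; returns 'src->dst:port' -> allowed."""
    return {f"{s}->{d}:{p}": is_allowed(workloads[s], workloads[d], p, rules)
            for s, d, p in flows}


# Constructed flows: the two legitimate paths, plus the lateral moves a compromised
# web server would be unable to make (straight to the database, to a different
# environment, or to an unexpected port).
FLOWS = [
    ("web-1", "app-1", 8080),
    ("app-1", "db-1", 5432),
    ("web-1", "db-1", 5432),
    ("app-1", "db-staging", 5432),
    ("web-1", "app-1", 22),
]

if __name__ == "__main__":
    for flow, ok in simulate(FLOWS).items():
        print(f"{flow:28} {'ALLOW' if ok else 'DENY'}")
```

Because the rules never mention an address, a database that is redeployed on a new IP keeps its entitlement, while a host that inherits the old IP without the database's identity labels gets nothing; that is the practical difference between identity-based segmentation and address-based firewall rules.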
Once you have implemented ZTNA and identity-based segmentation, move on to other initiatives to extend a zero trust approach throughout your technology infrastructure.
For example, remove remote admin rights from end-user systems, pilot a remote browser isolation solution, encrypt all data at rest in the public cloud and start scanning containers that your developers are creating for new apps.
(The author, Neil MacDonald, is VP Analyst at Gartner; the views expressed in this article are his own.)