What is the Zero Trust Model?
Quote:

Never trust, always verify.

In today’s ever-evolving threat landscape, the traditional “trust, but verify” approach does not seem to be working anymore, especially now that it has become increasingly common for threats to originate from within an organization. According to Verizon, 34% of data breaches in 2018 involved internal actors. This is the reason why more and more companies have started to implement a different security model: Zero Trust.

The “Zero Trust” concept is relatively new and was coined in 2010 by John Kindervag, a former Forrester analyst. Its architecture allows companies to map out both external and internal security threats and maximize the chances of timely mitigation.

In case you are not familiar with Zero Trust, in this article, I’m going to try to answer some burning questions such as:

* What is Zero Trust and why is it relevant for your organization?
* What principles is Zero Trust based on?
* How can you implement the Zero Trust model?

Defining Zero Trust

As indicated by its name, Zero Trust is a concept based on the notion that organizations should not trust anyone or any device by default and thus, they must verify every single connection before allowing access to their network. This model came as a response to former security approaches, which were founded on the assumption that insider threats were nonexistent and which focused only on defending organizations from external threats.

Potential malicious actors aren’t the only driver for the Zero Trust initiative. As more and more companies are choosing to move their workloads to the cloud or follow the hybrid approach of using both on-premises and cloud applications, the popularity of the Zero Trust model has skyrocketed. Now, an increasing number of employees and their internal and external stakeholders are accessing resources from worldwide locations. And since the security perimeter is no longer contained within an office building and remote users are connecting to cloud applications from various locations, cyber-criminals have multiple points of access.

Therefore, the need for a different approach has grown.

According to the Zero Trust model, nothing, whether inside or outside an organization’s security perimeter, should be trusted by default. Businesses that use the “traditional” security model, which implies that everything contained inside their network can be automatically trusted, oftentimes fail to defend themselves. In this case, malicious hackers, once they manage to get past a company’s firewall, are able to easily move through their systems. Their antiquated security architectures only aim to stop threats from entering an organization and once an infected network is left unsupervised, an organization’s sensitive data remains exposed.

On the other hand, the Zero Trust Model runs on the belief that one should “never trust and always verify”.

Traditional security architecture vs. Zero Trust architecture

The traditional security architecture is often referred to as the perimeter model after the castle-with-moat approach encountered in physical security. Through this model, protection is given by building multiple lines of defense that attackers must go past before eventually gaining access, while possible insider threats are not taken into account.

The traditional network security architecture divides networks into zones within one or more firewalls. In this case, each zone is assigned a certain level of trust, which decides which network resources it is allowed to reach. Through this model, high-risk resources (like web servers connected to the public internet) are put into an exclusion zone (oftentimes known as “DMZ” or “demilitarized zone”). Here, traffic can be closely monitored and controlled.

Below you can see a representation of standard security architecture:

[Image: standard-security-architecture.png]
...