In the modern age of cloud-based computing, the Zero Trust model of information security is the high-water mark businesses should be striving for.
Zero Trust, as defined by Forrester Research, is, “a conceptual and architectural model for how security teams should redesign networks into secure micro-perimeters, strengthen data security using obfuscation techniques, limit the risks associated with excessive user privileges and access, and dramatically improve security detection and response with analytics and automation.”
What this model boils down to is “never trust, always verify.”
In my mind, the concept of zero trust is about removing implicit trust from the network. It is the main architectural principle of a well-defined next-generation security architecture. But even though the model has been around for more than a decade, it’s fascinating that many organizations and businesses still struggle to adopt its elements into their security programs. With more organizations working in the cloud and traditional security perimeters dissolving, many businesses are susceptible to new threats.
So, to better understand the problems with this current mindset and find Zero Trust solutions for businesses, we have to look at legacy approaches and their shortcomings first.
Past Approaches
In the early days, network security architecture addressed malicious traffic by utilizing firewalls to limit malicious North/South traffic, similar to a moat surrounding a company’s network. The “moat” was a defined perimeter inside the organizational premises, with a security stack built within the “moat.” It was a fairly successful solution for the time, but the intruders were still able to find a way into the network and wander around inside the organizational premises.
Then we started to think about limiting malicious traffic laterally (East/West). Network Access Control (NAC) became a popular security solution by providing this type of network segmentation and utilizing logical separation.
Of course, NAC had challenges too. For example, users were granted access to anything in the static (predefined) VLANs being used, without any sort of encryption in transit. On top of that, the operational burden of managing NAC drastically increased because of its complexity and its lack of integration and scalability.
While NAC was an early attempt to implement segmentation and separation, it created more challenges not only for intruders but also for the network’s intended users, rather than truly solving the problem.
These two approaches still make sense today; however, the tools and tactics used to address these problems have changed.
Present Problems
As businesses implement new cloud operating models, they have to deal with new threats that challenge their security architecture from every angle.
While the cloud offers more capability for storage, collaboration, and direct access to resources, it also means security perimeters extend beyond the four walls of an enterprise. This means legacy access control approaches are inadequate, as they aren’t effective against the sophistication of modern threats.
Tom Kemp, CEO of Centrify, agreed, saying, “The dissolving network perimeter is causing a complete rethink in how we approach security, taking into account a new enterprise reality defined by the cloud, mobility, and increasing demands for agility.”
If organizations want to use the cloud to its fullest extent, then they can’t continue operating with a legacy mindset. Otherwise, potential threats pose a much higher risk to their network and data. Businesses need continuous visibility in order to secure their ecosystem, and that visibility comes only as a direct side effect of applying Zero Trust security principles.
But, if it’s apparent that firewalls and legacy tools aren’t effective, then why are security departments continuing to run and implement these legacy solutions?
The Need to Adapt
Many organizations I had the opportunity to talk to had, at the very least, heard about Zero Trust as a security concept. But just as many, if not more, didn’t understand the concept or how to apply its security principles to their own programs, which raises concern.
As the advisory firm Gartner stated, “Risk is always present. It’s the lack of visibility and intell