Talk to anyone about Cybersecurity these days, and a term will likely fall into the conversation: Zero Trust. Many organizations tout that they are planning a Zero Trust project or are planning to deploy a Zero Trust architecture. Some vendors offer Zero Trust solutions.
But – what is Zero Trust? To start with – Zero Trust is NOT a product or a solution. It is a concept. There ARE products that can be part of a Zero Trust architecture or contribute to a Zero Trust solution, but none of them is Zero Trust on its own. Common products, technologies, and concepts that can assist in deploying a Zero Trust architecture include things like:
- Using a risk-based assessment model.
- Multi-factor authentication.
- Device management.
- Network segmentation.
- Automation and orchestration.
Where did Zero Trust come from?
What exactly is Zero Trust? For those of you who’ve been hiding away in a cave for the past decade, Zero Trust (ZT) is a concept founded by Forrester alum John Kindervag in 2009 that centers on the belief that trust is a vulnerability, and security must be designed with the strategy, “Never trust, always verify.”1
So, what is Zero Trust?
That quote from Forrester is a bit strong, and there are many definitions, so I like to describe Zero Trust this way: every transaction should be treated as an Internet transaction. We assume the network environment is unsafe, so every request requires due diligence through verification before access is granted. We used to “trust” every device on the inside of our firewall simply because of where it sat. In a Zero Trust model, no device or user is trusted by default: access is granted only after identity, device, and context have been verified, only for what that user actually needs, and only for as long as the verification still holds. Some common methods to move to a Zero Trust architecture can include:
- Verification of identity by using Multi-factor Authentication.
- Verification of device by enforcing device management standards (for example, only Active Directory-joined workstations may connect, or workstations must present a certificate issued by the organization).
- Validation of device security posture. Devices may need to reach a security minimum regarding OS, patch level, and/or endpoint protection tools, before being allowed access to the network.
- Applying the principle of least privilege for access to important data repositories. This means that all files and folders are configured on a “need to know” basis.
- Isolation of systems on the network based on risk-based assessment criteria.
- Constant, real-time evaluation of user and device access to data through automation and orchestration tools, so that access is re-evaluated when a device falls out of compliance or a session grows stale, rather than being decided once at login.
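To make the methods above concrete, here is a small policy decision point that treats every request as if it arrived from the Internet: it re-checks identity (MFA freshness), device management (domain join or device certificate), device posture (OS build, patch age, endpoint protection), the resource's risk tier, and need-to-know group membership, and then returns only the least-privilege subset of the requested actions. This is an added illustration written for this column, not code from the original article or from any vendor; the thresholds, group names, device IDs, and resource names are assumptions chosen for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Posture minimums assumed for this example (illustrative values, not the article's).
MIN_OS_BUILD = {"windows": 22631, "macos": 14}
MAX_PATCH_AGE = timedelta(days=30)
MAX_MFA_AGE = timedelta(hours=12)


@dataclass
class Identity:
    user: str
    groups: set
    mfa_verified_at: Optional[datetime]   # None if MFA was never completed this session


@dataclass
class Device:
    device_id: str
    domain_joined: bool       # e.g. Active Directory joined
    has_device_cert: bool     # certificate issued by the organization's CA
    os_family: str
    os_build: int
    last_patched: datetime
    edr_running: bool         # endpoint protection agent healthy


@dataclass
class Resource:
    name: str
    risk_tier: str            # "low", "medium" or "high" from the risk assessment
    allowed_groups: set       # need-to-know groups
    permitted_actions: set    # actions the resource supports at all


@dataclass
class Decision:
    allow: bool
    reasons: list = field(default_factory=list)
    granted_actions: set = field(default_factory=set)


def evaluate(identity: Identity, device: Device, resource: Resource,
             requested_actions: set, now: datetime) -> Decision:
    """Decide one request. Network location is never consulted: identity, device
    and posture are checked on every call, and only the least-privilege subset
    of the requested actions is granted."""
    reasons = []
    # Identity: MFA must be recent; a stale MFA means re-challenge, not access.
    if identity.mfa_verified_at is None or now - identity.mfa_verified_at > MAX_MFA_AGE:
        reasons.append("mfa_missing_or_stale")
    # Device: must be managed (domain joined OR holding a device certificate).
    if not (device.domain_joined or device.has_device_cert):
        reasons.append("device_unmanaged")
    # Posture: OS build, patch age and endpoint protection must meet the minimum.
    if device.os_build < MIN_OS_BUILD.get(device.os_family, float("inf")):
        reasons.append("os_build_below_minimum")
    if now - device.last_patched > MAX_PATCH_AGE:
        reasons.append("patches_stale")
    if not device.edr_running:
        reasons.append("edr_not_running")
    # Risk-based isolation: high-risk resources demand the stronger device proof.
    if resource.risk_tier == "high" and not device.has_device_cert:
        reasons.append("high_risk_requires_device_cert")
    # Least privilege: need-to-know group, then intersect with permitted actions.
    if not (identity.groups & resource.allowed_groups):
        reasons.append("not_in_allowed_group")
    granted = set(requested_actions) & resource.permitted_actions
    if not reasons and not granted:
        reasons.append("no_permitted_action_requested")
    return Decision(False, reasons, set()) if reasons else Decision(True, [], granted)


# Constructed sample signals (hypothetical user, device and share, not real data).
NOW = datetime(2024, 6, 1, 9, 0, tzinfo=timezone.utc)
ALICE = Identity("alice", {"finance"}, mfa_verified_at=NOW - timedelta(hours=1))
LAPTOP = Device("LT-0042", domain_joined=True, has_device_cert=True,
                os_family="windows", os_build=22631,
                last_patched=NOW - timedelta(days=10), edr_running=True)
FILESHARE = Resource("finance-share", "high", {"finance"}, {"read", "write"})


def demo_compliant() -> Decision:
    # Healthy device, fresh MFA: allowed, but "delete" is dropped because the
    # share only permits read/write (least privilege, not "whatever was asked").
    return evaluate(ALICE, LAPTOP, FILESHARE, {"read", "delete"}, NOW)


def demo_stale_patch() -> Decision:
    stale = Device("LT-0042", True, True, "windows", 22631,
                   last_patched=NOW - timedelta(days=45), edr_running=True)
    return evaluate(ALICE, stale, FILESHARE, {"read"}, NOW)


def demo_reevaluated_later() -> Decision:
    # Same user and device 13 hours later: the earlier MFA no longer counts.
    return evaluate(ALICE, LAPTOP, FILESHARE, {"read"}, NOW + timedelta(hours=13))


if __name__ == "__main__":
    for name, fn in [("compliant", demo_compliant), ("stale_patch", demo_stale_patch),
                     ("later", demo_reevaluated_later)]:
        d = fn()
        print(f"{name}: allow={d.allow} reasons={d.reasons} granted={sorted(d.granted_actions)}")
```

The point of the three demo calls is the last one: nothing about the user or device changed, yet the same request is denied simply because time passed and the MFA proof aged out. That is what "constant, real-time evaluation" means in practice, and it is why the decision has to be made by a function that is called on every request rather than once at login.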
Cybersecurity is fast, furious, and complex. Understanding important concepts like Zero Trust, and starting to adopt them, is important now and will only become more so.
Good luck and be safe,
Allen Jenkins, Chief Information Security Officer