The zero-trust security model is a cybersecurity approach that denies access to an enterprise's digital resources by default and grants authenticated users and devices tailored, siloed access to only the applications, data, services and systems they need to do their jobs. Gartner has predicted that by 2025, 60% of organizations will embrace a zero-trust security strategy.
This guide goes in-depth into the origins of zero trust, its principles, the technology and products that enable a zero-trust model, as well as how to implement and manage it.
Historically, enterprises have relied on a castle-and-moat cybersecurity model, in which anyone outside the corporate network perimeter is suspect and anyone inside gets the benefit of the doubt. The assumption that internal users are inherently trustworthy, known as implicit trust, has resulted in many costly data breaches, with attackers able to move laterally throughout the network if they make it past the perimeter.
Instead of focusing on user and device locations relative to the perimeter -- i.e., inside or outside the private network -- the zero-trust model grants users access to information based on their identities and roles, regardless of whether they are at the office, at home or elsewhere.
In zero trust, authentication and authorization happen continuously, on every request, throughout the network rather than once at the perimeter. This restricts unnecessary lateral movement between apps, services and systems, accounting for both insider threats and the possibility that an attacker has compromised a legitimate account. Limiting which parties have privileged access to sensitive data greatly reduces an attacker's opportunities to steal it.
The concept of zero trust has been around for more than a decade, but it continues to evolve. John Kindervag, a Forrester analyst at the time, introduced the model in 2010. Shortly thereafter, companies such as Google (with its internal BeyondCorp initiative) and Akamai adopted zero-trust principles for their own operations, before eventually rolling out commercially available zero-trust products and services.
Zero trust interest and adoption have exploded in recent years, with a plethora of high-profile data breaches driving the need for better cybersecurity, and the global COVID-19 pandemic spurring unprecedented demand for secure remote access technologies.
Traditionally, enterprises relied on technologies such as firewalls to build fences around corporate networks. In this model, an off-site user reaches internal resources by logging into a VPN, which creates an encrypted tunnel into the network and typically grants broad access to it once connected. Problems arise when VPN credentials fall into the wrong hands, as in the Colonial Pipeline ransomware attack, where initial access came through a compromised password for a legacy VPN account that was not protected by multifactor authentication.
In the past, relatively few users required remote access, with most employees working on site. But enterprises now need to support secure remote access at scale, magnifying the risks associated with VPN use.
Additionally, the perimeter-based model was designed for a time when an organization's resources resided locally in an on-premises corporate data center. Now most enterprises' resources lie scattered across private data centers and multiple clouds, diffusing the traditional perimeter.
In short, the legacy approach to cybersecurity is becoming less effective, less efficient and more dangerous. In contrast to perimeter-based security, zero trust lets enterprises securely and selectively connect users to applications, data, services and systems on a one-to-one basis, whether the resources live on premises or in the cloud and regardless of where users are working.
Zero trust adoption can offer organizations the following benefits:
A zero-trust model also relies on microsegmentation, a fundamental security control. Microsegmentation walls off network resources in small, discrete zones and enforces policy between individual workloads rather than only at a few network chokepoints, so a compromised host cannot reach neighbors it has no business talking to and a threat is contained rather than spreading laterally throughout the enterprise. With zero-trust microsegmentation, organizations can apply granular, role-based access policies to secure sensitive systems and data, preventing an access free-for-all and limiting the damage of a breach.
In May 2021, in a move that may put the federal government in the lead on zero-trust deployment, the White House issued Executive Order 14028, "Improving the Nation's Cybersecurity," calling on federal agencies to move toward a zero-trust architecture and citing cloud adoption and the inevitability of data breaches as key drivers. Later that year, the U.S. Office of Management and Budget (OMB) published a draft strategy for executing on the directive, and the Cybersecurity and Infrastructure Security Agency (CISA) released additional guidance in its Cloud Security Technical Reference Architecture and Zero Trust Maturity Model (ZTMM).
A major element of the zero-trust model, zero-trust network access (ZTNA) applies zero-trust concepts to an application access architecture.
In ZTNA, a controller or trust broker enforces an organization's preestablished access policies by brokering or denying each connection between a user and an application, while hiding the applications' network location (their IP addresses) from the internet. The broker authenticates users by identity and role and authorizes each request against contextual signals such as device security posture, time of day, geolocation and the sensitivity of the data requested. Suspicious context, such as an unmanaged device or an unusual location, can prompt the broker to deny even an authorized user's connection request, and because decisions are made per connection, access can be withdrawn when the context changes.
Once authenticated and connected, users can see only the applications they are authorized to access; all other network resources remain hidden.
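The decision logic a broker applies can be made concrete. The following Python is an added illustration written for this guide, not code from any ZTNA product: the roles, applications, device attributes and thresholds are constructed sample policy. It shows the two properties described above: access is denied unless an explicit role grant exists, and context (MFA state, device posture, geolocation, time of day) can deny an otherwise authorized user. It also returns the application list a user would see after authenticating, which contains only granted applications.

```python
"""Deny-by-default, context-aware access decisions of the kind a ZTNA broker makes.

Added illustration, not code from any product: the roles, applications, device
attributes and thresholds below are constructed sample policy. Every connection
request is evaluated, not just the first one in a session, so a change in context
(a device falling out of compliance, a login from an unexpected country) denies
later requests even though the user's entitlements have not changed.
"""
from dataclasses import dataclass
from datetime import time

# Constructed sample policy: role -> applications that role may reach.
# Anything not listed here is denied and never shown to the user.
ROLE_APPS = {
    "finance": {"erp", "payroll"},
    "engineer": {"gitlab", "ci"},
    "contractor": {"ticketing"},
}
# Constructed sample context requirements for the most sensitive applications.
SENSITIVE_APPS = {"erp", "payroll"}
ALLOWED_COUNTRIES = {"US", "CA"}
BUSINESS_HOURS = (time(7, 0), time(20, 0))


@dataclass(frozen=True)
class Request:
    """One connection attempt plus the context the broker can observe."""
    user: str
    roles: frozenset
    app: str
    mfa_verified: bool      # identity provider reported a fresh MFA result
    device_managed: bool    # device is enrolled in management and attests its posture
    device_patched: bool    # posture check: OS and agent at the required patch level
    country: str            # geolocation of the client address (ISO country code)
    local_time: time        # time of day at the client


@dataclass
class Decision:
    allowed: bool
    reasons: list


def make_request(user, roles, app, hour, country="US", mfa=True, managed=True, patched=True) -> Request:
    """Convenience constructor; hour is the client's local hour (0-23)."""
    return Request(user, frozenset(roles), app, mfa, managed, patched, country, time(hour, 0))


def granted_apps(roles: frozenset) -> set:
    """Applications explicitly granted to the given roles; empty set if none."""
    return set().union(*(ROLE_APPS.get(role, set()) for role in roles))


def evaluate(req: Request) -> Decision:
    """Return a Decision; the only path to allowed=True is passing every check."""
    # 1. Identity and role: there must be an explicit grant. No grant, no access.
    if req.app not in granted_apps(req.roles):
        return Decision(False, ["no role grants access to %s" % req.app])

    # 2. Context: each failed check is a reason to deny, even for an authorized user.
    reasons = []
    if not req.mfa_verified:
        reasons.append("MFA not verified for this session")
    if not req.device_managed:
        reasons.append("unmanaged device")
    if req.app in SENSITIVE_APPS:
        if not req.device_patched:
            reasons.append("device posture below required patch level")
        if req.country not in ALLOWED_COUNTRIES:
            reasons.append("geolocation %s not permitted for sensitive app" % req.country)
        if not (BUSINESS_HOURS[0] <= req.local_time <= BUSINESS_HOURS[1]):
            reasons.append("outside business hours for sensitive app")

    return Decision(not reasons, reasons or ["all identity and context checks passed"])


def visible_apps(roles: frozenset) -> set:
    """What the user's portal lists after authentication: only granted apps."""
    return granted_apps(roles)


if __name__ == "__main__":
    # Constructed requests: the same authorized user under different context.
    for req in (
        make_request("alice", ["finance"], "payroll", 10),
        make_request("alice", ["finance"], "payroll", 3, country="BR"),
        make_request("alice", ["finance"], "gitlab", 10),
    ):
        decision = evaluate(req)
        print(req.app, "ALLOW" if decision.allowed else "DENY", decision.reasons)
    print("alice sees:", sorted(visible_apps(frozenset({"finance"}))))
```

Every request passes through evaluate(), which is what continuous verification means in practice: the same finance user who is allowed into payroll at 10:00 from a managed, patched device in the office is denied at 03:00 from an unlisted country, with no change to their entitlements, and a request for an application outside their role never reaches the context checks at all.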
Experts agree that a zero-trust approach is critical in theory but often difficult to implement in practice. Organizations planning to embrace a zero-trust model should bear in mind the following challenges:
Explore how to negotiate these and other zero-trust challenges by running trials, starting small and scaling slowly.
Enterprises planning zero-trust transitions should also consider creating dedicated, cross-functional teams to develop strategies and drive implementation efforts. Ideally, a zero-trust team will include members with expertise in the following areas:
Team members can fill any knowledge gaps and gain specialized expertise via a variety of zero-trust training courses and certifications from organizations such as Forrester, (ISC)2, SANS and the Cloud Security Alliance.
As with any new initiative, use cases should drive zero-trust adoption decisions. The following are four clear examples of how zero trust can help protect the enterprise:
The zero-trust framework lays out a set of principles to remove inherent trust and ensure security using continuous verification of users and devices.
The following are five main principles of zero trust:
The continuous aspect of zero trust also applies to the principles themselves. Zero trust isn't a set-it-and-forget-it strategy. Principles must be addressed via a continuous process model that restarts once a principle is achieved.
The cybersecurity industry is rife with technologies, strategies and policies. It can be difficult to keep track of what's what. This is especially true in zero trust, which is not a technology but a framework of principles and technologies that apply those principles.
Let's look at how zero trust and other terms compare.
Like zero trust, a software-defined perimeter (SDP) aims to improve security by strictly controlling which users and devices can access what. Where zero trust is a set of principles, SDP, as specified by the Cloud Security Alliance, is a concrete architecture composed of SDP controllers and hosts: the controller authenticates and authorizes an initiating host before any connection to an accepting host is permitted, and unauthorized connection attempts are simply dropped.
Many experts and vendors use the terms zero trust and SDP interchangeably. That said, the terms are evolving, and some now refer to ZTNA as SDP 2.0.
Zero trust and VPNs share the goal of securing remote access, but the efficacy of legacy perimeter security technology has come under scrutiny over the past decade.
VPNs, which have long been used to connect remote users and devices to corporate networks, have faced difficulty securing increasing numbers of remote workers and cloud services used in the modern enterprise. Zero trust is expected to supplant aging VPN technology because it can better secure perimeter-less enterprises.
Don't tear out those VPNs yet, however. Zero trust and VPNs can be used in tandem. For example, zero-trust microsegmentation, in conjunction with a VPN, can reduce a company's attack surface -- although not as much as a full zero-trust initiative would -- and can prevent damaging lateral movements and attacks, should a breach occur.
While they may sound the same, zero trust and zero-knowledge proof overlap only slightly in terms of technology.
A zero-knowledge proof is a cryptographic method by which one party (the prover) convinces another (the verifier) that a statement is true, for example that it knows a particular secret, without revealing anything beyond the fact that the statement is true. The proof is mathematical: the verifier can check it, but learns nothing it could reuse to impersonate the prover.
In authentication, zero-knowledge techniques let a user prove knowledge of a secret such as a password or private key without ever transmitting that secret, so there is nothing for an eavesdropper or a compromised server to capture and replay. Some password-based and multifactor authentication (MFA) protocols are built on such proofs. The overlap with zero trust is indirect: strong MFA is a critical technology in a zero-trust strategy, and zero-knowledge methods are one way to build it.
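To make the distinction concrete, here is the Schnorr identification protocol in Python, an added example for this guide rather than code from the article or any product. A prover holding a secret x convinces a verifier that it knows x for the public key y = g^x mod p without transmitting x. The group parameters are generated at a toy 64-bit size, an assumption made so the demo runs instantly; real systems use 2048-bit groups or elliptic curves with the same protocol structure. Alongside the honest run, simulate_transcript() shows that an accepting transcript can be produced without x, which is what "zero knowledge" means, and impersonate() shows why that does not help an attacker who must commit before seeing the verifier's challenge.

```python
"""Schnorr identification: a zero-knowledge proof of knowledge of a discrete log.
Added example, not from the article or any product. The prover holds a secret x and
convinces the verifier it knows x for the public key y = g^x mod p without sending x.
Parameters are generated at a toy size (64-bit subgroup) so the demo runs instantly;
real deployments use 2048-bit groups or elliptic curves with the same protocol structure.
"""
import secrets


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin primality test with random bases."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2            # random base in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def make_group(bits: int = 64):
    """Return (p, q, g): p = 2q + 1 a safe prime, g a generator of the order-q subgroup."""
    while True:
        q = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # odd, exactly `bits` long
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            p = 2 * q + 1
            break
    while True:
        g = pow(secrets.randbelow(p - 2) + 2, 2, p)  # a quadratic residue other than 1
        if g != 1:                                   # has order exactly q
            return p, q, g

def keygen(p, q, g):
    """Secret x (never leaves the prover) and public key y = g^x mod p."""
    x = secrets.randbelow(q - 1) + 1
    return x, pow(g, x, p)

class Prover:
    def __init__(self, p, q, g, x):
        self.p, self.q, self.g, self.x = p, q, g, x

    def commit(self) -> int:
        self.r = secrets.randbelow(self.q - 1) + 1   # fresh randomness; reusing r leaks x
        return pow(self.g, self.r, self.p)           # t = g^r

    def respond(self, c: int) -> int:
        return (self.r + c * self.x) % self.q        # s = r + c*x mod q

class Verifier:
    def __init__(self, p, q, g, y):
        self.p, self.q, self.g, self.y = p, q, g, y

    def challenge(self) -> int:
        self.c = secrets.randbelow(self.q)           # unpredictable, chosen after seeing t
        return self.c

    def verify(self, t: int, s: int) -> bool:
        # Accept iff g^s == t * y^c (mod p), i.e. g^(r + cx) == g^r * (g^x)^c.
        return pow(self.g, s, self.p) == (t * pow(self.y, self.c, self.p)) % self.p

def run_protocol(p, q, g, x, y) -> bool:
    """The three-message exchange between a prover holding x and a verifier holding y."""
    prover, verifier = Prover(p, q, g, x), Verifier(p, q, g, y)
    t = prover.commit()          # prover   -> verifier: commitment
    c = verifier.challenge()     # verifier -> prover:   challenge
    s = prover.respond(c)        # prover   -> verifier: response
    return verifier.verify(t, s)

def simulate_transcript(p, q, g, y):
    """An accepting (t, c, s) built WITHOUT x: a transcript reveals nothing about x."""
    c, s = secrets.randbelow(q), secrets.randbelow(q)
    t = (pow(g, s, p) * pow(y, (q - c) % q, p)) % p   # t = g^s * y^(-c)
    return t, c, s

def impersonate(p, q, g, y) -> bool:
    """Without x, an attacker must guess c before seeing it: success probability 1/q."""
    verifier = Verifier(p, q, g, y)
    t, _guessed_c, s = simulate_transcript(p, q, g, y)
    verifier.challenge()         # the real c is drawn only after t has been committed
    return verifier.verify(t, s)
```

Note what the protocol does and does not prove: it establishes knowledge of the secret behind a registered public key y, not the prover's identity as such. The identity binding comes from the verifier's prior trust in y (enrollment), which is exactly the kind of identity-centric, continuously re-verifiable check a zero-trust architecture wants from its authentication layer.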
The principle of least privilege (POLP) is a security concept that gives users and devices only the access rights required to do their jobs and nothing more. This includes access to data, applications, systems and processes. If a device's or user's credentials are compromised, least privilege limits the damage: the attacker can reach only what that identity was granted, not the entire network.
Zero trust and POLP are similar in that they both restrict user and device access to resources. Unlike POLP, zero trust also focuses on user and device authentication and authorization. Zero-trust policies are often based on POLP, yet they continuously reverify authentication and authorization.
A defense-in-depth security strategy involves multiple layers of processes, people and technologies to protect data and systems. The belief is that a layered security approach protects against human-caused misconfigurations and ensures most gaps between tools and policies are covered.
Defense in depth may be stronger than zero trust, in that if one layer of security fails, other layers pick up the slack and protect the network. Zero trust is often more appealing, however, because its never-trust, always-verify stance ensures that if attackers infiltrate a network, they won't be there for long before they need to be reverified, and that zero-trust microsegmentation will limit what they can access.
Including defense-in-depth principles in a zero-trust framework can make the security strategy even stronger.
Vendor messaging around zero trust can be confusing -- even downright incorrect. No one-size-fits-all, out-of-the-box zero-trust product or suite of products exists. Rather, zero trust is the overarching strategy involving a collection of tools, policies and procedures that build a strong barrier around workloads to ensure data security.
That said, several zero-trust-enabled products are available to include in a zero-trust deployment, and ZTNA offerings make up many of them. To qualify as a true ZTNA product, an offering must be identity-centric, deny by default and be context-aware.
ZTNA has two basic architectures:
Enterprises can opt for as-a-service offerings or self-hosted ZTNA deployments. ZTNA as a service is popular for its scalability and manageability; self-hosted ZTNA offers organizations greater control over their data and policy enforcement points.
Learn more about the ZTNA market, including questions to ask when evaluating potential vendors and a list of products available today.
A successful zero-trust implementation requires considerations around what the Forrester Zero Trust eXtended (ZTX) model coined as the "seven pillars of zero trust":
OMB's federal zero-trust strategy (drafted in 2021 and finalized in January 2022 as memorandum M-22-09), which requires agencies to meet specific zero-trust goals by the end of fiscal year 2024, and CISA's ZTMM cover the same ground as the ZTX pillars. The ZTMM organizes it into five pillars (identity, devices, networks, applications and workloads, and data) spanned by three cross-cutting capabilities: visibility and analytics, automation and orchestration, and governance.
ZTX and ZTMM are just two approaches to adopting zero trust. Both aim to help organizations establish and execute on a zero-trust strategy. While ZTX is for any organization, the ZTMM was designed for federal agencies, although any company can use the information to implement a strategy.
The CISA ZTMM also outlines the three layers of zero-trust adoption:
Once an organization is ready to adopt zero trust, it is highly beneficial to approach it in phases. The following are seven steps to implement zero trust:
Read more on the zero-trust on-ramps and implementation steps.
Remember: Zero trust is a journey, not a destination. Run trials, start small and then scale deployments. It takes a lot of planning and teamwork, but in the end, a zero-trust security model is one of the most important initiatives an enterprise can adopt, even if it hits bumps along the way.
20 Oct 2022