This content is part of the Essential Guide: How best to secure cloud computing in this critical era

Top 5 reasons for a zero-trust approach to network security

As network perimeters disintegrate and enterprises adopt cloud computing, discover the top reasons organizations are opting for a zero-trust approach to network security.

Zero trust may seem like just another security buzzword, but organizations are increasingly finding reasons to take the zero-trust approach to network security.

In the early days of the internet, network security professionals borrowed medieval terminology to describe network defenses: moats, bastion hosts, perimeters, firewalls and gateways all figured in the network defender's vocabulary. In those days, the baseline network design was as simple as dividing hosts into two categories: internal and trusted vs. external and untrusted.

The world has moved on from this model, in which internal users are assumed to be trusted employees and everyone who accesses resources from outside is deemed untrusted. Now, users accessing resources both internally and externally run the gamut: employees, consumers, contractors, vendors and other trusted or untrusted third parties. The prevalence of BYOD, cloud computing and remote workers also means network access can no longer be reliably funneled through firewalls or other security gateways.

Reflecting the growing complexity of network security decisions, the concept of zero-trust network security was first articulated by a Forrester analyst in 2009. It gained wider acceptance after Google created, and migrated its own workforce to, the BeyondCorp zero-trust security framework.

Here are the top drivers behind the move to the zero-trust approach to network security:

  • The network perimeter is no longer defensible. Even when enterprises hid all their digital assets behind a firewall and bastion network, authorized users and attackers alike used dial-up connections and firewall exceptions to bypass the perimeter. The challenge has only grown as more enterprise infrastructure lets employees, customers, contractors, vendors and other third parties reach network resources through the cloud, BYOD devices and other paths. Zero trust treats every access request the same way regardless of where it originates, so defenders can grant access on the basis of identity, device posture and context rather than network location.
  • Trust levels can no longer be pegged to prior access. The zero-trust approach re-evaluates the access decision every time access is requested. This reduces the risk of accumulated privilege: insiders who were granted more access than they need, employees whose access needs changed with their job responsibilities, contractors and other third parties whose affiliation has changed, and devices or applications that should be revalidated on every request rather than once at enrollment.
  • Network security threats keep escalating as attackers find more vectors to exploit. Taking a zero-trust approach to network security means removing what is sometimes called residual trust from the network -- for example, the trust implicitly granted to users or systems that reach restricted resources from inside the enterprise perimeter, or the standing access granted to external users for specific systems that should since have been revoked. With those standing grants gone, there is nothing left for an attacker to inherit.
  • Zero trust enables greater resilience to ongoing attacks. Because a zero-trust architecture denies access by default, attackers who do find a way into the enterprise network are still stymied when they try to pivot: lateral movement has to pass the same authentication and authorization checks as any other access.
  • Zero trust gives internal threats the same scrutiny as external ones. The growing number of users with legitimate reasons to access network resources, coupled with the erosion of the perimeter by BYOD and cloud, means labeling users as internal or external is increasingly meaningless. Attack strategies that depend on gaining unprivileged access to an internal system in order to pivot to juicier targets are common, so an internal threat may simply be an extension of an external one. A zero-trust approach removes the need to distinguish between the two; every potential threat is treated the same way.
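The drivers above share one mechanical idea: a policy decision point that denies by default, looks up identity, authorization and device posture afresh on every request, and never consults where the request came from. The following is an added illustration of that idea, not code from the article or from BeyondCorp; the users, devices, resources and the fixed clock are constructed sample data.

```python
"""Minimal zero-trust policy decision point: deny by default, re-evaluate every
request, ignore where the request came from. All directory data below is
constructed sample data for this example (hypothetical, not a real system)."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed directory, device inventory and per-resource policy.
ROLES = {
    "alice": {"finance-app"},
    "bob": {"wiki"},
    "contractor-1": set(),   # engagement ended: every grant has been removed
}
DEVICES = {
    "laptop-a": {"managed": True, "disk_encrypted": True, "patched": True},
    "laptop-b": {"managed": True, "disk_encrypted": True, "patched": False},
    "byod-phone": {"managed": False, "disk_encrypted": True, "patched": True},
}
RESOURCES = {
    "finance-app": {"mfa_max_age": timedelta(minutes=15), "managed_device": True},
    "wiki": {"mfa_max_age": timedelta(hours=12), "managed_device": False},
}
NOW = datetime(2019, 4, 1, 9, 0, tzinfo=timezone.utc)  # fixed clock for the demo


@dataclass(frozen=True)
class Request:
    user: str
    device: str
    resource: str
    now: datetime
    mfa_at: Optional[datetime]   # last successful MFA, or None if never
    source: str = "internet"     # "corp-lan" or "internet": deliberately unused


@dataclass
class Decision:
    allow: bool
    reasons: list = field(default_factory=list)


def evaluate(req: Request) -> Decision:
    """Allow only if every check passes for this request. Nothing is carried
    over from earlier decisions, and req.source is never consulted."""
    reasons = []
    res = RESOURCES.get(req.resource)
    if res is None:
        return Decision(False, [f"unknown resource {req.resource}"])
    # Authorization is looked up fresh: a role revoked a minute ago is gone now.
    if req.resource not in ROLES.get(req.user, set()):
        reasons.append(f"{req.user} holds no role granting {req.resource}")
    # Device posture is checked per request, not once at enrollment.
    dev = DEVICES.get(req.device)
    if dev is None:
        reasons.append(f"unknown device {req.device}")
    else:
        if res["managed_device"] and not dev["managed"]:
            reasons.append(f"{req.resource} requires a managed device")
        if not dev["patched"]:
            reasons.append(f"{req.device} is missing patches")
        if not dev["disk_encrypted"]:
            reasons.append(f"{req.device} is not disk-encrypted")
    # Authentication strength is a property of the resource, with a freshness limit.
    if req.mfa_at is None or req.now - req.mfa_at > res["mfa_max_age"]:
        reasons.append(f"MFA absent or older than {res['mfa_max_age']}")
    return Decision(allow=not reasons, reasons=reasons)


def decide(user, device, resource, mfa_age_minutes=None, source="internet") -> Decision:
    """Convenience wrapper: build a Request against the fixed demo clock."""
    mfa_at = None if mfa_age_minutes is None else NOW - timedelta(minutes=mfa_age_minutes)
    return evaluate(Request(user, device, resource, NOW, mfa_at, source))


if __name__ == "__main__":
    cases = [
        ("alice", "laptop-a", "finance-app", 5, "internet"),    # allowed from outside
        ("alice", "laptop-a", "finance-app", 40, "corp-lan"),   # stale MFA; LAN does not help
        ("alice", "byod-phone", "finance-app", 5, "corp-lan"),  # unmanaged device
        ("contractor-1", "laptop-a", "wiki", 5, "corp-lan"),    # roles already revoked
        ("bob", "laptop-b", "wiki", 5, "corp-lan"),             # unpatched device
        ("bob", "byod-phone", "wiki", 60, "internet"),          # allowed: wiki tolerates BYOD
    ]
    for user, device, resource, mfa_age, source in cases:
        d = decide(user, device, resource, mfa_age, source)
        print(f"{user:12} {device:10} {resource:11} from {source:8} -> "
              f"{'ALLOW' if d.allow else 'DENY'} {'; '.join(d.reasons)}")
```

Two design points matter here. First, the decision is a pure function of the current request: there is no session cache of earlier "allow" results, so a revoked role or a newly unpatched device takes effect on the next request, not the next login. Second, the `source` field is carried but never read, which is the whole of "internal and external get the same scrutiny": a request from the corporate LAN with stale MFA is denied exactly as it would be from the internet, and a request from the internet with a healthy managed device and fresh MFA is allowed.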

While there are many pressing reasons to adopt a zero-trust approach to network security, the primary reason is that it works. However, just as firewalls were once considered the sine qua non of securing an internet-connected enterprise, zero trust should be viewed as a transitional state rather than an end goal for security. Defenders need to remain vigilant as attackers continue to develop ways to exploit or bypass security controls.

This was last published in April 2019


Is your organization adopting a zero trust approach to network security? Why, or why not?
We have been advocating this approach for at least 15 years. In 2006 we had a major client lose seven figures in an ACH banking scam. Fancy firewalls, etc., meant nothing; the attack came via a combination of social engineering, spoofed email, and good old port 80. A keylogger was installed on a clerk's computer as the result of her previewing (not even opening) what she thought was an email from her local bank. The hackers then used the keylogger, on port 80, to capture both her computer credentials and her actual banking credentials. They then logged into the company operating account nightly and transferred funds to Romania in $100,000 increments. Because this was a common nightly transaction, nobody discovered it for two weeks. The FBI was called in, but because we have no reciprocity with Eastern Europe the money was gone, period, end. The bank was harmless because it was not breached; the transfers occurred on a legitimate user account. This happens more than anyone is willing to talk about. Had there been even two-step authorization at the time, it would have stopped the hackers cold.

A lot of that attack would still work in 2019, despite:
  • embrace of HTTPS over HTTP (port 80)
  • increasing use of 2FA/MFA
  • safer preview modes for email readers
I mean, we've known RDP has been a car crash since forever, but attackers are still using it to make bank.

Thanks for sharing this information. Glad you shared it! I have read a lot about network security. As an IT consultant, if you want to know more about network security and its process in the IT field, I hope you would get more clarity about it. Thanks.