Light Dark
April 21, 2022 By Mike Elgan 4 min read
Zero Trust
Network
Risk Management

The remote work era makes the zero trust model critical for most businesses. The time has come to use it. But first, let’s understand what it really is and why the hybrid and remote work trend makes it all but mandatory.

What Is Zero Trust?

Zero trust is not a product or a service, but an idea or a strategy. Instead of relying on a perimeter (for example, a firewall), every user, device and app must be verified for every instance of access.

Other ideas connected with this idea include strong user identity, machine identification, network segmentation, policy compliance and others.

A student at the U.K.’s University of Stirling named Stephen Paul Marsh coined “zero trust” in his doctoral thesis in 1994. Later, the concept was briefly called de-perimeterization and perimeterless network architecture. In the end, the phrase zero trust became the most widely accepted term. Industry guidelines like Forrester eXtended, Gartner’s CARTA and NIST SP 800-207 further refined ideas and definitions around it.

Why Remote and Hybrid Work Demands Zero Trust

When the pandemic began, employees started working from home in their millions. It didn’t take long for threat actors to realize that the best way to break in was to enter through remote workers’ virtual private network (VPN) connections.

Each work-from-home employee, hybrid worker and digital nomad represents an expansion of the attack surface and new openings for attackers. An organization might be looking at dozens, hundreds or thousands of such employees. So, the attack surface becomes too large for older security models.

How to Think About Zero Trust

Zero trust replaces an outdated idea. That idea? The assumption that everything ‘inside’ is trustworthy by default and that only outsiders pose threats. First, the solution was firewalls to create a perimeter. Then, VPN enabled remote employees to ‘tunnel’ into the perimeter.

This perimeter-centric view is outdated for many reasons. The rise of arbitrary mobile and wearable devices, cloud computing and the Internet of Things trend have eroded it. Now, above all, the hybrid and remote work trend have, too. It also accepts that threats often start inside the walls. Plus, cyberattacks are becoming more high-tech all the time. (There’s still a place for firewalls in zero trust networks — just not for perimeter security.)

At a high level, zero trust best practices start with several elements. They are the identification of critical assets, the establishment of strong identity systems for users, devices and apps and the use of micro segmentation. First, you need to create micro-perimeters on the networks and restricted access zones inside data centers and cloud environments. These control which people, devices and applications have permitted access to each segment, zone and resource. Beyond access restrictions, the hunt for intrusions and malware takes place thorough ongoing encrypted traffic inspection and analysis.

Process or Policy?

The zero trust methodology enforces what used to exist in policies. In the past, company policies might say that only employees should access company resources. These employees had to use approved devices and apps. Policies might also call for employees to avoid rummaging through data beyond their purview.

Policies are great. The trouble is that this only guarantees security to the extent that people follow those policies.

Zero trust puts all-day, everyday enforcement of those policies into practice. The right people access the right resources using the right devices and applications. After all, only they have permission to do so. The default is every person, device and app is blocked from accessing every part of the network and everything on those parts until the person, device and app are all authorized.

Attackers are stymied at every turn in a zero trust network. If they can trick or work around user authentication, their device will be denied access. It narrows employee behavior. If one staff member decides to use an insecure app, that app won’t be allowed, even if they’re an authorized user on an authorized device.

The zero trust network architecture also helps with compliance auditing. It allows for improved visibility into user activity, device access and location, credential privileges, application states and other key factors. It also provides more data on which specific network resources have and have not been breached. Both of these are important for success.

Outsourced or In-House?

A zero trust network architecture represents a pretty radical departure from perimeter security. The decision over which parts to outsource and which to keep in-house depends on whether staff has experience with the elements of zero trust. It also depends on how well you’ve staffed in general.

It’s reasonable to outsource many parts of the transition. Then, after learning more, bring some parts in-house, depending on what makes sense for your needs. But even if you’re inclined to keep security work in-house, you might want to consider outsourcing to help with the transition.

The Human Element

Express the move to zero trust as part of the wider conversation about the new workplace. As we continue to adapt to remote and hybrid work, employees should be included as partners in this transition. Zero trust security is part of that.

Zero trust will impact all employees in multiple ways, including inconvenience in their workday and a learning curve up front. That’s why it’s super important to express the benefits, the link to hybrid and remote work and the impracticality of sticking with yesterday’s perimeter security mindset.

For many organizations — especially those fully embracing remote and hybrid work — zero trust is no longer an option. It’s time to trust it.

 |  |  |  |  | 
Mike Elgan

More from Zero Trust
October 5, 2023

Does your security program suffer from piecemeal detection and response?

4 min read - Piecemeal Detection and Response (PDR) can manifest in various ways. The most common symptoms of PDR include: Multiple security information and event management (SIEM) tools (e.g., one on-premise and one in the cloud) Spending too much time or energy on integrating detection systems An underperforming security orchestration, automation and response (SOAR) system Only capable of taking automated responses on the endpoint Anomaly detection in silos (e.g., network separate from identity) If any of these symptoms resonate with your organization, it's…

April 27, 2023

Zero trust data security: It’s time to make the shift

4 min read - How do you secure something that no longer exists? With the rapid expansion of hybrid-remote work, IoT, APIs and applications, any notion of a network perimeter has effectively been eliminated. Plus, any risk inherent to your tech stack components becomes your risk whether you like it or not. Organizations of all sizes are increasingly vulnerable to breaches as their attack surfaces continue to grow and become more difficult — if not impossible — to define. Add geopolitical and economic instability…

April 17, 2023

How zero trust changed the course of cybersecurity

4 min read - For decades, the IT industry relied on perimeter security to safeguard critical digital assets. Firewalls and other network-based tools monitored and validated network access. However, the shift towards digital transformation and hybrid cloud infrastructure has made these traditional security methods inadequate. Clearly, the perimeter no longer exists. Then the pandemic turned the gradual digital transition into a sudden scramble. This left many companies struggling to secure vast networks of remote employees accessing systems. Also, we’ve seen an explosion of apps,…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature