The term zero trust refers to a cybersecurity approach that challenges the traditional, perimeter-based security model. It is based on the principle of "never trust, always verify": every user, device and application attempting a transaction must be authenticated and authorized, regardless of its location or any prior authentication. This proactive strategy reduces an organization's attack surface, from on-premises to cloud environments, and constrains the scope of a breach and the attacker's lateral movement.
Zero trust is not a single piece of technology but a combination of principles and technologies, such as identity and access management (IAM) with strong identity verification, continuous monitoring and validation of connections, device security and compliance checks, mutual and multi-factor authentication, microsegmentation for breach containment and lateral movement prevention, least privilege access, attribute-based access control (ABAC), which sets access policies based on the attributes of the data, the user identity and the environment, and several more.
Remember that the transformation of your cybersecurity architecture from perimeter-based to zero trust will not be a single project but an iterative process made up of several smaller projects, each dealing with a specific use case.
The first occurrence of the term can be traced back to April 1994, when "zero trust" was coined by Stephen Paul Marsh in his PhD thesis on computer security. Marsh treated trust as something finite that can be described mathematically, asserting that the concept of trust transcends human factors such as morality, ethics, lawfulness, justice and judgement.
In 2003, the challenges of defining the perimeter of an organisation's IT systems were highlighted in a presentation by Paul Simmonds of the Jericho Forum, discussing the trend of "de-perimeterisation".
In 2009, Forrester research analyst John Kindervag popularized the term in his well-known report, No More Chewy Centers: The Zero Trust Model Of Information Security, presenting the idea that all traffic should be considered untrusted, irrespective of location, users and applications, and that least privilege, strict access controls, continuous traffic inspection and logging should be enforced.
The zero trust initiative starts with the definition of the zero trust strategy, the guiding document that describes the principles and the actions needed to fulfil them. Since zero trust is a transformation, there is always a risk of resistance, or of failing to realize the expected benefits. A zero trust strategy requires:
The execution of the zero trust strategy requires a roadmap. Assessing the current and the target state provides that roadmap, using widely accepted maturity assessment frameworks, and consists of the following activities:
Contrary to the conventional approach to perimeter-based network security, which focuses on the attack surface at a macro level, defining a protect surface means setting granular controls to protect specific Data, Applications, Assets and Services (DAAS). Controls can then be placed as close as possible to the assets belonging to that protect surface, resulting in micro-perimeters. Discovery and mapping of transaction flows is a core activity of this phase, since it identifies the interaction points and information flow paths across the network, so that controls are designed and applied properly. The attack surface and the protect surface can be considered two sides of the same coin: the attack surface shrinks as the protect surface gets more precisely defined.
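As an added example (not code from this page, nor any vendor's tooling), the following Python script shows the transaction flow mapping step on constructed flow records: flows are filtered to those that touch a hypothetical protect surface (a database host `db-01`), owner-confirmed flows become explicit allow rules, unconfirmed ones are flagged for review rather than silently allowed, and a default deny closes the micro-perimeter. The hostnames, ports and the `APPROVED` list are assumptions. It also compares the (src, dst, port) triples reachable on a flat network with those the micro-perimeter permits, which is the concrete sense in which the attack surface shrinks as the protect surface is defined.

```python
from collections import Counter

# Constructed flow records (src_host, dst_host, dst_port, proto), standing in for
# exports from VPC flow logs or NetFlow. Hostnames are hypothetical.
SAMPLE_FLOWS = [
    ("web-01", "api-01", 8443, "tcp"),
    ("web-01", "api-01", 8443, "tcp"),
    ("api-01", "db-01", 5432, "tcp"),
    ("api-01", "db-01", 5432, "tcp"),
    ("jump-01", "db-01", 22, "tcp"),
    ("laptop-42", "db-01", 5432, "tcp"),   # a workstation reaching the DB directly
    ("laptop-42", "web-01", 443, "tcp"),
    ("api-01", "idp-01", 443, "tcp"),
]

# Protect surface: the DAAS element this micro-perimeter is built around (assumed).
PROTECT_SURFACE = {"db-01"}

# Flows the data owner has confirmed as legitimate, per protected asset: (src, dst_port).
APPROVED = {"db-01": {("api-01", 5432), ("jump-01", 22)}}


def flows_to_protect_surface(flows, protect_surface):
    """Step 1: keep only transactions whose destination is inside the protect
    surface and count repeated observations of each (src, dst, port, proto)."""
    return Counter(f for f in flows if f[1] in protect_surface)


def micro_perimeter_policy(flows, protect_surface, approved):
    """Step 2: turn the mapped flows into an ordered rule set. Observed flows
    confirmed by the owner become explicit allows; observed but unconfirmed
    flows are flagged for review (never silently allowed); a final default-deny
    per protected asset closes every path the mapping did not justify."""
    rules = []
    observed = flows_to_protect_surface(flows, protect_surface)
    for (src, dst, port, proto), seen in sorted(observed.items()):
        confirmed = (src, port) in approved.get(dst, set())
        rules.append({"src": src, "dst": dst, "port": port, "proto": proto,
                      "observed": seen, "action": "allow" if confirmed else "review"})
    for asset in sorted(protect_surface):
        rules.append({"src": "any", "dst": asset, "port": "any", "proto": "any",
                      "observed": 0, "action": "deny"})
    return rules


def reachable_pairs(rules):
    """Residual attack surface of the micro-perimeter: the distinct
    (src, dst, port) triples the rule set permits."""
    return {(r["src"], r["dst"], r["port"]) for r in rules if r["action"] == "allow"}


def flat_network_pairs(flows, protect_surface):
    """For comparison: on a flat network every host seen in the flow data can
    reach every observed port on the protected asset."""
    hosts = {h for f in flows for h in (f[0], f[1])} - protect_surface
    ports = {f[2] for f in flows if f[1] in protect_surface}
    return {(h, a, p) for h in hosts for a in protect_surface for p in ports}


if __name__ == "__main__":
    policy = micro_perimeter_policy(SAMPLE_FLOWS, PROTECT_SURFACE, APPROVED)
    for r in policy:
        print(f"{r['action']:6} {r['src']:>10} -> {r['dst']}:{r['port']}/{r['proto']} "
              f"(seen {r['observed']}x)")
    print("flat network exposure:  ", len(flat_network_pairs(SAMPLE_FLOWS, PROTECT_SURFACE)))
    print("micro-perimeter exposure:", len(reachable_pairs(policy)))
```

The "review" action is the important one in practice: the unconfirmed `laptop-42 -> db-01:5432` flow is exactly the kind of path a perimeter model tolerates and a protect-surface exercise surfaces, and the owner must either justify it or let the default deny remove it.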
In a zero trust architecture, access to and visibility of resources is controlled by policy enforcement: the user and the device are continuously validated before any access is allowed. Policies therefore govern the implementation, and proper planning and maintenance are required. Following a proven and structured method, our specialists can assist with the definition of all required policies.
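As an added example illustrating both the ABAC description given earlier and the per-request policy enforcement just described (it is not code from this page or from any particular product), the following Python policy decision point evaluates every request against identity, device, data and environmental attributes, with nothing cached between requests. The policy thresholds, group names, device posture fields and IP ranges are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Assumed policy parameters; illustrative values, not taken from the page.
CORPORATE_RANGES = [ip_network("10.0.0.0/8")]
MFA_MAX_AGE = {
    "public": timedelta(hours=24),
    "internal": timedelta(hours=8),
    "confidential": timedelta(minutes=30),
}
MAX_PATCH_AGE_DAYS = {"public": 90, "internal": 30, "confidential": 14}


@dataclass(frozen=True)
class Subject:            # identity attributes
    user: str
    groups: frozenset
    mfa_verified_at: datetime


@dataclass(frozen=True)
class Device:             # device attributes (as an MDM/EDR posture feed would supply; assumed)
    device_id: str
    managed: bool
    disk_encrypted: bool
    patch_age_days: int


@dataclass(frozen=True)
class Resource:           # data attributes
    name: str
    classification: str   # "public" | "internal" | "confidential"
    allowed_groups: frozenset


@dataclass(frozen=True)
class Environment:        # environmental attributes
    source_ip: str
    now: datetime


def decide(subject, device, resource, env):
    """Policy decision point. Evaluates one request against all four attribute
    sets and returns (allowed, denial_reasons). No result is cached: the next
    request is evaluated again, which is what makes the verification continuous."""
    reasons = []
    cls = resource.classification

    # Identity: is the subject entitled to this resource at all?
    if not (subject.groups & resource.allowed_groups):
        reasons.append("identity: subject is in no group allowed on this resource")

    # Identity x environment: strong auth must be recent; the window is halved for
    # requests that do not originate from a known corporate range. Location never
    # grants access on its own, it only tightens the other checks.
    on_corporate_net = any(ip_address(env.source_ip) in net for net in CORPORATE_RANGES)
    window = MFA_MAX_AGE[cls] if on_corporate_net else MFA_MAX_AGE[cls] / 2
    if env.now - subject.mfa_verified_at > window:
        reasons.append(f"identity: MFA older than {window} for {cls} data")

    # Device posture: anything above public needs a managed, encrypted endpoint,
    # and every classification has a maximum patch age.
    if cls != "public":
        if not device.managed:
            reasons.append("device: unmanaged endpoint")
        if not device.disk_encrypted:
            reasons.append("device: disk not encrypted")
    if device.patch_age_days > MAX_PATCH_AGE_DAYS[cls]:
        reasons.append(f"device: patches {device.patch_age_days}d old, max {MAX_PATCH_AGE_DAYS[cls]}d")

    return (not reasons, reasons)


def scenarios():
    """Constructed requests against a confidential payroll dataset (hypothetical names)."""
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    payroll = Resource("payroll-db", "confidential", frozenset({"finance"}))
    alice = Subject("alice", frozenset({"finance"}), now - timedelta(minutes=20))
    bob = Subject("bob", frozenset({"engineering"}), now - timedelta(minutes=5))
    corp_laptop = Device("lt-0042", managed=True, disk_encrypted=True, patch_age_days=3)
    byod = Device("phone-7", managed=False, disk_encrypted=True, patch_age_days=40)
    on_site = Environment("10.20.30.40", now)
    remote = Environment("203.0.113.5", now)
    return {
        "alice_onsite_managed": decide(alice, corp_laptop, payroll, on_site),
        "alice_remote_managed": decide(alice, corp_laptop, payroll, remote),
        "alice_onsite_byod": decide(alice, byod, payroll, on_site),
        "bob_onsite_managed": decide(bob, corp_laptop, payroll, on_site),
    }


if __name__ == "__main__":
    for name, (allowed, reasons) in scenarios().items():
        print(name, "ALLOW" if allowed else "DENY", reasons)
```

Note that the same authenticated user on the same managed laptop is allowed on site but denied from a remote address, not because location is trusted, but because the environmental attribute shortens the acceptable MFA age; re-authenticating makes the remote request pass. Every denial reason is returned so the enforcement point can log it, which is what the continuous monitoring pillar consumes.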
The transformation of the current architecture towards the zero trust paradigm is achieved during this phase, by defining target considerations for the 5 pillars (Identity, Devices, Networks, Applications and Workloads, Data) and the 3 cross-cutting capabilities (Visibility and Analytics, Automation and Orchestration, Governance), the structure used by the CISA Zero Trust Maturity Model, driven by the underlying business case and the wider business objectives.
Our Zero Trust consultants provide regular oversight, assessment and adjustment of your Zero Trust state. Since Zero Trust is not a destination but a journey that involves a radical shift in the perception of security, the ultimate objective is to transform your organization's staff to Zero Trust practitioners.
Our ZT specialists are more than happy to discuss your ZT journey!