Few enterprise security technologies have garnered as much attention and hype as Zero Trust over the past decade. Yet, despite all the buzz, there remains a great deal of confusion and uncertainty in the market – is Zero Trust a framework, a reference architecture, or an actual technology? Does the Zero Trust model match the reality of today’s increasingly hybridized computing environments? And perhaps most salient of all: is the promise of Zero Trust fully warranted or is yet another overhyped technology that will never live up to its potential?
Further compounding the confusion is the fact that a burgeoning ecosystem of software vendors and solution providers have latched on to the Zero Trust bandwagon all claiming to help customers design and implement a bulletproof network security system centered around the principles of least privileged access. But before we dive into what Zero Trust is or isn’t, let’s take a step back to understand how we got to this point in the first place.
A Brief History of Zero Trust
On its face, Zero Trust is a simple yet powerful concept – to eliminate the assumption of trust within a network. Yet this idea runs in stark contrast to the founding ideals of the internet which was intentionally designed as an open and dynamic network that would allow anyone to share anything. But as with any promising new way of doing things, there always seem to be some unintended consequences. In this case, the flip side to the democratized exchange of information is our current state of network insecurity: a broadening swath of network ports, devices, applications, and users that have become ripe targets for opportunistic threat actors.
As Dr. Chase Cunningham, one of the leading authorities and proponents of Zero Trust explains, “what happened is that with the explosion of the online world being the area we all live and breathe, speed to revenue outpaced planning and strategy for security and we all collectively created this giant interconnected network of weakness – and we built the whole thing where the password is the one lynchpin in almost everything. For nearly half a century we have been clawing at gaining ground here, but it’s all been for naught because speed trumps strategy in security and tools trump tactics.”
This is the fine line that the enterprise is hoping to balance as they look to modernize their approach to network access: how do you provide the frictionless access users demand without introducing unnecessary risk to your network environment?
Unlike the conventional castle-and-moat approach that prioritizes the defense of the network perimeter while assuming that everything inside didn’t pose a threat, Zero Trust demands that everything that connects to a company’s infrastructure – whether it’s a device, a document, or a person, should be regarded as untrustworthy, until proven otherwise.
The Crumbling Network Perimeter
It’s easy to see why the notion of a well-defined and tightly controlled network perimeter now seems like a quaint relic from a bygone era. Applications are now served from a combination of public/private cloud environments and on-premise data centers. Global enterprise organizations increasingly rely on legions of distributed suppliers, remote employees, and third-party contractors to run their business. Devices of all types have proliferated at an exponential rate which in turn have created a fertile and expansive attack surface for cybercriminals.
As if that wasn’t enough, there’s also the ongoing COVID-19 pandemic which has fundamentally transformed how we work and connect – and it’s become increasingly clear that even after the pandemic itself subsides, the way we work and connect won’t ever quite be the same. One survey from Pew Research Center found that more than half of employees, if given the option, would prefer working from home post-pandemic. Many organizations are also looking at hybrid models that support a mix of at-home and in-office arrangements which promise to bring more challenges to resource-strapped security teams.
For the better part of the last two decades, Virtual Private Networks (VPNs) were the cutting edge technology of the day, providing users with a relatively simple and straightforward way to securely access data and resources from outside the fortified confines of the corporate network. While VPNs remain synonymous with secure remote access for many, they are among the most vulnerable components of network security and are being aggressively targeted by threat actors who can piggyback on a compromised connection. While VPNs served a purpose for a time, they were never designed to meet the challenges of today’s hybridized work environments.
Then there is the Bring Your Own Device (BYOD) trend which began in earnest well over a decade ago and has since been further hastened by the pandemic and the sudden need to accommodate millions of remote workers. For many of these workers who connect using their personal devices, onerous corporate security policies have proven frustrating and more prone to taking shortcuts that leave them vulnerable to exploitation.
A Roadmap to Zero Trust Success
The overall objective of a Zero Trust framework is to challenge everyone and anything attempting to connect to the network. Just like you wouldn’t let a stranger into your house and then ask them what they want, Zero Trust directs you to treat the network as hostile until proven otherwise. And it accomplishes this through a software-defined approach to network security whereby bits and bytes are given primacy as a first line of defense versus the unwieldy network appliances that were simply never designed to meet the challenges of today’s distributed network.
A Zero Trust software-enabled framework provides a number of advantages to enterprise organizations looking to wrest back control of their network through:
- Simplified Micro-segmentation: Zero Trust provides a superior framework for facilitating micro-segmentation at the workload or device level, enabling network administrators to restrict devices to specific segments, prevent over-entitlement, and limit lateral threats regardless of device type, network, or location
- Automated Access Control: According to the Verizon DBIR report, human-based network configuration errors continue to be one of the leading causes of data breaches. A software-driven Zero Trust approach can mitigate these avoidable mistakes by automating how, when and where devices are connecting to the network.
- Unified & Seamless Policy Extension: Instead of having to define new rules as devices are added to the network, Zero Trust enables organizations to unify their security policies and extend the principles of ‘least privilege’ access to specific devices independent of underlying architecture.
- Context Aware: Most critically, a Zero Trust Network Access (ZTNA) framework provides contextual access to ensure that the right person, according to the correct conditions, can access the resources they need to do their job and nothing more.
While we are currently living in a time of great uncertainty, there are also opportunities to be found if you are willing to invest the time and effort. In today’s borderless digital reality, adopting a Zero Trust approach enables organizations to dynamically extend and enforce their security controls — and do so on a continuous basis without causing needless frustration to the people who run your business.
Tina Gravel is the Senior Vice President of Channels and Alliances for Appgate, the secure access company that provides cybersecurity solutions for people, devices, and systems based on the principles of Zero Trust security