These days, many enterprises and organisations are putting 'Zero Trust' at the forefront of their cyber security strategy. Therefore, it is hard to assert that a proper security strategy can be established without Zero trust. So, is this a new trend? Or is this a new standard that you must follow?
Most people will agree that zero trust is now regularly discussed in regard to cyber security globally. However, it is not a new concept. It already exists in cyber security and has done for a long time. Rather, the recent attention of zero trust is due to the reckless use of trendy keywords by organisations trying to preoccupy them. It would be great if it was used for a positive change in cyber security strategy, but unfortunately zero trust has become a marketing keyword that you must add to your products if you work in cyber security, which has resulted in the term losing its principal direction or original purpose.
Vulnerabilities in Traditional Security Policy Raised by Zero Trust
When IBM computers were used in the 1980s, computer security meant that you should maintain a very secure network with strict network access control through user identification. As the Internet spread widely across the globe, organisations divided their internal networks from external networks to protect their mission-critical systems. As a result, external networks became a lawless zone dominated by gangsters.
Even today, most organisations have been using this castle-and-moat security model to protect their internal data. Security solutions such as a firewall, IPS, IDS, and anti-virus are installed in front of the gate to allow only permitted users to cross the bridge to the castle – aka, internal system. It would be fantastic if the castle-and-moat could completely block external threats, but one should acknowledge that this model can't prevent threats by insiders or security breaches through email.
Here comes zero trust. It asserts that all access is not secure, so blocks all risks in advance by providing limited privileges based on various system elements such as users, networks, and workflows. NIS defines zero trust and zero trust architecture as follows:
Zero trust (ZT) provides a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as compromised. Zero trust architecture (ZTA) is an enterprise’s cybersecurity plan that utilizes zero trust concepts and encompasses component relationships, workflow planning, and access policies. Therefore, a zero trust enterprise is the network infrastructure (physical and virtual) and operational policies that are in place for an enterprise as a product of a zero trust architecture plan.
7 Principles of Zero Trust
Does zero trust equate to narrowing the bridge connected with the castle - internal networks? No, rather the opposite. Many definitions and discussions of zero trust highlight the concept of removing wide perimeter security (e.g., corporate firewalls). A zero trust architecture is designed and deployed in compliance with the 7 basic principles of zero trust as follows:
1. All data sources and computing services are considered resources.
2. All communication is secured regardless of network location.
3. Access to individual enterprise resources is granted on a per-session basis.
4. Access to resources is determined by dynamic policy—including the observable state of client identity, application/service, and the requesting asset—and may include other behavioural and environmental attributes.
5. The enterprise monitors and measures the integrity and security posture of all owned and associated assets.
6. All resource authentication and authorization are dynamic and strictly enforced before access is allowed.
7. The enterprise collects as much information as possible about the current state of assets, network infrastructure and communications and uses it to improve its security posture.
Misconceptions and Understanding of Zero Trust
Many organisations who have it engraved in their minds to protect the existing traditional security model are unfamiliar with zero trust, which insists that the moat must be filled and the gates open to protect the castle. In fact, it is difficult to find a case where even one of the 7 principles is properly implemented and operated in reality. It is because, in order to fulfil any of the 7 principles, it is inevitable that company-wide investment and efforts will follow, and above all, a change of Copernican mindset is required to accept zero trust.
So, is zero trust just fool's gold? Absolutely not. Zero trust is real but successfully implementing it’s core principles requires a lot of time, money, and organisational change in advance, and thus there seems to be a significant gap between expectations and reality. However, in today's open IT environment where cloud and DevOps are commonplace, we’ve continued to block the main gate, whilst becoming acutely aware now there are too many other open doors that are not even monitored.
Existing security policies that only focus on confidentiality and integrity are severely undermining business availability, and will only get worse with the advent of new threats in cyber security. As the limitations of the existing security model are gradually becoming clearer, zero trust has sufficient qualifications to become the saviour of the dying security model. Now, how to materialize abstract and broad concepts into reality is of utmost importance.
