The term Zero Trust originated with Forrester Research, a leading industry analyst group, in 2009 and the strategy has gained increasing acceptance and adoption amidst the recent torrent of publicly visible cyberattacks. The core of Forrester’s hypothesis was that the fundamental basis of current network architectures and cyber defense thinking was no longer viable. The idea that all internal networks should be considered trusted while external networks should be untrusted was fundamentally wrong. Forrester’s baseline assertion was that all networks and, by implication, all users should be considered untrusted.
Evident in 2009, and increasingly so today, is the fact that current cyber defense strategies seem to be failing at an increasing rate. Today we know that cyberattackers are able to penetrate just about any enterprise, and they often spend many months within the networks, performing reconnaissance and planning their attacks. The key assumption has been that you can keep attackers out - but this just won’t work anymore. You should instead assume that attackers will successfully penetrate the perimeter defense and will gain complete access to your internal networks.
The move to the cloud has also accelerated the movement to Zero Trust. It has extended our vulnerable attack surface in many ways; too much is outside of our control, often depending on the security and management of outside vendors. The wide variety of these platforms extends our expectations for security protection to the providers of platform as a service (PaaS), infrastructure as a service (IaaS), and software as a service (SaaS). Each of these cloud environments brings additional vulnerabilities to your extended enterprise, ranging from unauthorized access by cloud personnel and misconfiguration through to complex vulnerabilities in application programming interfaces (APIs), Java containers, and much more.
Zero Trust best practices and the technologies that support them can be added to your defense in depth deployment, to harden and support your current ecosystem. With a Zero Trust strategy, there is no need to replace your existing infrastructure, only to complement it. Zero Trust also enables your security operations center (SOC) team to focus on the important threats and eliminates much of the noise that distracts them in their day-to-day activity.
Zero Trust is straightforward to implement. You need to define and adopt key Zero Trust policies that align with your current defense in depth deployment. You then need to make decisions about operations, procedures, and best practices and then select and deploy the new technologies required.
This is a partial example of a core set of Zero Trust policies that might fit your organization. It is summarized and abbreviated for purposes of illustrating this article:
You can see that building out a Zero Trust strategy results in an environment which is much more robust and capable of stopping many of the attackers that seek to compromise your on-premises networks and clouds. Further, when cyberattackers do successfully penetrate your networks, Zero Trust will help reduce the time to breach detection, substantially limit or eliminate their ability to cause damage or steal data, and help to promptly mitigate the attack so you can resume normal operations. It enables you to expand incrementally upon the frameworks you have deployed with defense in depth and to build in the protections and resiliency required to meet the growing and challenging cyberthreats that you face, both today and in the future.
To learn more about topics like this and others, mark your calendars for April 1 as the InfoSec World Conference & Expo returns to Orlando, Florida.
Pravin Kothari is CEO at CipherCloud, Inc., a cloud security firm headquartered in Silicon Valley.