‘Endpoint security’, ‘perimeter security’, ‘security by obscurity’, ‘layered security’: these are some of the approaches still used today to safeguard business and personal networks. In spite of them, data breaches, ransomware attacks and other novel ways of stealing personal and corporate data are at an all-time high. 2019 was reported as the worst year yet for data breaches: a total of 7,098 reported breaches exposed 15.1 billion records. Personal data is offered for sale on the ‘dark web’ and corporate networks are being exposed all the time.
In addition, a digital transformation is sweeping across the workplace. Employees working from home, employees accessing their work from multiple devices (BYOD) and cloud technologies entering the corporate scene are some of the ways in which this transformation is taking place.
The need of the hour, then, is a new strategy that takes this transformation into account and creates paradigms that mitigate attacks and reduce the number of cyber incidents.
‘Zero Trust Security’ and ‘Zero Trust Architecture’ have evolved out of this thinking and are gradually being adopted by corporations.
What is ‘Zero Trust Security’?
‘Zero Trust Security’ moves away from the traditional thinking of securing only the perimeter of a network. It secures the resources themselves in addition to the network. It takes a ruthless approach to reducing cyber attacks: nobody is trusted simply because they are inside the network, which effectively makes the network perimeterless.
Traditionally, once a firewall was erected at the perimeter of the network with appropriate rules, that was deemed enough to keep the bad actors out. But what if the bad actors do penetrate the network? Will they be able to roam freely inside it, accessing all the resources? Unfortunately, yes.
Zero Trust Security and its core concepts solve this problem.
What are the ‘Zero Trust ideals’?
‘Zero Trust security’ is based on the ideals of authentication, authorization, access control and least privilege.
‘Authentication’ is probably the oldest concept in information security and the foundation for all InfoSec domains. It is proving that you are who you claim to be. This is traditionally done with a username and password combination, increasingly strengthened with a second factor such as a one-time code or a hardware security key.
Once you present the right username-password combination, you are said to be “authenticated”.
Authorization is another fundamental concept in information security: after verifying your role, it determines which resources (such as a file or a printer) you may access.
An individual must be first authenticated before he/she is authorized.
‘Access control’, as the name suggests, restricts access to the various resources based on the requester’s role. Authentication and authorization are components of access control.
The ‘principle of least privilege’ ensures that users and services hold only the minimum permissions needed to do their job. This means that even if a hacker gains access to an organization’s network, he/she is prevented from travelling freely laterally and accessing other resources within the organization.
If they need access to more resources, they must be authenticated and authorized again with the appropriate credentials; each access request is evaluated on its own.
The principle of least privilege goes a long way in enforcing ‘Zero Trust security’.
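To make the four ideals concrete, here is a small policy decision point written for this article as an added example; it is not code from the original page and not code from Google’s BeyondCorp or any vendor product. The session table, device inventory and policy grants are constructed sample data, and the function names (`authenticate`, `device_healthy`, `authorize`, `decide`) are the example’s own. Every request is authenticated, checked for device posture and then authorized against an explicit allow-list; anything not listed is denied (default deny is what least privilege looks like in code), and the source IP is accepted as input only to show that it plays no part in the decision.

```python
"""Toy zero-trust policy decision point (PDP).

Added example, not code from the original article or from any vendor.
Every request is judged on its own merits: the caller's authenticated
identity, the strength of that authentication, the posture of the
device, and an explicit allow-list of (role, resource, action) grants.
Network location is deliberately NOT an input, and anything not
explicitly allowed is denied (default deny = least privilege).
The sessions, devices and policy table are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

# Session tokens -> identity. In a real deployment the identity provider
# would issue and validate these (for example signed OIDC tokens).
SESSIONS: Dict[str, dict] = {
    "tok-alice": {"user": "alice", "roles": {"engineer"}, "mfa": True},
    "tok-bob":   {"user": "bob",   "roles": {"finance"},  "mfa": False},
}

# Device inventory: only managed, encrypted, patched devices count as healthy.
DEVICES: Dict[str, dict] = {
    "laptop-01": {"managed": True, "disk_encrypted": True,  "patched": True},
    "laptop-02": {"managed": True, "disk_encrypted": False, "patched": True},
}

# Least-privilege policy: explicit (role, resource, action) grants only.
POLICY: FrozenSet[Tuple[str, str, str]] = frozenset({
    ("engineer", "source-repo", "read"),
    ("engineer", "source-repo", "write"),
    ("finance",  "payroll-app", "read"),
})

# Actions that additionally require a second authentication factor.
MFA_REQUIRED_ACTIONS = {"write"}


@dataclass
class Request:
    session_token: Optional[str]
    device_id: Optional[str]
    resource: str
    action: str
    # Carried only to show it is ignored: an "internal" address earns no trust.
    source_ip: str = "0.0.0.0"


@dataclass
class Decision:
    allowed: bool
    reason: str


def authenticate(token: Optional[str]) -> Optional[dict]:
    """Authentication: return the identity bound to a session token, or None."""
    if token is None:
        return None
    return SESSIONS.get(token)


def device_healthy(device_id: Optional[str]) -> bool:
    """Device posture: must be a known managed, encrypted and patched device."""
    dev = DEVICES.get(device_id or "")
    return bool(dev and dev["managed"] and dev["disk_encrypted"] and dev["patched"])


def authorize(identity: dict, resource: str, action: str) -> bool:
    """Authorization: one of the identity's roles must hold an explicit grant."""
    return any((role, resource, action) in POLICY for role in identity["roles"])


def decide(req: Request) -> Decision:
    """Evaluate one request: authenticate, check posture, then authorize."""
    identity = authenticate(req.session_token)
    if identity is None:
        return Decision(False, "unauthenticated")
    if not device_healthy(req.device_id):
        return Decision(False, "device posture failed")
    if req.action in MFA_REQUIRED_ACTIONS and not identity["mfa"]:
        return Decision(False, "mfa required for this action")
    if not authorize(identity, req.resource, req.action):
        return Decision(False, f"no grant for {identity['user']} on {req.resource}:{req.action}")
    return Decision(True, f"{identity['user']} may {req.action} {req.resource}")


if __name__ == "__main__":
    cases = [
        # Coffee-shop address, valid session, MFA, healthy device: allowed.
        Request("tok-alice", "laptop-01", "source-repo", "write", source_ip="203.0.113.7"),
        # "Internal" 10/8 address but no session: denied regardless of location.
        Request(None, "laptop-01", "source-repo", "read", source_ip="10.0.0.5"),
        # Valid user reaching for a resource outside their role: denied.
        Request("tok-alice", "laptop-01", "payroll-app", "read"),
        # Valid user on an unhealthy (unencrypted) device: denied.
        Request("tok-bob", "laptop-02", "payroll-app", "read"),
    ]
    for c in cases:
        d = decide(c)
        print(f"{'ALLOW' if d.allowed else 'DENY':5} {c.source_ip:>12} {c.resource}:{c.action} -> {d.reason}")
```

Running the script prints one line per case; the second case is the one that matters for the argument above: a request from the “inside” address is refused because it carries no identity, while the request from a public address is granted because identity, factor strength, device posture and an explicit grant all check out. In a real deployment the checks would be backed by an identity provider, a device inventory and a policy store rather than in-memory dictionaries, and the decision would be enforced at a proxy or gateway in front of each application.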
Having seen what is meant by ‘Zero Trust Security’ and its ideals, let’s next look at what is meant by ‘Zero Trust Architecture’.
Zero Trust Architecture:
‘Zero Trust Architecture’ is a model for computer networks based on ‘Zero Trust’ concepts. It involves changing the entire infrastructure from a perimeter-based model into a ZT model. A ZTA “encompasses component relationships, workflow planning and access policies” (NIST SP 800-207, Zero Trust Architecture).
Even though ZTA, or Zero Trust Architecture, may be touted as the ideal model for computer systems today, the transformation from traditional perimeter-based systems to ZTA cannot happen overnight. For quite some time both types of systems will work in tandem, and the transition to the new model will be gradual.
A practical example of Zero Trust:
Many organizations may still be trying to get a grip on ZT and pondering how they will convert their businesses to ZTA.
However, ‘Zero Trust Security’ has already been implemented by Google, after Chinese hackers breached its servers in the attack disclosed in 2010 (Operation Aurora). Google started BeyondCorp, an internal initiative based on the zero trust approach. BeyondCorp enables Google employees to work without a VPN from a coffee shop, home, an airport or anywhere else. Every user accessing the corporate network is considered an untrusted agent, and access to each application is granted according to rules and policies evaluated for that user and device.
In the wake of the current pandemic, BeyondCorp’s Zero Trust strategy has worked out very well for 100,000 Google employees and 100,000 contractors, and it is now offered to customers through Google Cloud.
With Google paving the way with its ZT approach, more organizations will surely move to a Zero Trust approach soon and enhance their security posture.
We hope this article on ‘Zero Trust Security’ has shed new light on another illuminating concept in information security. Stay tuned for more articles, and for more on InfoSec Train’s latest certifications, visit us at this link.