Zero Trust security has recently reached new heights of significance with a series of endorsements from corporate giants and government bodies alike. These endorsements further validate the wide-scale adoption of the Zero Trust model.
Verizon – one of the world’s largest telecommunications conglomerates – inaugurated its own Zero Trust architecture in late 2019. By embedding a Software-Defined Perimeter over its private IP networks, Verizon created a Zero Trust architecture for its private IP and ethernet customers. The company’s Vice President of product management and development, Vickie Lonker, said that with this development, “all users are isolated from the corporate network but are still able to directly access their authorised applications. It’s all about protecting corporate data, but also enabling people to do their job.” The announcement signifies a resounding endorsement of Zero Trust, but it was just one among a growing number.
Even more recently, the National Aeronautics and Space Administration (NASA) announced that it would be pursuing Zero Trust Principles in part to secure the connections between its systems and its satellites.
In August 2020, the US National Institute of Standards and Technology (NIST) published its own Zero Trust architecture, which doesn’t just endorse the model but shows enterprises the way towards building their Zero Trust deployment models and use cases.
The examples go on. A 2020 Pulse Secure Survey found that 72% of organisations were planning on implementing Zero Trust security in their environments. These trends signal a broader migration to Zero Trust principles, and these endorsements may accelerate it further.
While there are multiple potential paths an enterprise can take towards achieving Zero Trust, there is no one piece of technology or vendor that can bring you there. In short, Zero Trust is both an architectural model for networks and a framework for setting security policies.
Zero Trust security draws a lot from the Principle of Least Privilege (POLP), a policy in which end-users are given the minimum amount of access they need to carry out their jobs. This helps reduce pathways and exposure to malware and attackers, and the chances of data exfiltration. In IT, we allot privileges based on trust. Hence, a Zero Trust network is one that does not automatically grant trust to any entity: user, device, or network.
In traditional perimeter networks — the kind that we’ve relied on for years — users authenticate at the perimeter edge and are then commonly granted wide-ranging access to the data and systems inside: “Permit the good and deny the bad” as the saying goes. Yet these networks were built at a time when we could build strong walls and rigorously control and watch who and what came in. With IoT proliferation, increased remote workforce, cloud adoption, and digital transformation, those walls are no longer so solid.
When Forrester first published its concept of Zero Trust in 2010, they declared that the architects of the current enterprise network thought about infrastructure and neglected data: “Networking professionals built legacy networks from the outside in.” That is to say, those architects built from the internet-connected network edge inwards, and focused on connectivity as opposed to security.
That process, they added, “is untenable today. Cyberthreats have increased, while various laws and regulations track security postures more closely than ever. Shifting traffic flows and threats are forcing changes to the way we build and operate networks. We must build tomorrow’s networks securely from inception.”
The Zero Trust model promises to overhaul those tired concepts and protect the data at the level of the data while analyzing and authenticating connected entities throughout their interaction with the network and the systems within.
The global pandemic is also likely to speed along the adoption of Zero Trust security. Covid-19 forced companies the world over to batten down the hatches and send their workforces home. As a result, many had to enable mass remote workforce capability and functionality directly from their living rooms, kitchens, and home offices for hundreds, sometimes thousands of staff.
Zero Trust trusts no entity by default and constantly authenticates that entity throughout its network sessions, so it seems a good fit when dealing with potentially insecure networks, users, and home devices – flung far from the security of the traditional network perimeter.
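The contrast between the perimeter model and per-request Zero Trust evaluation, as an added sketch that is not code from Verizon, NIST or Forrester. All names, the 15-minute re-authentication limit, the grants and the session data are constructed assumptions.

```python
from dataclasses import dataclass

MAX_AUTH_AGE_S = 900  # assumed policy: identity must be re-proved every 15 minutes

# Constructed least-privilege grants: each user gets only the apps the job needs.
GRANTS = {"alice": {"payroll-app"}, "bob": {"wiki"}}

@dataclass
class Request:
    user: str
    resource: str
    inside_perimeter: bool  # arrived via the corporate LAN
    device_compliant: bool  # posture signal, e.g. managed and patched
    auth_age_s: int         # seconds since the user last authenticated

def perimeter_decision(req: Request) -> bool:
    """Traditional model: once past the edge, everything inside is reachable."""
    return req.inside_perimeter

def zero_trust_decision(req: Request) -> tuple[bool, str]:
    """Evaluated on every request; network location grants nothing."""
    if req.auth_age_s > MAX_AUTH_AGE_S:
        return False, "stale authentication"
    if not req.device_compliant:
        return False, "device fails posture check"
    if req.resource not in GRANTS.get(req.user, set()):
        return False, "no explicit grant"  # default deny
    return True, "allowed"

def evaluate_session(requests):
    """Run both models over each request: (resource, perimeter, zt_ok, zt_reason)."""
    return [(r.resource, perimeter_decision(r), *zero_trust_decision(r))
            for r in requests]

# Constructed session: alice works from home and her device drifts out of
# compliance mid-session; bob sits on the office LAN.
SESSION = [
    Request("alice", "payroll-app", False, True, 60),
    Request("alice", "wiki", False, True, 120),
    Request("alice", "payroll-app", False, False, 300),
    Request("alice", "payroll-app", False, True, 1200),
    Request("bob", "payroll-app", True, True, 30),
]

if __name__ == "__main__":
    for row in evaluate_session(SESSION):
        print(row)
```

The first and last rows show the two models disagreeing in both directions: the remote user is blocked by the perimeter check yet allowed to her one granted application, while the on-LAN user passes the perimeter check but is denied an application he has no grant for.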
Remote working was on an upward trend before the pandemic and is likely to continue for long after. So will Zero Trust security.
Zero Trust implementation is on an upward trajectory – the Zero Trust market in the US is expected to grow to $38.6 billion by 2024, and the wider world is taking notice. The adoption of Zero Trust by bodies like Verizon may yet do much to endorse Zero Trust security in the minds of smaller companies – it’s up to them to follow through.