{"id":2130,"date":"2025-02-28T09:00:00","date_gmt":"2025-02-28T09:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=2130"},"modified":"2025-02-28T09:00:00","modified_gmt":"2025-02-28T09:00:00","slug":"what-is-zero-trust-the-security-model-for-a-distributed-and-risky-era","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=2130","title":{"rendered":"What is zero trust? The security model for a distributed and risky era"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<h2 class=\"wp-block-heading\">What is zero trust?<\/h2>\n<p>Zero trust is a cybersecurity model or strategy in which no person or computing entity is considered inherently trustworthy, regardless of whether they are inside or outside the organization\u2019s network. It\u2019s distinct from a more traditional way of thinking about computer networks that considers that everything inside some defined boundary \u2014 everyone on a corporate network, say, or everything on the right side of a <a href=\"https:\/\/www.networkworld.com\/article\/964448\/what-is-a-firewall-perimeter-stateful-inspection-next-generation.html\">firewall<\/a> \u2014 was allowed access to data or resources. In organizations where zero trust reigns, users must be authenticated and authorized whether they\u2019re inside corporate HQ or logging on from a Starbucks public Wi-Fi network.<\/p>\n<p>In zero trust, the principle of least privilege prevails: Systems and data are locked down by default, and access is granted only to the extent necessary to meet defined goals. 
While traditional security might be summed up by Ronald Reagan\u2019s motto \u201ctrust, but verify,\u201d the rallying cry of the zero trust infosec warrior is \u201cnever trust, always verify.\u201d<\/p>\n<p>The term zero trust was introduced into the cybersecurity world by <a href=\"https:\/\/www.virtualstarmedia.com\/downloads\/Forrester_zero_trust_DNA.pdf\">Forrester analyst John Kindervag in 2010<\/a>, though he was building on existing ideas. The idea took the better part of a decade to go mainstream, but <a href=\"https:\/\/www.csoonline.com\/article\/656108\/most-organizations-globally-have-implemented-zero-trust.html\">more and more organizations<\/a> have been <a href=\"https:\/\/www.csoonline.com\/article\/1249027\/9-in-10-organizations-have-embraced-zero-trust-security-globally.html\">getting on board with zero trust over the course of the 2020s<\/a>. \u201cZero trust architecture is becoming more popular as organizations face increasingly sophisticated cyberthreats,\u201d says Kevin Kirkwood, CISO at Exabeam. \u201cThe general concept for the model is to find ways to limit the blast radius of damage that could be caused by a bad actor, as well as slowing down that bad actor across the known network of systems.\u201d<\/p>\n<h2 class=\"wp-block-heading\">How zero trust works<\/h2>\n<p>To visualize how zero trust works, consider a simple case: a user accessing a shared web application. Under traditional security rules, if a user was on a corporate network, either because they were in the office or connected via a <a href=\"https:\/\/www.networkworld.com\/article\/965554\/understanding-virtual-private-networks-and-why-vpns-are-important-to-sd-wan.html\">VPN<\/a>, they could simply click the application and access it; because they were inside the security perimeter, they were assumed to be trustworthy.<\/p>\n<p>Zero trust takes a different approach. 
In a zero trust environment, the user must authenticate to use the application, and the application must make sure the user\u2019s credentials match with someone who has the right access privileges. This ensures that someone who has managed to slip onto the corporate network can\u2019t access restricted data or functionality. Moreover, the lack of trust goes both ways: The user should be able to authenticate the application as well, with a signed digital certificate or similar mechanism. This ensures the user doesn\u2019t accidentally encounter or activate malware.<\/p>\n<p>Given the number of interactions with systems and data a typical user encounters in a day, the scope of what zero trust must cover is considerable. \u201cAll requests for access [must] meet the standards of the zero trust architecture,\u201d says Jason Miller, founder and CEO of BitLyft, a leading managed security services provider. \u201cCommon attributes for verification include geographic location, user identity, and type of device. As you might guess, this requires continuous monitoring. This is the only way to validate a specific user and their device.\u201d<\/p>\n<h2 class=\"wp-block-heading\">How to build a zero trust architecture<\/h2>\n<p>\u201cThe core architecture of a zero trust model \u2014 using a building as a foundation for the description of the architecture \u2014 is defined by your willingness to control the access of folks at the front door, and then by ensuring that they are authorized to enter any room in the house,\u201d says Exabeam\u2019s Kirkwood. \u201cBy requiring continuous authentication and strict access controls, zero trust ensures that all users and entities are verified before accessing critical resources, making it harder for attackers to penetrate deep enough into the network to cause major damage.\u201d<\/p>\n<p>One important thing to keep in mind about zero trust architecture: You can\u2019t just go out and buy it. 
\u201cThere are no \u2018zero trust products,\u2019\u201d says Darren Williams, founder and CEO of exfiltration and ransomware prevention firm BlackFog. \u201cZero trust architecture is an approach to managing your existing network infrastructure. It is not a rip-and-replace solution for improving cybersecurity.\u201d<\/p>\n<p>Instead, you can implement a zero trust architecture by adapting your existing architecture or rolling out new systems. The important thing is that you adhere to these zero trust principles:<\/p>\n<p><strong>Least privilege: <\/strong>Users should have only the access they need to do their jobs and no more. This minimizes the exposure of sensitive data or applications.<\/p>\n<p><strong>Multifactor authentication: <\/strong>The zero trust philosophy extends to user logins: Someone might have the right username and password, but what if those credentials have been compromised? <a href=\"https:\/\/www.csoonline.com\/article\/563753\/two-factor-authentication-2fa-explained.html\">Multifactor authentication<\/a>, which requires a credential beyond the password, is a good way to make sure someone is who they say they are.<\/p>\n<p><strong>Microsegmentation: <\/strong>Instead of thinking of a corporate network as a big safe playground, you should be <a href=\"https:\/\/www.csoonline.com\/article\/570029\/how-network-segmentation-mitigates-unauthorized-access-risk.html\">dividing it into a number of smaller zones<\/a>, each of which requires authentication to enter. This can <a href=\"https:\/\/www.csoonline.com\/article\/658539\/organizations-turn-to-zero-trust-network-segmentation-as-ransomware-attacks-double.html\">prevent an attacker from moving laterally<\/a> if they do gain a foothold on the network, limiting the \u201cblast radius\u201d of a successful cyberattack and restricting them to a microsegment where they can be quarantined.<\/p>\n<p><strong>Continuous monitoring, verification, and context collection. 
<\/strong>To make these principles possible, your infrastructure must constantly monitor network activity, verify users (both human and automated), and collect information from the entire IT stack to spot anomalies.<\/p>\n<p>Implementing these principles in practice is no easy task, and requires an array of tools, including:<\/p>\n<p><a href=\"https:\/\/www.csoonline.com\/article\/570655\/8-top-identity-and-access-management-tools.html\">Comprehensive identity management<\/a><\/p>\n<p>Application-level access control<\/p>\n<p><a href=\"https:\/\/www.csoonline.com\/article\/553329\/user-entity-behavior-analytics-next-step-in-security-visibilty.html\">User and entity behavior analytics<\/a><\/p>\n<p>Network detection and response (NDR) tools<\/p>\n<p><a href=\"https:\/\/www.csoonline.com\/article\/653052\/how-to-pick-the-best-endpoint-detection-and-response-solution.html\">Endpoint detection and response (EDR) solutions<\/a><\/p>\n<p>Ashish Shah, co-founder at Andromeda Security, adds that artificial intelligence tools are helping more organizations move toward zero trust, which in turn is boosting the model\u2019s popularity. With AI, you can \u201cautomate high-risk requests with intelligence to improve access without slowing down operations,\u201d he says.<\/p>\n<p>In 2021, the US Federal Government issued <a href=\"https:\/\/csrc.nist.gov\/pubs\/sp\/800\/207\/final\">NIST SP 800-207<\/a>, a document laying out one version of a zero trust architecture. This is the framework used by US government agencies, and you can use it as a resource for your own organization as well. 
You might also want to check out CSO\u2019s \u201c<a href=\"https:\/\/www.csoonline.com\/article\/654427\/5-practical-recommendations-implementing-zero-trust.html\">5 practical recommendations for implementing zero trust<\/a>.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Zero trust and VPNs<\/h2>\n<p>One venerable security technology that isn\u2019t on the list of potential zero trust elements: <a href=\"https:\/\/www.networkworld.com\/article\/965554\/understanding-virtual-private-networks-and-why-vpns-are-important-to-sd-wan.html\">virtual private networks<\/a>, or VPNs. In a pre-zero trust world, a VPN offered a secure connection between a corporate network and a computer outside that network, allowing access to internal resources. From the corporate network\u2019s perspective, a computer connected by a VPN is inside the network.<\/p>\n<p>But because zero trust moves beyond being \u201cinside\u201d or \u201coutside\u201d a secure network, it replaces VPNs with an array of granular tools for authenticating and authorizing users, and for assessing the potential threat posture of user devices based on a wide array of signals, of which the user\u2019s network location is just one.<\/p>\n<h2 class=\"wp-block-heading\">Zero trust benefits and drawbacks<\/h2>\n<p>Hopefully many of the benefits of the zero trust model are clear at this point. It represents a heightened security posture adapted to a world where \u201cinside\u201d and \u201coutside\u201d are meaningless from a network security perspective. Between distributed workforces and an increasing reliance on cloud computing and SaaS applications, it makes more sense to assume a legitimate \u2014 or illegitimate \u2014 connection could come from anywhere and assess risks accordingly. 
The zero trust mindset also assumes that a breach is a matter of when, not if \u2014 and by mandating segmented networks, zero trust prepares you to minimize the effects of those breaches.<\/p>\n<p>Zero trust also lays a solid foundation for security expectations in the modern age. \u201cZero trust isn\u2019t just another buzzword,\u201d says Bryan Hornung, CEO of Xact IT. \u201cIt\u2019s one of the quickest ways for companies to tick those compliance boxes. More and more IT leaders are realizing that if you set up zero trust correctly, dealing with all regulations will be easier. It\u2019s becoming a no-brainer for modern security.\u201d<\/p>\n<p>But, he adds, there are drawbacks, too: \u201cIt\u2019s not all smooth sailing. Companies need to brace themselves for a ton of alerts and tighter controls on computers and devices. That means you\u2019ll need more IT resources to help employees or improve processes with automation.\u201d<\/p>\n<p>Exabeam\u2019s Kirkwood concurs. \u201cIt can reach a point where it may slow down the business too much and trade-offs will have to occur to ensure the flexibility and viability of business operations while ensuring the integrity goals of systems are met,\u201d he says. \u201cIt should be the goal of every company or sector to determine what the risk tolerance is and define zero trust that will fit into the tolerance level. You can define a system that is as safe as Fort Knox, but you might also build something so inflexible that you can\u2019t get the gold (or your data) out.\u201d<\/p>\n<p>You should also keep in mind that zero trust isn\u2019t a security panacea. 
CSO breaks down \u201c<a href=\"https:\/\/www.csoonline.com\/article\/651393\/5-areas-zero-trust-cant-protect-organizations.html\">5 areas where zero trust can\u2019t protect your organization<\/a>.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Zero trust best practices<\/h2>\n<p>Thinking about transitioning to a zero trust model for your organization\u2019s IT security? David Redekop, founder and CEO of ADAMnetworks, suggests the following best practices to guide you as you plan your rollout:<\/p>\n<p>\u201cKnow what you are trying to protect and start with the crown jewels. Build policies that align with what those particular systems require.\u201d<\/p>\n<p>\u201cTake a methodical approach with your policy engine and ramp up slowly.\u201d<\/p>\n<p>\u201cUtilize test devices and users to ensure a policy won\u2019t disrupt the business prior to moving whole business units into a new policy.\u201d<\/p>\n<p>\u201cMoving to a zero trust architecture organization takes time and patience,\u201d he says. 
But he believes the move is worth it: it will \u201ctake you from a reactive security posture to a proactive security posture.\u201d Good luck on your journey!<\/p>\n<p><strong>More on zero trust:<\/strong><\/p>\n<p><a href=\"https:\/\/www.csoonline.com\/article\/571067\/7-tenets-of-zero-trust-explained.html\">7 tenets of zero trust explained<\/a><\/p>\n<p><a href=\"https:\/\/www.csoonline.com\/article\/654427\/5-practical-recommendations-implementing-zero-trust.html\">5 practical recommendations for implementing zero trust<\/a><\/p>\n<p><a href=\"https:\/\/www.csoonline.com\/article\/571345\/6-zero-trust-myths-and-misconceptions.html\">6 zero trust myths and misconceptions<\/a><\/p>\n<p><a href=\"https:\/\/www.csoonline.com\/article\/571341\/5-steps-toward-real-zero-trust-security.html\">5 steps toward real zero trust security<\/a><\/p>\n<p><a href=\"https:\/\/www.csoonline.com\/article\/651393\/5-areas-zero-trust-cant-protect-organizations.html\">5 areas where zero trust can\u2019t protect your organization<\/a><\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>What is zero trust? Zero trust is a cybersecurity model or strategy in which no person or computing entity is considered inherently trustworthy, regardless of whether they are inside or outside the organization\u2019s network. 
It\u2019s distinct from a more traditional way of thinking about computer networks that considers everything inside some defined boundary \u2014 everyone on [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":2131,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-2130","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2130"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2130"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2130\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/2131"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2130"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2130"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2130"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}