The Zero Trust Security Library
Everything you need to know about Zero Trust Security
On Google, there are over 2 million results for Zero Trust security and that’s not including all of the related topics. Every security vendor seems to be talking about Zero Trust, it’s the vogue term right now. However, there’s no single point of truth on the subject, there’s A LOT of content being produced and quite simply, it is confusing.
We’ve set up the Zero Trust Security Library to make it as easy as possible to learn about Zero Trust. We’ll be curating the best articles from around the web, some we’ve produced, some from other experts, and we’ll continue to add new content as and when we find new pieces.
"For a broad overview of Zero Trust, Gartner published their Market Guide for Zero Trust Network Access (ZTNA), which gives an introduces the core concepts, why companies are shifting to this approach to security and recommendations for IT leaders.” - Gartner, Market Guide for Zero Trust Network Access
Zero Trust Security 101
What is Zero Trust Security?
Zero Trust is a network security model designed to handle the challenges of modern IT environments. The way businesses operate has changed; data is stored beyond corporate walls and limitless connections have given rise to remote working. The notion of having a fixed perimeter to protect IT assets is no longer effective, security needs to be dynamic and shift to where data, applications, users and devices are.
The purpose of Zero Trust is to eliminate implicit trust from the network, taking a deny-by-default position instead. Everything that requests access to a corporate service must undergo a strict verification process. There are no exceptions. It doesn’t matter whether a user is on-site or working remotely, if they’re using a corporate-owned device or personal smartphone, Zero Trust is about enforcing consistent security and access controls.
What's the difference between Zero Trust Security, Zero Trust Network Access, Zero Trust Networking etc?
Every cybersecurity vendor wants to be the Xerox, Google or Photoshop of Zero Trust and have their term become the one everyone uses for the category.
Confusion arises when you look at the types of vendors using Zero Trust in their marketing. Different providers include identity, remote access solutions like VPN, VDI, DaaS, device security, DLP, CASB, the list is exhaustive, and there is no real common theme other than Zero Trust. As a result, Zero Trust has become hit with the stigma of another buzzword, much in the same way that ‘digital’ and ‘next-gen’ have been tainted.
It’s important to note that, right now, you can’t go out and simply buy Zero Trust. Zero Trust is a layered security model that requires a drastic tweak in mindset and methodology for IT professionals from the traditional perimeter-based approach. This is why there are so many different types of Zero Trust products available, as they all contribute to building a Zero Trust architecture in various ways.
Why would you adopt Zero Trust?
There are many business, consumer and technology trends that are driving the need for Zero Trust. The workplace is becoming more decentralized both in terms of users and services, which is breaking the existing security model.
Migration to the cloud is a key driver behind the adoption of Zero Trust methodology. Even before the pandemic, 88% of companies were using some form of cloud infrastructure. As digital transformation initiatives continue to accelerate, security is typically left to play catch up.
With data and services moving beyond the corporate perimeter, security and access become more complicated. Companies can’t just create a fixed perimeter to keep the bad guys out anymore; infrastructure has become decentralized and users are remote. With SaaS applications exposed to the public internet, companies need a way of brokering connections to ensure that access is only provisioned to authorized users who are compliant with security requirements.
The COVID pandemic put business continuity plans to the test, and any existing remote access solution was likely scaled to react to the office exodus.
The reality is traditional remote access solutions like VPN aren’t a great fit for modern IT environments and have probably felt the pressure of sustained remote work. They’re insecure, offer a poor end-user experience, are difficult for administrators to configure and manage, but most importantly, they’re incredibly expensive.
Gartner predicts that by 2023, 60% of companies will phase out their VPN in favor of ZTNA. Despite VPN being a trusty mainstay of many companies’ remote access strategy, there is a need to modernize to provide consistent access and security across applications, device types and user groups.
BYOD is a bit of a dirty word in the IT community, but whether you like it or not, your end-users are probably using personal devices to access applications. In fact, 53% of businesses say that staff in their organization regularly use personal devices. The danger of BYOD is companies don’t have control over the device, and no way of ensuring it meets security requirements.
This goes for third parties like contractors, partners, agencies, and so forth making sure they are given the appropriate level of access. It shouldn’t be a matter of having to set up each third party with a VPN connection or the business unit handing over login credentials.
Visibility is needed as to how these users and devices are interacting with your environment. This is where Zero Trust can play an important role, using Conditional Access to ensure that every device goes through rigorous vetting and providing detailed, real-time analytics on behavior.
How are you ensuring that the Finance team only has access to the applications Finance needs? Enforcing least-privilege access is challenging, particularly when businesses are using hundreds of applications, and corporate services aren’t isolated to on-premises environments. What services a user can see and access should be directly tied to their identity and permissions should be dynamically adjusted according to contextual risk factors.
Pressure is on IT teams to enable growth while optimizing costs, supporting a remote workforce and improving business resiliency. Employees expect a consistent experience across all their devices, regardless of where they are, and if security controls get in the way, they’ll often take the path of least resistance.
End users don’t want to go through laborious authentication procedures that have to repeated every time their session drops. The whole purpose of Zero Trust is to provide a security model that doesn’t impinge on productivity by providing a unified security and access experience across all applications (cloud and on-premises), devices (mobile, tablet, laptops) and user groups (employees, contractors, partners etc) all managed from one portal, not multiple point solutions strung together.
Components of Zero Trust
Zero Trust & Identity
Identity is a central component of Zero Trust security, mandating that every user goes through a strict verification process, a username and password will not suffice. Many businesses start Zero Trust projects by deploying identity services such as a cloud-delivered directory, single sign-on (SSO) and multifactor authentication (MFA).
Nothing found.
Zero Trust & Devices
As well as identity, device risk posture is an equally important component of Zero Trust. Just because Dave from HR is who he says he is, it doesn’t mean that he hasn’t inadvertently downloaded malware or is using a risky connection. Understanding the health of a device needs to be factored into the access decision to ensure that it meets minimum security requirements.
Nothing found.
Zero Trust, Applications, Infrastructure & Data
The ultimate goal of Zero Trust is to better protect your data, and therefore controls need to be placed across the entire application stack. Zero Trust moves access to an application-centric model, rather than network-centric, reducing overprivileged access to resources irrelevant to a user’s role. Workloads need to be categorized and divvied up based on purpose, users who need access as well as criticality. Microsegmentation can then be used to isolate workloads limiting lateral movement.
Nothing found.
