The Origins of Zero Trust
The Zero Trust model was established in 2010 by Forrester analyst John Kindervag and has enjoyed a fascinating and somewhat tumultuous 10-year history. It was born out of a period of increased and sustained breach activity, combined with a growing frustration that existing security approaches were falling short of addressing these new challenges. Organizations were struggling to deal with attackers once they had crossed the traditional network perimeter and entered the later stages of the attack lifecycle, where the intent was to perform reconnaissance, obtain increasingly powerful credentials and move laterally.
The model was forward-looking for its time, in many ways. It can be considered the effective inception of an interesting viewpoint that had long-lasting reverberations throughout the information technology and security communities. The view was that the traditional network perimeter, so long depended on by organizations, was starting to become less relevant. It shouldn’t be viewed, by itself, as a fundamental protection an organization can rely on.
What is Zero Trust?
The fundamental precept of the Zero Trust model is that no user or device should be trusted implicitly, regardless of the organization’s network perimeter. Whether you are inside or outside of that perimeter, you must prove your authenticity before being able to access sensitive resources.
Having been born out of a time where the network was largely the focus of security, one can definitely see that in the model’s recommendations. The three basic concepts of Zero Trust involve trust at the network level:
- Eliminating the idea of an internal trusted network
- Utilizing the concept of network segmentation to restrict access to parts of the network you deem sensitive to only those who need it
- A requirement that all network traffic be logged and inspected at all trust boundaries set up through your segmentation
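As an added example (not code from the original post), the Python below contrasts a perimeter-based access decision with one that applies the three concepts above: no implicit trust for the "internal" network, per-segment restriction by identity and device posture, and a log entry for every decision at a segment boundary. The network range, segments, roles and requests are all constructed for illustration.

```python
# Added example, not from the original post: a minimal access-policy evaluator.
# All networks, segments, roles and requests below are constructed values.
from dataclasses import dataclass
import ipaddress

CORP_NET = ipaddress.ip_network("10.0.0.0/8")  # constructed "internal" range

# Per-segment access rules (constructed). Trust is derived from the proven
# identity and device posture of the requester, never from the source address.
SEGMENT_ACL = {
    "payroll-db": {"roles": {"finance"}, "require_managed_device": True},
    "wiki": {"roles": {"finance", "engineering"}, "require_managed_device": False},
}

@dataclass
class Request:
    user: str
    role: str
    src_ip: str
    mfa_verified: bool     # identity proven via a second factor
    managed_device: bool   # device posture known and acceptable
    segment: str           # trust boundary the request wants to cross

BOUNDARY_LOG: list = []  # every cross-boundary decision is recorded here

def perimeter_allows(req: Request) -> bool:
    """Legacy model: anything originating 'inside' is implicitly trusted."""
    return ipaddress.ip_address(req.src_ip) in CORP_NET

def zero_trust_allows(req: Request) -> bool:
    """Zero Trust: no internal trusted network, per-segment restriction, and
    every decision at the boundary is logged (allowed or not, with reasons)."""
    acl = SEGMENT_ACL.get(req.segment)
    reasons = []
    if acl is None:
        reasons.append("unknown segment")
    else:
        if not req.mfa_verified:
            reasons.append("identity not proven (no MFA)")
        if req.role not in acl["roles"]:
            reasons.append("role not permitted for segment")
        if acl["require_managed_device"] and not req.managed_device:
            reasons.append("unmanaged device")
    allowed = not reasons
    BOUNDARY_LOG.append({"user": req.user, "src": req.src_ip,
                         "segment": req.segment, "allowed": allowed,
                         "reasons": reasons})
    return allowed
```

Note that the source address never appears in `zero_trust_allows` except in the log record: a request from inside `CORP_NET` without MFA is denied, while a fully verified request from outside it is allowed.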
Is the Zero Trust Model Still Relevant Today?
Fast forward 10 years: we now know that the traditional network perimeter is not only fading, it has completely shattered. While a “perimeter”-based mindset is still relevant to a security architect or analyst, the 10 years since the model’s creation have seen a tectonic shift in the way we do business. While many will argue “digital transformation” has been relegated to buzz-term status, one must remember that buzz terms are often rooted in reality. Digital transformation is not just a buzz term: organizations are literally, and rapidly, transforming the way they operate. They are moving internal business operations and external lines of business, as well as their supporting data, to the cloud. Such a fundamental shift in business operations brings monumental new challenges, as businesses engage more with each other and ultimately more closely with the end users that constitute their customer base.
With this also comes a fundamental change in the architecture that makes up our organizations. The isolated “four-walled” design is gone, and organizations today are often a hybrid of on-premises and cloud resources. We must also be careful not to limit our focus to web-based applications. The workforce and the rapidly growing consumer base are demanding access in an increasingly mobile marketplace and across a variety of devices.
What does this all mean? It means that identity is now the glue that binds modern organizations together. It is not just an element of modern security; it defines modern security. Across all devices, across all resources, across all data stores: identity must be protected as attackers increasingly turn their attention towards it. The beauty of all this: many of the concepts that the Zero Trust Model puts forth fit into identity-defined security perfectly. It is absolutely relevant today.
What’s Next in the Evolution of Zero Trust Security
We know the concepts are still relevant, but does the Zero Trust Model need to evolve? One could argue that Forrester has tacitly acknowledged the need for the model’s evolution. In 2018, Forrester released the Zero Trust Extended Framework (ZTX), which incorporated a number of additional initiatives addressing the protection of data, acknowledging the need for control of identity across multiple planes of existence, and acknowledging the power of automation, orchestration and analytics in security.
Other frameworks have come into existence giving a similar view of the world, such as Gartner’s Continuous Adaptive Risk and Trust Assessment (CARTA) model. These advances in security frameworks are certainly exciting and important to furthering our understanding of information security. They are also making IT decision makers even more uneasy in their day-to-day lives as they struggle to plot a way forward.
We’re also living in a world of increasing user frustration over the security controls that are constantly being put before them. Identity has seen some great advances in user experience in the last few years, and any evolution of a traditional security model should take note. Introducing too much friction into an environment may have the opposite effect of that which is intended, hindering adoption or in some cases leading to all-out revolt.
Redefining Zero Trust in “Identity” First Terms
A major advantage of taking an identity-defined approach to security is that it helps the IT decision maker plot their roadmaps to align with frameworks such as Zero Trust or CARTA. Over the next few months, the IDSA will be considering these challenges and offering guidance on how identity at the center of security can help you achieve these very important models. Stay tuned. In the meantime, read about Adobe’s real-world journey to zero trust and contribute to the conversation through our online community.
About the Author: Stephen Cox, Vice President and Chief Security Architect at SecureAuth and IDSA Executive Advisory Board Member, is a technology veteran with nearly 20 years in the IT industry, including 10 years’ experience leading software development teams in the security industry. A key player in some of the most influential IT security firms in the world, he is recognized as an expert in identity, network and endpoint threat detection, as well as an accomplished software architect.