This is the fourth commentary in the series “Defining Zero Trust Security.”
In the early 2000s, cyberattacks -- though comparably fewer in number to those occurring today[1] -- were no less threatening. Some caused disruption, others led to financial loss for victims.
Within this context of increasing threats to business systems and operational continuity, zero trust emerged as a set of security principles based on the idea that reducing granted trust for access would lead to greater assurance of authorized identity. In zero trust theory, cybersecurity would be attuned to the way people worked -- security would become data-centric, and authorization would be based on identity and context instead of being tied to device.
So what exactly is zero trust? Zero trust is the idealized philosophical conceit that all data moving within a system should be viewed as potentially hostile, that nothing is “trustable,” and that access should never be granted based on the assumption of trust.[2]
Zero trust is characterized by four key tenets:
- Any level of authentication requires least-privilege access for all entities, including users, devices, and workloads.
- Whether joining user to application, application to application, or workload to workload connectivity is direct and ephemeral, relying on microsegmentation at the application level without network segmentation.
- Applications, users, and corporate systems remain obscured from the open internet.
- The internet becomes the new corporate network.
1. Zero trust enforces least-privilege access.
Zero trust principles assume all data represents a potential threat, and any authorization to progress forward with work (be it access permission or data transit between systems) requires thoroughly disproving the premise that the data was already compromised. This ideal contrasts with legacy security infrastructure and standard processes that extend privileges based on (fallible) machine identification (like say, IP address)
2. Connectivity is direct, ephemeral.
Direct connectivity is a hallmark of zero trust theory: Users connect directly to the application or resource they need to use at that moment. Once the utility is served, the connection is discarded. Each use of the application or resource requires subsequent reconnection and reauthorization (based on user identity and context). In this way, connectivity can be considered almost disposable, a means to an end rather than the end itself.
That ideal can be achieved through microsegmentation at an application level: Applications or workloads can be divided into small segments based on the communication requirements of each.
3. Corporate systems remain obscured from the open internet.
Hackers attack what they can see. Most enterprises still expose IP addresses to the open internet. In a zero trust environment, systems (including and especially IP addresses) are not visible to the outside world: Zero trust mandates inside-to-outside connections and blocks outside-to-inside connections. In this way, zero trust dramatically reduces attackable threat surface.
4. The internet becomes the new corporate network.
Zero trust leverages the internet as a communications backbone: Users connect via the internet to applications or resources, with cybersecurity delivered immediately at the cloud edge. Zero Trust dissociates connectivity from the physical network: The internet supplants the corporate network, reducing corporate reliance on costly network infrastructure.
Zero trust in practice: once ahead of its time, now cloud-enabled
As security terms go, “zero trust” is an attractive proposition: If hackers exploit trust, security leaders minimize the issuance of trust (“to zero!”) to reduce cyberattack risk. But when first introduced in 2010, the zero trust concept was ahead of its time, and its commercial adoption was slow to take off.
In its original form, zero trust espoused a philosophy of minimizing trust -- the less trust conferred, the better. But zero trust clashed with a damning indictment of legacy network security models: that security based on machine identification and network access could still protect an enterprise. (It couldn’t then, and it definitely can’t now.)
Legacy security architectures could not easily scale (nor could they be easily reengineered) to accommodate a dynamic, follow-the-data security model. In that type of (still common) environment, access is granted via hardware gateways. More “challenges” means more (expensive) hardware stacks housed close to users, applications, and data-processing.
Dynamic challenges of trust weren’t possible because infrastructure couldn’t scale to support it. Now, more than a decade later, the cloud -- the scalable, "abstractable," secure, SSE-enabled cloud -- makes zero trust practical in the form of a Zero Trust Architecture (ZTA).
Zero trust security protects the ephemeral, direct connection between user and application (or resource, or data): cloud-served security is immediate, and proximate to every user. There is only an inside-to-outside connection between user and app. Contrast that with a corporate network, where access is granted to all the pathways connecting corporate systems, introducing the risk of lateral movement if a hacker breaches the firewall.
[1] This is admittedly based on anecdotal evidence. For instance, of the 63 pages in the September 2021 update to the Center for Strategic & International Studies “Significant Cyber Incidents Since 2006” report, only seven-and-a-half pages are devoted to cyberattacks before 2011. Roughly eight-and-a-half pages document attacks in just the first eight months of 2021 alone. It’s fair to say that attacks have increased dramatically since 2010, but detection capabilities have matured in the years since. Any accurate comparison is speculative since there were undoubtedly more attacks that were never discovered (or perhaps never publicized by victims).
[2] The United States Department of Commerce’s National Institute of Standards and Technology defines zero trust as “a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as compromised.”
Related Content
The history, context, and co-opting of zero trust