A Practical Guide to Zero-Trust Security

Curated from threatpost.com →

Employees are demanding that employers enable flexible workstyles. Apps are moving to the cloud. A company’s device and application mix is increasingly heterogeneous. All of these factors are breaking down the enterprise security perimeter, rendering traditional security approaches obsolete, and paving the way for zero-trust approaches.

Traditional security methods broadly classify everything (users, devices and applications) inside the corporate network as trustworthy. These models leverage legacy technologies, such as virtual private networks (VPNs) and network access control (NAC), to verify the credentials of users outside the network before granting access. The focus therefore is on strengthening the network perimeter and then granting full access to corporate data once credentials are successfully validated. This is sometimes referred to as the “castle and moat” approach, in which the castle refers to the enterprise holding valuable data and applications, while the moat refers to layers of protection aiming to keep potential threats out.

However, in today’s complex IT world, in which users access all types of apps (software-as-a-service, on-prem, native, virtual) from all types of devices (mobile, desktop, internet of things) and from many locations both inside and outside the corporate network, organizations need a security model that is dynamic, flexible and simple. Perhaps the most notable of the emerging security models is zero trust.

“Zero trust” is a phrase first coined by John Kindervag of Forrester in 2010 to describe the need to move security leaders away from a failed perimeter-centric approach and guide them to a model that relies on continuous verification of trust across every device, user and application. It does this by pivoting from a “trust but verify” approach to a “never trust, always verify” approach. In practice, this model considers all resources to be external and continuously verifies trust before granting only the required access.

This all makes sense in theory, but what does implementing zero trust look like in practical terms? When talking to customers about steps they can take to build a zero-trust security architecture, I focus on five main pillars – device trust, user trust, transport/session trust, application trust and data trust.

Let’s take a closer look at each of these pillars and the underlying technology required to establish trust in each one.

Device Trust: For zero trust, as an IT administrator, you need to know your devices before you can trust them. You must have an inventory specifying which devices are owned and thereby controlled by your company. You must have a solution that monitors, manages and controls these devices. By interrogating the device posture, you can determine if the device can be trusted and if the device is compliant, based on pre-determined security policies. A unified endpoint management (UEM) solution enables IT teams to manage, monitor and control all devices – mobile, desktop, rugged and IoT – across all platforms from a single console. Integrating endpoint detection and response (EDR) technology can further improve device security posture by enabling the detection of possible malicious endpoint activities.
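The device-trust decision described above can be sketched as a posture check against inventory and policy. This is an added example, not code from the original article or from any UEM or EDR product; the inventory IDs, policy fields and thresholds are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed inventory of company-owned device IDs (hypothetical values).
INVENTORY = {"LT-0001", "PH-0042"}

# Constructed policy (assumption): minimum OS build per platform,
# required controls, and how old a posture report may be.
POLICY = {
    "min_os": {"windows": (10, 0, 19045), "ios": (17, 0, 0)},
    "require_disk_encryption": True,
    "require_screen_lock": True,
    "max_checkin_age_hours": 24,
}

@dataclass
class Posture:
    """Posture report as a management agent might supply it (hypothetical shape)."""
    device_id: str
    platform: str
    os_version: tuple
    disk_encrypted: bool
    screen_lock: bool
    hours_since_checkin: float
    edr_alert_open: bool

def evaluate(p, inventory=INVENTORY, policy=POLICY):
    """Return (trusted, reasons). Fails closed: anything unknown is untrusted."""
    reasons = []
    if p.device_id not in inventory:
        reasons.append("not in inventory")
    min_os = policy["min_os"].get(p.platform)
    if min_os is None:
        reasons.append("unsupported platform")
    elif p.os_version < min_os:
        reasons.append("os below minimum")
    if policy["require_disk_encryption"] and not p.disk_encrypted:
        reasons.append("disk not encrypted")
    if policy["require_screen_lock"] and not p.screen_lock:
        reasons.append("no screen lock")
    # Continuous verification: an old report says nothing about the device now.
    if p.hours_since_checkin > policy["max_checkin_age_hours"]:
        reasons.append("stale posture report")
    # EDR signal: an unresolved alert overrides an otherwise compliant posture.
    if p.edr_alert_open:
        reasons.append("open EDR alert")
    return (not reasons, reasons)
```

Returning the list of reasons rather than a bare boolean lets the access layer log why a device was refused and lets the user see what to remediate.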

User Trust: Time after time, password-based user authentication has been proven inefficient and ineffective.
