Americas

  • United States

Asia

Oceania

Mary K. Pratt
Contributing writer

What is zero trust? A model for more effective security

How-To
07 Mar 20238 mins
Access ControlIdentity Management SolutionsNetwork Security

As the security model becomes the preferred security strategy, it’s worth looking at what it is and what it takes to achieve.

Conceptual image of a network labeled 'Zero Trust.'
Credit: Olivier Le Moal / Shutterstock

Security leaders are embracing zero trust, with the vast majority of organizations either implementing or planning to adopt the strategy. The 2022 State of Zero-Trust Security report found that 97% of those surveyed either have or plan to have a zero-trust initiative in place within 18 months.

In fact, the percentage of organizations with zero trust already in place more than doubled in just one year, jumping from 24% in 2021 to 55% in the 2022 survey issued by identity and access management technology provider Okta.

And that 55% is more than three times the figure it was four years ago; when Okta first asked security leaders whether they had a zero-trust initiative in place or were planning one within the following 18 months for its 2018 report, only 16% answered yes.

[ Download our editors’ PDF Zero Trust network access enterprise buyer’s guide today! ]

The growing use of zero trust mirrors the increasing security challenges faced by enterprise leaders. Organizations have seen their attack surfaces grow, especially as they have enabled widescale remote work policies and extended the number of endpoint devices residing outside corporate walls. At the same time, the volume and velocity of cyberattacks have skyrocketed.

“The technology landscape is evolving, and as organizations adopted cloud and with more mobile devices and more bring-your-own devices, remote and hybrid work, and adversaries becoming more sophisticated, it all led to changes in the threat landscape. As a result, the old security model is no longer scalable,” says Imran Umar, who as a senior cyber solution architect at Booz Allen Hamilton spearheads zero-trust initiatives in support of the US Department of Defense, federal civilian agencies, and the intelligence community.

The old perimeter security model is dead

That old security model focused on perimeter defenses, an approach that earned comparisons to creating a moat around the castle, working to keep out dangers while allowing everyone and everything within the castle walls to move around with few, if any, impediments.

That model, though, falsely assumed users and devices within the corporate environment could be trusted. It discounted insider threats and the potential for bad actors to successfully penetrate the perimeter and disguise themselves as trusted entities that belonged within the environment.

Moreover, that model became incompatible with a 21st-centuryst century IT architecture that, with cloud computing and an explosion of endpoint devices requiring access to enterprise systems from outside the corporate IT environment, obliterated the perimeter. Security leaders started shifting their security strategies in response to those changes. They moved away from relying mostly or solely on perimeter defenses and instead began implementing controls such as data-level authentication and encryption to secure enterprise assets at a more granular level.

In 2010, John Kindervag, then a Forrester Research analyst (and now senior vice president of cybersecurity strategy and group fellow at ON2IT Cybersecurity), promoted the idea that an organization should not extend trust to anything inside or outside its perimeters. In that process, he created the concept of zero trust. Interest in and adoption of zero trust principles have grown steadily since.

The White House gave zero trust an additional boost in May 2021, when in an executive order it declared that the federal government “must adopt security best practices” and “advance toward zero-trust architecture.”

What is zero trust?

At its core, zero trust is a way to think about and structure a security strategy based on the idea of “trust no one and nothing, verify everything.”

“Zero trust is saying: don’t assume anything. Allow agents and users the least privilege and the least access they need to get their jobs done. And don’t assume any privilege without verifying,” says Steve Wilson, principal analyst at Constellation Research.

Often called the zero-trust security model or the zero-trust framework, it is an approach to designing and implementing a security program based on the notion that no user or device or agent should have implicit trust. Instead, anyone or anything — a device or system — that seeks access to corporate assets must prove it should be trusted.

“It’s a philosophy. It’s a mindset. It’s an evolution of defense-in-depth,” says Ismael Valenzuela, senior instructor at the SANS Institute, which provides security training, certifications, and research. He notes that this approach when properly implemented, not only helps prevent bad actors from gaining access to networks, systems, and data but also shortens detection and reaction times if anything nefarious gets through.

This security model calls for implementing controls that remove implicit trust and instead require verification across multiple pillars. The number of pillars varies among the different frameworks, with most identifying either five or seven.

The pillars of zero trust

The five-pillar framework typically lists the individual pillars as:

  1. Identity,
  2. Device,
  3. Network,
  4. Application workload and
  5. Data.

The US Cybersecurity & Infrastructure Security Agency, better known as CISA, uses five pillars in its maturity model.

Others list seven pillars. Forrester, for one, introduced its Zero Trust eXtended Ecosystem concept in 2018, identifying the seven core pillars of zero trust as:

  1. Workforce security,
  2. Device security,
  3. Workload security,
  4. Network security,
  5. Data security,
  6. Visibility and analytics, and
  7. Automation and orchestration.

Others, including security technology vendors, offer additional variations on these pillars, some listing six and others giving alternative names such as “monitor and remediate” and “endpoint protection.”

Some also describe various areas as specifically “zero trust,” as in zero-trust architecture (ZTA) and zero-trust network access (ZTNA) — terms that indicate that zero-trust principles have been applied to those parts of the IT infrastructure. Regardless of such differences, experts stress that the objective remains the same: to remove implicit trust throughout the environment and instead use processes, policies, and technologies to continuously authenticate and authorize entities as trustworthy before actually granting access.

The zero-trust journey

Removing that implicit trust takes time, according to experts, and most organizations are far from accomplishing that objective. “It’s a journey of change,” says Chalan Aras, a member of the Cyber & Strategic Risk practice at Deloitte Risk & Financial Advisory.

Zero trust is also a collection of policies, procedures, and technologies. Organizations that want to implement an effective zero-trust strategy must have an accurate inventory of assets, including data. They must have an accurate inventory of users and devices as well as a robust data classification program with privileged access management in place, Valenzuela says.

Other components include comprehensive identity management, application-level access control, and micro-segmentation (which helps control access and limit movement within the IT environment).

Another important element is user and entity behavior analytics, which uses automation and intelligence to learn normal (and therefore accepted and trusted) user and entity behaviors from anomalous behaviors that shouldn’t be trusted and therefore denied access.

Other technologies for zero trust include network detection and response (NDR) tools, endpoint detection and response (EDR) solutions, and multifactor authentication capabilities.

Challenges to implementing zero trust

This plethora of policies, procedures and technologies required to enable a zero-trust strategy can be an obstacle for many organizations, Valenzuela says. Another challenge to success: legacy technology, as older systems often can’t work with or support the elements of a zero-trust security model.

Financial constraints and resistance to change are additional barriers. Organizations generally can’t afford to replace existing security technologies and modernize legacy tech all at once, nor can they successfully manage to move workers to new policies and procedures in one fell swoop. “There are a lot of investments that have been made over the years that you cannot just throw away,” Valenzuela says.

Yet another challenge is the user pushback that zero trust will inevitably bring into the environment, Wilson says, adding that “zero trust raises friction, and friction is the enemy of the user experience.”

Wilson cites one more challenge to overcome: the additional complexity that zero trust brings. Most organizations are in the earlier stages of implementing the controls required to enable this approach and few have reached full maturity. The 2022 Okta report, for example, indicates that only 2% of all companies worldwide have implemented passwordless access indicating that their zero-trust maturity is “evolved,” or the highest maturity level of the five levels listed by Okta.

Implement zero trust in stages

Given the scope of work that zero trust involves, and the challenges that come with it, experts advise moving forward in steps. “The goal should be: What can I do today, this week, this month to implement less implicit trust?” Valenzuela says.

Similarly, Aras says he advises enterprise leaders to break down their zero-trust journeys into three buckets: do now, do next, and do later. He puts, for example, identity initiatives into the “do now” category as well as ZTNA, “where depending on how old the tech stack is, it could be a minor change or it could be a major change.”

He says network segmentation and application segmentation could be “do now” or “do next” activities, depending on an organization’s existing security and tech maturity. “It’s important to start with where am I now? The better that [analysis] is performed, the more likely the ‘do now,’ ‘do next’ and ‘do later’ recommendations will be accurate.”