The term zero trust has become the next in a long line of popular terms used by cybersecurity companies to associate their offerings with a more sophisticated, next-generation approach. The notion of zero trust has existed for decades, however, and the concept is not, in and of itself, a technology advancement, single architecture, or technological enhancement such as artificial intelligence (AI)/machine learning (ML), behavioral analytics, or other new approaches. Zero trust is instead a mindset where organizations treat all users and devices as potentially compromised, minimize access to resources, compartmentalize that access using fine-grain controls, and leverage strong authentication to explicitly verify users when access is requested, and to continuously monitor that access and re-verify when needed. One private company with which cybersecurity analyst Jonathan Ho spoke passed along an analogy from one of its large customers: Zero trust was essentially a North Star guiding its decisions as a long-term aspirational goal. “Moving forward,” Ho stated, “this hybrid model, combining a legacy perimeter world view with a modern zero trust approach, is what we expect to be the dominant form of zero trust.”
To understand zero trust, it is necessary to understand some basic concepts in networking and security. The historical model of security focused on something referenced as “castle and moat,” or treating any user that is outside a network as hostile but any user inside the network as largely safe and therefore able to access resources without further challenges. For example, the U.S. government has long promoted the National Cybersecurity Protection System (with its EINSTEIN set of capabilities) and Trusted Internet Connection 3.0 (TIC 3.0) as two major programs designed to defend federal government networks using a broad array of cybersecurity tools to detect anomalous behavior.
Yet these tools often could be bypassed by attackers who had stolen legitimate user credentials or insiders who were considered trusted but acted maliciously. Attackers only had to find a way inside the network (e.g., stealing user credentials, insider threats, certificate/key compromise); once inside, they were largely free to roam networks and compromise more assets. Some basic security tools were used, such as usernames and passwords to verify identity, but these elements are easily stolen and exploited, and they remain valid credentials for long periods. Once hackers have stolen these credentials, they are free to “move laterally” within an organization to try to compromise more resources via the new account credentials they capture.
At the same time, traditional network security tools such as firewalls were used to segment networks and seal off access to sensitive assets. However, once attackers gained access to these network segments, they were again free to try to expand their reach. As a result, attackers often looked to find and compromise privileged user accounts that would bring them more network and resource access until they finally found a way to capture the data they were looking for. According to Ho, traditional models of cybersecurity focus on preventing users from gaining access, but once legitimate user credentials or network access are obtained, most defenses are rendered ineffective. This conundrum has led to large numbers of breaches in which attackers could persist for years without being detected, while quietly siphoning IP, valuable data, and critical assets.
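To make the contrast between the two mindsets concrete, the following Python is an added illustration, not code from the report or from any product Ho discusses. It puts a "castle and moat" decision (trust anything originating inside the corporate address range) next to a per-request zero trust decision that checks identity, strong authentication, token freshness, device posture, and least-privilege scope regardless of where the request comes from. The network range, users, roles, devices, and policy are all constructed for the example.

```python
"""Perimeter ("castle and moat") access decision beside a per-request
zero trust decision. Everything here (network range, users, devices,
policy) is a constructed example, not a real deployment."""
import ipaddress
from dataclasses import dataclass

# Constructed corporate range; the perimeter model implicitly trusts it.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
# Short-lived session tokens force frequent re-verification.
TOKEN_TTL_SECONDS = 600

# Least-privilege policy: role -> {resource: allowed actions} (constructed).
POLICY = {
    "finance": {"payroll-db": {"read"}},
    "engineer": {"source-repo": {"read", "write"}},
}

# Managed-device inventory with current compliance state (constructed).
DEVICES = {
    "laptop-finance-01": {"compliant": True},
    "laptop-eng-07": {"compliant": False},  # e.g. failed a patch check
}

USER_ROLES = {"alice": "finance", "bob": "engineer"}


@dataclass
class AccessRequest:
    user: str
    device_id: str
    source_ip: str
    resource: str
    action: str
    mfa_verified: bool
    token_issued_at: float  # epoch seconds


def perimeter_decision(req: AccessRequest) -> tuple[bool, str]:
    """Castle and moat: a known account inside the network is enough.
    Network location stands in for trust; nothing else is checked."""
    if req.user not in USER_ROLES:
        return False, "unknown user"
    if ipaddress.ip_address(req.source_ip) in INTERNAL_NET:
        return True, "inside network, implicitly trusted"
    return False, "outside network"


def zero_trust_decision(req: AccessRequest, now: float) -> tuple[bool, str]:
    """Every request is verified on identity, strong authentication,
    session freshness, device posture and least-privilege scope.
    The source address plays no role in the decision."""
    role = USER_ROLES.get(req.user)
    if role is None:
        return False, "unknown user"
    if not req.mfa_verified:
        return False, "strong authentication not satisfied"
    if now - req.token_issued_at > TOKEN_TTL_SECONDS:
        return False, "session token expired; re-verify"
    device = DEVICES.get(req.device_id)
    if device is None:
        return False, "unmanaged device"
    if not device["compliant"]:
        return False, "device out of compliance"
    allowed_actions = POLICY.get(role, {}).get(req.resource, set())
    if req.action not in allowed_actions:
        return False, f"role {role!r} may not {req.action!r} {req.resource!r}"
    return True, "verified"


if __name__ == "__main__":
    now = 1_700_000_000.0
    # Stolen password used from an unmanaged host that is already inside the network.
    stolen = AccessRequest("alice", "unknown-host", "10.20.30.40",
                           "payroll-db", "read", False, now - 30)
    # The legitimate user working from home on a compliant managed laptop.
    legit = AccessRequest("alice", "laptop-finance-01", "203.0.113.9",
                          "payroll-db", "read", True, now - 30)
    for label, req in (("stolen-inside", stolen), ("legit-remote", legit)):
        print(label, "perimeter:", perimeter_decision(req),
              "zero-trust:", zero_trust_decision(req, now))
```

Run as a script, the "stolen-inside" request is allowed by the perimeter model and denied by the zero trust check, while the remote "legit-remote" request is the reverse: the perimeter model blocks the home worker that the zero trust check verifies. Changing the resource to one outside the role's scope, or ageing the token past the TTL, is denied as well, which is the per-request re-verification and lateral-movement limit the text describes.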
Primary Benefits and Challenges to Vendors in the Shift to Zero Trust
Ho believes the shift to zero trust does not render obsolete network security, endpoint security, identity and access management, or the other traditional security technologies used in a defense-in-depth strategy. “Instead, traditional players that sold hardware or virtual solutions will now need to deploy these solutions using new modalities and as part of a broader zero trust ecosystem,” Ho said. More than ever, we believe zero trust provides a catalyst for vendors to consolidate multiple siloed and disparate functions into a single operating platform that spans multiple disciplines of cybersecurity. The fragmentation and de-perimeterization of traditional environments do not mean that network security will no longer exist; instead it will move to SASE for distributed workers, to firewalls/ACLs (access control lists)/workload-native controls in public cloud environments as data centers are replaced, to container-based security for DevSecOps efforts, and to cloud access security broker solutions for SaaS applications.
Why Should Organizations Adopt a Zero Trust Architecture?
Zero trust has become critical because it addresses the fundamental weakness in traditional security mindsets, which is that users on IT networks are automatically trusted because they have presented a set of acceptable credentials. Vulnerabilities found in virtual private networks (VPNs), remote desktop protocols, and remote access technologies—even before COVID-19—have highlighted the challenges of trusting users/devices on networks implicitly.
SaaS Adoption; Identity as the New Perimeter
While traditional IT infrastructure was undergoing a process of cloudification over the past decade, enterprises were also starting to shift their buying behaviors away from traditional on-premises license software to SaaS-delivered models. From a security standpoint, we believe this effectively shifted the location of critical data that needed to be protected from on-premises environments under the control of IT departments to third-party SaaS providers that were leveraging the public cloud or their own private cloud data centers. In this world, hackers could steal critical corporate data from SaaS applications like Salesforce and Workday, or infrastructure like Amazon S3 buckets that were under the control of third parties.
How Far Along Are Enterprises in Their Adoption of Zero Trust Models?
“We believe most enterprise security organizations have come to accept zero trust as the future direction for security, but implementation of zero trust has so far been slow,” according to Ho. In part, this is because multiple types of products, spanning many disparate enterprise teams, must be used in coordination to make a zero trust implementation possible. Integration between different infrastructure environments like AWS, Azure, and Google Cloud Platform is complex enough before including private cloud, virtual, and legacy physical environments. The technologies themselves are also just starting to mature, allowing enterprises more choice on how to implement zero trust and what to prioritize. In addition, Ho believes zero trust adoption requires the development of a strong set of policies and best practices to implement effectively. Buying a product or product set will not by itself achieve continuous strong authentication, micro-segmentation, or limits on lateral movement; doing so will likely require a coordinated effort across multiple IT teams, including security, risk, IT operations, networking, cloud, data center, user constituents, and compliance teams.
How Does COVID-19 Affect the Rate of Adoption of Zero Trust?
With COVID-19 and the subsequent shift to work from home, Ho sees the drivers of zero trust as only accelerating. IT organizations have been forced to reckon with a mass migration of users and devices from on-premises environments to now having corporate devices and access to corporate data sitting in unknown and potentially compromised networks. Work from home is also driving accelerated lift-and-shift of applications to the cloud, as well as adoption of SaaS applications, which further drive home the need for zero trust–based implementations.
How Is Zero Trust Affecting Existing Security Companies?
The zero trust security model has risen significantly in popularity in recent years, as network security companies begin to integrate zero trust principles into their product lines. Zero trust adoption was accelerated by the worldwide switch to working from home, as employees around the world now use desktop-as-a-service, virtual desktop infrastructure, and VPNs to gain access to company databases. Zero trust practices will remain at the forefront of security infrastructure improvements as users continue to work from outside the office.
For a copy of the “Cybersecurity 2020: Trust No One, Verify Everyone” report mentioned in this article or information on any of the companies in Jonathan Ho’s research coverage list, please contact your William Blair salesperson.