Zero Trust is often presented as a technology that is the silver bullet for every security challenge in a corporate network. But what exactly is Zero Trust, why should it be used, and how does it protect assets?

First, Zero Trust is not a technology at all. John Kindervag, then an analyst at Forrester, coined the term in 2010 to describe a way to improve security architectures by moving away from the purely perimeter-based defense model. Its core principle is usually summarized as "never trust, always verify".

The perimeter-based model builds layered defenses, such as multiple firewalls, around the assets to protect. Traffic originating inside these protected zones is implicitly trusted because it has already passed through the firewalls or comes from a known source. That is exactly why the model is hardly effective against insider threats or against an attacker who has managed to get into the network: once inside, they inherit the same implicit trust.

This security architecture also requires clear boundaries between the protected zones and the untrusted outside world, and it depends on those boundaries actually holding.

Zero Trust acknowledges that this implicit trust relationship is a weakness attackers exploit: a single compromised workstation or VPN account gives them a foothold from which lateral movement meets little resistance. Instead of concentrating defenses on the perimeter, extending it with VPN (Virtual Private Network) technology, and centralizing assets behind it, Zero Trust verifies every interaction individually. Kindervag proposes what he calls the "Kipling method" (after Rudyard Kipling's "six honest serving-men") to define the answers to the following questions for each access:

  • Who wants to access the asset? (the subject, and how its identity is verified)
  • What mechanism does the subject use for the access? (application, client, device)
  • How is the access defined? (the limitations in place, e.g. which operations are permitted)
  • When does the access take place?
  • Where are the subject and the asset located?
  • Why is access granted? (the business justification)

Answering these six questions and enforcing the resulting restrictions for every interaction is complicated and requires preparation. An organization needs a combination of technical and organizational controls to achieve this:

  • Identity verification and traffic analysis to answer Who, What, When, and Where
  • Policies and concepts to answer How and Why
  • Access control and other enforcement measures to block interactions that are not allowed, with anything not explicitly permitted denied by default
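To make the six questions concrete, here is a small policy decision point that evaluates an access request against all of them and denies by default whenever any answer is missing or not permitted. This is an added example written for this article, not code from Kindervag or any vendor; the asset name, the policy values and the requests are constructed for illustration.

```python
"""Evaluate access requests against the six Kipling-method questions.

Added example, not code from the original article. The asset "hr-db",
the policy values and the sample requests below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, time, timezone


@dataclass(frozen=True)
class AccessRequest:
    subject: str       # Who: the authenticated identity asking for access
    mechanism: str     # What: the client or application used
    action: str        # How: the operation attempted on the asset
    when: datetime     # When: timezone-aware timestamp of the request
    location: str      # Where: the subject's network location
    asset: str         # Where: the target asset
    purpose: str       # Why: a justification such as a change ticket


@dataclass(frozen=True)
class AssetPolicy:
    subjects: frozenset     # Who may access the asset
    mechanisms: frozenset   # What clients are acceptable
    actions: frozenset      # How: permitted operations
    hours: tuple            # When: (start, end) in UTC, end exclusive
    locations: frozenset    # Where the subject may connect from
    purpose_prefix: str     # Why: justification must start with this


def evaluate(policies: dict, req: AccessRequest) -> tuple:
    """Return (allowed, reasons).

    Every question must be answered satisfactorily. An asset with no
    policy is denied (default deny) instead of being implicitly trusted,
    and the subject's network location is just one of six checks, so
    being "inside" the network does not grant access on its own.
    """
    policy = policies.get(req.asset)
    if policy is None:
        return False, [f"no policy for asset {req.asset!r} (default deny)"]
    reasons = []
    if req.subject not in policy.subjects:
        reasons.append(f"who: {req.subject!r} not permitted")
    if req.mechanism not in policy.mechanisms:
        reasons.append(f"what: mechanism {req.mechanism!r} not permitted")
    if req.action not in policy.actions:
        reasons.append(f"how: action {req.action!r} not permitted")
    start, end = policy.hours
    t = req.when.astimezone(timezone.utc).time()
    if not (start <= t < end):
        reasons.append(f"when: {t.isoformat(timespec='minutes')} UTC outside window")
    if req.location not in policy.locations:
        reasons.append(f"where: source {req.location!r} not permitted")
    if not req.purpose.startswith(policy.purpose_prefix):
        reasons.append("why: no acceptable justification")
    return not reasons, reasons


# Constructed policy: only alice, from a managed laptop, read-only,
# during business hours, from two known locations, with a change ticket.
POLICIES = {
    "hr-db": AssetPolicy(
        subjects=frozenset({"alice"}),
        mechanisms=frozenset({"managed-laptop"}),
        actions=frozenset({"read"}),
        hours=(time(7, 0), time(19, 0)),
        locations=frozenset({"office-berlin", "vpn-eu"}),
        purpose_prefix="CHG-",
    ),
}


def sample_decisions() -> dict:
    """Run four constructed requests through the policy."""
    morning = datetime(2023, 5, 2, 9, 30, tzinfo=timezone.utc)
    night = datetime(2023, 5, 2, 23, 0, tzinfo=timezone.utc)
    requests = {
        # Everything in order: allowed.
        "ok": AccessRequest("alice", "managed-laptop", "read", morning,
                            "office-berlin", "hr-db", "CHG-1042"),
        # Same office LAN, but a different person: denied (who).
        "insider": AccessRequest("mallory", "managed-laptop", "read", morning,
                                 "office-berlin", "hr-db", "CHG-1042"),
        # Right person, wrong device, action, time and no ticket.
        "after_hours": AccessRequest("alice", "personal-phone", "write", night,
                                     "office-berlin", "hr-db", ""),
        # Asset nobody wrote a policy for: denied by default.
        "unknown_asset": AccessRequest("alice", "managed-laptop", "read", morning,
                                       "office-berlin", "payroll-db", "CHG-1043"),
    }
    return {name: evaluate(POLICIES, r) for name, r in requests.items()}


if __name__ == "__main__":
    for name, (allowed, reasons) in sample_decisions().items():
        print(f"{name:>13}: {'ALLOW' if allowed else 'DENY'} {reasons}")
```

The point of the "insider" request is the one the perimeter model gets wrong: mallory is on the office LAN, which a firewall-centric design would treat as trusted, but the policy still denies her because the Who answer does not match. The returned reasons list doubles as the audit trail that explains which of the six questions failed.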

While enforcement is a technical challenge that solution providers can readily support with products, the policies and concepts have to come from the organization itself, because only it knows who legitimately needs access to what, and why.

That is also what makes introducing Zero Trust harder than flipping a switch.

But the effort can pay off where the traditional perimeter-based model no longer fits the business: assets are now distributed across multiple locations worldwide, and access happens from outside the organization's internal network. The rise in remote work during the pandemic and the move to cloud-based services show that the approach to security needs rethinking. Adopting Zero Trust is one way of dealing with these challenges.

Like many things in security, however, it will not magically solve every problem on its own or make an organization secure by itself. Zero Trust must be one element among others in a holistic security strategy.