What's all the fuss about zero trust?

If you’ve been in cybersecurity, IT, or operations for a minute, you’ve surely heard the term "zero trust." If you’ve been paying attention, the first time it came into use was in 2009. Although the term was defined at that point, it did not come into play in any significant way until nearly a decade later. And that fuss was driven, predominantly, by security vendors. Businesses, and in particular, security teams, were slower to evaluate and adopt zero trust.

First off, it took some time for everyone to agree on what zero trust really meant, what it entailed, and what it would accomplish. Although the term "zero trust" was first coined by a Forrester analyst and was based on ideas set in motion by the Jericho Forum, different individuals and entities tinkered with the meaning to best suit their situation and needs. So before we dive in too deep, a quick level set is appropriate here.

What is zero trust?

Zero trust is a strategy, principle, or framework predicated on the fact that the traditional network perimeter no longer exists. As such, the "internal" network should be treated as equally (potentially) hostile as the open internet. In other words, no network traffic, user, or access control is safe just because the network on which it communicates is managed by an organization with security technologies and processes implemented. Zero trust as a concept was invented to help organizations managing the risk of an ever-increasing attack surface due to digital transformation.

How does zero trust work?

Zero trust treats every asset -- every device, user, service, software, host, cloud, workload, etc. -- as if it is coming from an untrusted source and is potentially compromised. Zero trust requires continuous authentication and authorization verification for every asset access request. Further, the verification process must analyze a set of real-time identity attributes (vs. a simple set of credentials) to ensure that the asset requesting access has not been tampered with before or during transit. Granular, risk-based access controls are issued on a one-time basis and carry the provision of least privilege.

What’s the motto?

Never trust; always verify.

On paper, this looks easy enough, right? Of course! But in practice, adapting a network built on the idea of trust (as most networks built more than, say, 5 years ago were) to one that trusts nothing is extremely complicated. To start, most networks were architected with trust inherently baked in -- an asset inside the perimeter (which is protected with firewalls and other north-south controls) has been checked as "safe" at the gateway and can therefore run as trusted. The tools and technologies created to protect networks also worked on a trust-based system. "Inside" security technologies like intrusion detection systems, network access controls, network traffic analysis tools, and more operated based on the idea that, "check once → validate → allow" was sufficient. The problem? Trust. Which assumes risk. And the fact that exploits were growing and the number of breaches reported were not stopping. A one-time security check just wasn’t cutting it, but this is how organizations managed their networks… because there wasn’t much choice. Or the choices were too hard.

As the realization of maliciousness throughout the entire internet-connected ecosystem caught on, and companies started to accept the idea of zero trust, they pondered how to implement zero trust. Ripping and replacing an entire architecture was (and remains) impractical. But where do you start? How do you start? Is it all or nothing? Is access the right place to start? Is it data, since the data is what attackers are generally after? Or is it identities?

The fact is, there is no right answer. And this, along with myriad architectural challenges, has made adoption of zero trust slow from the mid 2010s until the present.

Why Zero Trust Now?

While the adoption and implementation of a zero trust strategy has been historically slow, there are several forces that have recently accelerated acceptance:

This is not your traditional network. There is no traditional network: Organizations’ networks are not hub-and-spoke, nor do most organizations operate with one type of network. Hybrid and multi-platform networks are now the norm, and cloud and application usage is astronomical. Using traditional security and access methods that verify once then allow access introduce tremendous cyber risk. 

Threats are on the rise: With more and more assets internet- and inter-connected, cybercriminals have an ever-expanding attack surface. The lack of geographic boundaries in cyberspace means that cyber criminals can operate anywhere, at any time, and compromise any organization, given the right tools and enough time. Furthermore, the barrier to entry is low; cyber criminals make exploit tools easily and inexpensively available to anyone who knows where to look. This confluence of events not only presents a threat, but increases business risk, too.

Work from anywhere is more than a location challenge: The COVID-19 pandemic brought on a sudden need to accommodate employees, contractors, and systems working from their (often insecure) homes. For most companies, this was a wholesale change. But they quickly adjusted their strategies. This meant, however, an increase in devices, device types, access needs, services, applications, and more all needing to (safely) access corporate resources.

As we move out of the pandemic, the "new normal" is work-from-anywhere, which means businesses must continue to support all of the above, but now also support constantly fluctuating user and device locations and connection needs. This creates a lack of baselines and predictability that almost scream, "NEVER TRUST!"

DevOps is leading the way: A great deal of companies’ revenues are generated by software development teams, most of which use third-party resources to build and test. Ephemeral environments like cloud and containers, which operate on a "shared responsibility model," necessitate a new way of securing assets. What’s more, the speed of development waits for no security tool. Software and applications with bugs and vulnerabilities get placed in production all the time because security can’t keep up. As such, additional precautions need to be implemented to ensure that a code flaw doesn’t turn into a wholesale breach.

Compliance and industry standards say so: The National Institute of Standards and Technology (NIST) first declared zero trust an imperative in 2020 with its issuance of special publication (SP) 800-207. This 59 page document details how "complexity has outstripped legacy methods of perimeter-based network security" and how and why a zero trust model must be adopted "to include all enterprise assets (devices, infrastructure components, applications, virtual and cloud components) and subjects (end users, applications and other nonhuman entities that request information from resources)." Zero trust principles, say the authors, are "designed to prevent data breaches and limit internal lateral movement."

The following year, the Executive Order on Improving the Nation’s Cybersecurity specifically called out zero trust for its ability to prevent unauthorized access to assets. The EO mandates that the Federal Government must adopt security best practices, including advancement toward and planning for zero trust architectures. Much of the EO is designed around the need for the Federal Government to improve cloud, infrastructure-as-a-service, software-as-a-service, and platform-as-a-service security as agencies adopt and implement such services and technologies. Though the EO is written for Federal agencies, it is a great guideline for enterprises, as well.

You and Your Organization

Zero trust adoption is on the rise. In the last two years, organizational acceptance and implementation has taken off. According to a 2021 Zero Trust Adoption report by Microsoft, 96 percent of security decision makers state that zero trust is critical to their success. Maybe more importantly, the same report says that "76 percent are in the process of [zero trust] implementation."

A similar study by Cybersecurity Insiders says that "Seventy-eight percent of IT security teams are looking to embrace zero trust network access in the future. 19 percent are actively implementing zero trust, and 15 percent already have zero trust in place."

If you’re in the process of implementing zero trust or want to start, look for skilled people and the right processes and technologies (PPTs) that provide foundational support for a zero trust program. This means beginning with ways to accurately identify and assess your entire attack surface (including the assets running on them), and then applying adaptive controls that enforce continuous verification, least privilege, and conditional access (based on a collection of immutable asset attributes).

Implementing zero trust will be a stepwise process involving many different, always-moving parts. But if you set the foundations now, lean on basic cybersecurity hygiene, and accept that zero trust is a risk control strategy, you will be well positioned to start reducing your attack surface and organizational risk.

Katie Teitler is Senior Cybersecurity Strategist, Axonius.