Assume everyone and everything is a potential threat until proven otherwise: that is the core principle of the Zero Trust security model. In other words, every person and every device must be fully authenticated before accessing a private network or its data, regardless of whether they are inside or outside the network perimeter.
Let’s put it this way: traditional IT network security denies access to anyone outside the network and, by default, trusts anyone who is already inside the perimeter (which becomes a problem as soon as an attacker finds a way in). The Zero Trust approach, by contrast, trusts no one by default and verifies everyone’s identity before granting any type of access.
This security framework has, however, been dividing opinions: on the one hand, some organisations still believe that implementing Zero Trust is too expensive and time-consuming; on the other, several influential companies believe it is crucial in the modern world and can actually save money in the long run, since it has been proven to prevent data breaches and cyberattacks.
Before jumping to any conclusion, let’s get to know the details behind the Zero Trust approach.
The history of Zero Trust
Although its roots go back to the 20th century (namely the 1994 doctoral thesis of Stephen Paul Marsh), the term “Zero Trust” was coined and popularised in 2010 by John Kindervag, an analyst at the global market research company Forrester Research. At the time, he introduced the idea that an organisation should not trust anyone or anything, whether outside or inside its network.
It helped greatly that Google, a few years later, announced that they had implemented Zero Trust within their network, which led to a booming interest from the tech community and organisations around the world.
Kindervag and Forrester Research kept studying and perfecting this concept for the next 10 years and, in 2020, published several reports on how organisations could implement it.
5 pillars of Zero Trust
Here’s what differentiates Zero Trust from traditional security approaches:
- Periodic identity validation
When you log into a Zero Trust network, the connection times out periodically so that users and devices are re-checked and re-validated.
- Principle of Least Privilege (PoLP)
Users are granted only as much access as they need, which helps to minimise exposure of sensitive data. This strategy rules out the use of a VPN, because a VPN gives users access to the whole network once they’re connected.
- Microsegmentation to prevent lateral movement
It consists of dividing the network into smaller, isolated segments. This practice helps to contain a breach, since it prevents an attacker from moving laterally within the network, that is, from reaching and compromising several parts of it.
- Multi-Factor Authentication (MFA)
For a user to be authenticated, entering a password is not enough. Zero Trust follows the Two-Factor Authentication (2FA) approach, an extra layer of security widely used by companies like Google and Facebook: in addition to the password, it requires a security token (usually a six-digit code sent to another device, such as a mobile phone).
- Continuous monitoring and encryption
The Zero Trust approach is supported by real-time monitoring tools to identify and react to suspicious activities. It also prioritises encrypting sensitive data, as a way to make it unreadable to unauthorised users.
What are the benefits?
According to Microsoft’s Zero Trust Adoption Report 2021, 96% of security decision-makers state that Zero Trust is critical to their organisation’s success.
But what specific benefits does Zero Trust bring to the table?
- Reduced attack surface and potential damage (due to microsegmentation);
- Reduced impact caused by credentials theft or phishing attacks (by requiring MFA);
- Quicker breach detection times;
- Reduced risk of exposure to vulnerable devices (like IoT);
- Enhanced network performance;
- Cost savings in the long term (in 2022, the average cost of a data breach reached a record high of US$4.35 million / €4.015 million).
What is Zero Trust Network Access (ZTNA)?
It’s like a VPN, but optimised for the Zero Trust model. Basically, it’s the technology that enables organisations to implement the Zero Trust security framework.
Unlike a VPN, ZTNA grants access only to the specific applications or data requested, and denies access to all other applications and data by default.
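The per-request access decision that the five pillars above and ZTNA’s default-deny rule describe, as an added example that is not from the original article: each request is checked for session age (periodic re-validation), a verified second factor, device posture and a per-application grant, and every decision is recorded for monitoring. The session timeout, user names, applications and timestamps are constructed for the example.

```python
from dataclasses import dataclass

# Constructed policy values for this example; a real deployment pulls them from the identity provider and policy engine.
SESSION_MAX_AGE = 15 * 60  # seconds before a session must re-authenticate (periodic identity validation)
APP_GRANTS = {             # per-user allow-list of applications; anything not listed is denied (least privilege, ZTNA default deny)
    "alice": {"payroll-app"},
    "bob": {"wiki", "ticketing"},
}

@dataclass
class Session:
    user: str
    device_id: str
    authenticated_at: float   # epoch seconds of the last full authentication
    mfa_verified: bool        # second factor completed for this session (MFA pillar)
    device_compliant: bool    # device posture check passed

def authorize(session: Session, app: str, now: float) -> tuple[bool, str]:
    """Evaluate ONE request against ONE application; nothing is inherited from network location."""
    if now - session.authenticated_at > SESSION_MAX_AGE:
        return False, "session expired: re-validation required"
    if not session.mfa_verified:
        return False, "second factor not verified"
    if not session.device_compliant:
        return False, "device failed posture check"
    if app not in APP_GRANTS.get(session.user, set()):
        return False, f"no grant for {app}: denied by default"
    return True, f"access to {app} only"

def evaluate(requests: list[tuple[Session, str]], now: float) -> list[dict]:
    """Decide a batch of requests and return one audit record per decision (continuous monitoring pillar)."""
    log = []
    for session, app in requests:
        allowed, reason = authorize(session, app, now)
        log.append({"user": session.user, "device": session.device_id, "app": app,
                    "allowed": allowed, "reason": reason})
    return log

if __name__ == "__main__":
    now = 1_700_000_000.0  # constructed "current time"
    fresh = Session("alice", "laptop-01", now - 120, mfa_verified=True, device_compliant=True)
    stale = Session("alice", "laptop-01", now - 3600, mfa_verified=True, device_compliant=True)
    no_mfa = Session("bob", "phone-07", now - 60, mfa_verified=False, device_compliant=True)
    # Same user and device: the fresh session reaches only its granted app; the stale one must re-validate.
    for entry in evaluate([(fresh, "payroll-app"), (fresh, "wiki"), (stale, "payroll-app"), (no_mfa, "wiki")], now):
        print(entry)
```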
Top companies following the Zero Trust principles
Among the biggest players incorporating Zero Trust practices into their service offer, we find:
- Google: one of the first companies to publicly endorse Zero Trust. Its own Zero Trust model is called BeyondCorp.
- Cisco: the Cisco SecureX platform offers a variety of security resources, including ZTNA.
- Microsoft: its Azure Active Directory (AAD) platform provides identity and access management capabilities, a core Zero Trust practice.
According to Microsoft’s report, most organisations expect investment in their Zero Trust strategy to grow in the short term: 73% of respondents expect their Zero Trust budget to increase.
The shift to hybrid work is one of the factors contributing to the acceleration of Zero Trust adoption, because it’s a fundamental step towards maintaining security within this context.
In conclusion, there is clear progress in Zero Trust adoption across markets and industries, and given that organisations face increasingly sophisticated cyber threats, this trend is here to stay.