Zero Trust is not a brand-new approach to cybersecurity. Back in 2020, we shared an article about “Ten Years of Zero Trust.” It took a while, but Zero Trust has now definitively caught on as the best approach to protecting digital assets and infrastructure, as well as the organizations that depend on them. In that article, just three years ago, we shared Gartner predictions that no major Infrastructure-as-a-Service provider would offer a Secure Access Service Edge (SASE)/Secure Service Edge (SSE) solution, a comprehensive approach to Zero Trust, before 2025. But the market has been much more agile than they anticipated: SASE/SSE offerings from companies large and small are already here and organizations are snapping them up. In fact, in their 2022 Market Guide for Single-Vendor SASE, Gartner predicts:
- By 2025, 80% of enterprises will have adopted a strategy to unify web, cloud services and private application access using a SASE/SSE architecture, up from 20% in 2021.
Before we delve into the current state of the art in Zero Trust security, we’ll review some of the basics, including the fundamental Zero Trust principles.
What is Zero Trust Security?
Zero Trust cybersecurity is a radically different approach than earlier, perimeter-based approaches. In the old model, the digital world was divided into inside and outside. Those on the inside, on the corporate network, were assumed to be trustworthy. The outside world, the internet, was the dangerous place where threats originated.
The Legacy Approach to Cybersecurity
The old approach was similar to a castle with a moat. Once you were inside the castle, you could wander around where you wanted. But outsiders were kept out until they were carefully scrutinized and deemed safe. Once they were in, however, they were in.
The old approach protected the perimeter with passwords for users and a firewall supported by detection-based malware and virus detection.
There are several problems with the detection-based perimeter approach to cybersecurity:
- Many users are lazy. They tend to reuse passwords. All too often, the passwords they use are simple and easy to guess. As computing power has gotten cheaper, brute force attacks have grown more accessible and likely to succeed, especially for passwords that are not sufficiently complex.
- Poor defense against phishing attacks. Relying on user training to protect against phishing attacks is like relying on a windbreaker to keep you warm on a -40° day: Not very effective. Some studies have shown that a sophisticated phishing attack can fool 26% of users who have undergone anti-phishing training.
- No protection against “trusted insiders.” If an employee “goes rogue” they can wreak great havoc within the perimeter. And not just employees – if vendors have access to your network, your exposure is much greater.
- Detection has improved, but zero-day exploits are more common than ever before. Cybercriminals can often figure out ways to defeat even AI-driven detection schemes that are not based on known signatures.
- The COVID pandemic-driven move to remote work coupled with the expansion of cloud-based resources has rendered the idea of a perimeter obsolete.
Zero Trust Principles
Zero Trust security takes a completely different approach. Zero Trust is not a specific technology. Rather, Zero Trust is a set of principles that can be applied via a variety of different implementations. The US National Institute of Standards and Technology’s (NIST) Special Publication, NIST SP-800-207, provides excellent guidance for Zero Trust architecture.
As the name implies, Zero Trust treats every user, every packet, with suspicion. Fundamental Zero Trust principles include:
- Never trust, always verify
- Treat all traffic, whether coming from inside or outside, as potentially dangerous
- Consider all websites and downloaded files potentially dangerous
- Assume there will be a breach; minimize any potential losses by minimizing access
- All users are subject to verification regardless of whether they are on the internal network or outside
- All assets are protected, whether they are on company servers or in the public cloud
Typical Elements of a Zero Trust Security Environment
Many different components may be included in Zero Trust cybersecurity solutions. Some typical components include:
- Robust Identity and Access Management (IAM). IAM includes authentication of users – typically requiring more than just a password. Multi-factor Authentication (MFA) is standard. But more than simply verifying users, IAM is also concerned with verifying each user’s authorization to access every particular resource.
- Least Privilege Access and Microsegmentation. In the event that a user’s credentials are compromised – or if a “trusted insider” turns out to not be so trustworthy – it is important to minimize any damage. By limiting users to accessing only the information and resources they need to do their jobs, and limiting the flow of packets laterally within the network, damage can be minimized. Many companies use role-based access control, but granting access on an individual basis is better.
- Remote Browser Isolation (RBI). RBI applies Zero Trust to web browsing and file downloads. With RBI, users connect to websites through an isolated container in the cloud. They interact with a rendering of the website, not the website itself, so if the user did click on an infected link it has no access to the user’s device or network. Any files downloaded are neutralized with Content Disarm and Reconstruction before being passed to the user.
- Secure Access for Unmanaged Devices (Clientless ZTNA). Clientless ZTNA is the flip side of RBI. It air gaps your private, web and SaaS apps from malware that may be lurking on unmanaged user BYODs or 3rd party contractor devices. Users get the access they need, and your organization’s applications are protected from malware and access via stolen credentials.
- Cloud Access Security Broker (CASB). A CASB provides Zero Trust cloud security. It’s not enough to take a Zero Trust approach to the IT assets on your own network. With the shift to Software-as-a-Service and other cloud-based resources, it is equally important to make sure your cloud-based apps and assets have the same level of security as your internal resources. A CASB makes it possible to enforce the same security policies in the cloud that you apply on premises.
Zero Trust Cybersecurity Today
Vendors are continually adding to the arsenal of Zero Trust technologies. While a company can try and piece together a Zero Trust approach to cybersecurity in bits and pieces from multiple vendors, it’s much easier, and generally more effective, to use the state-of-the-art in Zero Trust security: a comprehensive Security Service Edge (SSE) platform such as ZTEdge.
ZTEdge provides all the key elements of a Zero Trust architecture – IAM, Zero Trust Network Access including microsegmentation, RBI, WAI, CASB, secure remote access, secure virtual meetings – in an easy to deploy, cloud-based solution. ZTEdge was designed from the ground up to meet the needs of midsize enterprises in a cost-effective manner. It provides all the protection a company needs without unnecessary complexity.
About Gerry Grealish
Gerry Grealish, ZTEdge CMO, is a security industry veteran, bringing over 20 years of marketing and product experience in cybersecurity, cloud, analytics, and related technologies. Responsible for marketing and business development, Gerry previously was at Symantec, where he led the product marketing and go-to-market activities for the company’s broad Network Security portfolio. Prior to Symantec, Gerry was at Blue Coat, which he joined as part of Blue Coat’s acquisition of venture-backed Cloud Access Security Broker (CASB) innovator, Perspecsys, where he was Chief Marketing Officer.