The Zero Trust model can enable more seamless collaboration between organizations, as the added control over data access means businesses can more confidently allow access to specific programs and applications.
In recent years, the term “Zero Trust” (occasionally referred to as perimeterless security) has become increasingly prevalent in the realm of cybersecurity. Assuming the mantra of “never trust, always verify”, Zero Trust is now the default IT security model for many organizations in today’s largely cloud-based digital environment. But what does Zero Trust really mean for your business? Where did the notion of Zero Trust come from? And how can it be leveraged to provide additional layers of security for your networks and your data?
The Background
The term Zero Trust is the brainchild of Stephen Marsh, an associate professor who coined the phrase in his 1994 doctoral thesis on computer security. In his thesis, Marsh argued that trust had “suffered from an imperfect understanding, a plethora of definitions, and informal use” and aimed to provide a clearer understanding and a more unambiguous definition of human trust. In 2009, John Kindervag went a step further when he used the same term to describe the need for stricter cybersecurity programs and access controls.
By 2010, the internet colossus Google had implemented its own version of a Zero Trust model (named BeyondCorp) which considered both internal and external networks to be untrusted, and restricted access to services using a tiered approach. However, it wasn’t until the end of that decade that Zero Trust security architectures became commonplace, driven largely by a move to mobile and cloud-based services. In 2019, the UK’s National Cyber Security Centre (NCSC) began to recommend that all network architects adopt a Zero Trust approach to IT infrastructure, particularly where cloud computing is concerned.
What Is Zero Trust?
A Zero Trust security model works on the assumption that no request (or individual) should be trusted or afforded any kind of privilege over another, at least until explicit verification has taken place. Even internal network requests (which traditionally carried a lower perceived security risk) don’t get preferential treatment over requests from external sources. It asserts that those inside the network (a disgruntled employee with malicious intent, for example) pose just as much threat as those from outside – particularly in the case of an external actor using stolen network credentials to pose as a legitimate internal user.
It’s important to understand, however, that Zero Trust is not a “product”. A successful Zero Trust model combines a set of multiple security principles and methods designed to enhance the overall security posture of an organization’s IT infrastructure. The key principles of a Zero Trust approach encompass the need for explicit, continuous verification (always authenticating based on all available data), adoption of a “least privilege” access method (which grants and limits access based on the individual needs of the user) and mitigation of the potential “blast radius” (the level of damage likely to be caused by a cyber attack) by always assuming that a breach is possible.
Given its complexities, there is evidently no quick-fix approach to Zero Trust; it requires comprehensive planning, meticulous implementation and extensive training (as well as a highly-skilled and adaptable team) to construct and maintain a robust Zero Trust strategy.
Why Zero Trust?
The concept of Zero Trust largely replaces the traditional network security notion of “trust but verify”, which focused on protecting networks from untrusted external traffic (often labeled “North-South” or “Client-Server” traffic) but took a more lenient approach with “trusted” internal requests. This overlooked a significant vulnerability, and by the late 2010s this approach was further complicated by the advent of cloud services as these perimeter firewalls did not apply to hybrid or fully cloud-based models.
When a massive rise in remote, globally-distributed teams (particularly in light of the global pandemic) led to the widespread adoption of these cloud systems, the necessity for a sterner, more robust security solution quickly became apparent, and the Zero Trust approach was first coined by Marsh (and later popularized by Kindervag) was increasingly adopted by security-savvy organizations. Indeed, in 2021 the US Department of Defense announced that it was launching an office specifically dedicated to Zero Trust security.
This isn’t to say that the average cloud system is fundamentally defective, it bears noting. Modern full-service solutions are increasingly investing in cybersecurity as a core feature, as evidenced by Cloudways (which offers managed cloud and eCommerce hosting services) recently agreeing on a no-added-cost integration with Cloudflare’s CDN. But when you’re talking about government-level security, there’s an element of rigor that inevitably results in the commissioning of custom systems, and it’s those that are taking the Zero Trust route.
Advantages and Disadvantages of a Zero Trust Model
In a cyber environment where threats continually evolve and the types of attacks faced by modern enterprises become more elaborate, a Zero Trust approach makes it easier to contend with the shifting dangers of today’s landscape. In a Zero Trust model, every action performed by a user (or a device) is contingent on some degree of authentication, so any attempt to access company data or resources is monitored, analyzed and verified before even basic access is granted.
Furthermore, with many businesses moving toward a hybrid or remote working model in response to the COVID-19 pandemic, Zero Trust provides an added layer of security when employees are accessing company programs and data outside of the traditional office environment (often connecting via their own personal networks) and reduces the need for organizations to extend their corporate networks out into their staff members’ homes.
The Zero Trust model can also enable more seamless collaboration between organizations, as the added control over data access means businesses can more confidently allow access to specific programs and applications (and share data) in the knowledge that only the intended user(s) will be able to access those resources.
However, given that Zero Trust is still a relatively modern concept, it’s likely that a Zero Trust approach is not a feasible solution for every organization, as it may not be compatible with all the products and services they employ. If those services are no longer receiving active developments (such as legacy systems that remain business-critical) these are unlikely to support a more modern approach to authentication.
And of course, the journey towards adopting a Zero Trust model will not come without significant cost, the likelihood of overburdened resources and potentially severe disruption to services. As with any major infrastructure transition, there will be new tools and services to invest in, training to administer and possibly new talent to recruit, although the cost (financial and reputational) of a major security breach would likely be more significant in the long run.
In summary, while a Zero Trust approach to cybersecurity might not be a viable option for every business, its adage of “never trust, always verify” provides a vital added layer of security in an age where remote (even cross-border) working and cloud-based computing are increasingly becoming the norm.
Rodney is an eCommerce expert with over a decade of experience in building online businesses. Check out his reviews on EcommercePlatforms.io and you’ll find practical tips that you can use to build the best online store for your business.