The traditional approach of fortifying the network perimeter and implicitly trusting anything inside is dangerous.
Even with outstanding security policies and controls, there is no way to prevent 100% of attackers from gaining access. Once inside, assumed trust allows attackers to move around the network and escalate privileges with relative ease. This leads to substantially worse outcomes.
The NIST Special Publication on Zero Trust Architecture (NIST SP 800-207) puts it like this:
“Traditionally, agencies (and enterprise networks in general) have focused on perimeter defense, and authenticated subjects are given authorized access to a broad collection of resources once on the internal network. As a result, unauthorized lateral movement within the environment has been one of the biggest challenges for federal agencies.”
Organizations need an alternative security approach that reflects the realities of today’s cyber landscape. Some attackers will inevitably gain access to privileged assets or resources, so cybersecurity controls must be designed to minimize the impact of such a breach.
This is where Zero Trust comes in.
Defining Zero Trust
While Zero Trust hype has exploded in recent years, the concept isn’t new. U.S. Federal agencies have been urged to adopt Zero Trust principles for over a decade by programs such as the Federal Information Security Modernization Act (FISMA), Federal Identity, Credential, and Access Management (FICAM), Trusted Internet Connections (TIC), and Continuous Diagnostics and Mitigation (CDM).
Despite this, Zero Trust is still poorly understood—partly because it’s often vaguely defined. This is how some of the leading cybersecurity analysts and organizations define Zero Trust:
“[...] a cybersecurity paradigm focused on resource protection and the premise that trust is never granted implicitly but must be continually evaluated. Zero Trust architecture is an end-to-end approach to enterprise resource and data security that encompasses identity (person and non-person entities), credentials, access management, operations, endpoints, hosting environments, and the interconnecting infrastructure.”
— NIST SP 800-207, Zero Trust Architecture
“[...] an information security model that denies access to applications and data by default. Threat prevention is achieved by only granting access to networks and workloads utilizing policy informed by continuous, contextual, risk-based verification across users and their associated devices. Zero Trust advocates these three core principles: All entities are untrusted by default; least privilege access is enforced; and comprehensive security monitoring is implemented.”
— Forrester, The Definition of Modern Zero Trust
“[...] an approach where implicit trust is removed from all computing infrastructure. Instead, trust levels are explicitly and continuously calculated and adapted to allow just-in-time, just-enough access to enterprise resources.”
— Gartner, New to Zero Trust? Start Here
So… What is Zero Trust?
Coming to any of these definitions cold would leave most audiences feeling uninformed about precisely what Zero Trust is—or what it might look like in practice. However, these definitions do cover some of the foundational components of Zero Trust, including:
- Zero Trust is a strategy, not a solution.
- Trust—and the privileges associated with it—is never assumed, but continuously verified.
- Users, devices, and workloads should always receive the least privileges needed to function—and only for the minimum necessary duration.
- Zero Trust principles should pervade all parts of an organization’s IT infrastructure, including identity and access management, operations, endpoints, hosting environments, etc.
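To make the principles in the list above concrete, here is a small policy decision point written as an added example for this article (it is not from NIST, Forrester, Gartner or the report described below). It assumes two contextual signals that a real deployment would obtain from an identity provider and an endpoint agent: the age of the subject's last MFA step-up and a device-compliance attestation. Every request is evaluated against an explicit allow table (default deny), a successful decision produces a grant bound to one subject, device, resource and action with a short expiry, and every decision, including denials, is written to a log so that monitoring sees them. The policy table, identities and resource names are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class AccessRequest:
    """One access attempt together with the context the policy needs."""
    subject: str            # person or non-person identity
    device_id: str          # endpoint the request comes from
    resource: str
    action: str
    mfa_age_seconds: int    # seconds since the subject last completed MFA (assumed signal)
    device_compliant: bool  # posture attestation from the endpoint agent (assumed signal)


@dataclass(frozen=True)
class Grant:
    """A time-bound, least-privilege grant for exactly one request shape."""
    subject: str
    device_id: str
    resource: str
    action: str
    expires_at: datetime


# Constructed policy table: the only way a request becomes a grant.
# Anything not listed here is denied (default deny). Writes demand a
# fresher MFA and receive a shorter grant than reads.
POLICY = {
    ("alice", "payroll-db", "read"):  {"max_mfa_age": 900, "grant_ttl": 300},
    ("alice", "payroll-db", "write"): {"max_mfa_age": 300, "grant_ttl": 60},
}

# Every decision is recorded, denials included, for security monitoring.
DECISION_LOG: list = []

# Fixed clock so the example is reproducible; production code uses datetime.now(timezone.utc).
NOW = datetime(2022, 6, 23, 12, 0, tzinfo=timezone.utc)


def _log(req: AccessRequest, outcome: str, reason: str, now: datetime) -> None:
    DECISION_LOG.append({
        "time": now.isoformat(), "subject": req.subject, "device": req.device_id,
        "resource": req.resource, "action": req.action,
        "outcome": outcome, "reason": reason,
    })


def decide(req: AccessRequest, now: datetime) -> Optional[Grant]:
    """Policy decision: returns a short-lived Grant or None (deny)."""
    rule = POLICY.get((req.subject, req.resource, req.action))
    if rule is None:
        _log(req, "deny", "no matching rule", now)
        return None
    if not req.device_compliant:
        _log(req, "deny", "device not compliant", now)
        return None
    if req.mfa_age_seconds > rule["max_mfa_age"]:
        _log(req, "deny", "mfa older than %ds" % rule["max_mfa_age"], now)
        return None
    grant = Grant(req.subject, req.device_id, req.resource, req.action,
                  now + timedelta(seconds=rule["grant_ttl"]))
    _log(req, "allow", "ttl=%ds" % rule["grant_ttl"], now)
    return grant


def grant_covers(grant: Grant, req: AccessRequest, now: datetime) -> bool:
    """Enforcement point check run on every use: the grant must match the
    request exactly, including the device, and must not have expired.
    Nothing is remembered about earlier successes; an expired grant means
    going back through decide()."""
    return (grant.subject == req.subject
            and grant.device_id == req.device_id
            and grant.resource == req.resource
            and grant.action == req.action
            and now < grant.expires_at)


if __name__ == "__main__":
    req = AccessRequest("alice", "laptop-1", "payroll-db", "read", 100, True)
    grant = decide(req, NOW)
    print("granted until", grant.expires_at if grant else None)
    for entry in DECISION_LOG:
        print(entry)
```

The point of the shape is that the enforcement side holds no long-lived notion of "trusted": a grant expires on its own, a request from a different device does not reuse it, and a write to the same resource needs a fresher MFA and gets a shorter window than a read.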
While these components are undoubtedly important, a true Zero Trust strategy is broader than the above definitions suggest.
In the next article, we’ll cover the three fundamental principles of Zero Trust and how they improve on traditional, perimeter-defense cybersecurity strategies.
The Missing Components of Zero Trust
Our new report, ‘The Missing Components of Zero Trust,’ explains what Zero Trust really is, examines some significant gaps in existing guidance, and details the most important concepts and capabilities required for an effective Zero Trust Architecture.
Download the report to learn:
- The core principles and 7 tenets of Zero Trust.
- How the Zero Trust strategy and architecture eliminate implicit trust.
- How to elevate your security posture and avoid making the most common Zero Trust mistakes.
- The answer to the question, "Does Zero Trust actually work?"
June 23, 2022