Break the Trust and Stop the Breach: The Zero Trust Security Model

As 2018 is upon us, it’s time to take stock of our new realities and commit to better behavior that benefits us and our companies.

The discussion of the perimeterless enterprise is not new. In fact, the term “de-perimeterisation” was coined by Jon Measham, a former employee of the UK’s Royal Mail, in a research paper, and was subsequently used by the Jericho Forum back in 2005. The concept is easily understood. Are your employees using their mobile phones to access business data? Do they use SaaS apps like O365, Salesforce, or ServiceNow? If so, then your organization is a perimeterless enterprise. Access to your enterprise data no longer travels through your network perimeter. It goes directly from the user’s mobile phone to the data contained in the cloud.

If your enterprise is perimeterless, then what happens to all your traditional network perimeter security tools? The more of your data that moves into the cloud, the less value your network-centric tools provide. Credit Suisse has been monitoring the firewall market and has a cybersecurity research series, “The Cloud Has No Walls.” It is not only equity researchers; even Gartner agrees the market is being disrupted, in its December 2017 research, “Is Public Cloud Adoption Making Traditional Firewall Solutions Less Relevant?”

Rethink Your Security with Zero Trust Security

We acknowledge the dissolution of the traditional network perimeter, but what does it mean for your enterprise? It means you need to re-think security to protect your data.

Both Google and Forrester have been promoting the concept of Zero Trust Security to address de-perimeterization. Security needs to remove trust in the network and move from a network-centric to an application- and identity-centric approach. Each and every access decision must be made dynamically, based on what you know about the user and what you know about their device, and must then allow only “just enough” access. Google’s BeyondCorp initiative was all about de-perimeterization, with a mission to enable “every Google employee to work successfully from untrusted networks without use of a VPN.”

Zero Trust means moving from implicit trust when users are inside the network to explicit trust that is gained through increasing forms of knowing the user and their device. Only a certain amount of explicit trust can be gained with a validated password, but increased trust can be obtained through multi-factor authentication (MFA). The first time a particular device is used, trust is low. But if that device is managed and its integrity is validated, then explicit trust is higher.

Even once a certain level of trust has been gained through validation, it is still critical to give “just enough” access. Proper authorization should be dynamic, based on the sensitivity of the data, the explicit trust gained, and the action the user is requesting to perform. Least privilege has been around a long time in the systems management space and is just beginning in the application access space, fueled by Zero Trust Security.
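The access decision described above can be sketched as a small policy function. This is an added example, not code from the original article or from any vendor product; the signal names, the numeric weights and thresholds, and the `step_up_mfa` outcome are assumptions chosen for illustration.

```python
from dataclasses import dataclass, replace

# Assumed scales and weights, for illustration only.
SENSITIVITY = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}
ACTION_RISK = {"read": 0, "write": 1, "admin": 2}

@dataclass(frozen=True)
class Signals:
    password_ok: bool
    mfa_ok: bool = False
    device_known: bool = False          # device seen before for this user
    device_managed: bool = False
    device_integrity_ok: bool = False

def explicit_trust(s: Signals) -> int:
    """Trust is earned only from validated user and device signals."""
    if not s.password_ok:
        return 0
    score = 1                           # a validated password earns a little
    if s.mfa_ok:
        score += 2                      # MFA raises trust in the user
    if s.device_known:
        score += 1                      # first use of a device earns nothing
    if s.device_managed and s.device_integrity_ok:
        score += 2                      # managed AND integrity validated
    return score

def required_trust(sensitivity: str, action: str) -> int:
    return 1 + SENSITIVITY[sensitivity] + ACTION_RISK[action]

def decide(s: Signals, sensitivity: str, action: str,
           network: str = "untrusted") -> str:
    # `network` is accepted but never consulted: being "inside" the
    # perimeter grants no implicit trust.
    if sensitivity not in SENSITIVITY or action not in ACTION_RISK:
        return "deny"                   # fail closed on unknown inputs
    have, need = explicit_trust(s), required_trust(sensitivity, action)
    if have == 0:
        return "deny"
    if have >= need:
        return "allow"                  # just enough for this one request
    # Offer step-up only when MFA alone would close the gap.
    if not s.mfa_ok and explicit_trust(replace(s, mfa_ok=True)) >= need:
        return "step_up_mfa"
    return "deny"

if __name__ == "__main__":
    new_phone = Signals(password_ok=True)     # constructed sample request
    print(decide(new_phone, "internal", "read"))
```

The decision is made per request, so the same session can be allowed to read a confidential record and still be denied a write to it.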

It doesn’t matter whether you’re accessing applications or infrastructure, or what type of user is requesting access (employees, contractors, sys admins or customers): Zero Trust Security should be on your radar now. The benefits of the cloud are no longer debated, the security market is being disrupted, and the companies that employ Zero Trust Security, like Google, are the ones taking the greatest advantage of the new perimeterless enterprise and allowing their organizations to move faster.


This article first appeared in Security Current on 2/16/18.