November 4, 2022
Beyond almost any other industry, cybersecurity is a magnet for hype.
If you’re a regular at industry conferences, you’ll have seen countless new tools and concepts that seemed hugely important when first unveiled… only to quietly disappear and be replaced by the next ‘essential’ trend.
Right now, some of the biggest waves in the industry surround Zero Trust.
So today, we’ll tackle a simple question: is Zero Trust just another hyped up idea that will quickly fade… or is it something more?
The ‘Why’ of Zero Trust
The first thing most people hear about Zero Trust is the phrase “never trust, always verify” — an adaptation of the translated Russian proverb “trust, but verify,” which was frequently used by Ronald Reagan when discussing relations between the U.S. and the Soviet Union.
In this case, “never trust, always verify” refers to the distinction between traditional network architecture and the Zero Trust approach.
In traditional architecture, businesses built a fortified perimeter around their network, similar to the moat and walls around a castle. Users and services had to authenticate before gaining access to the network—but once inside, they were trusted implicitly.
In the past, this approach was logical. Most applications were hosted internally, and the vast majority (if not all) personnel had to be physically on-site to access the network. Under these conditions, where remote access to the network and its applications was by far the exception rather than the rule, a perimeter defence strategy was logical and reasonably effective.
However, this network model is no longer realistic. Modern business networks have been disrupted by a host of innovations, technological advancements, and challenges, including:
- Distributed workforces (particularly following the COVID-19 pandemic)
- Hybrid cloud and multi-cloud environments
- Bring Your Own Device (BYOD)
- Distributed connected devices and 5G adoption
- Rapid changes to IT infrastructure
Combined, these trends have forced businesses to radically alter network architectures to address two facts:
- The network perimeter has expanded beyond all recognition—not just to include a range of cloud services but also laptops and mobile devices located anywhere from employees’ homes to cafes, rented offices, train carriages, and hotel rooms anywhere in the world.
- Even if the network perimeter could be fortified, it’s no longer acceptable to implicitly trust users or services. Legitimate credentials and services are regularly hijacked by cybercriminals, making it dangerous to assume that a single authentication per session is enough to ensure security.
Addressing these facts is precisely what Zero Trust is all about—it’s intended to replace outdated perimeter defence strategies with something that makes sense for today’s world.
At this point, you may be wondering:
“Isn’t That What VPNs are for?”
It’s true that VPNs are intended to address the challenge of remote access and are currently used by a high proportion of businesses to enable en masse remote working. However, VPNs do an imperfect job.
Leaving aside the various high-profile vulnerabilities in VPN solutions that have arisen in recent years, VPNs suffer from a deeper problem. VPN solutions were developed to address the challenge of remote working while keeping traditional network architecture intact. As we’ve seen, this architecture—and the perimeter defence strategy that went with it—is no longer viable. And, as businesses move away from traditional architectures, they will naturally favour security approaches and tools designed for their new environments.
So it should be no surprise that Gartner predicts 60% of enterprises will replace VPNs with alternative Zero Trust-based solutions by 2023.
What is Zero Trust?
Despite the sales messaging you may have been bombarded with, Zero Trust isn’t about any specific tool. Instead, it’s a network design and implementation strategy intended to address the challenges explained above.
Like any good strategy, Zero Trust is based on a handful of principles that help businesses design, build, and secure network architectures that are resilient to today’s challenges and cyber threats. Depending on who you ask, these principles may be expressed slightly differently—but in simple terms, they boil down to three things:
1. Continuous verification
One-time authentication or validation won’t cut it anymore—too many modern cyberattacks are designed to exploit legitimate accounts, services, devices, and credentials. Instead, Zero Trust forces users and services to authenticate each time they make a request using a combination of multi-factor authentication (MFA), behavioural analysis, and assessments of device hygiene.
For this to be possible, businesses must have real-time visibility of all user and service attributes, including:
- Credential types
- Normal/known behaviour patterns
- Firmware and software versions on devices
2. Assume breach (and limit the damage)
One of the most valuable things a business can do is assume its network has already been breached.
Why? Two reasons:
- There’s a good chance it has, and making this assumption is the first step in identifying and remediating the breach.
- It forces the business to design its network in a way that minimises the damage an attacker can cause.
In a traditional network architecture, a breach was often catastrophic. Successfully compromising one application, account, or device might allow an attacker to move laterally across the network, increasing their access as they went. By contrast, Zero Trust encourages businesses to design their networks (and implement security controls) in a way that limits the scope of credentials and access paths so that—at the very least—defenders have more time to identify and respond to a breach.
3. Least privilege
The principle of least privilege is fundamental to effective cybersecurity, so it should be no surprise that it forms part of any Zero Trust strategy. The idea is simple. Whenever credentials are used—whether for a human user or an application or service—they should only grant access to the minimum capabilities needed to perform the required task.
Many cyber attacks take advantage of over-privileged user and service accounts to achieve their objectives. Service accounts, in particular, are a common target because they have historically not been heavily monitored. By systematically reviewing and minimising the privileges associated with all active credentials (and, of course, deactivating credentials that are no longer needed), businesses can dramatically reduce cyber risk with a comparatively small investment of time and resources.
How Does Zero Trust Work?
While no individual tool can claim to ‘deliver’ Zero Trust, one category of tools has become an expectation in most Zero Trust implementations: the Zero Trust Network Access (ZTNA) solution.
Instead of requesting access to the network, ZTNA solutions force users and services to go through a trust broker and ask to be connected to a specific application. If the request is granted, the user or service can access that application according to its permissions, but it is not given access to the network itself. Essentially, a new network segment is created for each session, removing applications from public visibility and significantly reducing the attack surface.
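To make the three principles and the trust-broker model concrete, here is an added example of the decision logic such a broker applies. It is illustrative code written for this article, not CyberOne's code or any ZTNA product's implementation. Every request is evaluated afresh (continuous verification): MFA recency and device hygiene are checked, then a role table decides which actions the caller may perform on the one application requested (least privilege), and the result is an application-scoped grant rather than network access. The role table, the OS patch baseline, the MFA maximum age and the sample requests are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

# Constructed sample policy: role -> application -> permitted actions.
# A real deployment would load this from its identity/policy store.
ROLE_GRANTS: Dict[str, Dict[str, FrozenSet[str]]] = {
    "finance": {"ledger": frozenset({"read", "write"}), "hr-portal": frozenset({"read"})},
    "contractor": {"ticketing": frozenset({"read"})},
}

MIN_OS_PATCH_LEVEL = 202210      # assumed baseline, encoded as YYYYMM
MFA_MAX_AGE_SECONDS = 8 * 3600   # assumed: MFA older than 8 hours must be repeated


@dataclass(frozen=True)
class Device:
    managed: bool          # enrolled in device management
    edr_running: bool      # endpoint agent reporting
    os_patch_level: int    # YYYYMM of the latest applied patch set
    disk_encrypted: bool


@dataclass(frozen=True)
class Identity:
    user: str
    roles: FrozenSet[str]
    mfa_verified_at: Optional[int]   # unix time of the last MFA completion, None if never


@dataclass(frozen=True)
class AccessRequest:
    identity: Identity
    device: Device
    app: str       # the single application being asked for (never "the network")
    action: str
    now: int       # unix time at evaluation


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    granted_actions: FrozenSet[str] = frozenset()   # scope of the grant, if any


def device_problem(d: Device) -> Optional[str]:
    """Return the first failed hygiene check, or None when the device is compliant."""
    if not d.managed:
        return "device not enrolled"
    if not d.edr_running:
        return "endpoint agent not running"
    if d.os_patch_level < MIN_OS_PATCH_LEVEL:
        return "os patch level below baseline"
    if not d.disk_encrypted:
        return "disk not encrypted"
    return None


def evaluate(req: AccessRequest) -> Decision:
    """Evaluate one request from scratch; nothing is carried over from earlier requests."""
    ident = req.identity
    # 1. Continuous verification: a stale or missing MFA fails even for a known user.
    if ident.mfa_verified_at is None or req.now - ident.mfa_verified_at > MFA_MAX_AGE_SECONDS:
        return Decision(False, "mfa required")
    # 2. Device hygiene is part of the identity, not an afterthought.
    problem = device_problem(req.device)
    if problem:
        return Decision(False, problem)
    # 3. Least privilege: only the actions the caller's roles grant on this one app.
    allowed = frozenset().union(
        *(ROLE_GRANTS.get(r, {}).get(req.app, frozenset()) for r in ident.roles)
    )
    if not allowed:
        return Decision(False, f"no role grants access to {req.app}")
    if req.action not in allowed:
        return Decision(False, f"action {req.action!r} not permitted on {req.app}")
    return Decision(True, "allowed", allowed)


def demo() -> Dict[str, Decision]:
    """Run a set of constructed requests through the broker and collect the decisions."""
    now = 1_700_000_000   # constructed timestamp
    good_device = Device(managed=True, edr_running=True, os_patch_level=202210, disk_encrypted=True)
    finance = Identity("alice", frozenset({"finance"}), mfa_verified_at=now - 600)
    stale_finance = Identity("alice", frozenset({"finance"}), mfa_verified_at=now - 9 * 3600)
    contractor = Identity("bob", frozenset({"contractor"}), mfa_verified_at=now - 60)
    no_edr = Device(managed=True, edr_running=False, os_patch_level=202210, disk_encrypted=True)
    return {
        "finance_ledger_write": evaluate(AccessRequest(finance, good_device, "ledger", "write", now)),
        "stale_mfa": evaluate(AccessRequest(stale_finance, good_device, "ledger", "read", now)),
        "edr_stopped": evaluate(AccessRequest(finance, no_edr, "ledger", "read", now)),
        "contractor_ledger": evaluate(AccessRequest(contractor, good_device, "ledger", "read", now)),
        "finance_hr_write": evaluate(AccessRequest(finance, good_device, "hr-portal", "write", now)),
    }


if __name__ == "__main__":
    for label, decision in demo().items():
        print(f"{label:22} allowed={decision.allowed!s:5} reason={decision.reason}")
```

The important property is that the same user on the same device can be refused a second later if the MFA window lapses or the endpoint agent stops, and that a successful decision names an application and a set of actions, never a network. The denial reasons are what a defender would want logged, since a burst of "mfa required" or "endpoint agent not running" denials for one account is a useful detection signal.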
Beyond ZTNA, a Zero Trust strategy generally includes some or all of the following tools and capabilities:
- Next-generation endpoint security
- Multi-Factor Authentication (MFA)
- Cloud Workload Protection Platforms (CWPP)
- Wide use of encryption
Get Started with Zero Trust
If your business is considering moving away from legacy network design and towards Zero Trust alternatives, CyberOne is here to help.
From reviewing your infrastructure and helping you to build your cybersecurity roadmap to implementing Zero Trust-ready solutions such as ZTNA, we’ll guide you through the process of modernising your infrastructure and cybersecurity program.
For more information or to arrange a consultation, get in touch today.