In the past 10 years, the network has changed, and security has changed with it. Both consumers and businesses now rely on cloud services. We are all mobile, using multiple devices from multiple locations, and that shift has set off an explosion of very real security risks. First coined in 2010 by an analyst at Forrester Research Inc., the Zero Trust Network offers a new approach to network security, one that fits today's complex cloud, mobile and hybrid networks.
So what was wrong with the ‘old’ approach to network security?
Firstly, a Zero-Trust Network is not a specific technology or service. Rather, it is a holistic network security approach in which every person and device trying to access resources requires strict identity verification, whether seated inside the network perimeter or outside.
To put zero trust security into context, traditional network security adopts a “castle-and-moat” principle. Everyone inside the “castle” is trusted (by default), with the “moat” making it hard to gain access from the outside.
By default, no one is trusted in a zero-trust network, whether inside or outside the network perimeter. Every request for a network resource must be verified before access is granted, typically with Multi-Factor Authentication (MFA).
The primary problem with the castle is that once an attacker has scaled the wall (for example, via unpatched software) or broken a window (a stolen or cracked password), they have free rein to walk around unchallenged. How often have you read that attackers had been inside a network for over six months undetected (as with Travelex)? Today's corporate network is not a castle. Data lives both in the data centre and in the cloud, and employees access it from multiple locations, using various devices.
Today, managing and maintaining network security controls has become much more difficult, and the advent of 5G will only accelerate this change. IT must therefore protect an increasingly complex and porous security perimeter, perhaps supported by security monitoring technologies (SIEM) and a dedicated security team (SOC) to detect and isolate unauthorised activity.
Rather than relying on a hardened perimeter, a Zero-Trust Network assumes that no user or device should be trusted automatically. The principle of least privilege ensures that each individual receives only the minimum level of access required. Access is granted to specific permitted files, applications or services, per individual and at a granular level. To see the difference, consider what happens when you visit a company.
Traditional "Castle-And-Moat" Security: You visit Reception and they assign you a "visitor" pass. After a quick freshen-up in the bathroom, you give yourself a guided tour of their offices. The server room is (probably) locked, but you can freely enter any other room, talk to anyone, and sit down at any PC. The only question is whether a 'security-minded' individual challenges you.

Zero Trust Security: You visit Reception and they assign you a "visitor" pass that uniquely identifies you. The pass grants granular access to specific rooms, facilities and services, which, as a visitor, is not much access at all. Wherever you wander in the building, the doors stay locked, except for the specific meeting room you have been given access to. In that room, you can only use the services you have been granted.
Zero Trust replaces implicit trust with verified trust on every access, and is a better fit for today's cloud and mobile-enabled networks, which are, by nature, much more complex, porous and harder to protect.
With so much emphasis placed on verified user identity, it is natural that Multi-Factor Authentication (MFA) is a core component of Zero Trust Security, providing sufficient evidence that the user is who they claim to be. In addition to identity management, a Zero-Trust Network also requires strict device access management, so that only authorised, compliant devices can be used to reach resources.
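The following is an added example, not code from the original post, CyberOne or Zscaler. It puts the two access models above into working form: a castle-and-moat check that trusts any request from an internal address, beside a zero-trust policy decision that verifies MFA, device posture and a per-user, per-resource least-privilege grant on every request and ignores network location. The internal network range, the device inventory, the policy table and the three sample requests are all constructed for illustration; a real deployment would query an identity provider and a device-management service instead of the inline dictionaries.

```python
"""Added example: castle-and-moat versus zero-trust access decisions.
Every user, device, network and policy entry below is constructed sample data."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# The "castle": anything with a source address in this range is trusted by the
# perimeter model. Range is an assumption for the example.
INTERNAL_NET = ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Request:
    user: str
    src_ip: str
    resource: str
    action: str
    mfa_verified: bool   # did the identity provider confirm a second factor?
    device_id: str       # identifier presented by the device


# Constructed device inventory (stands in for an MDM / posture service).
MANAGED_DEVICES = {"lt-0042": "compliant", "lt-0099": "non-compliant"}

# Constructed least-privilege policy: (user, resource) -> permitted actions.
# Anything not listed is denied; this is the "visitor pass" in the analogy.
POLICY = {
    ("alice", "hr-share"): {"read"},
    ("alice", "meeting-room-7"): {"read", "write"},
    ("bob", "payroll-db"): {"read"},
}


def castle_and_moat(req: Request) -> bool:
    """Perimeter model: inside the moat means trusted, no further checks."""
    return ip_address(req.src_ip) in INTERNAL_NET


def zero_trust(req: Request) -> tuple[bool, str]:
    """Zero-trust model: prove identity, device and need-to-know on every request.

    Network location is deliberately not consulted."""
    if not req.mfa_verified:
        return False, "identity not verified with MFA"
    if MANAGED_DEVICES.get(req.device_id) != "compliant":
        return False, f"device {req.device_id} unknown or non-compliant"
    allowed = POLICY.get((req.user, req.resource), set())
    if req.action not in allowed:
        return False, f"{req.user} has no {req.action} grant on {req.resource}"
    return True, "allowed"


def compare(req: Request) -> dict:
    """Decision from both models for the same request, with the zero-trust reason."""
    allowed, reason = zero_trust(req)
    return {"castle_and_moat": castle_and_moat(req),
            "zero_trust": allowed, "reason": reason}


# Constructed requests:
#  - an intruder who has already scaled the wall: internal IP, stolen password,
#    no second factor, unmanaged machine;
#  - a legitimate user working remotely from an external address;
#  - the same legitimate user, on site, reaching for a resource she was never granted.
INTRUDER = Request("alice", "10.20.3.7", "payroll-db", "read", False, "unknown-pc")
REMOTE_ALICE = Request("alice", "203.0.113.5", "meeting-room-7", "write", True, "lt-0042")
LATERAL_ALICE = Request("alice", "10.20.3.8", "payroll-db", "read", True, "lt-0042")

if __name__ == "__main__":
    for name, req in [("intruder", INTRUDER), ("remote", REMOTE_ALICE), ("lateral", LATERAL_ALICE)]:
        print(name, compare(req))
```

Run stand-alone, the block shows the point of the castle analogy: the intruder is waved through by the perimeter check purely because of the internal address, while the zero-trust check refuses at the first missing factor. The remote user, who the perimeter would block, is admitted because identity, device and grant all check out, and an on-site attempt to reach a resource outside the grant is denied regardless of where it comes from.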
“Remove inherent trust from the network, treat it as hostile and instead gain confidence that you can trust a connection” – NCSC, November 2019. www.ncsc.gov.uk/blog-post/zero-trust-architecture-design-principles
The journey to Zero Trust may seem like a sizeable change from established strategies. Several security technology providers already support Zero Trust principles, often using Multi-Factor Authentication (MFA) and Identity and Access Management (IAM), and implementing micro-segmentation in parts of their environment. But Zero Trust isn't just about implementing individual technologies. Zero Trust is a new way of thinking that requires an ongoing strategy. As such, it is more of a journey than a destination, but a worthwhile journey nonetheless.
CyberOne is the UK’s leading Zscaler partner, providing our clients with fully managed services and 24x7 support. No one knows Zscaler like CyberOne does. Our dedicated team of experts is always on hand to answer any questions. Contact us today...