Zero trust: You’ve heard of it, now make it a reality
Eight years ago, a new security strategy called “zero trust” was introduced to the world by a well-known analyst at Forrester. At the time, the strategy seemed to one-up its predecessor, the “least privilege” security model, and forced traditional network-centric approaches to walk the proverbial plank. While the “zero trust” name certainly had some creative flair, and an equally interesting value proposition—to trust no device or network—there was just one problem. No one really knew how to make it happen. As a result, it lost a bit of steam and was placed on the back burner of security priorities.
Years later, and following several headline-making mega breaches, zero trust security seems to have once again permeated the minds of network security engineers around the world. Google created BeyondCorp, Forrester has revitalized its focus on zero trust, and security vendors have begun to bandy about the sector’s newest buzzword with breathtaking frequency.
But why now?
The challenge of getting to zero trust security
In spite of widespread cloud adoption and user mobility, security teams have continued to rely on 30-year-old network-centric technologies. But those technologies had no ability to deliver zero trust. How could they? They were developed 20 years before zero trust had even become a concept.
Why zero trust has been virtually impossible:
- Too much trust – Legacy technology required employees and third-party users to have network access just to access an app. It also exposed IP addresses to the internet, increasing the chance of DDoS or man-in-the-middle attacks.
- Not enough granularity – Network segmentation was as good as it got, making lateral movement across the network unavoidable. Creating a segment of one between a user and an app was a foreign idea.
- Lack of visibility into user activity – Users were treated as IP addresses and ports, so it was impossible to determine which specific users accessed which apps. Viewing user data in real time was difficult, and so was streaming it to a SIEM provider to minimize mean time to remediation.
- Complex as h*ll – Managing ACLs, firewall policies, and security groups was way too manual and constantly felt like a losing battle. Not to mention one that executives would never hear about or care about.
The emergence of modern security solutions—those built around the understanding that cloud adoption and mobility have created a perimeter-less world—has led to a renewed focus on zero trust security. Gartner calls these solutions software-defined perimeter (SDP) services.
Who’s making zero trust security a reality right now?
Now that zero trust is finally achievable, it can take many forms. The IT champions at National Oilwell Varco (NOV), one of the world’s largest oil and gas industry manufacturers, are using it to not only boost security for 7,500 internal apps, but also to accelerate M&A activities and enable secure cloud migration. Perdue Farms, the world’s number one producer of organic chicken, uses zero trust security to enable its remote workers to access SAP seamlessly and securely from their Chromebook devices. MAN Energy Solutions, a subsidiary of VW Group and producer of large-bore diesel engines at sea, uses zero trust security to secure access to the 7,000 internal apps on cargo ships floating off the sea of Copenhagen. TriMedX, a leading healthcare technology provider, has embraced zero trust security as a way to retire its remote access VPNs.
What will your story be?
Your mission: zero trust
In many cases it will be up to you to drive the change required to get to zero trust. You’ll encounter the server huggers worried about changing the status quo, the individuals who have grown complacent with network-centric technologies that can never, and will never, deliver zero trust security. In the end, your actions will define the future of security within your organization.
The only question now is, do you accept the mission?