Since mobile users began connecting to business applications over the internet from unmanaged devices, there has been a growing need for zero trust. When you can’t trust the connection, the device, or the network, zero trust sounds like a great idea. But in the last few years, there has been a lot of confusion about what the term actually means.
Zero trust is an ideology, a security model meant to eliminate excessive implicit trust from the enterprise by establishing an initial security posture of default deny. However, at some point trust must be established to allow connectivity, but unlike network-centric methods, this trust must be dynamic, shifting with changes in context based on user, device, location, and app.
The purpose of a zero trust strategy is to eliminate excessive risk. It starts with never granting trust by default, and it requires trust to be contextual and adaptive. The level of privilege or access depends on the established trust, which must be continually monitored and adapted to risk.
The concept of zero trust was created 10 years ago. John Kindervag conceived of the idea to prevent enterprise teams from granting too much trust to users and devices accessing the network. This idea included adopting a default-deny security posture. But, due to the technology available at the time, it was created solely in the context of network-centric security. Such security requires users to be placed onto a network and tunnels to be driven through firewalls and DMZs, exposing apps to the internet to make them accessible. It’s taken 10 years to turn the idea of zero trust into reality.
With the adoption of cloud and mobility, IT professionals have come to the realization that network-centric security strategies have become ineffective. Networks and user devices are no longer owned by the enterprise, and over half of employees access apps remotely. By rethinking the network-centric security approach in the cloud-first era, enterprises are opening the door to adopting a true zero trust strategy.
Cybersecurity Insiders found that 72 percent of enterprises are in the midst of implementing identity and access management (IAM) technology. IAM is a prerequisite when looking to achieve zero trust, but a true zero trust strategy doesn’t stop there.
Among those same enterprises, 59 percent are looking to take the next step in creating a holistic zero trust ecosystem by adopting a zero trust network access (ZTNA) service in the coming year.
ZTNA technology, also known as the software-defined perimeter (SDP), creates an identity- and context-based access boundary around private enterprise applications. The applications are hidden from discovery, and access is restricted via a trust broker to a set of authorized entities. Essentially, ZTNA enables adaptive and secure private application access by eliminating the perimeter around the network and, instead, creating virtual perimeters around each user, device, and app.
While identity providers (IDPs) and IAM services focus on authenticating the identity of users, ZTNA consumes this data to create the microsegmented, secure connections between only the authenticated users and the enterprise’s private applications. These apps can run in private, multi-cloud, or hybrid cloud environments.
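The trust-broker decision the two paragraphs above describe, written out as an added example (not code from the original article or from any ZTNA product): every request starts at deny, a single private app is unlocked only when a per-app rule is satisfied by the IdP's group claims plus device posture and location, and any change in that context forces a re-evaluation. The user names, group names, app names and rules are constructed for illustration.

```python
from dataclasses import dataclass, replace

# Constructed ZTNA-style trust broker: access is per app, default deny, and
# depends on identity (IdP claims), device posture and location together.
# Users, groups, apps and rules below are hypothetical sample data.

@dataclass(frozen=True)
class Context:
    user: str
    groups: frozenset          # group claims asserted by the IdP
    device_managed: bool       # device enrolled in enterprise management
    device_compliant: bool     # latest posture check (encryption, patch level, ...)
    country: str               # derived from the connecting location
    app: str                   # the single private app being requested

@dataclass(frozen=True)
class Rule:
    app: str
    groups: frozenset
    require_managed: bool = True
    countries: frozenset = frozenset()   # empty means any location is acceptable

POLICY = (
    Rule("payroll", frozenset({"finance"}), require_managed=True, countries=frozenset({"US", "DE"})),
    Rule("wiki", frozenset({"employees", "contractors"}), require_managed=False),
)

def decide(ctx: Context, policy=POLICY) -> str:
    """Return 'allow' only if some rule for ctx.app is met by every context attribute."""
    for rule in policy:
        if rule.app != ctx.app:
            continue                     # rules are scoped to one app, not to "the network"
        if not rule.groups & ctx.groups:
            continue                     # identity alone is necessary, not sufficient
        if rule.require_managed and not (ctx.device_managed and ctx.device_compliant):
            continue                     # device posture is part of the decision
        if rule.countries and ctx.country not in rule.countries:
            continue                     # so is location
        return "allow"
    return "deny"                        # default deny: no matching rule means no access

def reevaluate(ctx: Context, **changes) -> tuple:
    """Trust is not granted once: when a context attribute changes mid-session
    the broker re-runs the decision on the updated context and returns both."""
    new_ctx = replace(ctx, **changes)
    return new_ctx, decide(new_ctx)

if __name__ == "__main__":
    alice = Context("alice", frozenset({"employees", "finance"}), True, True, "US", "payroll")
    print(decide(alice))                                  # allow
    print(reevaluate(alice, device_compliant=False)[1])   # deny: posture drifted mid-session
```

Note that nothing here depends on the user's IP address being inside a corporate range: the same user on the same device is allowed into one app and denied another, which is the per-app microsegmentation the text contrasts with network-level access.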
Gartner says, “By 2023, 60% of enterprises will phase out most of their remote access virtual private networks (VPNs) in favor of ZTNA.” The majority of enterprises have already adopted some kind of IDP service (Okta, Ping, Azure AD, Active Directory, and so on). The next step is to begin testing the ZTNA services on the market and identifying initial use cases, such as securing partner access to private apps.