What is Zero trust?
Since mobile users began connecting via unmanaged devices to business applications over the internet, there has been a growing need for zero trust. When you can’t trust the connection, device, or network, zero trust sounds like a great idea. But in the last few years, there has been a lot of confusion about what the term actually means.
Zero trust is an ideology, a security model meant to eliminate excessive implicit trust from the enterprise by establishing an initial security posture of default deny. However, at some point trust must be established to allow connectivity, but unlike network-centric methods, this trust must be dynamic, shifting with changes in context based on user, device, location, and app.
The purpose of a zero trust strategy is to eliminate excessive risk. It starts with never granting trust by default, and it requires trust to be contextual and adaptive. The level of privilege or access depends on the established trust, which must be continually monitored and adapted to risk.
The Myth of Zero Trust Security
Zero trust security is a term commonly used, and usually misused, in the security industry to describe the concept of protecting a network by using a zero trust model. There is no specific technology or solution called “zero trust security”; rather, the model moves security off the network and focuses instead on protecting users and internal applications.
However, companies in increasing numbers are using the principles of zero trust to bolster security and enable a variety of use cases, including secure remote access to internal applications, extending partner and third-party application access, simplifying mergers and acquisitions, and more. Gartner’s zero trust network access (ZTNA) provides a framework for organizations to follow to provide access that’s precise and context-aware while reducing the attack surface and providing a fast user experience.
Zero trust is being misused as a marketing term. Vendors are applying the term ‘Zero Trust’ to market everything in security, creating significant marketing confusion. (Gartner, 2019)
With remote work becoming increasingly common, employees are leaving the corporate network and accessing internal apps and company data over the internet, using myriad devices, and connecting from anywhere. As employees disconnect from the corporate network, traditional perimeter-based security defenses become ineffective, putting your organization, users, and data at risk. Zero trust is a security strategy that inherently trusts no one, where trust must be “earned” and continually reassessed. At the same time, by making applications invisible to all except those specifically authorized to access them and using inside-out connections, it shields your internal resources from attack.
A zero trust architecture is built upon a deny-by-default security posture, which automatically denies system access to unknown sources, both inside and outside the network. To gain access, users must meet specific requirements. Organizations can dictate, customize, and adjust access requirements based on their specific needs and risk level. These requirements can also be customized based on user, device, location, and application.
Adding a zero trust approach, such as Gartner’s ZTNA model, to your security strategy will help your organization meet the needs of an ever-changing, work-from-anywhere world, while staying ahead of new and evolving threats.
Zero trust had to evolve
The concept of zero trust was created 10 years ago. John Kindervag conceived of the idea to prevent enterprise teams from granting too much trust to users and devices accessing the network. This idea included adopting a default-deny security posture. But, due to the technology available at the time, it was created solely in the context of network-centric security. Such security requires users to be placed onto a network and tunnels to be driven through firewalls and DMZs, exposing apps to the internet to make them accessible. It’s taken 10 years to turn the idea of zero trust into reality.
With the adoption of cloud and mobility, IT professionals have come to the realization that network-centric security strategies have become ineffective. Networks and user devices are no longer owned by the enterprises, and over half of employees are accessing apps remotely. By rethinking the network-centric security approach in the cloud-first era, enterprises are opening the door to adopting a true zero trust strategy.
Zero trust in a cloud-first world is based on these four key principles:
- Application access should be adaptive, contextual, and independent of network access
- Microsegmentation should occur at the application level without network segmentation
- Applications and network must be invisible to the open internet
- The internet becomes the new corporate network via encrypted microtunnels
By 2022, 80% of new digital business applications opened up to ecosystem partners will be accessed through zero trust network access (ZTNA). (Gartner, 2019)
Achieving zero trust requires a new mindset and modern technology
Cybersecurity Insiders found that 72 percent of enterprises are in the midst of implementing identity and access management (IAM) technology. IAM is a prerequisite when looking to achieve zero trust, but a true zero trust strategy doesn’t stop there.
Among those same enterprises, 59 percent are looking to take the next step in creating a holistic zero trust ecosystem by adopting a zero trust network access (ZTNA) service in the coming year.
ZTNA improves flexibility, agility and scalability, enabling digital ecosystems to work without exposing services directly to the internet... (Gartner, April 2019)
ZTNA technology, also known as the software-defined perimeter (SDP), creates an identity- and context-based access boundary around private enterprise applications. The applications are hidden from discovery, and access is restricted via a trust broker to a set of authorized entities. Essentially, ZTNA enables adaptive and secure private application access by eliminating the perimeter around the network and, instead, creating virtual perimeters around user, device, and app.
While identity providers (IDPs) and IAM services focus on authenticating the identity of users, ZTNA consumes this data to create the microsegmented, secure connections between only the authenticated users and the enterprise’s private applications. These apps can run in private, multi-cloud, or hybrid cloud environments.
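The deny-by-default posture with per-user, per-device, per-location and per-application requirements described earlier, and the trust broker that hides apps from discovery and only connects authenticated users to the apps they are authorized for, can be sketched as a small policy engine. The following is an added example, not code from the original page or from any ZTNA vendor; the application names, group names, policy rules, and the Context and AppPolicy structures are all constructed for illustration. It also shows the session re-evaluation the page calls for, where trust is reassessed when the device context changes mid-session.

```python
"""Added example (not from the original page): a minimal default-deny
trust broker illustrating contextual, per-app access decisions.
All names, rules and sample contexts below are constructed."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Context:
    """Everything the broker knows about a request (constructed fields)."""
    user: str
    groups: frozenset          # groups asserted by the identity provider
    device_managed: bool       # enrolled in device management
    device_compliant: bool     # passed posture check (patched, disk encrypted, ...)
    location: str              # e.g. "office", "home", "unknown"
    mfa: bool                  # strong authentication completed


@dataclass(frozen=True)
class AppPolicy:
    """Requirements to reach one private app; anything not listed is denied."""
    app: str
    allowed_groups: frozenset
    require_managed_device: bool = False
    require_mfa: bool = False
    blocked_locations: frozenset = frozenset()


class TrustBroker:
    def __init__(self, policies):
        self.policies = {p.app: p for p in policies}

    def evaluate(self, ctx, app):
        """Return (decision, reason). Default deny: a request is allowed only
        when a policy exists for the app and every condition in it is met."""
        policy = self.policies.get(app)
        if policy is None:
            return "deny", "no policy for app"
        if not ctx.groups & policy.allowed_groups:
            return "deny", "user not in an authorized group"
        if policy.require_managed_device and not (ctx.device_managed and ctx.device_compliant):
            return "deny", "device not managed/compliant"
        if policy.require_mfa and not ctx.mfa:
            return "deny", "mfa required"
        if ctx.location in policy.blocked_locations:
            return "deny", f"location {ctx.location} blocked"
        return "allow", "all conditions met"

    def visible_apps(self, ctx):
        """Apps are invisible unless authorized: discovery only returns apps
        the current context would actually be allowed to reach."""
        return sorted(app for app in self.policies
                      if self.evaluate(ctx, app)[0] == "allow")


class Session:
    """A brokered connection whose trust is re-evaluated on context change."""
    def __init__(self, broker, ctx, app):
        self.broker, self.app = broker, app
        self.active = broker.evaluate(ctx, app)[0] == "allow"

    def refresh(self, new_ctx):
        decision, reason = self.broker.evaluate(new_ctx, self.app)
        self.active = decision == "allow"
        return self.active, reason


def drift_context(ctx, **changes):
    """Produce a new Context reflecting a change in posture (e.g. device
    falls out of compliance) without mutating the original."""
    return replace(ctx, **changes)


# Constructed sample policies and requesters.
POLICIES = [
    AppPolicy("hr-portal", frozenset({"hr"}), require_managed_device=True, require_mfa=True),
    AppPolicy("wiki", frozenset({"employees", "contractors"})),
    AppPolicy("finance-db", frozenset({"finance"}), require_managed_device=True,
              blocked_locations=frozenset({"unknown"})),
]
ALICE = Context("alice", frozenset({"employees", "hr"}), True, True, "home", True)
BOB = Context("bob", frozenset({"contractors"}), False, False, "unknown", False)


def run_demo():
    """Exercise the broker; returns a dict of outcomes for inspection."""
    broker = TrustBroker(POLICIES)
    session = Session(broker, ALICE, "hr-portal")
    still_ok, reason = session.refresh(drift_context(ALICE, device_compliant=False))
    return {
        "alice_sees": broker.visible_apps(ALICE),      # ['hr-portal', 'wiki']
        "bob_sees": broker.visible_apps(BOB),          # ['wiki']
        "unknown_app": broker.evaluate(ALICE, "nonexistent"),
        "session_after_drift": (still_ok, reason),
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

The point to notice is where the policy lives: it is keyed by application and evaluated per request against identity and device context, so there is no network location a requester can be on that grants access by itself, and an app with no policy simply does not exist from the requester's point of view.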
Where your enterprise should start when it comes to zero trust
Gartner says, “By 2023, 60% of enterprises will phase out most of their remote access virtual private networks (VPNs) in favor of ZTNA.” The majority of enterprises have already adopted some kind of IDP service (Okta, Ping, Azure AD, Active Directory, and so on). The next step is to begin testing the ZTNA services on the market and identifying initial use cases, such as securing partner access to private apps.