The Zero-Trust Security Model: The Future of Cybersecurity
The way that we live, work and play has changed in today’s mobile, internet and cloud-first world. With the rapid adoption of cloud services and infrastructure, organizations can no longer approach security the way it’s traditionally been done. The modern approach to enterprise security has to accommodate the increasingly mobile and remote workforce. The future of cybersecurity is Zero-Trust security.
Changing the way that we think about and do security is not a choice but a necessity in this cloud-first world where highly skilled cybercriminals are working to steal information from businesses and individuals. Attackers have shifted their focus and tactics away from servers in your enterprise data center to your users and web browsers.
Cyberattacks have been, and will continue to be, designed to elude traditional signature-based security methods. The only way to better protect your organization is to adapt your security and defense tactics to meet these new challenges and technological developments.
Enterprises that fail to innovate, update and protect their systems and networks to keep pace with the increasingly cloud- and mobile-centric workplace are exposing themselves to cyber and business risk.
Zero-Trust Security Defined
Zero trust security is a fundamentally different approach to providing secure access to applications. The term zero-trust was first coined by Forrester Research in a 2010 publication which discussed how the zero-trust security model is built around the idea that enterprises should not inherently trust any user or network.
The concept of “Zero Trust” security is based on the view that organizations should not automatically trust anyone regardless of whether that someone or something is inside or outside an organization. Any attempt to access a business system or application must first be verified before any level of access is granted.
A Zero Trust security architecture abandons the idea of a trusted network inside a defined corporate perimeter. Zero Trust requires visibility and the creation of micro-perimeters of control around an enterprise’s sensitive data assets. The network design is data-centric, and by putting micro-perimeters around specific data or assets, more-granular rules can be set and enforced. Zero Trust networks help prevent attackers from moving undetected inside corporate networks.
Why Move To Zero-Trust Security?
The way that users are connecting to networks is changing. The growing mobile workforce is forcing enterprises to rethink how they can securely provide users with access to enterprise networks and business-critical applications. Agencies that currently focus on perimeter-based security offer insufficient protection against today’s advanced persistent cyber threats.
What’s the problem with the traditional approach to security? With a perimeter-based defense, anyone inside the network is trusted and once attackers are inside, they can move freely around the network, gaining more access to data. By the time an intruder gets discovered in the system, it’s already too late.
Zero trust, on the other hand, treats all traffic traveling over an organization’s network the same. The default assumption is that all traffic is threat traffic, and the strategy is to restrict sensitive information to only those authorized to access each piece of discrete information.
Zero trust architecture limits the attacker’s ability to move within an enterprise network and thereby restricts access to segmented sensitive data.
Adopting A Zero-Trust Approach
Google led the charge when it came to adopting a Zero-Trust approach and creating zero-trust networks. What started as an internal Google initiative to connect employees to internal applications led to BeyondCorp. The BeyondCorp enterprise security model allows employees to work more securely from any location without the need for a traditional VPN.
This is enabled by shifting access controls from the network perimeter to individual devices and users. BeyondCorp provides user and device-based authentication and authorization for Google’s core infrastructure and is now used by most Google users every day. This increasingly popular approach to enterprise network security is called the Software-Defined Perimeter (SDP).
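The contrast between a perimeter check and the per-user, per-device check described above, as an added Python example that is not from the original article or from BeyondCorp. The user names, resource names, network range and sample requests are constructed for illustration, and the `identity_verified` and `device_trusted` flags are assumed to come from whatever authentication and device-inventory systems an organization runs.

```python
import ipaddress
from dataclasses import dataclass

# All names and values below are constructed for illustration.
CORPORATE_NET = ipaddress.ip_network("10.0.0.0/8")

@dataclass(frozen=True)
class Request:
    user: str
    identity_verified: bool   # assumed output of an authentication step
    device_trusted: bool      # assumed output of a device-inventory check
    source_ip: str
    resource: str

# Micro-perimeter rules: each resource lists exactly who may reach it.
RESOURCE_POLICY = {
    "hr-records": {"alice"},
    "build-server": {"alice", "bob"},
}

def perimeter_decision(req: Request) -> bool:
    """Traditional model: anything inside the network is trusted."""
    return ipaddress.ip_address(req.source_ip) in CORPORATE_NET

def zero_trust_decision(req: Request) -> tuple[bool, str]:
    """Default deny; network location is never an input to the decision."""
    allowed_users = RESOURCE_POLICY.get(req.resource)
    if allowed_users is None:
        return False, "no rule for resource"
    if not req.identity_verified:
        return False, "user not verified"
    if not req.device_trusted:
        return False, "device not trusted"
    if req.user not in allowed_users:
        return False, "user not authorized for this resource"
    return True, "allowed"

# Intruder already inside the network, on an unverified session and unknown host.
intruder = Request("bob", False, False, "10.1.2.3", "hr-records")
# Legitimate employee working remotely on a trusted laptop, no VPN.
remote = Request("alice", True, True, "203.0.113.7", "hr-records")
# Verified insider reaching for data outside his micro-perimeter.
lateral = Request("bob", True, True, "10.1.2.4", "hr-records")

if __name__ == "__main__":
    for name, r in [("intruder", intruder), ("remote", remote), ("lateral", lateral)]:
        print(name, perimeter_decision(r), zero_trust_decision(r))
```

The perimeter check admits the intruder and the lateral request while rejecting the remote employee; the zero-trust check reverses all three outcomes and records why each denial happened.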
The Software-Defined Perimeter
The software-defined perimeter is the new model of enterprise network security. This approach is fundamentally different in how it provides secure access to applications. With a software-defined perimeter (SDP), enterprises can move away from traditional perimeter-based network security solutions like VPNs.
SDPs provide zero-trust access using cloud-based technology, not appliances, to deliver consistent and granular security for all users, applications, devices, and locations.
Zero Trust is For Everyone
Zero Trust is the future of security. Any enterprise can adopt a zero-trust security approach within its organization. It is applicable to all organizations across all industries, from government to non-profits, retail businesses, healthcare, agriculture, manufacturing, etc. Every organization can improve IT security by implementing a zero-trust strategy.
A Cautionary Tale Of Lax Security
In the wake of the 2015 U.S. Office of Personnel Management (OPM) breach, the US House of Representatives Committee on Oversight and Government Reform issued a report containing a formal recommendation that federal agencies should adopt the Zero Trust Model of Cybersecurity.
Lax security and a reliance on legacy IT networks and infrastructure allowed foreign adversaries to steal highly personal details about those entrusted with America’s national security secrets and intelligence and their families.
The attackers stole personally identifiable information (PII) and security clearance background investigation information of 22.1 million current or former federal employees and contractors. This included the fingerprint data of 5.6 million of those individuals.
The breach was a major wake-up call to all in government on how critical it is to best secure federal IT and data.
“A breach of this significance in terms of both data and of public trust can never happen again. Agencies can and must do better.”
“Adopting a zero trust model is the first step in restoring confidence and security in federal information technology” ~ The Hon. Jason Chaffetz, Chairman of the Committee on Oversight and Government Reform
To avoid a repeat of a disastrous breach like the 2015 OPM data breach, it was recommended that federal agencies move quickly and radically to alter their approach to cybersecurity by adopting the zero trust model.
Organizations and businesses of all sizes, from enterprises to SMBs, can also learn from this and pivot to the zero trust model of cybersecurity.
Adopting a zero-trust model will improve your security posture
How can your organization improve its security posture?
- move toward a zero-trust security model
- treat cybersecurity as a business priority
- modernize IT assets
- practice basic cyber hygiene
- develop and maintain a culture of security, and
- retain and develop talent
If your organization is moving to a cloud-first strategy, adopting a zero-trust security model is the only way to protect your network and users from modern threats, attacks and the potential for extensive and disastrous exfiltration of sensitive data.
Need Help Transitioning To a Zero-Trust Security Architecture?
Contact the AGT Team to learn more about how we can help you.
As you look to embrace cloud and mobility at your enterprise, consider adopting the zero-trust security model to improve your application security and overall security posture.
For more information about developing your enterprise cloud-first strategy and adopting a zero-trust model of security, contact Ascension Global Technology today. We can help you implement a remote access security solution that will enable your partners and mobile workforce, without frustrating end users. Your users will enjoy improved remote access experience, and the complexity of the traditional network-centric world will cease to exist.
Ascension Global Technology is a dedicated Zscaler partner. We work with our enterprise clients to help with the successful adoption, implementation and project management of Zscaler cloud security solutions and Zscaler Private Access.
Resources and Further Reading
Zscaler, “Software-defined Perimeter Service”
Zscaler, Webcast on Demand, “Adopting A Zero-Trust Model. Google Did It, Can You?”
Federal News Radio Op-Ed, “Adopting a Zero-Trust Cyber Model in Government”
Committee on Oversight and Government Reform, U.S. House of Representatives, “The OPM Data Breach: How the Government Jeopardized Our National Security for More than a Generation”