"Never trust, always verify". That's the guiding principle behind the Zero Trust approach to cyber security. Gartner recently defined Zero Trust as “a concept for secure network connectivity where the initial security posture has no implicit trust between different entities, regardless of whether they are inside or outside of the enterprise perimeter.”
John Kindervag, the Forrester Research analyst who first coined the term, said the idea of Zero Trust occurred to him when he considered the concept of trust itself, and how malicious actors stand to benefit when companies trust parties they shouldn't.
On the internet, however, the default posture is implicit trust. The network was, after all, designed to connect things easily rather than to block connections: with an IP address and a route, any host can reach and communicate with any other. For online businesses, trusting the customer interacting with the website has been part of the trade-off of selling online. But that trust carries risk.
Inside and Out
The history of Zero Trust goes back to the early days of security. With the simple perimeter firewall, for example, a crude line was drawn between internal and external networked systems. Those on the inside were considered trusted, and could therefore communicate freely with each other. The assumption that all internal systems are trusted, however, meant that once a single internal system was compromised, the attack could spread laterally (east to west) across the whole network. Indeed, lateral movement of this kind is still what turns one compromised host into a damaging breach.
Conversely, systems on the outside were seen as untrusted. As such, the default position was to block unsolicited inbound connections. If external access to an organization's systems and services was required, the IT team could create a VPN – effectively punching a hole in the firewall. An alternative was to place the front end of the service in a DMZ, a segmented part of the network with direct internet connectivity, from where users could access it.
Both options were heavily reliant on trust, however, and that meant significant risk. Exposure in the DMZ meant that anyone on the internet could reach the service, while a VPN meant that anyone holding valid credentials, including an attacker who had stolen them, landed directly on the organization's internal network. Indeed, it was by using credentials stolen from an external HVAC company that attackers were able to access Target's internal network and steal the credit card details of around 40 million of its customers.
When it comes to network security, it's clear that too much trust isn't necessarily a good thing.
Trust Nothing, Trust No-One
The nature of the perimeter has changed since then, of course. Applications and data are held both on-premises and in the cloud, and internal users access them from a wide range of often unmanaged devices, frequently from outside the corporate network. Legacy perimeter security is no longer adequate, and neither is the security approach companies had been taking with their online customers.
Historically, customers transacting online with banks, for example, were considered untrusted – their devices were a potential path for malware targeting the site. As a result, financial institutions asked customers to download security software to protect their devices and, consequently, the bank. This was an ineffectual way of establishing trust, however, as adoption rates were notoriously low.
Zero Trust, by contrast, uses granular perimeter enforcement and micro-segmentation to decide, per request, whether a particular user, machine or application should be trusted. It draws on a range of technologies, such as multifactor authentication, IAM, orchestration, analytics, encryption, risk scoring, and file system permissions, to establish who a user is, what device they are on, where they are coming from, and what they are entitled to do.
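The contrast between the two models is easiest to see as a per-request access decision. The following is an added example, not code from Trusted Knight or from Protector Air: it puts a perimeter-style check (trust anything with an internal source address) beside a Zero Trust check (verify identity, MFA, device posture, risk score and least-privilege entitlement on every request, regardless of where it comes from). The network ranges, user names, resource names, entitlements and risk threshold are all hypothetical, and the two requests at the bottom are constructed for illustration.

```python
"""
Perimeter-model versus Zero Trust access decisions (added example).
All names, request fields, entitlements and thresholds are hypothetical.
"""
from dataclasses import dataclass
import ipaddress

# Address space the legacy perimeter treats as "inside" (hypothetical).
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]


@dataclass
class Request:
    user: str
    source_ip: str
    resource: str           # e.g. "payments-db"
    action: str             # e.g. "read"
    token_valid: bool       # signature and expiry already checked by the IdP
    mfa_verified: bool      # second factor completed for this session
    device_compliant: bool  # posture attested by the endpoint agent
    risk_score: int         # 0 (low) .. 100 (high), from analytics


def is_internal(ip: str) -> bool:
    """True when the source address falls inside the legacy perimeter."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def perimeter_decision(req: Request) -> bool:
    """Legacy model: whatever reaches the inside (LAN, VPN, DMZ hop) is trusted."""
    return is_internal(req.source_ip)


# Least-privilege entitlements: (user, resource, action) tuples that are allowed.
ENTITLEMENTS = {
    ("alice", "payments-db", "read"),
    ("alice", "payments-db", "write"),
    ("hvac-vendor", "building-portal", "read"),
}

MAX_RISK = 60  # hypothetical threshold above which requests are refused


def zero_trust_decision(req: Request) -> tuple[bool, str]:
    """Zero Trust model: every request is verified; source address carries no weight.

    Returns (allowed, reason) so the decision can be logged and audited.
    """
    if not req.token_valid:
        return False, "identity not verified"
    if not req.mfa_verified:
        return False, "MFA required"
    if not req.device_compliant:
        return False, "device posture failed"
    if req.risk_score > MAX_RISK:
        return False, f"risk score {req.risk_score} above threshold {MAX_RISK}"
    if (req.user, req.resource, req.action) not in ENTITLEMENTS:
        return False, "not entitled to this action on this resource"
    return True, "allowed"


# Constructed requests. The first mimics stolen vendor credentials used over
# a VPN (internal address, no MFA, unknown device, elevated risk). The second
# is a legitimate user on a public address whose identity and device check out.
STOLEN_VENDOR_CREDS = Request(
    user="hvac-vendor", source_ip="10.20.30.40",
    resource="payments-db", action="read",
    token_valid=True, mfa_verified=False, device_compliant=False, risk_score=80,
)
ALICE_FROM_CAFE = Request(
    user="alice", source_ip="203.0.113.7",
    resource="payments-db", action="read",
    token_valid=True, mfa_verified=True, device_compliant=True, risk_score=10,
)


def compare(req: Request) -> dict:
    """Evaluate one request under both models."""
    allowed, reason = zero_trust_decision(req)
    return {"perimeter": perimeter_decision(req),
            "zero_trust": allowed, "reason": reason}


if __name__ == "__main__":
    for label, req in (("stolen vendor creds over VPN", STOLEN_VENDOR_CREDS),
                       ("alice from a cafe", ALICE_FROM_CAFE)):
        print(label, "->", compare(req))
```

The perimeter model lets the stolen-credential request through purely because it arrives from an internal address, and blocks the legitimate user because she is outside; the Zero Trust model inverts both outcomes, refusing the first at the MFA step and admitting the second only after every check and the entitlement lookup pass. In a real deployment each of these inputs would come from a different system (IdP token validation, MFA service, endpoint agent, analytics), and the decision would be enforced as close to the resource as possible rather than at a single network edge.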
On customer endpoint security, Trusted Knight takes the Zero Trust premise to an even greater extreme. It is assumed that no customer device can be trusted, and that customers cannot be trusted to protect themselves. Instead, Protector Air protects their transactions on the website itself – be it a bank or an e-commerce site – without the customer even knowing.
In the words of Dr. Chase Cunningham, Kindervag's successor at Forrester, “Zero Trust … means trust nothing, don't trust password management, don't trust credentials, don't trust users, and don't trust the network.”
As enterprise networks become increasingly complex, Trusted Knight's Protector Air has zero trust that endpoints are safe.