Zero Trust was first introduced going into the 2010s with the rise of cloud infrastructure and remote work. In 2022, it is a commonly used industry term – but it can be confusing due to misconceptions and productization. The Zero Trust conversation may still be foreign to many businesses that are seeking simplicity and cost-effective solutions to drive their decisions.
What is Zero Trust and Why is it needed?
The fundamental premise of Zero Trust is that security is transaction-based and continually evaluated. Security cannot be implied by the physical location of a resource (e.g. a computer is inside a network boundary, so it is implicitly trusted), nor is security a static, check-once, grant-indefinitely process. This change in approach to security is necessitated by the proliferation of cloud-based resources outside of a network boundary, remote and work-from-anywhere users, IoT, OT and BYOD endpoints, and the assumption that known/controlled resources within an organization may be compromised.
The NIST Publication 800-207 outlines the seven tenets of a ZT Architecture and goes on to say, “Transitioning to a ZTA is a journey that organizations should seek to incrementally build upon by leveraging elements of a ZTA they already have in their environment today.” They go on to state, “most enterprise infrastructures will operate in a hybrid Zero Trust/Legacy mode during this time while continuing to invest in ongoing IT modernization initiatives and improving organization business processes.” The following represents a “summary” of these tenets:
- All data and IT services are considered resources.
- A cyber assessment of all connected assets is done and continuously monitored.
- Authentication and authorization are dynamic and strictly enforced prior to granting access.
- Access to individual enterprise resources is granted on a per-session basis.
- Access to resources is determined by dynamic policy – including the observable state of client identity, application/service, and requesting asset – and may include other behavioral and environmental attributes.
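The tenets above can be read as a per-transaction policy decision. The following sketch is an added example, not code from NIST or from any product: the policy table, field names and sample requests are constructed assumptions. It shows a default-deny decision that uses identity, role, authentication age and device state, and records network location without ever using it to grant access.

```python
from dataclasses import dataclass, replace

# Hypothetical policy table (constructed for illustration): per-resource rules.
POLICY = {
    "payroll-db": {"roles": {"finance"}, "compliant_device": True, "max_auth_age_s": 900},
    "wiki": {"roles": {"finance", "engineering"}, "compliant_device": False, "max_auth_age_s": 3600},
}

@dataclass(frozen=True)
class Request:
    user: str
    roles: frozenset
    authenticated: bool      # identity verified (e.g. MFA) for this session
    device_compliant: bool   # observed state of the requesting asset
    source_network: str      # logged only; never an input to the decision
    resource: str
    auth_age_s: int          # seconds since the last authentication

def decide(req):
    """Evaluate one access transaction; returns (allow, reason). Default is deny."""
    rule = POLICY.get(req.resource)
    if rule is None:
        return False, "unknown resource"
    if not req.authenticated:
        return False, "not authenticated"
    if req.auth_age_s > rule["max_auth_age_s"]:
        return False, "authentication too old"
    if not req.roles & rule["roles"]:
        return False, "role not authorized"
    if rule["compliant_device"] and not req.device_compliant:
        return False, "device non-compliant"
    return True, "allowed for this session"

def demo():
    # Constructed sample requests, all derived from one remote finance user.
    remote = Request("alice", frozenset({"finance"}), True, True, "external", "payroll-db", 60)
    return [
        decide(remote),                                   # off-network, but verified
        decide(replace(remote, source_network="internal", device_compliant=False)),
        decide(replace(remote, auth_age_s=1800)),         # same user, stale authentication
        decide(replace(remote, roles=frozenset({"engineering"}))),
    ]

if __name__ == "__main__":
    for allow, reason in demo():
        print("ALLOW" if allow else "DENY ", reason)
```

The second request is denied even though it comes from the internal network, and the third is denied for a user who was allowed earlier, which is the difference between continual evaluation and a one-time perimeter check.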
Four Common Misconceptions about Zero Trust
- Zero Trust is a product
It is not. It is an information security model that gradually eliminates implicit trust from a network. Zero Trust is a security approach or framework. It is built on a set of principles and practices that are implemented in steps. While products or solutions may help you to implement or support Zero Trust, there is no immediate path to be fully Zero Trust compliant.
- Zero Trust solutions are expensive
They are not expensive because they reduce capital and operational expenses.
- Zero Trust means that users aren’t trusted
The name Zero Trust carries the common misconception that users have no trust within an organization or that an organization views them as untrustworthy – this generates pushback for new program rollouts. Zero Trust only means no trust before secure authentication. Instead of the old model of trust within a perimeter, Zero Trust requires authentication at every access transaction.
- Zero Trust is too complex
Zero Trust can take time to implement, which is often equated with being highly complex. However, Zero Trust is a straightforward concept. At its core, it enforces the principle of least privilege – that each employee has access to what they need to do their job – which is supported by strong monitoring and mitigation.
Zero Trust means “trust nothing and verify everything”. It is a journey that gradually reduces the attack surface with the goal of eliminating it altogether. Learn more about how Three Wire provides a policy engine, administration, and enforcement capability that can be leveraged as an organization builds out its Zero Trust solution.