The numerous data breaches that have occurred over the years clearly indicate that cybersecurity is still prone to failure. Every new security measure that system defenders come up with is eventually thwarted by hackers.
The number of affected users is staggering. A minimum of 500 million Yahoo users were affected by the 2014 security breach that hit the company. The last US presidential election was rife with reports of hackers stealing sensitive emails. Meanwhile, the US Navy, the Internal Revenue Service, and the Justice Department were also targeted by hackers.
While there have been large-scale attacks on government agencies and the technology sector, hackers have also targeted businesses. As a matter of fact, 15% of international businesses have estimated that their sensitive data was potentially breached or compromised over a one-year period.
The Operation Aurora attack in 2009 saw companies increasing perimeter security using firewalls and VPNs. By that time, Google had already developed a new security architecture: Zero Trust. As the name implies, trust is removed from the system so everyone, whether outside or inside the firewall, is considered a suspect. Everything attempting to connect to a company’s systems must be verified before being given access.
Understanding Zero Trust
The Zero Trust Architecture model was developed by John Kindervag in 2010. The concept revolves around the idea that institutions should not blindly trust anything or anyone outside or inside their perimeters.
Previous security paradigms worked on the idea of “trust but verify.” Organizations concentrated on protecting the perimeter under the assumption that everything inside had already been cleared for access and therefore didn’t pose a threat. This method is clearly dangerous now that more corporate data centers are being housed in the cloud, with users (e.g., customers, employees) accessing them through applications on devices in multiple locations.
With Zero Trust, the idea is basically “trust no one.” According to Charlie Gero, Akamai Technologies’ CTO of Enterprise and Advanced Projects Group, Zero Trust doesn’t allow access to machines, IP addresses, etc. until it knows who the user is and whether or not they’re authorized.
Benefits of a Zero Trust Security Network
The zero-trust model meets the security demands that companies face today. The rise of cloud technology, the ubiquity of mobile devices, and the use of third-party sources have opened a lot of loopholes in security systems.
One major benefit of the zero trust architecture is that it enables the system to take into account the changing nature of users and their devices. It does so by redefining the user’s corporate identity, along with their device, at a given point in time. This provides the system with the context required to make trust decisions at the moment access is requested.
It also diminishes the importance of static credentials, which are often used in attacks. Since each access request is individually authenticated and authorized, every credential required to start a secure session is given a limited scope depending on the user and device linked to a particular resource.
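The per-request decision and scoped credential described above can be sketched as follows. This is an added example, not code from the original article: the policy tables, key, lifetime and function names are constructed assumptions, and an HMAC-signed token is just one way to bind a credential to a user, device and resource.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-key"  # constructed; a real deployment uses a managed key
TTL_SECONDS = 300                 # assumed short credential lifetime

# Constructed policy data: who may reach what, and current device health.
ENTITLEMENTS = {("alice", "payroll-db"), ("bob", "wiki")}
DEVICE_POSTURE = {"laptop-17": {"managed": True, "patched": True},
                  "tablet-03": {"managed": True, "patched": False}}

def _sign(payload: bytes) -> str:
    return hmac.new(SECRET, payload, hashlib.sha256).hexdigest()

def request_access(user, device, resource, now=None):
    """Evaluate one request; return a scoped token, or None if trust is not established."""
    now = time.time() if now is None else now
    posture = DEVICE_POSTURE.get(device)
    if (user, resource) not in ENTITLEMENTS:
        return None  # identity is not entitled to this resource
    if not posture or not all(posture.values()):
        return None  # unknown or unhealthy device: no network location overrides this
    claims = {"user": user, "device": device, "resource": resource,
              "exp": now + TTL_SECONDS}
    payload = json.dumps(claims, sort_keys=True).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)

def verify(token, user, device, resource, now=None):
    """Accept the token only for the exact user, device and resource it was issued for."""
    now = time.time() if now is None else now
    try:
        body, sig = token.rsplit(".", 1)
        payload = base64.urlsafe_b64decode(body.encode())
        if not hmac.compare_digest(sig, _sign(payload)):
            return False  # tampered or forged
        claims = json.loads(payload)
    except (ValueError, TypeError, AttributeError):
        return False      # malformed token
    bound = (claims.get("user"), claims.get("device"), claims.get("resource"))
    return bound == (user, device, resource) and now < claims.get("exp", 0)
```

A token stolen from one session is useless from another device, against another resource, or after it expires, which is what limits the value of a captured credential.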
Challenges of Zero Trust
As with any security system, organizations that use zero-trust will face challenges. One major challenge is the fact that this is not an install-and-forget setup. Organizations that implement a zero-trust system have to comprehend access rights starting from the lowest level of the technology right up to the topmost level.
It’s often impractical for any corporation to have a complete, exact and detailed picture of all the resources used at each level through the whole enterprise architecture on an ongoing basis. Companies that do take on this daunting task will see their efforts rewarded.
Cost and employee productivity can also be an issue with a zero-trust network since there’s some tradeoff between productivity and security. For instance, an employee might be unable to start working while the system is verifying their credentials.
Fully employing a zero-trust system also demands the acquisition of expensive tools and a large amount of administrative manpower to get everything working smoothly. Luckily, sectors like IT support and employee productivity will see reduced spending once the system is running.
There are still a lot of questions and doubts about the zero-trust security system. Some sectors believe doing away with trust is virtually impossible. There’s also the issue of cost and implementation. But there’s also no denying that the principle of the system is a good and achievable goal.