No trust within the network?

Strict identity verification and continuous authorisation are required for all users and devices at all times, because the security perimeter now extends far beyond the office and trust has to be earned on every request rather than assumed.
By Paul Stuttard, Director, Duxbury Networking.
Johannesburg, 10 May 2024

The Zero Trust security model, also called a Zero Trust architecture and often delivered through Zero Trust network access (ZTNA) products, starts from the assumption that no user, device or network location is trusted by default, not even inside the corporate network. Strict identity verification and continuous authorisation are therefore required for every user and every device, on every request.

In essence, Zero Trust gathers a set of long-established security principles, explicit authentication, least privilege, segmentation and continuous monitoring among them, and applies them consistently across the whole technology stack to address the risks organisations increasingly face today.

One of the key drivers of this paradigm is the broadening security perimeter of organisations, which is no longer limited to the confines of the workplace: remote users, cloud services and personal devices all sit outside it. Other influences include the rising frequency of targeted, damaging cyber attacks and stricter data protection and information security legislation.

In this light, there is an urgent need to implement Zero Trust strategies as they apply to modern IT systems. By adopting a Zero Trust mindset, organisations can better safeguard their assets, mitigate security risks, enhance overall resilience against evolving cyber threats and protect sensitive data.

The Gartner advisory firm defines the Zero Trust concept as a security paradigm that explicitly identifies users and devices, and grants them “just the right amount of access” so the business can operate with minimal friction while risks are reduced.


“Many organisations establish their infrastructure with implicit rather than explicit trust models to ease access and operations for workers and workloads,” says John Watts, VP analyst at Gartner.

“Attackers abuse this implicit trust in infrastructure to establish malware and then move laterally to achieve their objectives. Zero Trust is a shift in thinking to address these threats by requiring continuously assessed, explicitly calculated and adaptive trust between users, devices and resources,” he stresses.

Significantly, Gartner predicts that the worldwide ZTNA market, worth $575.7 million in 2021, will grow to $3.99 billion in 2027, a 31.6% compound annual growth rate over the period.

The term “Zero Trust” was coined by Stephen Paul Marsh in 1994 in his doctoral thesis on computer security at the University of Stirling. Marsh's work studied trust as something finite that can be described mathematically, asserting that trust transcends human factors such as morality, ethics, lawfulness, justice and judgement.

In 2019, the UK’s National Cyber Security Centre recommended that network architects consider a Zero Trust approach for all new IT deployments, particularly when significant use of cloud services was planned.

Importantly, according to a study undertaken by the US-based MIT Lincoln Laboratory, there isn't a one-size-fits-all approach to Zero Trust. “It's why we think that having test-bed and pilot efforts are going to be very important to balance out Zero Trust security with the mission needs of [corporate] systems,” says Jeffrey Gottschalk, assistant head of Lincoln Laboratory's Cyber Security and Information Sciences division.

As can be expected, there are several key issues and considerations relating to the Zero Trust security model. One of the most crucial is identity verification. Identity is, effectively, the new perimeter in Zero Trust security.

Organisations need to verify the identity of users and devices attempting to access critical corporate resources through robust authentication mechanisms. For users this usually means multi-factor authentication, biometric authentication and strong password policies.

For devices it means certificate-based device identity and continuous health (posture) checks, so that only authorised and trusted entities reach corporate resources, and a device that falls out of compliance loses access rather than keeping it until the next login.

A second key issue is micro-segmentation at a granular level to limit the lateral movement of threats. By dividing the network into smaller, isolated segments and enforcing explicit allow rules between them, with everything else denied, organisations can contain a breach to the segment where it started and minimise the impact of unauthorised access.

With this in mind, continuous monitoring and risk assessment are vital. Zero Trust security is not a one-time implementation but a continuous process. Organisations need to continuously analyse network traffic and access decisions for anomalies and conduct regular risk assessments to identify gaps in coverage and, where necessary, adapt their security policies accordingly.

A Zero Trust security paradigm emphasises the principle of least privilege. By granting each user and workload only the access its job role actually requires, the damage a compromised account or device can do is bounded to what that role could do anyway.
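The four controls discussed above (identity verification with fresh MFA, device identity and posture, micro-segmentation and least privilege) only work together if every request is evaluated against all of them with a default of deny. The following Python sketch is an added example, not code from the article or from any vendor's product; the users, roles, segments, posture fields and time limits are constructed for illustration.

```python
"""Minimal Zero Trust policy decision point (PDP).

Added illustration: a request is denied unless the caller's identity, the
device it comes from, the network segment it crosses and the privilege it
asks for are all explicitly verified. All names, roles, segments, posture
attributes and thresholds below are constructed, not taken from a real system.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Identity:
    user: str
    roles: FrozenSet[str]
    mfa_verified_at: Optional[datetime]  # None: no MFA on this session


@dataclass(frozen=True)
class Device:
    device_id: str
    cert_valid: bool          # device certificate chains to the corporate CA
    disk_encrypted: bool
    patched: bool
    last_posture_check: datetime  # when the endpoint agent last reported


@dataclass(frozen=True)
class Request:
    identity: Identity
    device: Device
    src_segment: str
    resource: str
    action: str
    now: datetime


# Least privilege: a role grants only the (resource, action) pairs listed here.
ROLE_PERMISSIONS: Dict[str, Set[Tuple[str, str]]] = {
    "finance": {("ledger-db", "read"), ("ledger-db", "write")},
    "engineer": {("git", "read"), ("git", "write"), ("ci", "read")},
    "auditor": {("ledger-db", "read"), ("git", "read")},
}

# Micro-segmentation: each resource lives in a segment, and only the listed
# source segments may reach that segment. Unlisted sources are denied.
RESOURCE_SEGMENT: Dict[str, str] = {"ledger-db": "finance-seg", "git": "eng-seg", "ci": "eng-seg"}
SEGMENT_POLICY: Dict[str, Set[str]] = {
    "finance-seg": {"corp-vpn", "finance-seg"},
    "eng-seg": {"corp-vpn", "eng-seg"},
}

MFA_MAX_AGE = timedelta(hours=8)        # re-prompt for MFA after this
POSTURE_MAX_AGE = timedelta(minutes=15)  # posture older than this is not trusted


def evaluate(req: Request) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons). Every check is explicit; the default is deny."""
    reasons: List[str] = []
    ident, dev = req.identity, req.device

    # 1. Identity verification: strong authentication must be present and recent.
    if ident.mfa_verified_at is None or req.now - ident.mfa_verified_at > MFA_MAX_AGE:
        reasons.append("mfa-missing-or-stale")

    # 2. Device identity and health: certificate plus continuously refreshed posture.
    if not dev.cert_valid:
        reasons.append("device-cert-invalid")
    if not (dev.disk_encrypted and dev.patched):
        reasons.append("device-posture-failed")
    if req.now - dev.last_posture_check > POSTURE_MAX_AGE:
        reasons.append("device-posture-stale")

    # 3. Micro-segmentation: the source segment must be allowed to reach the target segment.
    target_seg = RESOURCE_SEGMENT.get(req.resource)
    if target_seg is None or req.src_segment not in SEGMENT_POLICY.get(target_seg, set()):
        reasons.append("segment-blocked")

    # 4. Least privilege: some held role must grant exactly this action on this resource.
    if not any((req.resource, req.action) in ROLE_PERMISSIONS.get(r, set()) for r in ident.roles):
        reasons.append("no-role-grants-action")

    return (not reasons, reasons)


NOW = datetime(2024, 5, 10, 9, 0, tzinfo=timezone.utc)  # fixed clock for the demo


def sample_decisions() -> Dict[str, Tuple[bool, List[str]]]:
    """Constructed scenarios showing which check blocks each kind of bad request."""
    healthy = Device("lap-001", True, True, True, NOW - timedelta(minutes=5))
    stale = Device("lap-001", True, True, True, NOW - timedelta(hours=2))
    rogue = Device("byod-77", False, False, True, NOW - timedelta(minutes=1))
    alice = Identity("alice", frozenset({"finance"}), NOW - timedelta(hours=1))
    alice_no_mfa = Identity("alice", frozenset({"finance"}), None)
    bob = Identity("bob", frozenset({"engineer"}), NOW - timedelta(hours=1))
    return {
        "finance-read-ok": evaluate(Request(alice, healthy, "corp-vpn", "ledger-db", "read", NOW)),
        "no-mfa": evaluate(Request(alice_no_mfa, healthy, "corp-vpn", "ledger-db", "read", NOW)),
        "rogue-device": evaluate(Request(alice, rogue, "corp-vpn", "ledger-db", "read", NOW)),
        "lateral-move": evaluate(Request(bob, healthy, "eng-seg", "ledger-db", "read", NOW)),
        "privilege-creep": evaluate(Request(alice, healthy, "corp-vpn", "ledger-db", "drop", NOW)),
        "posture-stale": evaluate(Request(alice, stale, "corp-vpn", "ledger-db", "read", NOW)),
    }


if __name__ == "__main__":
    for name, (allowed, why) in sample_decisions().items():
        print(f"{name:16} {'ALLOW' if allowed else 'DENY '} {why}")
```

Two points are worth noticing. The "lateral-move" case fails on two independent checks: the engineering segment has no route to the finance segment, and the engineer role has no grant on the ledger database, so removing either control still leaves the request denied. The "posture-stale" case is the same user and the same device that was allowed a moment earlier; only the age of the posture report changed, which is what "continuous" authorisation means in practice. The reasons list is what you would ship to the SIEM, since a burst of "segment-blocked" decisions from one device is a far better lateral-movement signal than raw flow logs.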

Data encryption plays a crucial role in Zero Trust security. Encrypting data in transit and at rest means that an attacker who has gained a foothold on the network can intercept or copy traffic and files but cannot read them without the keys, which in turn makes key management part of the access-control problem rather than an afterthought.

Implementing Zero Trust security requires integration and orchestration of various security technologies and solutions, for example identity and access management, network security appliances, endpoint security tools and security information and event management (SIEM) systems. Seamless integration ensures consistent policy enforcement and effective threat detection and response: the access decision has to draw on identity, device and network signals, and the decision itself has to be logged where it can be monitored.

Finally, the Zero Trust philosophy is not only focused on technology; it also involves educating users about security best practices and the importance of adhering to corporate security policies.

By employing specialists to provide ongoing training and raise awareness about potential security threats, organisations can empower users to become active participants in maintaining a secure environment.