You’ve probably heard the term Zero Trust being thrown around in the last couple of years. Maybe you don’t fully know what it means, or maybe you don’t know at all. You’ve got to know this to stay on top of IT security.
Zero Trust is a security framework which requires all users, whether inside or outside an organization’s network, to be authenticated, authorized, and continuously validated before being granted or keeping access to resources such as devices, applications, and data. Traditional security architecture needed only to protect on-premises resources. It therefore logically followed that securing the network was of prime importance and was the only thing necessary in preventing resource theft or sabotage. But now, with resources being moved to the cloud, this no longer applies. Resources need to be protected in and of themselves, not just as part of a network.
You can no longer count on employees accessing proprietary applications from behind corporate firewalls and on devices issued by your organization, or on an environment where consumers access your website from a single place. The advent of BYOD (bring your own device), remote working (made an everyday occurrence by the COVID-19 pandemic), and the shift of resources from on-premises to the cloud are all rendering traditional network security obsolete.
A more realistic line of thinking has evolved that assumes attackers are present and active on the network, regardless of whether it is on-site or in the cloud. This helps focus attention on authentication of identities, authorization of access rights, and continual evaluation of posture, all of which will help an organization make better decisions about granting and monitoring access to data, resources, or services.
Identity is the one constant that remains when you take networks out of the equation.
The digital enterprise continues to give employees, partners and customers unprecedented access to applications and data outside the firewall. In every case, it is a person who uses a device to gain access, through a network or over the internet, to a corporate resource.
All the security controls in the world won’t do you any good if you don’t know who your user is. If you can authenticate a user’s identity and provide access only to the resources he or she is authorized for, you can reliably secure corporate resources. It is imperative that you move to dynamic and continuous authentication so that you can be sure the user is exactly who you think they are, always.
To do this we need a secure authentication methodology, such as multi-factor or adaptive authentication. We also need granular access provisioning and access rights policy enforcement. The first one increases the security of authentication, and the second ensures that people who are authenticated only have access to what they need and nothing more (principle of least privilege).
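As an added illustration (not code from the original article), the sketch below makes a per-request access decision that combines the two controls just described: adaptive authentication with an MFA step-up, and least-privilege entitlements. The roles, resources, thresholds and field names are all constructed assumptions; network location is recorded but deliberately never consulted.

```python
from dataclasses import dataclass

# Constructed sample entitlements: role -> allowed (resource, action) pairs.
ENTITLEMENTS = {
    "payroll-clerk": {("payroll-db", "read")},
    "payroll-admin": {("payroll-db", "read"), ("payroll-db", "write")},
}
SESSION_MAX_AGE = 900   # assumed: seconds before re-authentication is required
STEP_UP_RISK = 2        # assumed: risk score at which MFA is demanded

@dataclass
class Request:
    role: str
    resource: str
    action: str
    auth_age: int            # seconds since the last successful authentication
    mfa_done: bool
    known_device: bool
    usual_location: bool
    on_corp_network: bool    # carried in the request, never used in the decision

def risk_score(req):
    """Adaptive authentication: score context signals, not network position."""
    score = 0
    if not req.known_device:
        score += 2
    if not req.usual_location:
        score += 1
    if req.action != "read":
        score += 1
    return score

def decide(req):
    """Return 'allow', 'step_up' (require MFA), 'reauth' or 'deny' for one request."""
    # Least privilege: anything not explicitly granted to the role is denied.
    if (req.resource, req.action) not in ENTITLEMENTS.get(req.role, set()):
        return "deny"
    # Continuous validation: a stale session must authenticate again.
    if req.auth_age > SESSION_MAX_AGE:
        return "reauth"
    # Higher-risk context requires a second factor before access is granted.
    if risk_score(req) >= STEP_UP_RISK and not req.mfa_done:
        return "step_up"
    return "allow"
```

Because `decide` is evaluated on every request rather than once at login, a session that ages out or moves to an unknown device loses access without any change at the network layer.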
People are accessing corporate resources from home, from abroad, and from cafes, and from multiple personal devices. They are not always inside the corporate network, and so a traditional firewall is not safe enough. Apps and resources must also be accessed through the public gateway, as they have largely moved to the cloud. To improve security, a Zero Trust architecture is required. This has become a necessity for business IT security today because identity, not the network, is the new perimeter.