
Zero Trust, BeyondCorp, and More

A new way to think about security

In 2010, Forrester branded the concept of a Zero Trust network. In 2014, Google implemented it as the BeyondCorp security approach. In 2017, Gartner framed it as continuous adaptive risk and trust assessment (CARTA). These names have all become industry buzzwords, and have inflated expectations.

There is no single technology you can buy and implement that will deliver zero trust network and application access. These are philosophies that address today’s IT realities. While the zero trust security mindset and models are simple enough to explain--as we do below--it can be more difficult to decide where, when, and how to begin.

The original tenets of a Zero Trust network

Make security pervasive throughout the network, not just at the perimeter. Attackers or malicious insiders will penetrate threat-centric defenses.

Eliminate network trust

Assume that all traffic, regardless of location, is threat traffic until it is verified, which means authorized, inspected, and secured.

Segment network access

Adopt a least privilege strategy and strictly enforce controls so users have access only to the resources needed to perform their jobs.

Gain visibility and analytics

Continuously inspect and log all traffic internally as well as externally to monitor for malicious activity with real-time protection capabilities.

Zero Trust eXtended (ZTX)

ZTX adapts the model to today’s digital business needs. While network segmentation and visibility remain critical, people also access workloads and data beyond the network.

Zero trust workforces

Authenticate users and continuously monitor and govern their access and privileges. Secure users as they interact with the Internet.

Zero trust workloads

Enforce controls across the entire application stack, especially connections between containers or hypervisors in the public cloud.

Zero trust data

Secure and manage data, categorize and develop data classification schemas, and encrypt data--both at rest and in transit.

Continuous adaptive risk and trust assessment (CARTA)

Security posture must constantly adapt

Security has always balanced protecting access (letting the good guys in) against preventing attack (keeping the bad guys out). But that balance has been static, based on predefined rules (identity and access management, firewalls, antivirus, intrusion prevention systems).

Digital risk and trust vary over time

Digital trust is a dynamic measure of confidence in an identity. There is no single numeric value that determines trust; it depends on the context. Digital risk is the counterpart: the trust an entity has earned directly influences what it may access.

Score and rate all entities

Observe the behavior of all users, devices, and applications in your complex digital ecosystem. It becomes practical to do this when you have enough intel, and the automation to adapt posture based on acceptable levels of digital risk and trust.

Shift away from one-time binary decisions

While initial assessments of risk and trust are still critical, bad guys routinely bypass the one-time gating of today's attack and access protection services. Shift from "good" versus "bad" macro decisions toward a context-based set of smaller decisions. Give just enough trust to entities like users--even once they've been authenticated--to complete the action being requested.

Extend the approach regardless of location

In digital business, our data can be anywhere. Extend the approach to how data is used and accessed and how sensitive data is kept protected. The end goal is better--more accurate, faster, and adaptive--security decisions that allow users to get their jobs done in a risk-appropriate manner.

New Zero Trust report from Gartner: Download the latest Gartner report: "Zero Trust Is an Initial Step on the Roadmap to CARTA".

The BeyondCorp implementation of Zero Trust architecture

Step 1: Securely identify the device

Build a meta-inventory database of “managed device” identities using device certificates, which are issued upon a qualification process with periodic reviews.

Step 2: Securely identify the user

Generate short-lived authorization tokens using a centralized, single sign-on portal with multifactor authentication that validates identity against a user and group database.

Step 3: Remove trust from the network

RADIUS servers dynamically assign "managed devices" to an unprivileged network and "unmanaged devices" to a guest network via 802.1X authentication, which checks for the device certificates from Step 1.

Step 4: Externalize apps and workflow

An Internet-facing reverse access proxy enforces encryption between the client and the application for all web-based apps, which are published through it via CNAME (public DNS) records.

Step 5: Implement inventory-based access control

For each application access request, enforce service-level authorization by first querying multiple data sources to dynamically infer the trustworthiness of the device and the user.
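As an added example (not Cisco's, Google's, or this page's own code), the Python sketch below shows how Step 5's per-request, inventory-based authorization can combine the device identity from Step 1 and the short-lived user token from Step 2 into one decision; it is also the kind of context-based, per-request trust decision the CARTA section above calls for instead of a one-time gate. The inventory records, application policy, trust tiers, and 90-day review window are constructed assumptions.

```python
import time
from dataclasses import dataclass

# Constructed meta-inventory of managed devices keyed by certificate
# fingerprint (Step 1); the records are placeholders, not real data.
DEVICE_INVENTORY = {
    "sha256:a1b2": {"owner": "alice", "patched": True, "encrypted_disk": True,
                    "last_review": 1_700_000_000},
    "sha256:c3d4": {"owner": "alice", "patched": True, "encrypted_disk": False,
                    "last_review": 1_700_000_000},
    "sha256:e5f6": {"owner": "bob", "patched": True, "encrypted_disk": True,
                    "last_review": 1_600_000_000},  # review is stale
}
# Assumed per-application policy: minimum device tier and permitted groups.
APP_POLICY = {
    "payroll": {"min_tier": 3, "groups": {"finance"}},
    "wiki": {"min_tier": 1, "groups": {"employees"}},
}
REVIEW_WINDOW = 90 * 24 * 3600  # assumed: a review older than 90 days voids trust

@dataclass
class Token:  # short-lived SSO authorization token (Step 2)
    user: str
    groups: set
    expires: float

def device_tier(rec, now):
    """Infer a trust tier 0..3 from one inventory record; stale review gives 0."""
    if now - rec["last_review"] > REVIEW_WINDOW:
        return 0
    return 1 + int(rec["patched"]) + int(rec["encrypted_disk"])

def authorize(app, token, fingerprint, now=None):
    """Decide a single request (Step 5); nothing is cached between calls."""
    now = time.time() if now is None else now
    policy = APP_POLICY.get(app)
    if policy is None:
        return False, "unknown application"
    if token.expires <= now:
        return False, "expired token"
    rec = DEVICE_INVENTORY.get(fingerprint)
    if rec is None or rec["owner"] != token.user:
        return False, "device unknown or not assigned to this user"
    tier = device_tier(rec, now)
    if tier < policy["min_tier"]:
        return False, f"device tier {tier} below required {policy['min_tier']}"
    if not policy["groups"] & token.groups:
        return False, "user not in an authorized group"
    return True, f"allowed at device tier {tier}"
```

Because the decision is recomputed on every request, a device whose inventory review lapses or a token that expires loses access without any session having to be revoked.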

Start your zero-trust journey

Zero trust is a comprehensive approach to securing access across your networks, applications, and environment. It helps secure access from users, end-user devices, APIs, IoT devices, microservices, containers, and more. Cisco recommends protecting your workforce, workloads, and workplace with a zero-trust approach.