In 2010, Forrester branded the concept of a Zero Trust network. In 2014, Google implemented it as the BeyondCorp security approach. In 2017, Gartner framed it as continuous adaptive risk and trust assessment (CARTA). These names have all become industry buzzwords, and have inflated expectations.
There is no single technology you can buy and implement that will deliver zero trust network and application access. These are philosophies that address today’s IT realities. While the zero trust security mindset and models are simple enough to explain--as we do below--it can be more difficult to decide where, when, and how to begin.
Make security pervasive throughout the network, not just at the perimeter. Attackers or malicious insiders will penetrate threat-centric defenses.
Assume that all traffic, regardless of location, is threat traffic until it is verified, which means authorized, inspected, and secured.
Adopt a least privilege strategy and strictly enforce controls so users have access only to the resources needed to perform their jobs.
Continuously inspect and log all traffic internally as well as externally to monitor for malicious activity with real-time protection capabilities.
ZTX (Forrester's Zero Trust eXtended model) adapts the original model to today's digital business needs. Network segmentation and visibility remain critical, but people also access workloads and data beyond the network, so the controls extend to users, devices, workloads, and data.
Authenticate users and continuously monitor and govern their access and privileges. Secure users as they interact with the Internet.
Enforce controls across the entire application stack, especially connections between containers or hypervisors in the public cloud.
Secure and manage data: develop data classification schemas, categorize data against them, and encrypt data both at rest and in transit.
Security has always balanced enabling access (letting the good guys in) against blocking attacks (keeping the bad guys out). But that balance has been static, based on predefined rules (identity and access management, firewalls, antivirus, intrusion prevention systems).
Digital trust is a dynamic measure of confidence in an identity. There is no single numeric value that determines trust; it depends on the context. Digital risk is the flip side: the trust level directly governs what an entity may access.
Observe the behavior of all users, devices, and applications in your complex digital ecosystem. This becomes practical when you have enough intelligence about them, and the automation to adapt your security posture to acceptable levels of digital risk and trust.
While initial assessments of risk and trust are still critical, bad guys routinely bypass the one-time gating of today's attack and access protection services. Shift from "good" versus "bad" macro decisions toward a context-based set of smaller decisions. Give entities such as users just enough trust, even once they have been authenticated, to complete the action being requested.
In digital business, our data can be anywhere. Extend the approach to how data is used and accessed and how sensitive data is kept protected. The end goal is better--more accurate, faster, and adaptive--security decisions that allow users to get their jobs done in a risk-appropriate manner.
Step 1. Build a meta-inventory database of "managed device" identities using device certificates, which are issued after a qualification process and subject to periodic review.
Step 2. Generate short-lived authorization tokens from a centralized single sign-on portal with multifactor authentication that validates identity against a user and group database.
Step 3. RADIUS servers dynamically assign "managed devices" to an unprivileged network, or "unmanaged devices" to a guest network, via 802.1X authentication, which checks for the device certificates from Step 1.
Step 4. An Internet-facing reverse access proxy, to which all web-based apps are routed via CNAME records in public DNS, enforces encryption between the client and the application.
Step 5. For each application access request, enforce service-level authorization: first interrogate multiple data sources to dynamically infer the trust level of the device and user, then grant or deny the request against that level.
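As an added illustration of Step 5 (example code, not Google's BeyondCorp implementation or anything from Cisco), a small Python policy engine for the access proxy's per-request decision: it combines a short-lived SSO token (Step 2) with the managed-device inventory (Step 1) to infer a trust tier, then checks that tier and the user's group against the application's policy. The inventory entries, app policies, tier rules and review period are constructed assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical data model for the access proxy's per-request decision.
@dataclass
class Token:            # short-lived SSO token (Step 2)
    user: str
    groups: frozenset
    mfa: bool
    expires_at: datetime

@dataclass
class ManagedDevice:    # entry in the device meta-inventory (Step 1)
    cert_fingerprint: str
    last_review: datetime

# Constructed sample inventory and app policies, not real data.
INVENTORY = {
    "sha256:aaaa": ManagedDevice("sha256:aaaa", datetime(2024, 5, 1, tzinfo=timezone.utc)),
    "sha256:bbbb": ManagedDevice("sha256:bbbb", datetime(2023, 1, 1, tzinfo=timezone.utc)),
}
APP_POLICY = {          # minimum trust tier and required group per application
    "wiki":    {"tier": 1, "group": "employees"},
    "payroll": {"tier": 3, "group": "finance"},
}
REVIEW_PERIOD = timedelta(days=180)   # assumed periodic-review interval

def infer_trust_tier(token, cert_fingerprint, now, inventory=INVENTORY):
    """Combine a valid token, the presented device cert and the inventory into a 0-3 tier."""
    device = inventory.get(cert_fingerprint)
    if device is None:
        return 0                                   # unmanaged device: guest-level trust only
    if now - device.last_review > REVIEW_PERIOD:
        return 1                                   # managed, but its review is overdue
    return 3 if token.mfa else 2                   # healthy managed device; MFA lifts the tier

def authorize(app, token, cert_fingerprint, now):
    """Service-level decision for one request, returned as (allowed, reason)."""
    policy = APP_POLICY.get(app)
    if policy is None:
        return False, "unknown application"
    if token is None or token.expires_at <= now:
        return False, "missing or expired token"     # short-lived tokens must be re-issued
    tier = infer_trust_tier(token, cert_fingerprint, now)
    if tier < policy["tier"]:
        return False, f"trust tier {tier} below required {policy['tier']}"
    if policy["group"] not in token.groups:
        return False, f"user not in group {policy['group']}"
    return True, f"allowed at trust tier {tier}"
```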
Cisco recommends a practical zero trust approach to security consisting of six jobs-to-be-done. Establish trust levels for users and their devices, headless IoT devices, and/or application workloads. Establish software-defined perimeters for application and network access. Automate adaptive policies with normalization and integrated threat response.