Zero Trust

From HandWiki

Zero Trust is an information security framework which states that organizations should not trust any entity inside or outside of their perimeter at any time. It provides the visibility and IT controls needed to secure, manage and monitor every device, user, app and network being used to access business data. It also involves on-device detection and remediation of threats.[1][2]

Overview

Zero trust refers to an evolving set of network security paradigms that narrows defenses from wide network perimeters to individuals or small groups of resources. Its focus on protecting resources rather than network segments is a response to enterprise trends that include remote users and cloud-based assets that are not located within an enterprise-owned network boundary.[3]

In a traditional castle-and-moat security approach, organizations focus on defending their perimeters and assume that every user inside a network is trustworthy and cleared for access.[4] The vulnerability with this approach is that once an attacker or unauthorized user gains access to a network, that individual has easy access to everything inside the network. In the zero trust model, no user is trusted, whether inside or outside of the network. The zero trust model operates on the principle of 'never trust, always verify'.

IBM’s 2018 Cost of a Data Breach study revealed that the average cost impact of a single data breach to a company is over $3 million.[5] By replacing traditional authentication methods with zero trust technologies, breach attempts are mitigated,[6] and data across the increasingly fragmented information fabric is protected.[7]

The zero trust model was introduced by John Kindervag in 2010.[8][9][10][11] Related frameworks include Google's BeyondCorp, Gartner's CARTA[12][13] and MobileIron’s zero trust model.[14]

Zero Trust Network Access & Software Defined Perimeter

In 2019 Gartner published the Market Guide for Zero Trust Network Access, which stated: "Zero trust network access replaces traditional technologies, which require companies to extend excessive trust to employees and partners to connect and collaborate. Security and risk management leaders should plan pilot ZTNA projects for employee/partner-facing applications."

The earlier Software Defined Perimeter (SDP), also called a "Black Cloud", is an approach to computer security that evolved from work done at the Defense Information Systems Agency (DISA) under the Global Information Grid (GIG) Black Core Network initiative around 2007. Connectivity in a Software Defined Perimeter is based on a need-to-know model, in which device posture and identity are verified before access to application infrastructure is granted. The application infrastructure is effectively “black” (a DoD term meaning the infrastructure cannot be detected): it exposes no visible DNS information or IP addresses.
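An added illustration (example code, not from the article or from any of the frameworks it names) of the "never trust, always verify" and need-to-know principles described above: a castle-and-moat check that trusts any source inside a corporate range, beside a per-request policy that verifies identity and device posture and consults a need-to-know list before granting access. The network range, user names, resources and posture attributes are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Constructed sample environment (not from the article): one corporate
# range and a need-to-know table mapping each resource to allowed users.
CORP_NET = ip_network("10.0.0.0/8")
NEED_TO_KNOW = {
    "payroll-app": {"alice"},
    "wiki": {"alice", "bob"},
}

@dataclass(frozen=True)
class Request:
    user: Optional[str]    # authenticated identity, None if unauthenticated
    src_ip: str            # where the connection comes from
    device_managed: bool   # device is enrolled in management
    device_patched: bool   # device meets the required patch level
    resource: str          # application being requested

def perimeter_allows(req: Request) -> bool:
    """Castle-and-moat: anyone already inside the network is trusted."""
    return ip_address(req.src_ip) in CORP_NET

def zero_trust_allows(req: Request) -> Tuple[bool, str]:
    """Never trust, always verify: identity, device posture and need-to-know
    are checked on every request; network location plays no part."""
    if req.user is None:
        return False, "unauthenticated"
    if not (req.device_managed and req.device_patched):
        return False, "device posture failed"
    if req.user not in NEED_TO_KNOW.get(req.resource, set()):
        return False, "not on need-to-know list"
    return True, "verified"

def compare(req: Request) -> dict:
    """Decision of both models for one request, with the zero trust reason."""
    zt_ok, reason = zero_trust_allows(req)
    return {"perimeter": perimeter_allows(req), "zero_trust": zt_ok, "reason": reason}

if __name__ == "__main__":
    # Inside the perimeter but unauthenticated on an unmanaged box (a lateral
    # mover): the moat admits it to payroll, zero trust refuses.
    lateral = Request(None, "10.20.30.40", False, False, "payroll-app")
    # Verified remote user on a healthy managed device: the moat blocks her
    # for being outside, zero trust admits her.
    remote = Request("alice", "203.0.113.5", True, True, "payroll-app")
    for r in (lateral, remote):
        print(r.src_ip, compare(r))
```

The reason string returned by the zero trust check is what a policy enforcement point would log, so each denial is attributable to a failed identity, posture or authorization condition rather than to a network location.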

References

  1. Rhonda Shantz. "Implementing a mobile-centric zero trust security framework". https://www.itproportal.com/features/implementing-a-mobile-centric-zero-trust-security-framework/. Retrieved June 24, 2019. 
  2. Phil Goldstein. "What Is a Zero-Trust Model in Cybersecurity, and What Does It Mean for Federal IT?". https://fedtechmagazine.com/article/2019/08/what-zero-trust-model-cybersecurity-and-what-does-it-mean-federal-it-perfcon. Retrieved 18 October 2019. 
  3. "Zero Trust Architecture: Draft NIST SP 800-207 Available for Comment". NIST. https://www.nist.gov/news-events/news/2019/09/zero-trust-architecture-draft-nist-sp-800-207-available-comment. 
  4. Mary Pratt. "What is Zero Trust? A model for more effective security". https://www.csoonline.com/article/3247848/what-is-zero-trust-a-model-for-more-effective-security.html. Retrieved 18 October 2019. 
  5. Columbus, Louis. "IBM's 2018 Data Breach Study Shows Why We're In A Zero Trust World Now". https://www.forbes.com/sites/louiscolumbus/2018/07/27/ibms-2018-data-breach-study-shows-why-were-in-a-zero-trust-world-now/#6d27619c68ed. Retrieved 18 October 2019. 
  6. Columbus, Louis. "Three Reasons Why Killing Passwords Improves Your Cloud Security". https://www.forbes.com/sites/louiscolumbus/2019/09/17/three-reasons-why-killing-passwords-improves-your-cloud-security/#1ce3ea957bc9. Retrieved 18 October 2019. 
  7. Rhonda Shantz. "Implementing a mobile-centric zero trust security framework". https://www.itproportal.com/features/implementing-a-mobile-centric-zero-trust-security-framework/. Retrieved June 24, 2019. 
  8. Kindervag, John. "Next-Generation Access and Zero Trust", Forrester, March 27, 2018. Retrieved on August 22, 2019
  9. Dattaraj Rao. "Zero trust model is the need of hour for the current Industrial Revolution". http://bwcio.businessworld.in/article/Zero-trust-model-is-the-need-of-hour-for-the-current-Industrial-Revolution/04-09-2019-175652/. Retrieved 18 October 2019. 
  10. Horowitz, Brian. "Zero Trust Model Gains Steam With Security Experts". https://www.pcmag.com/article/364881/zero-trust-model-gains-steam-with-security-experts. Retrieved 18 October 2019. 
  11. "Security's Most Influential People in Security 2019 - Dr. Chase C. Cunningham". https://www.securitymagazine.com/articles/90837-securitys-most-influential-people-in-security-2019---dr-chase-c-cunningham. Retrieved 18 October 2019. 
  12. Gartner. "IT Security approach for the digital age", Gartner, June 17, 2017. Retrieved on August 22, 2019
  13. Horowitz, Brian. "Zero Trust Model Gains Steam With Security Experts". https://www.pcmag.com/article/364881/zero-trust-model-gains-steam-with-security-experts. Retrieved 18 October 2019. 
  14. Columbus, Louis. "Your Mobile Phone Is Your Identity. How Do You Protect It?". https://www.forbes.com/sites/louiscolumbus/2019/08/02/your-mobile-phone-is-your-identity-how-do-you-protect-it/#7740079a2902. Retrieved 18 October 2019.