It may be getting a lot of renewed attention lately, but zero trust is not a new concept. Security professionals have been promoting it for almost 20 years. Yet there remains confusion about what exactly it is and how it works.
At its core, zero trust means what the term implies: It is the end of implicit trust, where people or systems were trusted simply because of where they were — on campus, on private wireless, on a VPN, in the data centre and so on. Instead, the zero-trust model says to trust no one and require everyone and everything to be controlled, authenticated and authorized.
As we recognize National Cybersecurity Awareness Month, let’s dig into the myths and misconceptions about this concept and get to the truth.
MYTH: Zero Trust Means Endless Logins For Users
Zero-trust models definitely require that users be authenticated every time they do anything. But that doesn’t have to be done with a login page and password. Instead, single sign-on systems — integrated with browsers, client operating systems and VPN tools — are used to reduce the number of login steps visible to users. Users are still being authenticated and authorized many times, but it’s happening behind the scenes without bothering users.
If done incorrectly, zero trust is a fast track to user dissatisfaction. But a well-planned zero-trust deployment, combined with an identity and access management program, increases both the quality of user authentication (by shifting from passwords to something stronger, such as multifactor authentication or digital certificates) and the granularity of the controls the security team has to grant or restrict access.
FACT: The Cloud Simplifies Zero-Trust Transitions
Zero trust requires that you rethink the connections between everyone and everything, including systems sitting next to each other in a data centre. You can definitely build a zero-trust security model in an existing on-premises data centre, if your network and application teams can cooperate.
However, many IT groups find adding security barriers to replace a network free-for-all inside an office building or an existing data centre very challenging. When applications are forklifted out of the data centre and moved to the cloud, it presents a natural opportunity to put in the security barriers that zero trust requires. For forward-looking IT groups, a cloud deployment is the ideal time to start deploying a zero-trust model at both the network and the application layers.
FACT: Zero Trust Makes A VPN Unnecessary
With zero trust, all user-to-server communication channels should be controlled, authenticated and authorized. (The same goes for server-to-server communications as well.) In the 1990s, the standard tool to do this was an IPsec VPN, and that tool still has its place in the IT manager’s toolbox to solve problems with legacy applications or very small or specialized user communities.
But the zero-trust idea of control, authentication and authorization doesn’t map cleanly onto typical IPsec VPN implementations, because they typically have weak controls, broad-based authentication and no authorization model at all: once a tunnel is up, the user is on the network.
Instead, application-specific encryption provides protection against eavesdropping or man-in-the-middle attacks, while also delivering a strong authentication model. Of course, you can always layer that on top of a VPN connection — and many IT leaders may choose to do that during a transition period or to accommodate legacy applications. But over the long term, the combination of application-specific authentication and encryption along with a move of many applications to cloud hosting services spells the end of VPNs for general-purpose access to corporate networks.
MYTH: Zero Trust Is a User-Focused Security Initiative
Zero trust is not just about users. It’s about not trusting anyone or anything just because of where they are. What this means is that users who are on corporate Wi-Fi shouldn’t be trusted any more than users who are connecting from their home offices.
In the early days of networked computing, security professionals rallied around the expression “a crunchy shell around a soft, chewy centre” to describe network security. Firewalls provided the crunch in the form of access controls. Access from outside the perimeter faced strong access controls, but everything inside the firewalls was implicitly trusted.
Zero trust sweeps away this idea. Instead, every server, every network access point and every application should have its own crunchy shell that provides the services of access control, typically coupled with authentication and authorization.
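What a per-application "crunchy shell" looks like in practice, and how it replaces the VPN-style model from the previous section (a tunnel that authenticates broadly and authorizes nothing), as an added example in Go that is not code from the original article or from CDW: one HTTPS service requires every caller to present a client certificate chained to a private CA (authentication at the TLS layer, which also gives the application-specific encryption the article describes) and then checks the proven identity against its own allow-list (authorization), so where the caller is on the network never enters the decision. The private CA, the server name, the identities alice@example.test and build-bot@example.test, and the allow-list policy are all constructed for this example and are not from the article.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// Constructed authorization policy for this one application: the identity
// proven at the TLS layer (certificate CommonName) must also be on this list.
var allowed = map[string]bool{"alice@example.test": true}

// mustCert issues a short-lived ECDSA certificate for the constructed example PKI.
// parent == nil yields a self-signed CA; otherwise a leaf signed by that CA.
func mustCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (tls.Certificate, *x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		IPAddresses:           []net.IP{net.IPv4(127, 0, 0, 1)}, // loopback SAN for the in-process server
	}
	signer, signerKey := tmpl, key // self-signed unless a parent CA is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf, key
}

// newServer starts an HTTPS service that is its own shell: TLS requires a client
// certificate chained to ca (authentication), and the handler checks the
// authenticated identity against the policy (authorization). Source IP is never consulted.
func newServer(ca *x509.Certificate, serverCert tls.Certificate) *httptest.Server {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// PeerCertificates is only populated after a verified mutual-TLS handshake.
		who := r.TLS.PeerCertificates[0].Subject.CommonName
		if !allowed[who] {
			http.Error(w, "forbidden for "+who, http.StatusForbidden)
			return
		}
		fmt.Fprintf(w, "hello %s", who)
	}))
	srv.TLS = &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    pool,
		MinVersion:   tls.VersionTLS12,
	}
	srv.StartTLS()
	return srv
}

// call makes one request as the given identity; clientCert == nil models a
// caller with no proven identity (for example, "just on the corporate Wi-Fi").
func call(url string, ca *x509.Certificate, clientCert *tls.Certificate) (int, error) {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	cfg := &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}
	if clientCert != nil {
		cfg.Certificates = []tls.Certificate{*clientCert}
	}
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
	resp, err := client.Get(url)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

// Result records how the service treated each constructed caller.
type Result struct {
	Alice, BuildBot int  // HTTP status codes for two authenticated identities
	AnonymousFailed bool // true when the caller without a certificate never got past TLS
}

// Demo builds the example PKI, starts the service and exercises the three callers.
func Demo() Result {
	_, ca, caKey := mustCert("example-internal-ca", true, nil, nil)
	serverCert, _, _ := mustCert("payroll.internal.example.test", false, ca, caKey)
	alice, _, _ := mustCert("alice@example.test", false, ca, caKey)
	bot, _, _ := mustCert("build-bot@example.test", false, ca, caKey)
	srv := newServer(ca, serverCert)
	defer srv.Close()
	var r Result
	r.Alice, _ = call(srv.URL, ca, &alice)    // authenticated and on the allow-list
	r.BuildBot, _ = call(srv.URL, ca, &bot)   // authenticated, but not authorized here
	_, err := call(srv.URL, ca, nil)           // no identity: rejected before any HTTP
	r.AnonymousFailed = err != nil
	return r
}

func main() {
	fmt.Printf("%+v\n", Demo())
}
```

Run it with `go run .`; it prints the status codes and whether the anonymous caller was refused. The point to notice is that all three callers arrive from the same loopback address, and only the certificate-proven identity and the per-application policy decide the outcome, which is exactly what an IPsec tunnel with no authorization model cannot do.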
MYTH: Zero Trust Is Just Another Buzzword Designed to Sell Security Products
Zero trust isn’t a marketing ploy. Companies around the globe are being hit hard with data breaches and break-ins. Post-mortems around most of these security incidents come to a simple conclusion: We trusted someone or something that we shouldn’t have, and that’s how the breach occurred.
In the data centre, not every server joined to a Windows domain is equally well managed and protected — but when the weakest server becomes an entry point for cybercriminals, the nature of the trust relationship in the data centre makes it easy for attackers to move laterally to other systems, escalating privileges and access as they go.
The same is true for end users. Just because an end user’s PC is connected to the network in your headquarters doesn’t mean the user can be trusted to connect to every bit of network and server infrastructure on the corporate campus.
Getting rid of this overly generous model of trust in corporate networks dramatically reduces the risk of data breach and system compromise. That’s no buzz — it’s a better way to design and run an organization’s applications and infrastructure.
Is your organization ready for a modern cybersecurity strategy? Visit CDW.ca/security to learn more.