What is Zero Trust cybersecurity? I mean “Zero Trust.” A Zero Trust network or Zero Trust architecture is a concept based on the idea that organizations shouldn’t trust a device, just because it’s inside the enterprise’s network perimeter.
In Zero Trust, there’s no leeway for “insiders;” they’re treated just like outsiders and must be verified before gaining access to enterprise systems.
Cisco defines Zero Trust as a comprehensive approach to securing all access across an enterprise’s networks, applications, and environment. Zero Trust strategies are like the people you meet in life who don’t seem to open up to anyone.
On my radio show, I likened it to the movie “Meet the Parents” with Robert De Niro and Ben Stiller, where De Niro’s character Jack Byrnes talks about his “circle of trust.” Except Zero Trust is even more strict, because the idea is that there’s no circle of trust—by default, Zero Trust systems never trust other systems trying to access services or data.
Zero Trust isn’t new, but it’s become more prominent in the past couple of years, and right now you might even call it a buzzword in the industry.
A former Forrester Research Analyst named John Kindervag coined the term “Zero Trust” about a decade ago in 2010, and it recently was pretty hyped up at the RSA conference in March.
Google is part of why a lot of people are talking about Zero Trust in the first place. In 2011, Google started building zero-trust networks with the goal of allowing every Google employee to work successfully from untrusted networks without using a VPN (virtual private network).
Eventually, Google’s internal efforts turned into BeyondCorp, a security model that accomplishes this goal. It allows employees to work more securely from virtually any location without the need for a traditional VPN.
BeyondCorp started off as an internal initiative, but it’s open source now and is available to everyone as a Google cloud solution. Google has also contributed to the creation of a Zero Trust community by publishing whitepapers about its BeyondCorp process—from concept through implementation.
The dxZero Trust architecture is called different things, but let’s further define what we mean by Zero Trust.
The ACT’s (American Council for Technology’s) Industry Advisory Council released a trends whitepaper about Zero Trust in April that has some great information.
The council traces Zero Trust even farther to 2004 and a group of CISO’s (chief information security officers) in the U.K. called the Jericho Forum.
Based off these individuals’ observations about how access and authorization was changing at the time in the enterprise, the Jericho Forum introduced this security design concept that could address the dissolving or constantly moving perimeter.
The ACT’s document also highlights these five fundamental assertions of Zero Trust architecture:
- the network is always assumed to be hostile;
- external and internal threats exist on the network at all times;
- network locality is not sufficient for deciding trust in a network;
- every device, user, and network flow is authenticated and authorized;
- policies must be dynamic and calculated from as many sources of data as possible.
So, vendors are jumping on board with Zero Trust.
Some are kind of positioning themselves as if they’ve always been on board. Vendors to watch in this space, besides Google, include:
And then there’s also new up-and-coming players to watch, like Polyrize, which just came out of stealth mode and announced a $4 million seed round. That’s just a smattering of who’s supplying zero-trust-related solutions, so who’s implementing Zero Trust?
Once hospital CISO supposedly implemented a Zero Trust network security strategy. The hospital’s CISO says it started by micro-segmenting its data center; that’s just what worked best for the hospital. After that experience the best advice the CISO recommends organizations do their due diligence prior to implementation to identify all the traffic flow among devices in their network.
If your goal is to implement Zero Trust, that is some fantastic advice. If you can avoid cutting corners in the beginning stages, you’ll save yourself some headaches in the implementation phase. Having a solid plan is always the best way to avoid some real headaches later down the road.
Want to tweet about this article? Use hashtags #M2M #IoT #AI #artificialintelligence #machinelearning #5G #bigdata #digitaltransformation #cybersecurity #blockchain #enterprise #manufacturing #IIoT