What You Need to Know About Zero Trust Security
The zero trust model might be the answer to a world in which perimeters are made to be breached. Is it right for your organization?
May 22, 2019
![](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/bltbda6a0404bf691ce/64f0d5bdce538f027be3f071/Image_1.jpeg?width=700&auto=webp&quality=80&disable=upscale)
If your network has a perimeter, it will someday be breached. That's both the lesson the "real world" works so hard to teach and the premise behind a key security model: zero trust.
"Don't trust, and verify" might be a nutshell description of the zero trust model — "don't trust" because no user or endpoint within the network is considered intrinsically secure, and "verify" because each user and endpoint accessing any resources of the network must authenticate and be verified at every point, not just at the perimeter or large network segment boundaries.
This often-repeated authentication throughout the network and application infrastructure relies on the concept of "microsegmentation," in which boundaries are defined around individual applications and logical network segments. This kind of frequent check point can go a long way toward putting an end to lateral infection in malware outbreaks, and it doesn't have to be as cumbersome to users as it sounds — as long as technology is used to deal with some of the logins and authentications along the way.
While the concept behind the zero trust model is simple, implementation can be anything but. Before a company decides to invest in the technology and processes, it should understand what is involved in the model and its application. Dark Reading has identified seven issues to resolve before launching into a zero trust environment.
If you have helped your organization move to a zero trust environment, we'd like to hear about your experience. Do you agree with our list? DId you find other issues more important? Let us know in the comments, below.
(Image: whyframeshot VIA Adobe Stock)
Zero trust and its enabling technology, microsegmentation, require changes to both security and networking infrastructure. Given that, one of the first questions to be answered is which group will own the project.
Depending on precisely how your application environment is configured before beginning the project, changes may be required to switches, routers, firewalls, authentication servers, and the application servers themselves. In many organizations, responsibility for changing those infrastructure components could fall well outside the responsibility of the security group, in which case the options boil down to expanding the security team's brief for this purpose or having security write the requirements that will be put into action by the network and application maintenance teams.
The multiple responsibilities and components of zero trust make it an instigating factor for a move to DevSecOps for some organizations. Treating every part of the infrastructure as software to be constantly authenticated against, monitored, and improved makes sense for zero trust security, and it may ease some of the issues around which group is going to drive the change process.
If your network has a perimeter, it will someday be breached. That's both the lesson the "real world" works so hard to teach and the premise behind a key security model: zero trust.
"Don't trust, and verify" might be a nutshell description of the zero trust model — "don't trust" because no user or endpoint within the network is considered intrinsically secure, and "verify" because each user and endpoint accessing any resources of the network must authenticate and be verified at every point, not just at the perimeter or large network segment boundaries.
This often-repeated authentication throughout the network and application infrastructure relies on the concept of "microsegmentation," in which boundaries are defined around individual applications and logical network segments. This kind of frequent check point can go a long way toward putting an end to lateral infection in malware outbreaks, and it doesn't have to be as cumbersome to users as it sounds — as long as technology is used to deal with some of the logins and authentications along the way.
While the concept behind the zero trust model is simple, implementation can be anything but. Before a company decides to invest in the technology and processes, it should understand what is involved in the model and its application. Dark Reading has identified seven issues to resolve before launching into a zero trust environment.
If you have helped your organization move to a zero trust environment, we'd like to hear about your experience. Do you agree with our list? DId you find other issues more important? Let us know in the comments, below.
(Image: whyframeshot VIA Adobe Stock)
About the Author(s)
You May Also Like
CISO Perspectives: How to make AI an Accelerator, Not a Blocker
August 20, 2024Securing Your Cloud Assets
August 27, 2024